What is a cyber security incident?

A cyber security incident is any activity that may threaten the security of a system or the information it holds. A compromise is an incident in which that security was actually breached, for example by extracting information from a computer network, defacing a website, or degrading the reliability of an online service.

What is a cyber attack?

The Australian Government has defined a cyber attack as a deliberate act through cyberspace to manipulate, disrupt, deny, degrade or destroy computers or networks, or the information resident on them, with the effect of seriously compromising national security, stability or economic prosperity.

This definition was developed in 2011 after extensive policy and legal consultation. It was subsequently used to underpin the provisions of the ANZUS Treaty that allow Australia and the US to consult each other in the event of a cyber attack on either party. Australia has not yet been subjected to any activities that could be considered a cyber attack.

A destructive cyber attack against Australian networks or critical infrastructure—that would seriously compromise national security, stability or prosperity—is unlikely outside a period of significant heightened tension or escalation to conflict with another country.

What can businesses do to protect themselves from cyber attack?

CERT Australia encourages businesses to be prepared before an incident occurs. This involves knowing your network, understanding the value of your information, and understanding how both are protected. Being prepared also involves understanding what constitutes normal behaviour on your network so you can detect unusual behaviour.

Read more about protecting your network in General Guidance.

Why partner with CERT Australia?

We encourage organisations that are responsible for systems of national interest to partner with us before an incident occurs. Prevention is much better than cure when critical business systems are at stake. By having this relationship in place, we can share information efficiently and effectively with businesses to help with prevention and if necessary, mitigation.

Read more about becoming a partner.

Why is it important to report cyber incidents?

Timely reporting of cyber incidents to CERT Australia allows us to form a more accurate view of cyber security threats and make sure you receive the right help and advice. All information provided to us is held in the strictest confidence.

Why have I received an email from CERT Australia about my website?

If you own a website (that is you are the registered domain owner), you may receive an email from us to notify that your website may be hosting, or redirecting to, malicious content.

Contact us for more information.

Why have I received an email from CERT Australia about compromised credentials?

We sometimes receive information from partner organisations about details of compromised user credentials. We then attempt to identify and notify those affected by email. If you want to check the legitimacy of the email, contact us.

How is CERT Australia different from commercial CERTs?

CERT Australia’s services are free and do not promote any particular products. We do not compete with commercial services in the market.

CERT Australia is part of the Australian Government’s Attorney-General’s Department. We also work in the Australian Cyber Security Centre, sharing information and working closely with the Australian Security Intelligence Organisation (ASIO), the Australian Federal Police (AFP), the Australian Signals Directorate (ASD) and the Australian Criminal Intelligence Commission (ACIC). In addition, we work closely and share information with our international counterparts.

By using our government, industry and international networks, we provide businesses with the most useful and effective advice possible, as soon as possible.

What about investigating cyber security incidents?

If your business has experienced a cyber security incident, this may result in a police investigation.

Law enforcement cyber crime teams are well aware of, and will attempt to minimise, the potential business impacts a criminal investigation can have on an organisation. However, there are likely to be some effects that need to be weighed against business interests.

This may involve considering whether or not you are prepared to keep the breached system open to preserve evidence, or shut down the system to prevent further intrusion—thereby running the risk of destroying potential evidence.

If you would like to have a cyber security incident investigated by law enforcement:

  • individuals and small businesses should report the incident to the Australian Cybercrime Online Reporting Network
  • disconnect the compromised machine from the network (unplug the cable or disable the interface) and wait for law enforcement to respond
  • keep the system turned on: volatile data in RAM, such as running processes, open network connections and encryption keys, is lost if the machine is powered down
  • leave the compromised machine alone. Do not run programs or open files; leave this for law enforcement. Interacting with the machine can destroy forensic evidence and prevent an investigation from progressing
  • if the machine is virtualised, suspend it through the hypervisor and copy its files, including the saved memory state, to new media.
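Copying a suspended machine's files to new media is only useful as evidence if you can later show the copy is identical to what was taken. The following is an added example, not CERT Australia or law-enforcement tooling, of how to make that copy and record a verification manifest. It assumes the guest has already been suspended through the hypervisor (that command is hypervisor-specific and not shown), that its files are readable from the host, and the paths in the usage stanza are placeholders.

```python
"""Copy evidence files to new media and record a verification manifest.

Added example: this is not CERT Australia or law-enforcement tooling. It
assumes the compromised guest has already been suspended through the
hypervisor (that step is hypervisor-specific and not shown) and that its
files are readable from the host. Paths under __main__ are placeholders.
"""
import hashlib
import json
import os
import shutil
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large disk images never need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve(sources, dest_dir, operator):
    """Copy each source file into dest_dir and return the manifest.

    Each entry records the hash computed before and after the copy so a
    later examiner can show the evidence copy is bit-for-bit identical.
    Raises RuntimeError if any copy does not verify.
    """
    os.makedirs(dest_dir, exist_ok=True)
    entries = []
    for src in sources:
        before = sha256_file(src)
        dst = os.path.join(dest_dir, os.path.basename(src))
        shutil.copy2(src, dst)          # copy2 also preserves timestamps
        after = sha256_file(dst)
        if before != after:
            raise RuntimeError(f"copy of {src} failed verification")
        entries.append({
            "source": os.path.abspath(src),
            "copy": os.path.abspath(dst),
            "size": os.path.getsize(dst),
            "sha256": after,
            "copied_at_utc": datetime.now(timezone.utc).isoformat(),
        })
    manifest = {"operator": operator, "files": entries}
    with open(os.path.join(dest_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(dest_dir):
    """Re-hash every copy listed in the manifest; return the paths that differ."""
    with open(os.path.join(dest_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [e["copy"] for e in manifest["files"]
            if sha256_file(e["copy"]) != e["sha256"]]


if __name__ == "__main__":
    # Placeholder paths for a suspended guest's disk image and saved state.
    m = preserve(["/vm/web01/disk.qcow2", "/vm/web01/state.sav"],
                 "/media/evidence/web01", "operator name")
    print(json.dumps(m, indent=2))
```

Write the manifest to the evidence media alongside the copies and keep a separate printed or signed copy of the hashes; verify() can then be run by anyone who later handles the media.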

You may decide not to report a cyber security incident to law enforcement. However, it is still important to report an incident to CERT Australia.

What are the responsibilities of internet providers when they receive Australian Internet Security Initiative (AISI) reports from CERT?

Internet providers are encouraged to alert their customers about malware infections and service vulnerabilities identified on their services, as well as provide advice about how to resolve the specific problem. However there is no requirement for them to do so.

Do internet providers pay for AISI data?

No. AISI data is provided free of charge to members.

Who provides AISI data to CERT?

CERT Australia receives AISI data from many different sources including Microsoft, the Shadowserver Foundation, Team Cymru and the Spamhaus Project.

How reliable is the AISI data?

The AISI data is considered highly reliable. The different data sources used in the AISI are carefully evaluated prior to inclusion in the daily reports. 

How often are the AISI reports issued by CERT Australia?

AISI reports are sent every day to participating internet providers.

How many internet providers participate in the AISI?

Approximately 150 providers participate in the AISI. They are listed on the members page.

My service has been reported by AISI as vulnerable. What should I do to remove the vulnerability?

The appropriate remedial action will depend on the specific vulnerability, the software and operating system installed, the make and type of infected device and how it is configured.

For example, if a vulnerability is located in a home router there may or may not be a firmware update to address that vulnerability. If there is no firmware update, it may be possible to configure the router to reduce or remove the impact of the vulnerability, such as turning off remote administration from the internet or restricting it to the local network.

Read more about vulnerabilities and open services reported through the AISI.

My service has been reported by AISI as having a ‘DDoS Amplifier’ vulnerability, how does this affect the operation of my service?

Distributed Denial of Service (DDoS) amplifier reports indicate a misconfigured service. Like many other malware infections and service vulnerabilities reported through the AISI, these services can be used to cause harm to other internet users.

A DDoS attack on a website or server may render a service inoperable or degrade its performance for the duration of the attack. 'Amplification' in this context means the affected service returns far more traffic than it receives: the attacker sends small requests, usually over UDP, with the source address forged to be the victim's, so the service's much larger responses are delivered to the victim rather than back to the attacker. Your service is not the target of the attack, but it is contributing bandwidth to it, and the reports will continue until the service is closed, restricted to the clients that need it, or reconfigured not to answer the abused request from the internet.
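The size of the problem can be measured directly. The following is an added example, not part of the CERT Australia page: it assumes the reported amplifier is a DNS resolver (the most common case) and builds the query by hand so the request size is known exactly. The stub server in the block is a constructed stand-in so the measurement can be demonstrated offline; point probe() at a real address only for a service you own.

```python
"""Measure the bandwidth amplification factor of a UDP DNS service.

Added example, not CERT Australia code. Assumes a DNS amplifier; the stub
server below is a constructed stand-in for offline demonstration.
"""
import socket
import struct
import threading


def build_dns_query(name, qtype=255, txid=0x1234):
    """Return a minimal DNS query with RD set; qtype 255 is ANY."""
    # header: id, flags (RD=1), qdcount=1, ancount, nscount, arcount
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode() for l in name.strip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)   # qclass IN


def amplification_factor(request, response):
    """Bytes returned per byte sent; the larger, the more useful to an attacker."""
    return len(response) / len(request)


def probe(host, port, name="example.com", timeout=2.0):
    """Send one query and report request size, response size and factor."""
    query = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (host, port))
        data, _ = s.recvfrom(65535)
    return {"request": len(query), "response": len(data),
            "factor": round(amplification_factor(query, data), 1)}


def start_stub_amplifier(response_len=3000):
    """Constructed stand-in: answers any query with a padded response.

    Echoes the transaction ID, sets the QR and RA flags, then pads to
    response_len bytes. Returns the (host, port) it is listening on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            q, peer = srv.recvfrom(4096)
            reply = q[:2] + b"\x81\x80" + q[4:]      # same ID, marked as a response
            srv.sendto(reply.ljust(response_len, b"\x00"), peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    host, port = start_stub_amplifier()
    print(probe(host, port))   # {'request': 29, 'response': 3000, 'factor': 103.4}
```

A 29-byte query answered with a 3000-byte response is roughly a 100x amplifier; since the attacker never needs the answer, the only thing limiting the abuse is whether your service answers unsolicited queries from arbitrary internet addresses at all.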

My service has been reported by AISI as infected with malware—what should I do?

The appropriate action will depend on the specific malware reported and the device on which the malware is located. 

Malware detections reported through the AISI are typically long-term infections. For example, if you receive an AISI report for a Conficker infection, it is highly likely that the device also carries more serious malware that has not been reported through the AISI. You may need to seek expert technical assistance to ensure all malware is removed from your device(s), particularly if you have taken remedial action and are still receiving AISI malware reports related to your service.

How did CERT Australia identify my service as having a malware infection or service vulnerability?

The data used by CERT Australia in the AISI contains an IP address and a date/time stamp. This is included in the daily reports provided to AISI members so they can match it against their own address assignment records (for example DHCP or RADIUS logs) for that time to identify the affected customer; because many customer addresses are assigned dynamically, the time stamp matters as much as the address. CERT Australia does not hold ISP customer information.
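The correlation an internet provider performs on those two fields, as an added example that is not CERT Australia code. The report layout (timestamp, ip, category) and the assignment history are constructed for illustration; real AISI reports and RADIUS or DHCP records differ in layout but carry the same two keys, an IP address and a time. The example uses the same address on the same day to show why matching on the address alone picks the wrong customer.

```python
"""Correlate IP/timestamp report lines with an ISP's address assignments.

Added example, not CERT Australia code. REPORT and ASSIGNMENTS are
constructed sample data; real report and lease formats will differ.
"""
import csv
import io
import ipaddress
from datetime import datetime, timezone

# Constructed report lines: UTC timestamp, observed IP, what was seen.
REPORT = """\
timestamp,ip,category
2017-03-02T14:05:11Z,203.0.113.17,malware-conficker
2017-03-02T23:40:02Z,203.0.113.17,ddos-amplifier-dns
2017-03-03T01:12:45Z,198.51.100.9,vulnerable-router-telnet
"""

# Constructed assignment history: which customer held which IP and when.
# An empty end means the assignment is still current. Times are UTC.
ASSIGNMENTS = """\
ip,customer,start,end
203.0.113.17,CUST-1001,2017-03-01T00:00:00Z,2017-03-02T20:00:00Z
203.0.113.17,CUST-1042,2017-03-02T20:00:00Z,
198.51.100.9,CUST-2210,2017-02-20T09:30:00Z,
"""


def parse_time(s):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_assignments(text):
    """Return (ip, customer, start, end) tuples; end is None if current."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append((ipaddress.ip_address(r["ip"]), r["customer"],
                     parse_time(r["start"]),
                     parse_time(r["end"]) if r["end"] else None))
    return rows


def customer_at(assignments, ip, when):
    """Return the customer holding ip at time when, or None if unknown.

    The start is inclusive and the end exclusive, so a report stamped at
    the exact hand-over moment is attributed to the new holder.
    """
    ip = ipaddress.ip_address(ip)
    for a_ip, cust, start, end in assignments:
        if a_ip == ip and start <= when and (end is None or when < end):
            return cust
    return None


def correlate(report_text, assignments):
    """Map each report line to (ip, timestamp, category, customer)."""
    out = []
    for r in csv.DictReader(io.StringIO(report_text)):
        when = parse_time(r["timestamp"])
        out.append((r["ip"], r["timestamp"], r["category"],
                    customer_at(assignments, r["ip"], when)))
    return out


if __name__ == "__main__":
    for row in correlate(REPORT, load_assignments(ASSIGNMENTS)):
        print(row)
```

Both report lines for 203.0.113.17 fall on the same day but resolve to different customers, because the address changed hands at 20:00 UTC; a provider that notifies on the address alone would contact CUST-1001 about an amplifier that belongs to CUST-1042. Make sure the report's timezone and your own logs' timezone are reconciled before matching.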

There have been multiple instances of malware reported by AISI on my service, what does this mean?

Often malware affects multiple devices on a network. The objective of the AISI is to provide as much information as practical that can be used to identify the specific source of a malware infection.

Have Australian internet providers adopted any standard approach to actioning AISI malware reports?

The Communications Alliance has issued a voluntary code of practice—the iCode—which focuses on how ISPs and consumers can minimise the security risks inherent in using the internet. The iCode is designed to provide a consistent approach for ISPs to help inform, educate and protect their customers in relation to cyber security risks.

More detail on the iCode is provided here.