Cyber Security Incident Reporting

Download ASD Broadcast: Cyber Security Incident Reporting (PDF), dated March 2014, released 1 May 2014

Introduction

  1. The Australian Signals Directorate (ASD) provides government with a greater understanding of cyber threats and the coordination of whole-of-government operational responses to cyber security incidents. The Cyber Security Incident Reporting (CSIR) scheme assists ASD with this role.

Why should I report a cyber incident?

  1. The Australian Government Information Security Manual (ISM) states agencies must report cyber security incidents to ASD. ASD uses cyber security incident reports as the basis for identifying and responding to cyber security incidents across government.
  2. A cyber security incident is a single or series of unwanted or unexpected cyber security events that have a significant probability of compromising business operations and threatening information security. Cyber security incidents can include denying, disrupting or theft of information on ICT systems. The confidentiality, integrity or availability of a system or the information stored, processed or communicated by it may be affected.
  3. The Cyber Security Operations Centre (CSOC) is responsible for improving government understanding of sophisticated cyber threats against Australian interests, and coordinating/providing operational responses to cyber security incidents of national importance.
  4. Reporting cyber security incidents helps ASD to develop a threat environment picture for government systems and assist other agencies who may also be at risk. Cyber security incident reports are also used for developing new policies, procedures, techniques and training measures to help prevent future incidents.
  5. Reporting cyber security incidents to ASD through the appropriate channels ensures that appropriate and timely assistance can be provided. In addition, it allows ASD to maintain an accurate threat environment picture for government systems through the CSIR scheme.
  6. Incident reports are only used for investigative purposes. ASD will not disclose the identification of the reporting agency outside of CSOC partner agencies without consent.
  7. Where incidents have been reported, ASD has often provided additional assistance to agencies, particularly in the form of investigation, analysis and technical advice leading to the identification on system compromises. Examples of incidents reported to CSOC include:
    • Repeated domain administrator accounts being locked out due to too many failed authentication attempts.
    • Unusual authentication events on VPN/remote access systems such as users being logged in from local workstations and VPN simultaneously or a number of log-in attempts from geographically disparate or overseas locations within short time frame.
    • Service accounts communicating with internet-based infrastructure.
    • Antivirus hits on servers including domain controllers.

When should I report a cyber security incident?

  1. The types of cyber security incidents agencies should report to CSOC include:
    • Suspicious or seemingly targeted emails with attachments or links.
    • Any compromise or corruption of information.
    • Unauthorised access or intrusion into an ICT system.
    • Data spills.
    • Theft or loss of electronic devices that have processed or stored Australian government information.
    • Intentional or accidental introduction of malware to a network.
    • Denial of Service attacks.
    • Suspicious or unauthorised network activity on a control system.
    • Control or monitoring systems.
    • Tampering with ICT equipment while travelling.
  2. Reporting cyber security incidents to ASD through the correct channels ensures that appropriate and timely assistance can be provided.

How do I report a cyber security incident?

  1. Agencies should coordinate reporting incidents to ASD through their Information Technology Security Advisor (ITSA).
  2. Australian agencies can report a cyber incident via ASD’s website by downloading a Cyber Security Incident Report form.
  3. Once a report is submitted to ASD it is recorded and assessed by ASD’s CSOC. At this time a decision is made as to what level of response is required.
  4. ASD can provide assistance upon request. Agencies that require immediate advice or assistance in response to a cyber-security incident should contact ASD as soon as possible

Further information

  1. The Cyber Security Incidents and the Information Security Documentation chapters of the Information Security Manual contain information on planning for, detecting, reporting and managing cyber security incidents.
  2. ASD’s Protect publication Preparing for and Responding to Cyber Security Incidents provides guidance for senior managers on cyber security incident response.
  3. Go to OnSecure to apply for an account.

Contact

Australian government customers with questions regarding this advice should contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.