
Member security incident notifications

As announced in previous newsletters, over the last few months we have been working hard to improve the quality, volume and reporting of incidents and security issues of direct interest to our members to provide better, actionable threat intelligence.

We are pleased to announce that on 18 September 2015, members started to receive MSINs as a result of this improved capability.

About MSINs

Member security incident notifications (MSINs) provide an improved method to proactively inform members about security incidents affecting members’ data, systems or networks. Each MSIN is a daily customised composite security report containing incident notifications relevant to AusCERT member organisations’ domains and IP ranges.

MSINs are produced from a range of sources, data sets and processing.

[Figure: MSIN_process.png]

For more information about the structure of MSINs see https://auscert.org.au/25670.

  • MSINs are tailored for each member organisation, based on your organisation’s IPs and domains provided to us.
  • They are generally only issued to a member if at least one incident specific to the member is detected within the past 24-hour period.
  • You may receive MSINs about identical incidents on consecutive days. This indicates that the incident previously reported has not yet been resolved (you will notice it has a more recent timestamp). If you don't wish to receive repeat notifications, please let us know.
  • If there are no incidents to report, you will not receive an MSIN.
  • An MSIN may include multiple incidents collated in one report. If we encounter a critical incident, we may send the details separately, in which case you may receive more than one MSIN per day.

To receive accurate and useful MSINs, it’s important you keep this information updated. Contact if you would like to update this information.

Member Security Incidents (MSI) include compromised hosts, IPs, URLs, accounts or data; other types of cyber attack; and misconfigurations or vulnerable services that could be exploited.

[Figure: incidents.png]

If you receive an MSIN that includes information about a vulnerable service, this report was obtained from one of our data sources. We are not scanning your web sites or IP address ranges to collect this information.

If you do not wish to receive notifications of some incident types, or think the information is inaccurate, then please let us know. If you have any other feedback about the MSINs, please let us know what you think.

How do the MSINs compare to other incident notifications and are there changes?

Our new systems can better handle, process, analyse and report on significantly greater volumes of disparate incident data. During this transition period, however, AusCERT’s legacy systems will continue to handle some data sources not yet incorporated into the new systems. The legacy systems and reports will run in parallel to ensure members get access to all available incident data that affects them.

The two systems, and their notifications and reports, operate differently, and it is useful to be aware of these differences while we transition all data to the new systems and phase out legacy systems and reporting methods. The following table describes the key differences and phases and explains why the Weekly Incident Summary Reports (WISR) do not include the Member Security Incident Notifications.

Before 18 September | Now | Future


Type of notification and summary report received

Legacy incident notifications. Typically these include compromised hosts, domains, websites or accounts, phishing emails or sites.


Weekly Incident Summary Report (WISR), which provides a summary of the notifications sent to the member in the previous week and the volume processed.

Legacy incident notifications will continue. 

Legacy WISR will continue.

MSINs commence. If there are multiple incidents per day, they will be collated within a single daily report.

MSINs will continue.

Summary reports according to a range of criteria, e.g. various frequency/time period, sector etc.

Nature of change

New systems brought online with new data sources.

Legacy systems, data and reports still continue until fully transitioned.

MSINs collate all incidents for a single member in a daily email notification, unlike legacy incident notifications which are sent separately (per incident).

Legacy incident notification reports and WISR will cease. These data sources will instead be included in the new MSIN.

WISR will be replaced by a better range of reports.

What this means for you

 

While overall the number of incidents we are processing has increased significantly, the WISR will not reflect this.

The WISR is based on a smaller number of data sources than before. Also, some data sources have been migrated to the new system.

The legacy system only counts incidents from a sub-set of data that is yet to be transitioned to the new systems and does not include the larger volume of incidents being processed as part of the MSINs that members may have separately received during that week.

The total number of incidents processed, as reported in the WISR for the previous week, refers to a sub-set of data and does not include the total volume of incidents processed as part of the MSINs.


When all data is transitioned from previous sources to the new system, we will develop new replacement reports which summarise incidents relating to your organisation to provide more accurate member-specific reporting and better threat reporting in general.