RFC 2350

1. Document Information

This document contains a description of CSIRT-MU according to RFC 2350. It provides basic information about the CSIRT, the ways it can be contacted, and describes its responsibilities and the services offered.

1.1 Date of Last Update

This is version 0.2 as of 2012/02/07.

1.2 Distribution List for Notifications

There is no distribution list for notifications as of February 2012.

1.3 Locations where this Document May Be Found

The current version of this document can always be found at http://www.muni.cz/ics/services/files/rfc2350.txt.

2. Contact Information

2.1 Name of the Team

CSIRT-MU: Computer Security Incident Response Team of Masaryk University

2.2 Address

CSIRT-MU
Institute of Computer Science
Masaryk University
Botanická 68a
602 00 Brno
Czech Republic

2.3 Time Zone

Central European Time, GMT+1 (from the last Sunday in March to the last Sunday in October GMT+2)

2.4 Telephone Number

+420 549 494 242 (ask for the CSIRT-MU)

2.5 Facsimile Number

+420 549 492 747

2.6 Other Telecommunication

None.

2.7 Electronic Mail Address

Please send incident reports to csirt@muni.cz. Non-incident-related mail should be addressed to csirt-info@muni.cz.

2.8 Public Keys and Encryption Information

CSIRT-MU does not sign or encrypt outgoing messages. On the other hand, CSIRT-MU can decrypt messages and verify the digital signature of a message. For these purposes CSIRT-MU uses the following keys:

    pub 1024D/125ABB45 2010-12-31
    uid CSIRT-MU RT (Request Tracker)
    key fingerprint = 4523 36D2 4A0D BE6C A6C8 F762 019C D0AE 125A BB45
    sub 2048g/D817C22C 2010-12-31

Official communication (non-incident-related) by CSIRT-MU may be signed by this key:

    pub 1024D/8BF6B8EF 2010-12-30
    uid CSIRT-MU Info
    key fingerprint = 3C71 A9BA 6F55 87BC 9307 5D99 7CB4 1588 8BF6 B8EF
    sub 2048g/798FB6F5 2010-12-30

These keys can be found on most key-servers.

2.9 Team Members

The CERT team leader is Jan Vykopal.
Other team members, along with their areas of expertise and contact information, are listed at the CSIRT-MU web pages. Management, liaison and supervision are provided by Petr Pištěk, Assistant Director of Institute of Computer Science, Masaryk University.

2.10 Other Information

General information about the CSIRT-MU can be found at http://www.muni.cz/csirt.

2.11 Points of Customer Contact

The preferred method for contacting CSIRT-MU is via e-mail. For incident reports and related issues please use csirt@muni.cz. This will create a ticket in our tracking system and alert the human on duty. For general inquiries please send e-mail to csirt-info@muni.cz.

If it is not possible (or advisable due to security reasons) to use e-mail, you can reach us via telephone at +420 549 494 242 (ask for the CSIRT-MU).

The CSIRT-MU's hours of operation are generally restricted to 09:00-15:00 Monday to Friday except holidays.

3. Charter

3.1 Mission Statement

The purpose of CSIRT-MU is:

- to detect computer security incidents,
- to coordinate security efforts and to provide appropriate incident response,
- to disseminate basic IT knowledge among end users.

3.2 Constituency

The constituency are students and staff of Masaryk University, Brno, Czech Republic and the Masaryk University network:

- all IPv4 addresses within range 147.251.0.0/16,
- all IPv6 addresses within range 2001:718:801::/48,
- domain muni.cz.

3.3 Sponsorship and/or Affiliation

CSIRT-MU is part of Institute of Computer Science, Masaryk University.

3.4 Authority

The CSIRT-MU operates under the auspices of, and with authority delegated by, the Institute of Computer Science of Masaryk University.

The CSIRT-MU expects to work cooperatively with system administrators and users at Masaryk University.

4. Policies

4.1 Types of Incidents and Level of Support

CSIRT-MU is authorized to address all types of computer security incidents which occur, or threaten to occur, in our Constituency (see 3.2).
The level of support given by CSIRT-MU will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and CSIRT-MU's resources at the time. Special attention will be given to issues affecting critical infrastructure.

Note that no direct support will be given to end users; they are expected to contact their system and/or network administrator at their department for assistance. CSIRT-MU will support the latter people.

CSIRT-MU is committed to keeping its constituency informed of potential vulnerabilities, and where possible, will inform this community of such vulnerabilities before they are actively exploited.

4.2 Co-operation, Interaction and Disclosure of Information

CSIRT-MU will cooperate with other organisations in the field of computer security. This cooperation also includes and often requires the exchange of vital information regarding security incidents and vulnerabilities. Nevertheless CSIRT-MU will protect the privacy of their customers.

CSIRT-MU operates under the restrictions imposed by Czech law. This involves careful handling of personal data as required by Personal Data Protection Act, but it is also possible that - according to Czech law - CSIRT-MU may be forced to disclose information due to a Court's order.

4.3 Communication and Authentication

For normal communication not containing sensitive information CSIRT-MU will use conventional methods like unencrypted e-mail or fax. For secure communication PGP-encrypted e-mail or telephone will be used.

If it is necessary to authenticate a person before communicating, this can be done either through existing webs of trust (e.g. TI, FIRST) or by other methods like call-back, mail-back or even face-to-face meeting if necessary.

5. Services

5.1 Incident Response

CSIRT-MU will assist university administrators in handling the technical and organizational aspects of incidents.
In particular, it will provide assistance or advice with respect to the following aspects of incident management:

5.1.1. Incident Triage

- Determining whether an incident is authentic.
- Assessing and prioritizing the incident.

5.1.2. Incident Coordination

- Determine the involved organizations and/or parts of the university.
- Contact the involved parties to investigate the incident and take the appropriate steps.
- Facilitate contact with other parties which can help resolve the incident.
- Send reports to other CERTs if needed.

5.1.3. Incident Resolution

- Advise local security teams on appropriate actions.
- Follow up on the progress of the concerned local security teams.
- Ask for reports.
- Report back.

CSIRT-MU will also collect statistics about incidents within its constituency.

5.2 Proactive Activities

- Automatic and real-time intrusion detection.
- CSIRT-MU tries to raise security awareness in its constituency.
- Collect contact information of local administrators and teams.
- Publish announcements concerning serious security threats.
- Observe current trends in technology and distribute relevant knowledge to the constituency.
- Provide fora for community building and information exchange within the constituency.

6. Incident Reporting Forms

There are no official forms available yet. When reporting an incident, please follow these basic rules:

- A report must contain your contact and organizational information: name and organization name, e-mail, optionally telephone number.
- A report must contain an IP address and an incident type (spam, scanning, DOS etc.).
- A report about scanning must contain part of a log showing the problem.
- A report about spam or malware must contain a copy of the entire mail header of the e-mail that is considered to be spam or malware.
- A report about phishing or pharming must contain the URL.

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, CSIRT-MU assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.