CSIRT Description for CERT Polska
=================================

1. About this document

1.1 Date of Last Update

This is version 1.06, published on 27 April 2010.

1.2 Distribution List for Notifications

Currently CERT Polska does not use any distribution lists to notify about changes in this document.

1.3 Locations where this Document May Be Found

The current version of this CSIRT description document is available from the CERT Polska WWW site; its URL is
http://www.cert.pl/txt/rfc2350.txt
Please make sure you are using the latest version.

1.4 Authenticating this document

This document has been signed with the CERT Polska PGP key. The signatures are also on our Web site, under:
http://www.cert.pl/o-nas

2. Contact Information

2.1 Name of the Team

"CERT Polska": Computer Emergency Response Team Polska

2.2 Address

CERT Polska
NASK
ul. Wawozowa 18
02-796 Warszawa
Poland

2.3 Time Zone

Central European Time (GMT+0100, GMT+0200 from April to October)

2.4 Telephone Number

+48 22 3808 274

2.5 Facsimile Number

+48 22 3808 399 (note: this is *not* a secure fax)

2.6 Other Telecommunication

None available.

2.7 Electronic Mail Address

This is a mail alias that serves the human(s) on duty for CERT Polska.

2.8 Public keys and Other Encryption Information

CERT Polska has a PGP key, whose KeyID is 0x553FEB09 and whose fingerprint is
D273 912B 6E00 49BA 3428 D485 07D7 5253
The key and its signatures can be found at the usual large public keyservers.

2.9 Team Members

Piotr Kijewski is the CERT Polska coordinator.
Other members of the team are:

Tomasz Bukowski
Katarzyna Gorzelak
Tomasz Grudziecki
Pawel Jacewicz
Przemyslaw Jaroszewski
Lukasz Juszczyk
Piotr Lewandowski
Miroslaw Maj
Tomasz Pilat
Rafal Tarlowski

2.10 Other Information

General information about CERT Polska, as well as links to various recommended security resources, can be found at
http://www.cert.pl/

2.11 Points of Customer Contact

The preferred method for contacting CERT Polska is via e-mail at ; e-mail sent to this address will be handled by the responsible human. We encourage our customers to use PGP encryption when sending any sensitive information to CERT Polska.

If it is not possible (or not advisable for security reasons) to use e-mail, CERT Polska can be reached by telephone during regular office hours. Outside these hours, incoming phone calls are directed to an answering machine. All messages recorded are checked ASAP.

CERT Polska hours of operation are generally restricted to regular business hours (08:00 - 17:00 CET Monday to Friday except holidays).

If possible, when submitting your report, use the form mentioned in section 6.

3. Charter

3.1 Mission Statement

The purpose of CERT Polska is to assist Polish internet users in implementing proactive measures to reduce the risks of computer security incidents and to assist them in responding to such incidents when they occur.

CERT Polska also handles incidents that originate in Polish networks and are reported by any Polish or foreign persons or institutions.

3.2 Constituency

The CERT Polska constituency is all hosts in the .pl domain as well as all addresses assigned to NASK and other Polish internet providers.

3.3 Sponsorship and/or Affiliation

CERT Polska is financially maintained by the Research and Academic Network in Poland (NASK), of which it is formally a part.

3.4 Authority

CERT Polska operates under the auspices of, and with authority delegated by, Research and Academic Network in Poland (NASK).
CERT Polska expects to work cooperatively with system administrators and customers of NASK. All members of CERT Polska are employees of NASK and thus have wide possibilities of interacting with NASK System Administrators.

CERT Polska does its best to closely cooperate with all large ISPs' abuse teams, establish direct contacts and exchange necessary data in order to prevent and recover from security incidents that affect their networks.

4. Policies

4.1 Types of Incidents and Level of Support

CERT Polska is authorized to address all types of computer security incidents which occur, or threaten to occur, in Polish networks.

The level of support given by CERT Polska will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and CERT Polska's resources at the time, though in all cases some response will be made within two working days.

Incidents will be prioritized according to their apparent severity and extent.

End users are expected to contact their systems administrator, network administrator, or department head for assistance. CERT Polska will give full support to the latter people. Only limited support can be given to end users.

4.2 Co-operation, Interaction and Disclosure of Information

CERT Polska exchanges all necessary information with other CSIRTs as well as with affected parties' administrators. No personal or overhead data are exchanged unless explicitly authorized.

All sensitive data (such as personal data, system configurations, known vulnerabilities with their locations) are encrypted if they must be transmitted over an unsecured environment, as stated below.

4.3 Communication and Authentication

In view of the types of information that CERT Polska deals with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data.
If it is necessary to send highly sensitive data by e-mail, PGP will be used. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be encrypted for transmission.

Where it is necessary to establish trust, for example before relying on information given to CERT Polska, or before disclosing confidential information, the identity and bona fide of the other party will be ascertained to a reasonable level of trust. Within NASK, and with known neighbor sites, referrals from known trusted people will suffice to identify someone. Otherwise, appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, etc., along with telephone call-back or e-mail mail-back to ensure that the party is not an impostor. Incoming e-mail whose data must be trusted will be checked with the originator personally, or by means of digital signatures (PGP in particular is supported).

5. Services

5.1 Incident Response

CERT Polska will assist system administrators in handling the technical and organizational aspects of the incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management:

5.1.1 Incident Triage

- Investigating whether indeed an incident occurred.
- Determining the extent of the incident.

5.1.2 Incident Coordination

- Determining the initial cause of the incident (vulnerability exploited).
- Facilitating contact with other sites which may be involved.
- Facilitating contact with appropriate law enforcement officials, if necessary.
- Making reports to other CSIRTs.
- Composing announcements to users, if applicable.

5.1.3 Incident Resolution

CERT Polska will give advice but no physical support whatsoever to customers from outside of the NASK internal network with respect to incident resolution.

- Removing the vulnerability.
- Securing the system from the effects of the incident.
- Collecting the evidence of the incident.

In addition, CERT Polska will collect statistics concerning incidents processed, and will notify the community as necessary to assist it in protecting against known attacks.

To make use of CERT Polska's services please refer to section 2.11 for points of contact. Please remember that the amount of assistance will vary as described in section 4.1.

5.2 Proactive Services

CERT Polska coordinates and maintains the following services to the extent possible depending on its resources:

- Information services such as: list of security contacts, repository of security-related patches for various operating systems
- Training and educational services

CERT Polska organizes the annual Secure conference, covering current important security issues, which is open to all interested parties.

Detailed information about obtaining these services is available from the CERT Polska website at:
http://www.cert.pl/

6. Incident Reporting Forms

CERT Polska has created a local form designated for reporting incidents to the team. We strongly encourage anyone reporting an incident to fill it out, although this is never required. The current version of the form is available from:
https://www.cert.pl/formularz/formularz.php
https://www.cert.pl/formularz/formularz.php?lang=EN

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, CERT Polska assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.