CSIRT Description for AndalucíaCERT
-----------------------------------

1 About this document

This document contains a description of AndalucíaCERT according to RFC 2350. It provides basic information about the AndalucíaCERT team, its channels of communication, and its roles and responsibilities.

1.1 Date of Last Update

This is version 6, published in July 2018. Internal ID: CERT-CFG-001-06

1.2 Distribution List for Notifications

Notifications of updates are sent to our constituency through our mailing list:

consultas.cert [at] juntadeandalucia.es

and via the AndalucíaCERT website:

https://andaluciacert.juntadeandalucia.es

Subscription requests for these bulletins must be made by sending an email to:

consultas.cert [at] juntadeandalucia.es

This mailing list is moderated.

1.3 Locations where this Document May Be Found

The current version of this CSIRT (Computer Security Incident Response Team) description document is available on the AndalucíaCERT website:

https://andaluciacert.juntadeandalucia.es

or by asking for it by email at:

consultas.cert [at] juntadeandalucia.es

Please make sure you are using the latest version.

1.4 Authenticating this Document

This document has been signed with the AndalucíaCERT PGP key included in section 2.8.

2 Contact Information

2.1 Name of the Team

"AndalucíaCERT" (Centro de Seguridad TIC de Andalucía): ICT Security Center for Andalusia (Spain)

2.2 Address

AndalucíaCERT - Centro de Seguridad TIC de Andalucía
Sociedad Andaluza para el Desarrollo de la Sociedad de la Información, S.A.U.
Consejería de Empleo, Empresa y Comercio - Junta de Andalucía
Avda. De la Arboleda s/n
41940 – Tomares (Sevilla)
Spain

2.3 Time Zone

Central European Time - CET (GMT+01:00, and GMT+02:00 from April to October).

2.4 Telephone Number

+34 955 060 974

It is available 24x7x365.
2.5 Facsimile Number

+34 955 405 572

2.6 Other Telecommunication

None

2.7 Electronic Mail Address

Please report security incidents to:

atencion.cert [at] juntadeandalucia.es

For any other issue - e.g. general enquiries, other services, contacting CERT representatives, subscribing to CERT services, etc. - please use:

consultas.cert [at] juntadeandalucia.es

2.8 Public Keys and Other Encryption Information

AndalucíaCERT uses PGP for encryption and signing. The PGP keys are:

atencion.cert [at] juntadeandalucia.es
KeyID: 0xE407E049
Fingerprint: E360 19DA 334A 29EC 648E 3E2F 9D24 94F8 E407 E049

consultas.cert [at] juntadeandalucia.es
KeyID: 0x93DF1055
Fingerprint: 909D CF35 6135 936E B111 833C 4EF2 EBE1 93DF 1055

The PGP keys and their signatures can be found on the usual large public keyservers.

2.9 Team Members

No information is provided in public.

2.10 Other Information

General information about AndalucíaCERT, as well as links to various security resources and services, can be found on our website:

https://andaluciacert.juntadeandalucia.es

Please note that our website has a private zone that is only accessible from the intranet of Junta de Andalucía, so external users can also ask for information by sending an email to:

consultas.cert [at] juntadeandalucia.es

2.11 Points of Customer Contact

The preferred method for contacting AndalucíaCERT is via e-mail at all times, using the email addresses included in section 2.7. E-mails sent to these addresses will be acted upon by the officer on duty during business hours, and normally responded to before the next business day.

If it is not possible (or not advisable for security reasons) to use e-mail, or if you require urgent assistance, AndalucíaCERT can be reached by telephone (please refer to Sections 2.4, 2.5 and 2.6 for contact details).

If possible, when submitting your report, please use the template mentioned in Section 6.
2.12 Operating Hours

For urgent assistance on security incidents AndalucíaCERT provides a 24x7x365 service. Otherwise, the AndalucíaCERT hours of operation are generally restricted to business hours (8.00-20.00 Monday to Friday, except holidays).

3 Charter

3.1 Mission Statement

AndalucíaCERT aims at the early detection of security incidents affecting the organizations of the Regional Government of Andalusia, as well as the coordination of incident handling with them. Proactive measures are in constant development, involving timely warning of potential problems, technical advice, security education and related services.

3.2 Constituency

AndalucíaCERT provides incident response and security services to the organizations of the Regional Government of Andalusia. Please note that some of these services require prior subscription by the organization. Besides, some proactive and educational material will also be provided to other third parties, IT specialists and the general public.

3.3 Sponsorship and/or Affiliation

AndalucíaCERT is sponsored by Junta de Andalucía, the Regional Government of Andalusia.

3.4 Authority

AndalucíaCERT operates under the auspices of Junta de Andalucía, the Regional Government of Andalusia. AndalucíaCERT is not an authoritative body. AndalucíaCERT expects to work cooperatively with the organizations within the Regional Government of Andalusia. Each constituent is responsible for its own assets and information. However, according to the AndalucíaCERT general policies, should circumstances warrant it, AndalucíaCERT has the authority to take the measures it deems appropriate to properly handle a computer security related incident.

Enrolled organizations who wish to appeal the actions of AndalucíaCERT should contact the Technical Manager in the first instance. If this recourse is not satisfactory, the matter may be referred to the AndalucíaCERT Chair.
4 Policies

4.1 Types of Incidents and Level of Support

AndalucíaCERT is authorized to address all types of computer security incidents which occur, or threaten to occur, within its constituency. AndalucíaCERT may act upon request of one of its constituents, or may act if a constituent is, or threatens to be, involved in a computer security incident.

The level of support given by AndalucíaCERT will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and the availability of AndalucíaCERT resources at the time, though in all cases some response will be made within one working day. Resources will be assigned according to the priority criteria recommended in the CCN-CERT guide CCN-STIC-817 (Common Criteria for Security Incident Management within the Spanish Public Administration and eGovernment entities), available at https://www.ccn-cert.cni.es/guias/guias-series-ccn-stic.html. Special attention will be given to issues affecting critical infrastructure.

Types of incidents other than those included in guide CCN-STIC-817 will be prioritized according to their apparent severity and extent. These incidents will be assessed as to their relative severity at AndalucíaCERT's discretion.

Each organization within the Regional Government of Andalusia that subscribes to the AndalucíaCERT services will nominate at least one Liaison Officer (and a substitute), who will act as the representative between the organization and AndalucíaCERT. AndalucíaCERT will generally only support the Liaison Officer, who is expected to coordinate and work cooperatively with the IT administrators, security personnel and end-users within his/her organization. End-users can report security incidents directly to AndalucíaCERT, but no direct support will be given to them, as they are expected to contact their liaisons, system administrators, security personnel, or department head for assistance.
While AndalucíaCERT understands that there is a wide range in the expertise level of liaisons within its constituency, and while AndalucíaCERT will endeavour to present information and assistance at an appropriate level to each person, AndalucíaCERT cannot train liaisons or system administrators on the fly, and it cannot perform system maintenance on their behalf. Nevertheless, in most cases AndalucíaCERT will provide pointers to the information needed to implement appropriate measures.

AndalucíaCERT is committed to keeping its constituency informed of potential vulnerabilities and, where possible, will inform these communities of such vulnerabilities before they are actively exploited.

4.2 Co-operation, Interaction and Disclosure of Information

AndalucíaCERT will cooperate with other organizations and third parties - e.g. other national/international CSIRTs, vendors and manufacturers, security experts, the computer security community, etc. - in the field of computer security. A special collaborative relationship has been established with CCN-CERT, the CSIRT of the Spanish Governmental National Cryptology Center.

This cooperation with third parties will always be aimed at managing and/or preventing security incidents, and/or improving the capabilities, training and knowledge of AndalucíaCERT (or the security community). Obviously, it is important to note that this cooperation also includes and often requires the exchange of information regarding security incidents and vulnerabilities. Nevertheless, AndalucíaCERT will protect the privacy of its constituency, and therefore will pass on information in an anonymized way only. Unless explicitly authorized, the identity or vital information of victims of computer security incidents will not be divulged.
AndalucíaCERT operates under the restrictions imposed by the law of the Spanish Data Protection Authority, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. Therefore, it is also possible that AndalucíaCERT may be compelled to disclose information by a court order.

4.3 Communication and Authentication

In view of the types of information that AndalucíaCERT will likely be dealing with, telephone will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP will be used. Network file transfers will be considered similar to e-mail for these purposes: sensitive data should be encrypted for transmission.

Where it is necessary to establish trust, for example before relying on information given to AndalucíaCERT, or before disclosing confidential information, the identity of the other party will be ascertained to a reasonable degree of trust. Within the constituency, and with known neighbour sites, referrals from known trusted people will suffice to identify someone. Otherwise, appropriate methods will be used, such as call-back, mail-back or even a face-to-face meeting if necessary, to ensure that the party is not an impostor.
Incoming e-mail whose data must be trusted will be checked with the originator personally, or by means of digital signatures using PGP.

5 Services

5.1 Incident Response

AndalucíaCERT will assist its constituency in handling the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management:

5.1.1 Incident Triage

- Investigating whether indeed an incident occurred.
- Determining the extent of the incident.
- Determining the initial relevance and prioritization of the incident.
- Determining the affected Andalusian organization.

5.1.2 Incident Coordination

- Determining the initial cause of the incident (vulnerability exploited).
- Contacting the Liaison Officers of the involved Andalusian organizations.
- Facilitating contact with other sites which may be involved.
- Facilitating contact with appropriate security teams, and/or other third parties which can help mitigate and/or solve the incident.
- Making reports to other CSIRTs.
- Composing announcements to constituents and/or their end-users, if applicable.

5.1.3 Incident Resolution

- Technical assistance to resolve the incident. This may include analysis of compromised systems.
- Recommendations on eradication or elimination of the cause of a security incident (the vulnerability exploited) and its effects.
- Recommendations about restoring affected systems and services to their previous status.
- Forensics and post-mortem investigations.
- Recommendations on securing the system to prevent future incidents.

AndalucíaCERT will collect statistics concerning incidents which occur within or involve its constituency and will notify the community as necessary to assist it in protecting against known attacks.

5.2 Proactive Services

Proactive services provide means to reduce the number of actual incidents by giving proper and suitable information concerning potential incidents to the constituency.
AndalucíaCERT coordinates and maintains the services below to the extent possible depending on its resources. For further information regarding these services, along with instructions for subscribing and joining mailing lists, please send an email to AndalucíaCERT (see section 2.7), or visit the AndalucíaCERT website.

5.2.1 Monitoring of ICT Infrastructures for Security Alerts / Incidents

AndalucíaCERT will use specialized tools - e.g. a SIEM - or expertise to detect attacks in the ICT infrastructures of the constituents subscribed to the service, and forward the alerts / incidents to the Liaison Officer of the organization.

5.2.2 Vulnerability Analysis and Management

AndalucíaCERT will assist its constituency in reacting to the discovery of new vulnerabilities in its ICT infrastructures by any means: manually reported, via automatic scans, etc.

5.2.3 Security Warnings, Alerts and Announcements

AndalucíaCERT will provide its constituency, through the Liaison Officers' email and the AndalucíaCERT website, with information about ongoing attacks that might affect other constituents, security vulnerabilities, security alerts in the general sense, and short-term recommended actions to deal with the resulting problems.

5.2.4 Security Awareness

AndalucíaCERT will provide its constituency with periodic bulletins and news related to security best practices, tips & tricks, documentation and tools, links to security related sites, recommendations, etc. The information will be sent by email to the Liaison Officers, and will also be available on the AndalucíaCERT website.

5.2.5 Archiving Services and Statistics

Records of handled security incidents will be kept. While this information will remain confidential, periodic statistical reports will be made available to the constituency in an anonymous way.

6 Incident Reporting Forms

Use the following template and send it by email to the appropriate email address of AndalucíaCERT (see section 2.7).
This is the preferred way to report a computer security incident. Please provide as much detail as possible and attach any relevant file (log, email, image, etc.):

=================================================================
INCIDENT REPORT

- Type of incident detected (Phishing, Malware, DDoS, Unauthorized use/access...):
- Incident Details (Provide a short description of the incident):
- When was this incident detected? (Provide datetime and timezone):
- How was this incident detected? (Provide a short description, and if this incident is related to a previous one):
- Have you taken any action to contain, mitigate and/or resolve this incident? If so, what ones?:
- Have you reported this incident to other individuals or organizations?:

Complete the following information about the affected system and attacker host.

--- Affected System (Duplicate if needed) ---
Hostname:
Domain:
IP Address:
Port:
Operating System:
Primary purpose of the affected system (Workstation, Web/DNS/FTP/Application/Database server, Router, Firewall...):
Relevance/criticality of the affected system, if known (critical / very high / high / medium / low):
Level of security of the affected system, if known (system is/is not patched, ...):
--- End Affected System ---

--- Attacker Host (Duplicate if needed) ---
Hostname:
Domain:
IP Address:
Port:
Protocol:
--- End Attacker Host ---
=================================================================

7 Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, AndalucíaCERT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.
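A pre-triage check over a filled-in copy of the Section 6 template, added here as an example and not AndalucíaCERT tooling: it parses the form's "Label: value" lines and the repeated Affected System / Attacker Host blocks, then flags a detection time without a timezone, a malformed IP address, a missing incident type or an unknown criticality level. The acceptance rules, the ISO 8601 timestamp format and the sample report are this example's assumptions.

```python
"""Pre-triage checks for a filled-in AndalucíaCERT incident report (Section 6 template).
Added example, not AndalucíaCERT tooling: field labels follow the template; the acceptance
rules (timezone-aware ISO 8601 timestamp, valid IPs, known criticality) are assumptions."""
import ipaddress
import re
from datetime import datetime

RELEVANCE = {"critical", "very high", "high", "medium", "low"}
BLOCK_RE = re.compile(r"--- (Affected System|Attacker Host)[^\n]*---\n(.*?)--- End \1 ---", re.S)

def parse_fields(text):
    fields = {}
    for line in text.splitlines():
        # Drop the "- " bullet, split on the first ":", key by label text before any "(hint)" or "?"
        label, sep, value = line.strip().lstrip("- ").partition(":")
        if sep:
            fields[re.split(r"[(?]", label)[0].strip().lower()] = value.strip()
    return fields

def validate_report(report):
    """Return a list of problems; an empty list means the report can be triaged as-is."""
    problems = []
    header = parse_fields(report.split("\n--- ", 1)[0])  # free-text part before the first block
    if not header.get("type of incident detected"):
        problems.append("missing incident type")
    when = header.get("when was this incident detected", "")
    try:
        if datetime.fromisoformat(when).tzinfo is None:
            problems.append("detection time has no timezone")
    except ValueError:
        problems.append(f"detection time is not ISO 8601: {when!r}")
    blocks = BLOCK_RE.findall(report)  # [(kind, body), ...] for every system block
    if not any(kind == "Affected System" for kind, _ in blocks):
        problems.append("no affected system block")
    for kind, body in blocks:
        fields = parse_fields(body)
        ip = fields.get("ip address", "")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{kind}: invalid IP address {ip!r}")
        level = fields.get("relevance/criticality of the affected system, if known", "")
        if kind == "Affected System" and level and level.lower() not in RELEVANCE:
            problems.append(f"unknown criticality level {level!r}")
    return problems

# Constructed sample (RFC 5737 addresses): no timezone and a malformed attacker IP, both flagged.
SAMPLE_REPORT = """\
- Type of incident detected (Phishing, Malware, DDoS, Unauthorized use/access...): Phishing
- When was this incident detected? (Provide datetime and timezone): 2018-07-02 09:15:00
--- Affected System (Duplicate if needed) ---
IP Address: 192.0.2.10
Relevance/criticality of the affected system, if known (critical / very high / high / medium / low): high
--- End Affected System ---
--- Attacker Host (Duplicate if needed) ---
IP Address: 203.0.113.999
--- End Attacker Host ---
"""
```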