Versions Compared

...

Author/Source: Wim Biemolt
Distribution: World
Classification : Unclassified External
Subject : RFC 2350 formatted SURFcert Service Description
Index : R-16-01
Page : 1
Version : 45
Date: 0607-1110-20182021

1. About this document

1.1 Date of last update

This is version 45, published November 6October 7, 20182021.

1.2 Distribution List for Notifications

Notifications of updates are submitted to our mailing list. Site Security Contacts of SURFnet SURF customers are automatically added to this list. Subscription to this list is limited to Site Security Contacts of SURFnet SURF customers. Only SURFcert can post messages to this list.

...

The current version of this CSIRT description document is available from the SURFcert WWW wiki site; its URL is https://wwwwiki.surfsurfnet.nl/endisplay/surfcert/service-descriptionSURFcert/Dienstbeschrijving+SURFcert. Please make sure you are using the latest version.

...

2.1 Name of the team

"SURFcert": the SURFnet SURF Computer Emergency Response Team.

...

+31 887873000, business hours only (ask for SURFcert)
+31 622923564, emergencies only, attended at all times.

SURFcert's emergency phonenumber phone-number is only to be used in case of emergencies.

...

2.7 Electronic Mail Address

cert [at] surfnetsurfcert.nl; This is a mail alias that relays mail to all SURFcert kernel members. There is always one kernel member on duty. This kernel member handles all incoming mail.

2.8 Pubic keys and other encryption information

SURFcert uses PGP for encryption and signing. The PGP key can be found on the PGP-keyserver: https://keys.openpgp.org/search?q=cert@surfnetcert@surfcert.nl.

2.9 Team members

SURFcert consists of 10 members; 5 from SURFnet SURF and 5 for the connencted instititionsconnected institutions:

  • Wim Biemolt (SURFcert chair).
  • Paul Dekkers
  • Jaap van Ginkel (UvA)
  • Jeffeny Hoogervorst (UvT)
  • Koos van den Hout (UU)
  • Thijs Kinkhorst
  • Remon Klein Tank (WUR)
  • Melvin Koelewijn
  • Luuk Oostenbrink
  • Peter Peters (UT)
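
Review bot: section 2.8 identifies the team key only through a keyserver search on the e-mail address, and this revision changes that address, so correspondents have nothing in the document to check a fetched key against. State the key ID and full fingerprint in 2.8, and say whether the key published for the previous address remains valid. The 2.8 heading also still reads "Pubic keys" and should be "Public keys".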

...

General information about SURFcert can be found at httphttps://certsurf.surfnet.nl/surfcert.

2.11 Points of customer contact

...

3. Charter

SURFcert operates under an operational framework, Report R-92-01a charter. This report charter can be found at: R-­92-­01 Operational Framework SURF cert. Details on SURFcert operation can be found in this operational framework.
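
Review bot: the last sentence of section 3 still says "this operational framework" although the first two sentences now call the document a charter, and the link text keeps the title "Operational Framework". Use one term throughout, or state that the charter is the document previously issued as report R-92-01.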

...

The primary purpose of SURFcert is to provide a mechanism for institutions within the Netherlands, connected to SURFnetSURF, to deal with computer security problems and their prevention.

...

The SURFcert Constituency are those sites that are connected to SURFnetSURF.

3.3 Sponsorship and/or affiliation

SURFnet SURF bv will fund the work of SURFcert and will fund the technical provisions needed in order to gain and maintain maximum reachability.

...

SURFcert operates under the auspices of, and with authority delegated by, the directors of SURFnet SURF bv.

SURFcert expects to work cooperatively with system administrators, networkmanagers and users of SURFnet SURF connected institutions, and, insofar as possible, to avoid authoritarian relationships. However, should circumstances warrant it, SURFcert has the authority to take the measures it deems appropriate to properly handle a computer security related incident.

SURFnet SURF connected institutions who wish to appeal the actions of SURFcert should contact the SURFcert chair, Wim Biemolt.

If this recourse is not satisfactory, the matter may be referred to the SURFnet SURF director through your SURFnet SURF account manager.

4. Policies

...

While SURFcert understands that there exists great variation in the level of system administrator expertise at its constituency, and while SURFcert will endeavor to present information and assistance at a level appropriate to each person, SURFcert shall not train system administrators on the fly, and it cannot perform system maintenance on their behalf. In most cases, SURFcert will provide pointers to the information needed to implement appropriate measures.

SURFnetSURF, as the organisation under whose sole jurisdiction SURFcert is operating, offers the possibility to the constituency for consultancy projects on an ad-hoc basis. In security related matters, SURFcert may at its own discretion suggest to embark on a consultancy project, which will provide for more resources where necessary in order to do a full analysis and remedial of an observed security breach.

...

While there are legal and ethical restrictions on the flow of information from SURFcert, all of which may also be outlined in Policies policies at the organisations of its constituency, and all of which will be respected, SURFcert acknowledges its indebtedness to, and declares its intention to contribute to, the spirit of cooperation that created the Internet. Therefore, while appropriate measures will be taken to protect the identity of members of our constituency and members of neighbouring sites where necessary, SURFcert will otherwise share information freely when this will assist others in resolving or preventing security incidents.

...

  • Because of the nature of their responsibilities and consequent expectations of confidentiality, members of the constituency's management are entitled to receive whatever information is necessary to facilitate the handling of computer security incidents which occur in their jurisdictions.

  • System administrators at organisations that are members of the constituency are also, by virtue of their responsibilities, trusted with confidential information. However, unless such people are also members of SURFcert, they will be given only that confidential information which they must have in order to assist with an investigation, or in order to secure their own systems.

  • Users within the constituency are entitled to information which pertains to the security of their own computer accounts, even if this means revealing "intruder information", or "embarrassing information" about another user. For example, if account aaaa is cracked and the intruder attacks account bbbb, user bbbb is entitled to know that aaaa was cracked, and how the attack on the bbbb account was executed. User bbbb is also entitled, if they request it, to information about account aaaa which might enable bbbb to investigate the attack. For example, if bbbb was attacked by someone remotely connected to aaaa, bbbb should be told the provenance of the connections to aaaa, even though this information would ordinarily be considered private to aaaa. Users within the constituency are entitled to be notified if their account is believed to have been compromised.

  • The constituency community will receive no restricted information, except where the affected parties have given permission for the information to be disseminated. Statistical information may be made available to the general community. There is no obligation on the part of SURFcert to report incidents to the community, though it may choose to do so; in particular, it is likely that SURFcert will inform all affected parties of the ways in which they were affected, or will encourage the affected site to do so.

  • The public at large will receive no restricted information. In fact, no particular effort will be made to communicate with the public at large, though SURFcert recognizes that, for all intents and purposes, information made available to its constituency community is in effect made available to the community at large, and will tailor the information in consequence.

  • The computer security community will be treated the same way the general public is treated. While members of SURFcert may participate in discussions within the computer security community, such as newsgroups, mailing lists (including the full-disclosure list "bugtraq"), and conferences, they will treat such forums as though they were the public at large. While technical issues (including vulnerabilities) may be discussed to any level of detail, any examples taken from SURFcert experience will be disguised to avoid identifying the affected parties.

  • The press will also be considered as part of the general public. SURFcert will generally not interact directly with the Press concerning computer security incidents, except to point them toward information already released to the general public. However, SURFcert acknowledges the role of the Press as a vehicle to inform the broad public in general and its own constityency in particular. To properly accomodate this function, the SURFnet SURF Public Relations department acts as the focal point in Press contacts. The SURFnet SURF Public Relations department will call in SURFcert in case a SURFcert statement is needed. Only SURFcert can make statements on behalf of SURFcert. The Chief Information Officer and the Chair are responsible for making public statements on behalf of SURFcert. The above does not affect the ability of individual members of SURFcert to grant interviews on general computer security topics; in fact, they are encouraged to do so, as a public service to the community. Note that all SURFcert members are committed to absolute confidentiality pertaining specific incidents.

  • Other sites and CSIRTs, when they are partners in the investigation of a computer security incident, will in some cases be trusted with confidential information. This will happen only if the other site's bona fide can be verified, and the information transmitted will be limited to that which is likely to be helpful in resolving the incident. Such information sharing is most likely to happen in the case of sites well known to SURFcert (for example, several other European CSIRTs have informal but well-established working relationships with SURFcert in such matters).
    For the purposes of resolving a security incident, otherwise semi-private but relatively harmless user information such as the provenance of connections to user accounts will not be considered highly sensitive, and can be transmitted to a foreign site without excessive precautions. "Intruder information" will be transmitted freely to other system administrators and CSIRTs. "Embarrassing information" can be transmitted when there is reasonable assurance that it will remain confidential, and when it is necessary to resolve an incident.
    In its contact with other CSIRTs, SURFcert will see to it that the information which is made available to others, will be signed (so as to provide for non-repudiation), and, whenever deemed necessary, crypted. See also 4.3 for more details.

  • Vendors will be considered as foreign CSIRTs for most intents and purposes. SURFcert wishes to encourage vendors of all kinds of networking and computer equipment, software, and services to improve the security of their products. In aid of this, a vulnerability discovered in such a product will be reported to its vendor, along with all technical details needed to identify and fix the problem. Identifying details will not be given to the vendor without the permission of the affected parties.

  • Law enforcement officers will receive full cooperation from SURFcert, including any information they require to pursue an investigation, notwithstanding the earlier statements made about confidentiality.
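
Review bot: the press bullet carries over the misspellings "constityency" and "accomodate", and the bullet on other sites and CSIRTs says information will be "crypted" where "encrypted" is meant. Correct these in the same pass as the SURFnet to SURF renaming; "Press" is also capitalised inconsistently within the press bullet.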

...

SURFcert keys can be found on https://keys.openpgp.org/search?q=cert@surfnetcert@surfcert.nl.

5. Services

5.1 Incident response

...