Incident reporting
All security incidents involving systems belonging to the constituency of PIONIER-CERT (formerly POL34-CERT) should be reported by electronic mail or to the designated fax number. For e-mail, the use of appropriate cryptographic mechanisms is strongly recommended (see the authentication section). Because every incident report must be archived, other communication channels are not accepted except in special cases.
To report an incident to PIONIER-CERT by e-mail, send the message to cert@pionier.gov.pl (or directly to cert@man.poznan.pl).
To report an incident by fax, use the following number: +48 61 852 59 54 (business hours only).
Please note that this fax line is not secure.
Regardless of the communication channel used, an incident report should contain as much of the required information as possible. General guidelines on what to include, since it may be significant for the incident-handling process as a whole, are given in the following section. An incident report is considered received by PIONIER-CERT only once a confirmation has been sent, usually by e-mail (in special cases also by fax, if requested). The confirmation always contains a unique INCIDENT REPORT NUMBER, which should be quoted in all further communication with PIONIER-CERT. Later, once the incident has been accepted and its relations to other incidents have been determined, PIONIER-CERT will assign a unique INCIDENT CASE NUMBER referring to the accepted incident described by the report. From that point on, the case number should be used in all communication about that incident.
Reporting guidelines
A report of an incident should contain all information that might be useful for the incident-handling process. Since it may be hard to determine what information is important in a given case, this section gives a general overview of the required (or rather potentially significant) information. It should also be emphasized that all information provided to PIONIER-CERT (formerly POL34-CERT) is for internal use only, in the context of the specific incident. For a further discussion of privacy and information-disclosure policies, see the description of PIONIER-CERT (PDF).
The information that should be provided with an incident report can be divided into several categories. All of them are discussed below.
- Contact Information – this section refers to the person reporting the incident and to any other person delegated to liaise with PIONIER-CERT (if different). The following information is required:
  - Name of organization
  - Name of the person reporting the incident
  - Position in the organization
  - Contact e-mail address
  - Contact phone number
  - Contact fax number
- Attack Target Information – this section refers to all systems involved in the detected attacks; give a separate description for each. It should also include any information that might be significant, for example the network structure or resources shared between systems. The following information is required:
  - Hostname
  - IP address
  - Main function of the attacked host
  - Operating system: vendor, version, applied patches
  - Application: same details as above
- Incident Type Information – the following information is required/recommended:
  - All information on the conditions that caused the event to be considered a security incident
  - General description of the attack (with time references, including the time zone)
  - Attempted classification of the incident
  - Consequences determined so far
  - Current state (e.g. whether the offender still appears to be active in the system)
  - Available artifacts or logs (as attachments)
- Attack Source Information – the following information is recommended (where available):
  - Points of attack (networks or hosts)
  - IP addresses of involved hosts
  - Available traces
  - Non-technical methods used (e.g. social engineering)
- Additional Information – the following information is recommended:
  - Any other team or law-enforcement authority to which the incident has been reported (to facilitate cooperation and information exchange)
  - Final comments
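As an added illustration (not a PIONIER-CERT tool or reporting form), the following Python sketch collects the fields listed above, flags missing required and recommended ones, normalises the attack timeline to UTC so the team does not have to guess the reporter's time zone, and records a SHA-256 digest for each attached artifact so the archived copy can later be checked against what was sent. The field names, the required/recommended split and all sample data (organisation, addresses, timestamps, log line) are this example's assumptions.

```python
"""Draft and sanity-check an incident report along the lines of the guidelines above.
Added illustration only; field names and the required/recommended split are assumptions."""
import hashlib
from datetime import datetime, timedelta, timezone

# Field names follow the categories in the guidelines; which ones count as
# "required" versus "recommended" is this example's reading of the list.
REQUIRED = {
    "contact": ["organization", "name", "position", "email", "phone"],
    "target": ["hostname", "ip", "function", "os", "application"],
    "incident": ["description", "timeline", "classification", "consequences", "state"],
}
RECOMMENDED = {
    "contact": ["fax"],
    "incident": ["artifacts"],
    "source": ["attack_points", "ips", "traces", "social_engineering"],
    "additional": ["other_teams", "comments"],
}


def missing_fields(report):
    """Return (missing_required, missing_recommended) as 'section.field' names."""
    def gaps(spec):
        return [f"{sec}.{f}" for sec, fields in spec.items()
                for f in fields if not report.get(sec, {}).get(f)]
    return gaps(REQUIRED), gaps(RECOMMENDED)


def utc_timeline(events):
    """Render (aware datetime, description) pairs as ISO-8601 UTC lines.
    A naive timestamp is rejected: without an offset the team cannot correlate it."""
    out = []
    for when, what in events:
        if when.tzinfo is None:
            raise ValueError(f"timestamp without time zone: {when!r} ({what})")
        out.append(f"{when.astimezone(timezone.utc).isoformat()} {what}")
    return out


def artifact_digests(artifacts):
    """SHA-256 of each attached artifact (name -> bytes)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in artifacts.items()}


def render(report):
    """Plain-text report body in the order of the categories above."""
    lines = []
    for sec in ("contact", "target", "incident", "source", "additional"):
        fields = report.get(sec, {})
        if not fields:
            continue
        lines.append(f"[{sec}]")
        for key, value in fields.items():
            if key == "timeline":
                lines.extend(f"  {key}: {entry}" for entry in utc_timeline(value))
            elif key == "artifacts":
                for name, digest in artifact_digests(value).items():
                    lines.append(f"  artifact: {name} sha256={digest}")
            else:
                lines.append(f"  {key}: {value}")
    return "\n".join(lines)


# Constructed sample data (assumed reporter in UTC+2; RFC 5737 test addresses).
LOCAL_TZ = timezone(timedelta(hours=2))
SAMPLE_REPORT = {
    "contact": {"organization": "Example University", "name": "J. Kowalski",
                "position": "System administrator", "email": "admin@example.edu",
                "phone": "+48 00 000 00 00"},
    "target": {"hostname": "www.example.edu", "ip": "192.0.2.10",
               "function": "public web server",
               "os": "Debian 12, patched 2024-05-01",
               "application": "nginx 1.22 (distribution package)"},
    "incident": {
        "description": "web shell uploaded through the file-upload form",
        "timeline": [
            (datetime(2024, 5, 3, 14, 2, tzinfo=LOCAL_TZ), "first suspicious upload"),
            (datetime(2024, 5, 3, 14, 9, tzinfo=LOCAL_TZ), "outbound connection observed"),
        ],
        "classification": "intrusion / web application compromise",
        "consequences": "unknown; host isolated from the network",
        "state": "attacker activity stopped after isolation",
        "artifacts": {"access.log": b'192.0.2.55 - - [03/May/2024:14:02:11 +0200] "POST /upload HTTP/1.1" 200 17\n'},
    },
    "source": {"ips": "192.0.2.55"},
}

if __name__ == "__main__":
    required_gaps, recommended_gaps = missing_fields(SAMPLE_REPORT)
    print("missing required:", required_gaps)
    print("missing recommended:", recommended_gaps)
    print(render(SAMPLE_REPORT))
```

Running the script prints the gaps and then the report body; in the sample only recommended fields (the fax number, attack points, traces and so on) are missing, so the report is ready to send once the recommended items have been considered.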
Information disclosure
There are legal and ethical restrictions on the flow of information from PIONIER-CERT (formerly POL34-CERT), many of which may also be set out in the policies of individual PIONIER member institutions; all of these will be respected. Therefore, while appropriate measures are taken to protect the identity of members of our constituency and of other sites where necessary, PIONIER-CERT will otherwise share information freely when this helps others to resolve or prevent security incidents.
Detailed information on disclosure policies can be found in the extended description of PIONIER-CERT, which is available in the downloads section.