DESCRIPTION OF PIONIER-CERT

1. About this document

This document is the official description of PIONIER-CERT, prepared according to (and significantly based upon) RFC 2350.

1.1 Date of Last Update

This is version 2.0.1, published on March 8th 2023.

1.2 Distribution List for Notification

None available at this moment.

1.3 Locations Where This Document May Be Found

The current version of this CSIRT description document is available from the PIONIER-CERT website; its URL is:
http://cert.pionier.gov.pl/en/about-us/
Please make sure you are using the latest version.

1.4 Authenticating this Document

The text versions of this document have been signed with PIONIER-CERT's GnuPG key. A detached PGP signature for this file is available from:
http://cert.pionier.gov.pl/en/about-us
SHA256 checksums for the PDF versions of this document are also available and can be downloaded from:
http://cert.pionier.gov.pl/en/about-us

2. Contact Information

2.1 Name of the Team

PIONIER-CERT is the Computer Security Incident Response Team of the Polish Scientific Broadband Network PIONIER (http://www.PIONIER.net.pl/).

2.2 Address

PIONIER-CERT
Poznan Supercomputing and Networking Center

Address for legal and financial documents:
ul. Z. Noskowskiego 12/14
61-704 Poznan

Address for correspondence:
ul. Jana Pawła II 10
61-139 Poznan
POLAND

2.3 Time Zone

UTC+0100 in winter and UTC+0200 in summer (DST); Central European Time.

2.4 Telephone Number

There is no telephone number available for reporting incidents at the moment.

2.5 Facsimile Number

+48 61 852 59 54, attended during business hours only (this is *not* a secure fax).

2.6 Other Telecommunication

None available at this moment.

2.7 Electronic Mail Address

This is a mail alias that relays mail to the team members and to the security officer on duty, who handles all incoming mail.

2.8 Public Keys and Other Encryption Information

PIONIER-CERT uses GnuPG for encrypting and signing all outgoing information.
In cases where such verification cannot easily be applied (for example the distribution of PDF files), an MD5 checksum for every file is provided. It has to be emphasized that if no verification method is applied to a published document, it should not be considered as originating from PIONIER-CERT. The use of appropriate cryptographic methods in every communication with the Team is strongly advised.

The current operational public key (GnuPG) can be downloaded from:
https://cert.pionier.gov.pl/en/pgp-keys/
Its fingerprint is:
65F6 5987 0A89 29CC 3AB0 080E E337 216D 0887 798C

2.9 Team Members

The core staff of the PIONIER-CERT Team consists of security engineers from the ICT Security Department of Poznan Supercomputing and Networking Center. There is also a delegated security officer, closely co-operating with the core team, in every Metropolitan Area Network operating as a part of PIONIER.

Top-level management and supervision is provided by:
- Norbert Meyer, Director of the Data Processing Technologies Division at Poznan Supercomputing and Networking Center,
- Gerard Frankowski, manager of the ICT Security Department.

Operational management and liaison is conducted by:
- Maciej Miłostan,
- Grzegorz Kowalski.

2.10 Other Information

General information about PIONIER-CERT can be found at:
http://cert.pionier.gov.pl/
The site is available in two versions: English (for general information purposes, with guidelines on the incident reporting process) and Polish (also containing some additional security information).

2.11 Points of Customer Contact

The preferred method for contacting PIONIER-CERT (including reporting security incidents) is sending an e-mail to the address given in section 2.7. An appropriate team member will handle all e-mails sent to this address. An incident can also be reported by fax (see section 2.5).

PIONIER-CERT's operating hours are generally restricted to regular business hours (08:00-18:00 Monday to Friday, except holidays).
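Sections 1.4 and 2.8 describe two checks a reader performs before trusting a downloaded copy of this document or of the Team's key: comparing a file against the published checksum list, and comparing the fingerprint of the downloaded GnuPG key against the fingerprint printed above. The following is an added example, not PIONIER-CERT's own tooling, that carries out both comparisons. File names and file contents are constructed for the example; the fingerprint is the one quoted in section 2.8. Checking the detached signature itself is left to `gpg --verify`, which this example does not run.

```python
"""Checksum-manifest and key-fingerprint checks for a downloaded document.

Added example (not PIONIER-CERT's own code). Implements the two manual
comparisons described in sections 1.4 and 2.8: a sha256sum-style manifest
against the downloaded files, and the fingerprint gpg reports for the
downloaded key against the fingerprint printed in the document.
"""
import hashlib
import hmac

# Fingerprint published in section 2.8 of this document.
PUBLISHED_FINGERPRINT = "65F6 5987 0A89 29CC 3AB0 080E E337 216D 0887 798C"


def normalize_fingerprint(fpr: str) -> str:
    """Upper-case hex with spaces/colons removed, so the forms printed by
    gpg, keyservers and paper documents compare equal."""
    return "".join(ch for ch in fpr.upper() if ch not in " :\t\n")


def fingerprint_matches(expected: str, actual: str) -> bool:
    """Constant-time comparison of two full 40-hex-digit (v4) fingerprints.
    A bare 16-digit key ID is rejected: key IDs are not a safe identifier."""
    exp, act = normalize_fingerprint(expected), normalize_fingerprint(actual)
    if len(exp) != 40 or len(act) != 40:
        return False
    return hmac.compare_digest(exp, act)


def parse_checksum_manifest(text: str) -> dict:
    """Parse sha256sum-style lines '<hex>  <filename>' (two spaces, or a
    space and '*' for binary mode). Returns {filename: lowercase hex}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or not all(c in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed checksum line: {raw!r}")
        entries[name] = digest.lower()
    return entries


def verify_files(manifest_text: str, files: dict) -> dict:
    """Check each file in `files` ({name: bytes}) against the manifest.
    Per-file result: 'OK', 'FAILED' (digest mismatch) or 'MISSING' (no
    manifest entry). A file absent from the manifest is not a pass."""
    manifest = parse_checksum_manifest(manifest_text)
    results = {}
    for name, data in files.items():
        if name not in manifest:
            results[name] = "MISSING"
            continue
        actual = hashlib.sha256(data).hexdigest()
        results[name] = "OK" if hmac.compare_digest(actual, manifest[name]) else "FAILED"
    return results


# --- constructed sample data (not real PIONIER-CERT files) -----------------
SAMPLE_PDF = b"%PDF-1.4\n% constructed sample document body\n"
TAMPERED_PDF = SAMPLE_PDF + b"% one extra line appended after download\n"
SAMPLE_MANIFEST = (
    "# SHA256 checksums (constructed example)\n"
    f"{hashlib.sha256(SAMPLE_PDF).hexdigest()}  rfc2350-pionier-cert.pdf\n"
)


def demo() -> dict:
    """Run the checks on the constructed data and return the outcomes."""
    intact = verify_files(SAMPLE_MANIFEST, {"rfc2350-pionier-cert.pdf": SAMPLE_PDF})
    tampered = verify_files(SAMPLE_MANIFEST, {"rfc2350-pionier-cert.pdf": TAMPERED_PDF})
    unlisted = verify_files(SAMPLE_MANIFEST, {"other.pdf": SAMPLE_PDF})
    return {
        "intact": intact["rfc2350-pionier-cert.pdf"],
        "tampered": tampered["rfc2350-pionier-cert.pdf"],
        "unlisted": unlisted["other.pdf"],
        # gpg prints the fingerprint as lowercase hex without spaces in
        # --with-colons output; it must still match the printed one.
        "fingerprint_ok": fingerprint_matches(
            PUBLISHED_FINGERPRINT, "65f659870a8929cc3ab0080ee337216d0887798c"
        ),
        # The long key ID alone (last 16 digits) is deliberately not enough.
        "keyid_rejected": not fingerprint_matches(PUBLISHED_FINGERPRINT, "E337216D0887798C"),
    }


if __name__ == "__main__":
    for item, status in demo().items():
        print(f"{item}: {status}")
```

The manifest parser accepts the format `sha256sum` writes, so a real checksum file downloaded from the Team's site can be passed to `verify_files` unchanged; the fingerprint check refuses anything shorter than a full fingerprint because a matching key ID alone does not identify a key.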
3. Charter

3.1 Mission Statement

The main goal of PIONIER-CERT is to provide a sufficient quality of response to all security incidents involving computers connected to PIONIER. This statement covers two cases: the first with a site connected to PIONIER as the victim of abuse, and the second with a site connected to PIONIER as the actual source of abuse. PIONIER-CERT is to be the authoritative representative of the PIONIER site in both cases.

Therefore PIONIER-CERT focuses especially on the following tasks:
- adequate technical support while handling security incidents and recovering from their consequences,
- comprehensive co-ordination of all responses to an incident, with special emphasis on exchanging information between the various interested parties,
- valuable educational materials aimed at increasing security awareness and improving the overall knowledge of security techniques among the members of the constituency.

3.2 Constituency

The declared constituency of PIONIER-CERT comprises all systems connected to PIONIER, i.e. the networks of most academic and scientific institutions in Poland.

3.3 Sponsorship and/or Affiliation

PIONIER-CERT is a part of Poznań Supercomputing and Networking Center (http://www.psnc.pl/), the operator of the PIONIER network.

3.4 Authority

PIONIER-CERT operates under the auspices of, and with authority delegated by, the management of PIONIER. PIONIER-CERT expects to work cooperatively with system administrators and members of PIONIER and, insofar as possible, to avoid an authoritarian relationship. However, should circumstances warrant it, PIONIER-CERT has the authority to undertake the countermeasures required for the appropriate handling of a reported security incident.

4. Policies

4.1 Type of Incidents and Level of Support

PIONIER-CERT is authorized to address all types of computer security incidents that occur, or threaten to occur, within its constituency (see section 3.2).
As defined in section 3.1, PIONIER-CERT's operations cover all kinds of security incidents involving systems in its constituency (i.e. when they are targets or actual sources of abusive activity).

The level of support provided by PIONIER-CERT will vary depending upon the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and the resources available at the time, though in all cases a response will be made within one working day. Resources will be assigned according to the following priorities, listed in decreasing order:
- root or system-level attacks on any Management Information System, or any part of the backbone network infrastructure,
- root or system-level attacks on any significant public service machine, either multi-user or dedicated-purpose,
- compromise of restricted confidential service accounts or software installations, compromise of data secrecy (in the case of confidential data) or integrity (also in the case of published information),
- denial of service or any other attempt to limit the availability of a service or information (especially massive distributed attacks),
- large-scale organized attacks of any kind, e.g. abusive information gathering, social engineering attacks, password cracking attacks,
- threats, harassment, and other criminal offenses involving individual user accounts (or any other aspect of their virtual identity),
- compromise of individual user accounts on multi-user or desktop systems,
- forgery and misrepresentation, and other security-related violations of local rules and regulations.

Types of incidents other than those mentioned above will be prioritized according to their apparent severity and extent.

Note that direct support will be given to end users only in special cases (connected with a major threat to the security level of the constituency).
However, in most cases, end users are expected to contact their security officer, system and network administrator, or department head for assistance. PIONIER-CERT will support the latter.

While PIONIER-CERT understands that there is great diversity in the level of system administrator expertise among the members of PIONIER, and while PIONIER-CERT will endeavor to present information and assistance at a level appropriate to each person, PIONIER-CERT cannot train system administrators on the fly, and it cannot perform system maintenance on their behalf. In most cases, PIONIER-CERT will provide pointers to the information needed to implement appropriate measures.

PIONIER-CERT is committed to keeping the system administration community of PIONIER informed of potential vulnerabilities and, where possible, will inform this community of such vulnerabilities before they are actively exploited.

4.2 Co-operation, Interaction and Disclosure of Information

There are legal and ethical restrictions on the flow of information from PIONIER-CERT, many of which may also be outlined in the policies of the specific member institutions of PIONIER, all of which will be respected. Therefore, while appropriate measures are taken to protect the identity of the members of our constituency and the members of other sites where necessary, PIONIER-CERT will otherwise share information freely when this assists others in resolving or preventing security incidents.

In the paragraphs below, "affected parties" refers to the legitimate owners, operators, and users of the relevant computing facilities. It does not refer to unauthorized users, including otherwise authorized users making unauthorized use of a facility; such intruders may have no expectation of confidentiality from PIONIER-CERT. They may or may not have legal rights to confidentiality; such rights will of course be respected where they exist.
Information being considered for release will be classified as follows:
- Private user information is information about particular users, or in some cases particular applications, which must be considered confidential for legal, contractual, and/or ethical reasons. Private user information will not be released in identifiable form outside PIONIER-CERT, except in the special cases provided for below. If the identity of the user is disguised, the information can be released freely (for example to show a sample .cshrc file as modified by an intruder, or to demonstrate a particular social engineering attack).
- Intruder information is similar to private user information, but concerns entities performing abusive activity. While intruder information, and in particular identifying information, is not released to the public (unless it becomes a matter of public record, for example because criminal charges have been laid), it will be exchanged freely with system administrators and CSIRTs tracking an incident (further referred to as "interested parties").
- Private site information is technical information about particular systems or sites. Private site information will not be released without the permission of the site in question, except in the special cases provided for below.
- Vulnerability information is technical information about vulnerabilities or attacks, including fixes and workarounds. Vulnerability information will be released freely, though every effort will be made to inform the relevant vendor before the general public is informed. Information about a specific vulnerability is released only once a working fix is available (provided by the vendor or any other party, including the CSIRT itself).
- Embarrassing information includes the statement that an incident has occurred, and information about its extent or severity.
  Embarrassing information may concern a site, a particular user or a group of users (including an organization). Embarrassing information will not be released without the permission of the site or users in question, except in the special cases provided for below.
- Statistical information is embarrassing information with the identifying information stripped off. Statistical information will be released only after adequate preprocessing, in the form of official periodic reports.
- Contact information explains how to reach system administrators and CSIRTs. Contact information will be released freely, except in special cases where the contact person or entity has requested that this not be the case, or where PIONIER-CERT has reason to believe that the dissemination of this information would not be appreciated.

Potential recipients of information from PIONIER-CERT will be classified as follows:
- Because of the nature of their responsibilities and the consequent expectations of confidentiality, the members of the PIONIER Consortium are entitled to receive whatever is necessary to facilitate the handling of computer security incidents which occur in their jurisdictions.
- System administrators of the organizations that are members of the constituency are also, by virtue of their responsibilities, trusted with confidential information. However, unless such people are also members (or trusted cooperators) of PIONIER-CERT, they will be given only that confidential information which they must have in order to assist with an investigation, or in order to secure their own systems.
- The members of the constituency (users of PIONIER) are entitled to the information which pertains to the security of their own computer accounts, even if this means revealing "intruder information" or "embarrassing information" about another user. Users within the constituency are entitled to be notified if their account is believed to have been compromised.
- The members of the constituency will receive no restricted information, unless the affected parties have given permission for the information to be disseminated. Statistical information may be made available to the general PIONIER community. There is no obligation on the part of PIONIER-CERT to report incidents to the community, though it may choose to do so. In particular, it is likely that PIONIER-CERT will inform all affected parties of the ways in which they were affected, or will encourage the affected site to do so.
- The public at large will receive no restricted information. In fact, no particular effort will be made to communicate with the public at large, though PIONIER-CERT recognizes that, for all intents and purposes, information made available to the PIONIER community is in effect made available to the community at large, and will tailor the information in consequence.
- The computer security community will be treated the same way the general public is treated. While members of PIONIER-CERT may participate in discussions within the computer security community, such as newsgroups, mailing lists, and conferences, they will treat such forums as though they were the public at large. While technical issues (including vulnerabilities) may be discussed to any level of detail, any examples taken from PIONIER-CERT experience will be disguised to avoid identifying the affected parties.
- The press will also be considered as part of the general public. PIONIER-CERT will not interact directly with the press concerning computer security incidents, except for pointing them toward information already released to the general public.
- Other sites and CSIRTs, when they are partners in the investigation of a computer security incident, will in some cases be trusted with confidential information.
  This will happen only if the foreign site's bona fides can be verified, and the information transmitted will be limited to that which is likely to be helpful in resolving the incident. Such information sharing is most likely to happen in the case of sites well known to PIONIER-CERT. For the purposes of resolving a security incident, otherwise semi-private but relatively harmless user information, such as the provenance of connections to user accounts, will not be considered highly sensitive, and can be transmitted to a foreign site without excessive precautions. "Intruder information" will be transmitted freely to other system administrators and CSIRTs. "Embarrassing information" can be transmitted when there is reasonable assurance that it will remain confidential, and when it is necessary to resolve an incident.
- Vendors will be considered as foreign CSIRTs for most intents and purposes. PIONIER-CERT wishes to encourage vendors of all kinds of networking and computer equipment, software, and services to improve the security of their products. In aid of this, a vulnerability discovered in such a product will be reported to its vendor, along with the most important technical details needed to identify and fix the problem. Identifying details will not be given to the vendor without the permission of the affected parties.
- Law enforcement officers will receive full cooperation from PIONIER-CERT, including any information they require to pursue an investigation, in special cases involving serious abuse or clear-cut criminal activity. In other cases, however, PIONIER-CERT may delay such cooperation until it becomes legally unavoidable, e.g. by court order. In such cases, all affected people or organizations will be notified.

4.3 Communication and Authentication

In view of the types of information that PIONIER-CERT will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted.
Unencrypted e-mail will not be considered secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP (GnuPG) will be used. Network file transfers will be considered similar to e-mail for these purposes: sensitive data should be encrypted for transmission.

Where it is necessary to establish trust, for example before relying on information given to PIONIER-CERT, or before disclosing confidential information, the identity and bona fides of the other party will be ascertained to a reasonable degree of trust. Within PIONIER, and with known neighbor sites, referrals from known trusted people will suffice to identify someone. Otherwise, appropriate methods will be used, such as a search of FIRST members or Trusted Introducer members, the use of WHOIS and other Internet registration information, etc., along with telephone call-back or e-mail mail-back to ensure that the party is not an impostor. Incoming e-mail whose data must be trusted will be checked with the originator personally, or by means of digital signatures (GnuPG and PGP in particular are supported). For the GnuPG keys of PIONIER-CERT see also section 2.8.

5. Services

5.1 Incident Response

PIONIER-CERT will assist system administrators in handling the technical and organisational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management:

5.1.1 Incident Triage

The main goals of incident triage are to investigate whether a reported security incident actually occurred, to determine its extent and severity (including the potential impact on the constituency), and to verify whether the given occurrence can be considered an incident according to the CSIRT's policies. At this point some preliminary preprocessing of the information, in the context of further incident management, is performed.
Each report is assigned a unique report number and each confirmed incident is assigned a unique incident number (as a single incident may be reported many times). An incident report, to be accepted by PIONIER-CERT, must contain all the necessary information as specified in section 6. Therefore, where possible, incidents should be reported by e-mail or fax using the provided report forms. According to the Team's policies, except in specific cases (such as a vulnerability report), no anonymous incident report will be accepted. An incident report should be considered accepted after a signed confirmation has been received.

5.1.2 Response Coordination

The main goal of PIONIER-CERT is to provide comprehensive co-ordination of all responses to a security incident, with particular emphasis on exchanging information between the various interested parties. Within this approach, several specific tasks can be distinguished:
- determining the initial cause of the incident (the exploited vulnerability),
- facilitating contact with other sites which may be involved,
- facilitating contact with appropriate security teams and/or law enforcement officials if necessary,
- making reports to other CSIRTs,
- composing announcements to users (members of the constituency), if applicable,
- collecting and announcing statistics concerning incidents.

It should be emphasised that all the tasks mentioned above apply to both cases introduced in section 3.1: systems in PIONIER-CERT's constituency as targets as well as sources of attacks or other abusive activity.

5.1.3 Incident Resolution

PIONIER-CERT performs incident resolution only to a very limited extent, in fact limited to special cases with a potentially significant impact on its constituency.
The actual range of activities in such cases may cover removing a vulnerability, restoring a system which has been compromised, or providing direct technical support while collecting evidence if criminal prosecution or other disciplinary actions are contemplated.

5.2 Proactive Activities

PIONIER-CERT coordinates and maintains the following services, to the extent possible depending on its resources:

- Information services:
  - The official website of PIONIER-CERT is intended to provide exhaustive information about the practical operation of CSIRTs, as well as the most important pointers to information from other sites that might be important (or interesting) from the security point of view. The Team's website is the main channel for the unrestricted distribution of information by PIONIER-CERT.
  - Mailing lists to inform security contacts of new information relevant to their computing environments. Separate lists will be provided for all members of the Team's constituency and for a limited group of administrators.
  - A repository of various security tools, documentation, research articles and patches for operating systems or their significant components. This repository will be available to the general public wherever license restrictions allow it, and will be accessible through common channels such as HTTP and/or FTP.

- Training services:
  - Members of PIONIER-CERT will give periodic seminars on computer security related topics; these seminars, depending on their actual form and content, will be open to the general public or to technical administrators delegated by members of the Team's constituency.
  - PIONIER-CERT will also attempt to provide valuable educational materials aimed at increasing security awareness and improving the overall knowledge of security techniques among the members of the constituency. These materials, in electronic form, will be distributed through the official website of the Team.
- Archiving services:
  - Records of handled security incidents will be kept. While the records remain confidential, periodic statistical reports will be made available to the constituency.

6. Incident Reporting Forms

There are no online forms to facilitate the incident reporting procedure at the moment; however, such a possibility may be expected in the future. There are general guidelines and incident report samples available, containing all the information that should be included in an incident report. These forms may be downloaded from the Team's website.

7. Disclaimer

While every precaution is taken in the preparation of information, notifications and alerts, PIONIER-CERT assumes no responsibility for errors, omissions or damages resulting from the use of the information contained within.