IRIS-CERT Service Description

According to RFC 2350


This page has been digitally signed using GNU PGP
1. Document Information
1.1 Date of Last Update
1.2 Distribution List for Notifications
1.3 Locations where this Document May Be Found
2. Contact Information
2.1 Name of the Team
2.2 Address
2.3 Time Zone
2.4 Telephone Number
2.5 Facsimile Number
2.6 Other Telecommunication
2.7 Electronic Mail Address
2.8 Public Keys and Encryption Information
2.9 Team Members
2.10 Other Information
2.11 Points of Customer Contact
3. Charter
3.1 Mission Statement
3.2 Constituency
3.3 Sponsorship and/or Affiliation
3.4 Authority
4. Policies
4.1 Types of Incidents and Level of Support
4.2 Co-operation, Interaction and Disclosure of Information
4.3 Communication and Authentication
5. Services
5.1 Incident Response
5.1.1 Incident Triage
5.1.2 Incident Coordination
5.1.3 Incident Resolution
5.2 Proactive Activities
6. Incident Reporting Forms
7. Disclaimers

1. Document Information

1.1 Date of Last Update

This is version 1.6, published in August 2009.

1.2 Distribution List for Notifications

Notifications of updates are submitted to our security coordination mailing list <IRIS-CERT@listserv.rediris.es>. Subscription to this mailing list is restricted to the security contact points of RedIRIS customers.

Subscription requests for this list should be sent to the LISTSERV list manager at <LISTSERV@LISTSERV.REDIRIS.ES>. The body of the message should consist of the following words: "subscribe iris-cert Name Surname". You can also subscribe via WWW at the following URI.

For more information on the purpose of this mailing list, please visit http://www.rediris.es/list/info/iris-cert.es.html.

Digital signatures will be used for update messages.

1.3 Locations where this Document May Be Found

The current version of this CSIRT description document is available from the IRIS-CERT WWW site; its URL is http://www.rediris.es/cert/servicios/iris-cert/rfc-2350.en.html.

Previous versions of this document are available here

Please make sure you are using the latest version.

2. Contact Information

2.1 Name of the Team

"IRIS-CERT": The RedIRIS Computer Emergency Response Team.

2.2 Address

IRIS-CERT
Dep. RedIRIS
Entidad Pública Empresarial Red.es
Edificio Bronce - 2a planta
Plaza Manuel Gómez Moreno, s/n
28020 Madrid
Spain

2.3 Time Zone

MET (UTC+0100) in winter and MET+0100 (UTC+0200) in summer (DST).
Daylight Saving Time according to the EU rules.

2.4 Telephone Number

+34 607 156313
Attended during business hours only.

2.5 Facsimile Number

+34-91-556-8864, attended during business hours only. (This is *not* a secure fax.)

2.6 Other Telecommunication

Mobile (attended during business hours only): +34 607 156313

2.7 Electronic Mail Address

<cert@rediris.es>; This is a mail alias that relays mail to the human(s) on duty for the IRIS-CERT.
There is at least one member of the team on duty during business hours.

2.8 Public Keys and Other Encryption Information

IRIS-CERT uses PGP for encryption and signing.
IRIS-CERT has a PGP key, whose KeyID is 0x88A17FF5 and whose fingerprint is
F7 5A A6 6F D6 25 42 5A 48 8C D9 0E B4 77 3D 75

For details about the IRIS-CERT members' PGP keys, please visit http://www.rediris.es/cert/servicios/iris-cert/keys.html or our PGP Public Key Server.

2.9 Team Members

Diego R. Lopez is the IRIS-CERT Chair.

All members of IRIS-CERT can be found in the IRIS-CERT WWW pages, at:
http://www.rediris.es/cert/servicios/iris-cert/keys.html
and:
http://www.rediris.es/rediris/equipo/

2.10 Other Information

General information about IRIS-CERT, as well as links to various security resources and services, can be found at
http://www.rediris.es/cert/

2.11 Points of Customer Contact

The preferred method for contacting IRIS-CERT is via e-mail at <cert@rediris.es>. E-mail sent to this address will be acted upon by the officer on duty. If you require urgent assistance, you can either put "urgent" in the subject line or contact the team by telephone as mentioned in Sections 2.4 and 2.6 of this document.

If it is not possible (or not advisable for security reasons) to use e-mail, IRIS-CERT can be reached by telephone or fax during regular office hours (please check Sections 2.4, 2.5 and 2.6).

IRIS-CERT's hours of operation are generally restricted to regular business hours (09:00-18:00 Monday to Thursday, 09:00-15:00 Friday). During summer time (16 June to 15 September) the hours are 08:00 to 15:00 Monday to Friday. This timetable applies except on national holidays and on holidays applicable in the city of Madrid.

If possible, when submitting your report, use the form mentioned in section 6.

3. Charter

3.1 Mission Statement

IRIS-CERT aims at the early detection of security incidents affecting centers affiliated with RedIRIS, as well as the coordination of incident handling with them. Proactive measures are in constant development, involving timely warning of potential problems, technical advice, training and related services.

3.2 Constituency

The IRIS-CERT offers full service (including specialized security planning and training) to all organizations connected by RedIRIS.
It offers limited service (incident handling and coordination with other IRTs as a last point of contact for emergency or high priority security matters) to the rest of the *.es domain.

3.3 Sponsorship and/or Affiliation

The IRIS-CERT is sponsored by RedIRIS (The Spanish Research and Academic Network). RedIRIS provides advanced communication services to the scientific community and national universities. It is funded by the Ministry of Science and Innovation and is included in the Ministry's map of Special Scientific and Technological Facilities. It is managed by the Public Corporate Entity Red.es, which reports to the Ministry of Industry, Tourism and Trade. RedIRIS is the main element for providing network infrastructure and services within the National Plan for Research, Development and Innovation, and assumes the responsibility of providing the required network services and current and future support to the infrastructure, according to the main objectives of the Plan.

IRIS-CERT has been affiliated with FIRST (http://www.first.org/), The Forum on Incident Response and Security Teams, since 1997. It also contributed to TERENA's pilot project EuroCERT (http://www.eurocert.org) from its start on 1st May 1997 until 25th March 1999, when it ended.

Currently, IRIS-CERT is contributing to the TERENA Task Force, TF-CSIRT (http://www.terena.nl/activities/tf-csirt/), to encourage and support cooperation between CSIRTs in Europe.

IRIS-CERT has been accredited in the TERENA Trusted Introducer Service since 23rd March 2001.

IRIS-CERT also maintains affiliations with various other CSIRTs around the world on an as-needed basis.

3.4 Authority

IRIS-CERT operates under the auspices of, and with authority delegated by, the director of RedIRIS.

The IRIS-CERT expects to work cooperatively with system administrators and users at RedIRIS connected institutions, and, insofar as possible, to avoid authoritarian relationships. However, and according to the RedIRIS AUP, should circumstances warrant it, IRIS-CERT has the authority to take the measures it deems appropriate to properly handle a computer security related incident.

RedIRIS connected institutions who wish to appeal the actions of IRIS-CERT should contact the IRIS-CERT chair. If this recourse is not satisfactory, the matter may be referred to the Director of RedIRIS.

4. Policies

4.1 Types of Incidents and Level of Support

IRIS-CERT is authorized to address all types of computer security incidents which occur, or threaten to occur, at its constituency (see 3.2). IRIS-CERT may act upon request of one of its constituents, or may act if a constituent is, or threatens to be, involved in a computer security incident.

The level of support given by IRIS-CERT will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and the available IRIS-CERT resources at the time, though in all cases some response will be made within one working day. Resources will be assigned according to the priorities listed in the following URL http://www.rediris.es/cert/servicios/iris-cert/prio.en.html.

Types of incidents other than those mentioned above will be prioritized according to their apparent severity and extent. These incidents will be assessed as to their relative severity at IRIS-CERT's discretion.

No direct support will be given to end-users, as they are expected to contact their system administrators.

While the IRIS-CERT understands that there exists great variation in the level of system administrator expertise at its constituency, and while the IRIS-CERT will endeavor to present information and assistance at a level appropriate to each person, the IRIS-CERT cannot train system administrators on the fly, and it cannot perform system maintenance on their behalf. In most cases, the IRIS-CERT will provide pointers to the information needed to implement appropriate measures.

IRIS-CERT is committed to keeping its constituency system administration community informed of potential vulnerabilities, and where possible, will inform this community of such vulnerabilities before they are actively exploited. To that end, IRIS-CERT will keep a record of a list of per-institution individual Site Security Contacts. These contacts are given by the institutional PER (Contact Point to RedIRIS) at the time of affiliation and are included in the RedIRIS Security coordination mailing list, IRIS-CERT.

4.2 Co-operation, Interaction and Disclosure of Information

IRIS-CERT, unless explicitly authorized, will keep any information specific to any site involved in a security incident confidential.

4.3 Communication and Authentication

In view of the types of information that IRIS-CERT will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP will be used. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be encrypted for transmission.

Where it is necessary to establish trust, for example before relying on information given to the IRIS-CERT, or before disclosing confidential information, the identity and bona fide of the other party will be ascertained to a reasonable degree of trust. Within the constituency, and with known neighbor sites, referrals from known trusted people will suffice to identify someone. Otherwise, appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, etc, along with telephone call-back or e-mail mail-back to ensure that the party is not an impostor. Incoming e-mail whose data must be trusted will be checked with the originator personally, or by means of digital signatures (PGP in particular is supported).

IRIS-CERT keys can be found in http://www.rediris.es/cert/servicios/iris-cert/keys.html.

5. Services

5.1 Incident Response

IRIS-CERT will assist system administrators in handling the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management:

5.1.1 Incident Triage

  • Investigating whether indeed an incident occurred.
  • Determining the extent of the incident.

5.1.2 Incident Coordination

  • Determining the initial cause of the incident (vulnerability exploited).
  • Facilitating contact with other sites which may be involved.
  • Facilitating contact with the affected constituent and/or appropriate law enforcement officials, if necessary.
  • Making reports to other CSIRTs.
  • Composing announcements to constituents, if applicable.

IRIS-CERT will collect statistics concerning incidents which occur within or involve its constituency community, and will make these available in the RedIRIS general meetings and coordination groups, as described in http://www.rediris.es/cert/tareas/foros/astiris.html.es.
IRIS-CERT also generates annual reports available here.

5.1.3 Incident Resolution

IRIS-CERT provides no incident resolution services.

5.2 Proactive Activities

IRIS-CERT coordinates and maintains the following services to the extent possible depending on its resources:
  • Information Services
    • Coordination mailing lists to inform the security contact points of new information relevant to their computing environments. These lists will be available only to the appropriate technical security contact point within the constituency.
    • Security mailing list in RedIRIS. More information in http://www.rediris.es/cert/tareas/servicios/listas/.
    • Repository of security tools and documentation for use of the community. These will be supplied to the general public via www or ftp.
    • Links to security related sites, mailing lists and newsgroups. These will be supplied to the general public via www or ftp.
  • Training services
    • The members of IRIS-CERT could give seminars on computer security related topics to its constituency on demand.
    • There will be two Security Coordination Groups per year: one during the Annual RedIRIS Conference and the other at the RedIRIS Working Groups Assembly. In these CGs IRIS-CERT informs its constituents about the work in progress, the security state of the art in the community and the incident handling status.
    • IRIS-CERT organizes an Annual Security Forum.
  • Archiving services
    • Records of handled security incidents will be kept. While this information will remain confidential, periodic statistical reports will be made available to the constituency in an anonymous way.
  • Technology watch
    • Observe current trends in technology and distribute relevant knowledge to the constituency.
  • Provision of intrusion detection services
    • The use of specialised tools or expertise to detect attacks and forward the alerts to the appropriate contact points in the community.

Detailed descriptions of the above services, along with instructions for joining mailing lists, downloading information, or participating in certain services, are available at the IRIS-CERT web site, as per section 2.10 above.

6. Incident Reporting Forms

If possible, use the following form when reporting a security incident:
http://www.rediris.es/cert/servicios/iris-cert/incidentes/formulario.txt (Spanish version)
http://www.rediris.es/cert/servicios/iris-cert/incidentes/formulario.en.txt (English version)

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, IRIS-CERT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.