Difference between revisions of "EGI CSIRT:Main Page"

From EGIWiki
(RFC-2350 DRAFT)
(RFC-2350 DRAFT)
Line 58: Line 58:
  
 
1. Document Information
 
1. Document Information
 +
  
 
1.1. Date of Last Update  
 
1.1. Date of Last Update  
 
This is version 0.9 of 18. Oct. 2012.
 
This is version 0.9 of 18. Oct. 2012.
 +
  
 
1.2. Distribution List for Notifications  
 
1.2. Distribution List for Notifications  
Line 69: Line 71:
  
 
Any questions about updates please address to the EGI-CSIRTe-mail address.
 
Any questions about updates please address to the EGI-CSIRTe-mail address.
 +
  
 
1.3. Locations where this Document May Be Found  
 
1.3. Locations where this Document May Be Found  
Line 75: Line 78:
  
 
2. Contact Information  
 
2. Contact Information  
 +
  
 
2.1. Name of the Team
 
2.1. Name of the Team
Line 80: Line 84:
 
Short name: EGI-CSIRT
 
Short name: EGI-CSIRT
 
EGI-CSIRT is the CERT or CSIRT team for EGI (http://www.egi.eu/about/EGI.eu/)  A research-or-educational / non-commercial-organisation  in The Netherlands.
 
EGI-CSIRT is the CERT or CSIRT team for EGI (http://www.egi.eu/about/EGI.eu/)  A research-or-educational / non-commercial-organisation  in The Netherlands.
 +
  
 
2.2. Address  
 
2.2. Address  
Line 90: Line 95:
 
2.3. Time Zone  
 
2.3. Time Zone  
 
GMT+1 (GMT+2 with DST or Summer Time, which starts on the last Sunday in March and ends on the last Sunday in October)
 
GMT+1 (GMT+2 with DST or Summer Time, which starts on the last Sunday in March and ends on the last Sunday in October)
 +
  
 
2.4. Telephone Number
 
2.4. Telephone Number
 
Regular telephone number:  +31 (0)20 89 32 007 (EGI.eu secretary telephone number)   
 
Regular telephone number:  +31 (0)20 89 32 007 (EGI.eu secretary telephone number)   
 
Emergency telephone number +31 (0) 6 3037 2845 (EGI.eu Director)  
 
Emergency telephone number +31 (0) 6 3037 2845 (EGI.eu Director)  
 +
  
 
2.5. Facsimile Number  
 
2.5. Facsimile Number  
 
No-Fax-Number   
 
No-Fax-Number   
 +
  
 
2.6. Other Telecommunication  
 
2.6. Other Telecommunication  
 
  email: contact@egi.eu
 
  email: contact@egi.eu
 +
  
 
2.7. Electronic Mail Address  
 
2.7. Electronic Mail Address  
 
abuse@egi.eu
 
abuse@egi.eu
 
This address can be used to report all security incidents to which relate to the EGI-CSIRT constituency, including copyright issues, spam and abuse.
 
This address can be used to report all security incidents to which relate to the EGI-CSIRT constituency, including copyright issues, spam and abuse.
 +
  
 
2.8. Public Keys and Encryption Information  
 
2.8. Public Keys and Encryption Information  
Line 117: Line 127:
 
2.9. Team Members  
 
2.9. Team Members  
 
No information is provided about the EGI-CSIRT team members in public.  
 
No information is provided about the EGI-CSIRT team members in public.  
 +
  
 
2.10. Other Information  
 
2.10. Other Information  
See the EGI-CSIRT webpages  
+
See the EGI-CSIRT webpages  
 
https://wiki.egi.eu/wiki/EGI_CSIRT:Main_Page
 
https://wiki.egi.eu/wiki/EGI_CSIRT:Main_Page
 +
 +
 
2.11. Points of Customer Contact  
 
2.11. Points of Customer Contact  
 
Regular cases: use EGI-CSIRTe-mail address.  
 
Regular cases: use EGI-CSIRTe-mail address.  
 
Regular response hours: Monday-Friday, 09:00-17:00 (except public holidays (Christmas, New Years eve, Eastern).
 
Regular response hours: Monday-Friday, 09:00-17:00 (except public holidays (Christmas, New Years eve, Eastern).
 
EMERGENCY cases: send e-mail with EMERGENCY in the subject line.  
 
EMERGENCY cases: send e-mail with EMERGENCY in the subject line.  
 +
 +
 
3. Charter  
 
3. Charter  
 +
  
 
3.1. Mission Statement
 
3.1. Mission Statement
 
The mission of EGI-CSIRTis to co-ordinate the resolution of IT security incidents related to their constituency (see 3.2), and to help prevent such incidents from occurring.
 
The mission of EGI-CSIRTis to co-ordinate the resolution of IT security incidents related to their constituency (see 3.2), and to help prevent such incidents from occurring.
 +
  
 
3.2. Constituency  
 
3.2. Constituency  
 
The constituency for EGI-CSIRTis EGI.eu (http://www.egi.eu/about/EGI.eu/) A research-or-educational /not-for-profit foundation established under Dutch law in The Netherlands.
 
The constituency for EGI-CSIRTis EGI.eu (http://www.egi.eu/about/EGI.eu/) A research-or-educational /not-for-profit foundation established under Dutch law in The Netherlands.
 
This constituency consists of:
 
This constituency consists of:
An overview of the 50+ above mentioned integrated RPs/ participating countries is in:  http://www.egi.eu/community/resource-providers/
+
An overview of the 50+ above mentioned integrated RPs/ participating countries is in:  http://www.egi.eu/community/resource-providers/
 +
 
  
 
3.3. Sponsorship and/or Affiliation  
 
3.3. Sponsorship and/or Affiliation  
 
EGI-CSIRTis part of Egi.eu, is a not-for-profit foundation established under Dutch law to coordinate and manage the European Grid Infrastructure (EGI) federation on behalf of its participants: National Grid Initiatives (NGIs) and European International Research Organisations (EIROS). .
 
EGI-CSIRTis part of Egi.eu, is a not-for-profit foundation established under Dutch law to coordinate and manage the European Grid Infrastructure (EGI) federation on behalf of its participants: National Grid Initiatives (NGIs) and European International Research Organisations (EIROS). .
 +
  
 
3.4. Authority  
 
3.4. Authority  
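Review bot: in 3.2 the sentence "This constituency consists of:" is followed directly by "An overview of the 50+ above mentioned integrated RPs/ participating countries is in: ...", so the list it announces is missing and "above mentioned" refers to nothing on the page. This revision only changes spacing around that line; either add the list of constituents or reword the sentence so it does not promise one. In 2.11 of the same hunk, the parenthesis opened in "(except public holidays (Christmas, New Years eve, Eastern)." is never closed.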
Line 143: Line 162:
  
 
4. Policies
 
4. Policies
 +
  
 
4.1. Types of Incidents and Level of Support  
 
4.1. Types of Incidents and Level of Support  
 
All incidents are considered normal priority unless they are labeled EMERGENCY. EGI-CSIRT itself is the authority that can set and reset the EMERGENCY label. An incident can be reported to EGI-CSIRT as EMERGENCY, but it is up to EGI-CSIRT to decide whether or not to uphold that status.
 
All incidents are considered normal priority unless they are labeled EMERGENCY. EGI-CSIRT itself is the authority that can set and reset the EMERGENCY label. An incident can be reported to EGI-CSIRT as EMERGENCY, but it is up to EGI-CSIRT to decide whether or not to uphold that status.
 +
  
 
4.2. Co-operation, Interaction and Disclosure of Information  
 
4.2. Co-operation, Interaction and Disclosure of Information  
 +
 
ALL incoming information is handled confidentially by EGI-CSIRT, regardless of its priority.
 
ALL incoming information is handled confidentially by EGI-CSIRT, regardless of its priority.
  
Line 159: Line 181:
  
 
EGI-CSIRT  \does not report incidents to law enforcement, unless national law requires so. Likewise, EGI-CSIRT only cooperates with law enforcement EITHER in the course of an official investigation – meaning that a court order is present – OR in the case where a constituent requests that EGI-CSIRTcooperates in an investigation. When a court order is absent, EGI-CSIRT will only provide information on a need-to-know base.
 
EGI-CSIRT  \does not report incidents to law enforcement, unless national law requires so. Likewise, EGI-CSIRT only cooperates with law enforcement EITHER in the course of an official investigation – meaning that a court order is present – OR in the case where a constituent requests that EGI-CSIRTcooperates in an investigation. When a court order is absent, EGI-CSIRT will only provide information on a need-to-know base.
 +
  
 
4.3. Communication and Authentication  
 
4.3. Communication and Authentication  
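Review bot: the 4.2 context line still reads "EGI-CSIRT  \does not report incidents to law enforcement" with a stray backslash, and "EGI-CSIRTcooperates" is missing a space. This revision adds only a blank line after that paragraph, so both defects survive into the new version; fix them in the same edit.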
Line 167: Line 190:
  
 
5. Services
 
5. Services
 +
  
 
5.1. Incident Response (Triage, Coordination and Resolution)
 
5.1. Incident Response (Triage, Coordination and Resolution)
 
EGI-CSIRT is responsible for the coordination of security incidents somehow involving their constituency (as defined in 3.2). EGI-CSIRT therefore handles both the triage and coordination aspects. Incident resolution is left to the responsible administrators within the constituency – however EGI-CSIRT will offer support and advice on request.
 
EGI-CSIRT is responsible for the coordination of security incidents somehow involving their constituency (as defined in 3.2). EGI-CSIRT therefore handles both the triage and coordination aspects. Incident resolution is left to the responsible administrators within the constituency – however EGI-CSIRT will offer support and advice on request.
 +
  
 
5.2. Proactive Activities  
 
5.2. Proactive Activities  
Line 179: Line 204:
 
6. Incident reporting Forms
 
6. Incident reporting Forms
 
https://wiki.egi.eu/wiki/EGI_CSIRT:Incident_reporting
 
https://wiki.egi.eu/wiki/EGI_CSIRT:Incident_reporting
 +
  
 
7. Disclaimers
 
7. Disclaimers
 
THIS IS THE DRAFT VERSION OF EGI-CSIRTs rfc-2350
 
THIS IS THE DRAFT VERSION OF EGI-CSIRTs rfc-2350

Revision as of 14:44, 18 October 2012



EGI CSIRT Mission

The EGI CSIRT covers all aspects of operational security aimed at achieving a secure infrastructure within EGI and relies on site and NGI security contact information maintained in the GOCDB by each NGI. The EGI CSIRT ensures both the coordination with peer grids and with the NGIs and NREN CSIRTs. The EGI CSIRT acts as a forum to combine efforts and resources from the NGIs in different areas, including Grid security monitoring, Security training and dissemination, and improvements in responses to incidents (e.g. security drills). Each NGI will appoint an NGI Security Officer in order to provide the NGI CSIRT function. The resulting group of NGI Security Officers collaborate as part of the EGI CSIRT.

The EGI CSIRT is led and coordinated by the EGI Security Officer, whose role and mission are defined by security policies approved by EGI and the NGIs.

EGI CSIRT Term of Reference (ToR)

How To Report a Security Incident

This is the official and approved EGI-CSIRT procedure to be followed in case of a security incident.

EGI CSIRT Operation Policies and Procedures

Other operational Procedures approved by the OMB and PMB of interest for sites and users.

ALL EGI sites are required to follow these procedures in order to report and handle Grid-related security incidents. We strongly encourage all the security contacts and system administrators to have a printed copy of all of them.

EGI CSIRT Security Alerts

Security alerts and/or security advisories will be sent to all EGI site security contacts or NGI security officers by EGI CSIRT using either an EGI broadcasting tool or a pre-established mailing list. They will also be listed on this page. They may cover a wide range of software, including but not limited to the EGI middleware.

EGI CSIRT Groups and Activities

The EGI CSIRT security team is organized in the following groups.

Incident Response Task Force (IRTF)
Handle day to day operational security issues and coordinate Computer-Security-Incident-Response across the EGI infrastructure.
Security Drills Group (SDG)
The objectives of the Security-Drills are twofold. One aspect is to get an overview of the incident response capabilities of the sites participating in EGI and improve the collaboration among the distributed teams. The second is to improve the Security-Incident-Handling capabilities of the EGI-CSIRT itself. Here we continuously have to revisit our procedures and check whether our tracing of the security activities is sufficiently monitored and recorded.
Security Monitoring Group (SMG)
Develop, deploy and maintain security monitoring tools.
Training and Dissemination Group (TDG)
Raise security awareness and improve security for system administrators by providing security training and best practice.

EGI CSIRT Members

You can find contact information of the team members here

RFC-2350 DRAFT

Please note: this is currently the draft version of EGI-CSIRT's RFC-2350.

EGI-CSIRT profile, established according to RFC-2350.


1. Document Information


1.1. Date of Last Update

This is version 0.9 of 18. Oct. 2012.


1.2. Distribution List for Notifications

This profile is kept up-to-date on the location specified in 1.3. E-mail notifications of updates are sent to:

• All EGI-CSIRT members
• All EGI-CSIRT constituents

Please address any questions about updates to the EGI-CSIRT e-mail address.


1.3. Locations where this Document May Be Found

The current version of this profile is always available on https://wiki.egi.eu/wiki/EGI_CSIRT:Main_Page#RFC-2350_DRAFT.


2. Contact Information


2.1. Name of the Team

Full name: EGI-CSIRT
Short name: EGI-CSIRT

EGI-CSIRT is the CERT or CSIRT team for EGI (http://www.egi.eu/about/EGI.eu/), a research-or-educational / non-commercial organisation in The Netherlands.


2.2. Address

EGI.eu
Science Park 140
1098 XG Amsterdam, NL
The Netherlands


2.3. Time Zone

GMT+1 (GMT+2 with DST or Summer Time, which starts on the last Sunday in March and ends on the last Sunday in October)


2.4. Telephone Number

Regular telephone number: +31 (0)20 89 32 007 (EGI.eu secretary telephone number)
Emergency telephone number: +31 (0) 6 3037 2845 (EGI.eu Director)


2.5. Facsimile Number

No-Fax-Number


2.6. Other Telecommunication

email: contact@egi.eu


2.7. Electronic Mail Address

abuse@egi.eu

This address can be used to report all security incidents which relate to the EGI-CSIRT constituency, including copyright issues, spam and abuse.


2.8. Public Keys and Encryption Information

PGP/GnuPG is supported for secure communication. The current EGI-CSIRT team-key can be found on https://wiki.egi.eu/wiki/EGI_CSIRT:PGP and is also present on the public keyservers. Please use this key when you want/need to encrypt messages that you send to EGI-CSIRT. When due, EGI-CSIRT will sign messages using the same key.

When due, sign your messages using your own key please - it helps when that key is verifiable using the public keyservers.


2.9. Team Members

No information is provided about the EGI-CSIRT team members in public.


2.10. Other Information

See the EGI-CSIRT webpages: https://wiki.egi.eu/wiki/EGI_CSIRT:Main_Page


2.11. Points of Customer Contact

Regular cases: use the EGI-CSIRT e-mail address.
Regular response hours: Monday-Friday, 09:00-17:00 (except public holidays: Christmas, New Year's Eve, Easter).
EMERGENCY cases: send e-mail with EMERGENCY in the subject line.


3. Charter


3.1. Mission Statement

The mission of EGI-CSIRT is to co-ordinate the resolution of IT security incidents related to their constituency (see 3.2), and to help prevent such incidents from occurring.


3.2. Constituency

The constituency for EGI-CSIRT is EGI.eu (http://www.egi.eu/about/EGI.eu/), a research-or-educational / not-for-profit foundation established under Dutch law in The Netherlands.

This constituency consists of:

An overview of the 50+ above mentioned integrated RPs / participating countries is in: http://www.egi.eu/community/resource-providers/


3.3. Sponsorship and/or Affiliation

EGI-CSIRT is part of EGI.eu, a not-for-profit foundation established under Dutch law to coordinate and manage the European Grid Infrastructure (EGI) federation on behalf of its participants: National Grid Initiatives (NGIs) and European International Research Organisations (EIROS).


3.4. Authority

The team coordinates security incidents on behalf of their constituency and has the authority to remove Resource Centers from its infrastructure (EGI). The team is however expected to make operational recommendations in the course of their work. Such recommendations can include but are not limited to removing Resource Centers from its infrastructure (EGI). The implementation of such recommendations is not a responsibility of the team, but solely of those to whom the recommendations were made.


4. Policies


4.1. Types of Incidents and Level of Support

All incidents are considered normal priority unless they are labeled EMERGENCY. EGI-CSIRT itself is the authority that can set and reset the EMERGENCY label. An incident can be reported to EGI-CSIRT as EMERGENCY, but it is up to EGI-CSIRT to decide whether or not to uphold that status.


4.2. Co-operation, Interaction and Disclosure of Information

ALL incoming information is handled confidentially by EGI-CSIRT, regardless of its priority.

Information that is evidently sensitive in nature is only communicated and stored in a secure environment, if necessary using encryption technologies. When reporting an incident of sensitive nature, please state so explicitly, e.g. by using the label SENSITIVE in the subject field of e-mail, and if possible using encryption as well.

EGI-CSIRT supports the Information Sharing Traffic Light Protocol (ISTLP, see https://www.trusted-introducer.org/links/ISTLP-v1.1-approved.pdf): information that comes in with the tags WHITE, GREEN, AMBER or RED will be handled appropriately.

EGI-CSIRT will use the information you provide to help solve security incidents, as all CERTs do. This means that by default the information will be distributed further to the appropriate parties – but only on a need-to-know basis, and preferably in an anonymised fashion.

If you object to this default behavior of EGI-CSIRT, please make explicit what EGI-CSIRT can do with the information you provide. EGI-CSIRT will adhere to your policy, but will also point out to you if that means that EGI-CSIRT cannot act on the information provided.

EGI-CSIRT does not report incidents to law enforcement, unless national law requires so. Likewise, EGI-CSIRT only cooperates with law enforcement EITHER in the course of an official investigation – meaning that a court order is present – OR in the case where a constituent requests that EGI-CSIRT cooperates in an investigation. When a court order is absent, EGI-CSIRT will only provide information on a need-to-know basis.


4.3. Communication and Authentication

See 2.8 above. Usage of PGP/GnuPG in all cases where highly sensitive information is involved is highly recommended.

In cases where there is doubt about the authenticity of information or its source, EGI-CSIRT reserves the right to authenticate this by any (legal) means.


5. Services


5.1. Incident Response (Triage, Coordination and Resolution)

EGI-CSIRT is responsible for the coordination of security incidents somehow involving their constituency (as defined in 3.2). EGI-CSIRT therefore handles both the triage and coordination aspects. Incident resolution is left to the responsible administrators within the constituency – however EGI-CSIRT will offer support and advice on request.


5.2. Proactive Activities

EGI-CSIRT pro-actively advises their constituency in regard to recent vulnerabilities and trends in hacking/cracking. EGI-CSIRT advises EGI.eu on matters of computer and network security. It can do so pro-actively in urgent cases, or on request. Both roles are roles of consultancy: EGI-CSIRT is not responsible for implementation.


6. Incident reporting Forms

https://wiki.egi.eu/wiki/EGI_CSIRT:Incident_reporting


7. Disclaimers

THIS IS THE DRAFT VERSION OF EGI-CSIRT's RFC-2350