CSIRT Description for LITNET CERT


Table of Contents:

1. Document Information
1.1 Date of Last Update
1.2 Distribution List for Notifications
1.3 Locations where this Document May Be Found
1.4 Authenticating this document
2. Contact Information
2.1 Name of the Team
2.2 Address
2.3 Time Zone
2.4 Telephone Number
2.5 Facsimile Number
2.6 Other Telecommunication
2.7 Electronic Mail Address
2.8 Public Keys and Encryption Information
2.9 Team Members
2.10 Other Information
2.11 Points of Customer Contact
3. Charter
3.1 Mission Statement
3.2 Constituency
3.3 Sponsorship and/or Affiliation
3.4 Authority
4. Policies
4.1 Types of Incidents and Level of Support
4.2 Co-operation, Interaction and Disclosure of Information
4.3 Communication and Authentication
5. Services
5.1 Incident Response
5.1.1. Incident Triage
5.1.2. Incident Coordination
5.1.3. Incident Resolution
5.2 Proactive Activities
6. Incident Reporting Forms
7. Disclaimers

1. Document Information

1.1 Date of Last Update

This is version 1.4, published Jun 05 2006.

1.2 Distribution List for Notifications

LITNET CERT doesn’t use any distribution list to notify about changes to this document.

1.3 Locations where this Document May Be Found

The current version of this CSIRT description document is available from the LITNET CERT WWW site; its URL is https://cert.litnet.lt/csirt-description-for-litnet-cert. Please make sure you are using the latest version.

1.4 Authenticating this document

This document has been signed with the LITNET CERT’s PGP key. The signed HTML source of this document can be found at https://cert.litnet.lt/csirt-description-for-litnet-cert.asc

2. Contact Information

2.1 Name of the Team

“LITNET CERT” : LITNET Computer Emergency Response Team

2.2 Address

LITNET CERT
Studentu 48a-101
51367, Kaunas
Lithuania

2.3 Time Zone

Eastern Europe Time (GMT+0200, and GMT+0300 from April to October)

2.4 Telephone Number

+370 37 300 645

2.5 Facsimile Number

+370 37 300 643

2.6 Other Telecommunication

None available.

2.7 Electronic Mail Address

<cert@litnet.lt> This is a mail alias that relays mail to the human(s) on duty for the LITNET CERT.

2.8 Public Keys and Other Encryption Information

The LITNET CERT has a PGP key, whose KeyID is 0x7A6177D9 and whose fingerprint is:

AA 02 4D 01 E0 DA 63 BD 25 99 5B C2 74 73 76 B6.

The key and its signatures can be found at the usual large public key servers (such as pgp.mit.edu).

2.9 Team Members

LITNET CERT consists of eight working groups located in LITNET regional centers. Each working group has at least one LITNET CERT member. The LITNET CERT working groups are listed at https://cert.litnet.lt/lt/kontaktai.

Marius Urkis (LITNET Network Operating Center, KTU) is the LITNET CERT coordinator. Individual LITNET CERT team members are listed on the LITNET CERT web pages, at https://cert.litnet.lt/lt/kontaktai.

2.10 Other Information

General information about the LITNET CERT, as well as links to various recommended security resources, can be found at https://cert.litnet.lt.

2.11 Points of Customer Contact

The preferred method for contacting the LITNET CERT is via e-mail at <cert@litnet.lt>; e-mail sent to this address will be handled by the responsible human.

If it is not possible (or not advisable for security reasons) to use e-mail, the LITNET CERT can be reached by telephone during regular office hours.

The LITNET CERT’s hours of operation are generally restricted to regular business hours (09:00-17:00 Monday to Friday except holidays).

3. Charter

3.1 Mission Statement

The purpose of the LITNET CERT is to provide the capability to handle computer security incidents in LITNET networks and to prevent them.

3.2 Constituency

The LITNET CERT’s constituency is all organizations connected to the LITNET network (AS2847 and AS5479).

3.3 Sponsorship and/or Affiliation

LITNET CERT is funded by LITNET – Academic and Research Network in Lithuania.

LITNET CERT has been affiliated with FIRST, the Forum of Incident Response and Security Teams, since 2003. LITNET CERT maintains affiliations with various CSIRTs around the world on an as-needed basis.

3.4 Authority

LITNET CERT operates under the auspices of, and with authority delegated by, the Board of Academic and Research Network in Lithuania (LITNET).

LITNET CERT expects to work cooperatively with system administrators and users of LITNET connected institutions, and, insofar as possible, to avoid authoritarian relationships. However, should circumstances warrant it, the LITNET CERT has the authority to take the measures it deems appropriate to properly handle a computer security related incident. All members of LITNET CERT are employees of LITNET connected institutions and thus have ample opportunity to interact with LITNET system administrators.

Members of the Lithuanian academic community who wish to appeal the actions of the LITNET CERT should contact the coordinator of LITNET CERT, Marius Urkis. If this recourse is not satisfactory, the matter may be referred to the director of the LITNET Network Operating Center.

4. Policies

4.1 Types of Incidents and Level of Support

The LITNET CERT is authorized to address all types of computer security incidents which occur, or threaten to occur, in LITNET networks.

The level of support given by LITNET CERT will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and the LITNET CERT’s resources at the time, though in all cases some response will be made within one working day. Resources will be assigned according to the following priorities, listed in decreasing order:

  • Threats to the physical safety of human beings.
  • Root or system-level attacks on any Server System, or any part of the backbone network infrastructure.
  • Root or system-level attacks on any large public service machine, either multi-user or dedicated-purpose.
  • Any other type of compromise which leads or may lead to unauthorized access of systems.
  • Denial of service attacks on any of the above three items.
  • Large-scale attacks of any kind, e.g. sniffing attacks, IRC “social engineering” attacks, password cracking attacks.
  • Threats, harassment, and other criminal offenses involving individual user accounts.
  • Compromise of desktop systems.
  • Forgery and misrepresentation, and other security-related violations of local rules and regulations, e.g. e-mail forgery, spam, etc.
  • Denial of service on individual user accounts, e.g. mail bombing.

Types of incidents other than those mentioned above will be prioritized according to their apparent severity and extent.

LITNET CERT will in general accept any incident report that involves an incident with one of the constituents either as a victim or as a suspect. However, LITNET CERT encourages the engagement of qualified security staff at the involved organization at an early stage. Whenever feasible, LITNET CERT will contact the relevant Site Security Contact of the organization allegedly involved, even if the end user has chosen not to do so.

While the LITNET CERT understands that there exists great variation in the level of system administrator expertise at LITNET networks, and while the LITNET CERT will endeavor to present information and assistance at a level appropriate to each person, the LITNET CERT cannot train system administrators on the fly, and it cannot perform system maintenance on their behalf. In most cases, the LITNET CERT will provide pointers to the information needed to implement appropriate measures.

The LITNET CERT is committed to keeping the LITNET system administration community informed of potential vulnerabilities, and where possible, will inform this community of such vulnerabilities before they are actively exploited.

LITNET CERT will keep a list, per institution, of the persons known to LITNET CERT to be in charge of security policies and operations.

4.2 Co-operation, Interaction and Disclosure of Information

While there are legal and ethical restrictions on the flow of information from LITNET CERT, the LITNET CERT acknowledges its indebtedness to, and declares its intention to contribute to, the spirit of cooperation that created the Internet. Therefore, while appropriate measures will be taken to protect the identity of members of our constituency and members of neighboring sites where necessary, the LITNET CERT will otherwise share information freely when this will assist others in resolving or preventing security incidents.

In the paragraphs below, “affected parties” refers to the legitimate owners, operators, and users of the relevant computing facilities. It does not refer to unauthorized users, including otherwise authorized users making unauthorized use of a facility; such intruders may have no expectation of confidentiality from the LITNET CERT. They may or may not have legal rights to confidentiality; such rights will of course be respected where they exist.

Information being considered for release will be classified as follows:

  • Private user information is information about particular users, or in some cases, particular applications, which must be considered confidential for legal, contractual, and/or ethical reasons. Private user information will not be released in identifiable form outside the LITNET CERT, except as provided for below. If the identity of the user is disguised, then the information can be released freely (for example to show a sample .cshrc file as modified by an intruder or to demonstrate a particular social engineering attack).
  • Intruder information is similar to private user information, but concerns intruders. While intruder information, and in particular identifying information, will not be released to the public (unless it becomes a matter of public record, for example because criminal charges have been laid), it will be exchanged freely with system administrators and CSIRTs tracking an incident.
  • Private site information is technical information about particular systems or sites. It will not be released without the permission of the site in question, except as provided for below.
  • Vulnerability information is technical information about vulnerabilities or attacks, including fixes and workarounds. Vulnerability information will be released freely, though every effort will be made to inform the relevant vendor before the general public is informed.
  • Embarrassing information includes the statement that an incident has occurred, and information about its extent or severity. Embarrassing information may concern a site or a particular user or group of users. Embarrassing information will not be released without the permission of the site or users in question, except as provided for below.
  • Statistical information is embarrassing information with the identifying information stripped off. Statistical information will be released at the discretion of the LITNET CERT.
  • Contact information explains how to reach system administrators and CSIRTs. Contact information will be released freely, except where the contact person or entity has requested that this not be the case, or where LITNET CERT has reason to believe that the dissemination of this information would not be appreciated.

Potential recipients of information from the LITNET CERT will be classified as follows:

  • Because of the nature of their responsibilities and consequent expectations of confidentiality, members of the constituency’s management are entitled to receive whatever information is necessary to facilitate the handling of computer security incidents which occur in their jurisdictions.
  • System administrators within the constituency are, by virtue of their responsibilities, trusted with confidential information. However, unless such people are also members of LITNET CERT, they will be given only that confidential information which they must have in order to assist with an investigation, or in order to secure their own systems.
  • Users within the constituency are entitled to information which pertains to the security of their own computer accounts, even if this means revealing “intruder information”, or “embarrassing information” about another user. For example, if account aaaa is cracked and the intruder attacks account bbbb, user bbbb is entitled to know that aaaa was cracked, and how the attack on the bbbb account was executed. User bbbb is also entitled, if they request it, to information about account aaaa which might enable bbbb to investigate the attack. For example, if bbbb was attacked by someone remotely connected to aaaa, bbbb should be told the provenance of the connections to aaaa, even though this information would ordinarily be considered private to aaaa. Users within the constituency are entitled to be notified if their account is believed to have been compromised.
  • The LITNET community will receive no restricted information, except where the affected parties have given permission for the information to be disseminated. Statistical information may be made available to the general LITNET community. There is no obligation on the part of the LITNET CERT to report incidents to the community, though it may choose to do so; in particular, it is likely that the LITNET CERT will inform all affected parties of the ways in which they were affected, or will encourage the affected site to do so.
  • The computer security community will be treated the same way the general public is treated. While members of LITNET CERT may participate in discussions within the computer security community, such as newsgroups, mailing lists and conferences, they will treat such forums as though they were the public at large. While technical issues (including vulnerabilities) may be discussed to any level of detail, any examples taken from LITNET CERT experience will be disguised to avoid identifying the affected parties.
  • The press will also be considered as part of the general public. The LITNET CERT will not interact directly with the press concerning computer security incidents, except to point them toward information already released to the general public. The above does not affect the ability of members of LITNET CERT to grant interviews on general computer security topics; in fact, they are encouraged to do so, as a public service to the community.
  • Other sites and CSIRTs, when they are partners in the investigation of a computer security incident, will in some cases be trusted with confidential information. This will happen only if the foreign site’s bona fides can be verified, and the information transmitted will be limited to that which is likely to be helpful in resolving the incident. Such information sharing is most likely to happen in the case of sites well known to LITNET CERT (for example, several European CSIRTs have informal but well-established working relationships with LITNET CERT in such matters). For the purposes of resolving a security incident, otherwise semi-private but relatively harmless user information such as the provenance of connections to user accounts will not be considered highly sensitive, and can be transmitted to a foreign site without excessive precautions. “Intruder information” will be transmitted freely to other system administrators and CSIRTs. “Embarrassing information” can be transmitted when there is reasonable assurance that it will remain confidential, and when it is necessary to resolve an incident.
  • Vendors will be considered as foreign CSIRTs for most intents and purposes. The LITNET CERT wishes to encourage vendors of all kinds of networking and computer equipment, software, and services to improve the security of their products. In aid of this, a vulnerability discovered in such a product will be reported to its vendor, along with all technical details needed to identify and fix the problem. Identifying details will not be given to the vendor without the permission of the affected parties.
  • Law enforcement officers will receive full cooperation from the LITNET CERT, including any information they require to pursue an investigation, notwithstanding the earlier statements made about confidentiality.

4.3 Communication and Authentication

In view of the types of information that the LITNET CERT will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP will be used. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be encrypted for transmission.

Where it is necessary to establish trust, for example before relying on information given to the LITNET CERT, or before disclosing confidential information, the identity and bona fides of the other party will be ascertained to a reasonable degree of trust. Within the constituency, and with known neighbor sites, referrals from known trusted people will suffice to identify someone. Otherwise, appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, etc., to ensure that the party is not an impostor. Incoming e-mail whose data must be trusted will be checked with the originator personally, or by means of digital signatures (PGP in particular is supported).

5. Services

5.1 Incident Response

LITNET CERT will assist system administrators in handling the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management:

5.1.1 Incident Triage

  • Investigating whether indeed an incident occurred.
  • Determining the extent of the incident.

5.1.2 Incident Coordination

  • Determining the initial cause of the incident (vulnerability exploited).
  • Facilitating contact with other sites which may be involved.
  • Facilitating contact with the affected constituent and/or appropriate law enforcement officials, if necessary.
  • Making reports to other CSIRTs.
  • Composing announcements to users, if applicable.

5.1.3 Incident Resolution

  • Recommendations on removing the vulnerability.
  • Securing the system from the effects of the incident.
  • Collecting the evidence of the incident.

In addition, LITNET CERT will collect statistics concerning incidents which occur within or involve the LITNET community and will notify the community as necessary to assist it in protecting against known attacks. LITNET CERT will make these statistics available at https://cert.litnet.lt/lt/statistika and https://cert.litnet.lt/en/statistika.

To make use of LITNET CERT’s incident response services, please send e-mail as per section 2.11 above. Please remember that the amount of assistance available will vary according to the parameters described in section 4.1.

5.2 Proactive Activities

The LITNET CERT coordinates and maintains the following services to the extent possible depending on its resources:

  • Information services
    • Mailing lists to inform security contacts of new information relevant to their computing environments. These lists will be available only to system administrators within the constituency.
  • Auditing services
    • The security level of machines within constituency networks will be assessed on demand.
  • Archiving services
    • Records of security incidents handled will be kept. While the records will remain confidential, periodic statistical reports will be made available to the public.

6. Incident Reporting Forms

LITNET CERT has created an online incident reporting form which is available at https://cert.litnet.lt/lt/pranesti-apie-incidenta. This is the preferred way to report a computer security incident to LITNET CERT.

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, LITNET CERT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.