INTECO-CERT Service Description according to RFC 2350

1 Document Information

1.1 Date of last update

This is version 1.0, published 5th May 2008.

1.2 Distribution List for Modifications

Notifications of updates are submitted to the INTECO Bulletin subscription mailing list: boletines@cert.inteco.es

Subscription information is available for citizens and for Small and Medium-Sized Enterprises (SMEs) at

Access to register page

1.3 Locations where this document may be found

The current version of this document is available on the INTECO-CERT web site:

Link to RFC information

1.4 Authenticating this document

This document has been signed with the INTECO-CERT PGP key. The signatures are also on our Web site: PGP Signature

2 Contact Information

2.1 Name of the team

INTECO-CERT: INTECO IT Incident Response Center

2.2 Address

INTECO-CERT
Avda. Jose Aguado 41
Edificio INTECO
24005 León

2.3 Timezone

INTECO-CERT is one/two hour(s) ahead of UTC (GMT) in winter/summer,
UTC+0100 in winter and UTC+0200 in summer (DST).

2.4 Telephone number

+34 987 877 189
This line is available during normal working hours (from 08:30 to 18:30 from Monday to Thursday and from 08:30 to 15:00 on Friday) and should be used only for general INTECO-CERT inquiries. If you want to report a computer security incident, please use these forms:

 

2.5 Fax number

+34 987 261 016
(This is not a secure fax)

2.6 Email

Mailbox of INTECO-CERT: cert@cert.inteco.es. This is a mail alias that relays mail to the human(s) on duty for INTECO-CERT. Mail is the preferred way of contacting INTECO-CERT.

INTECO-CERT incidence mailbox: incidencias@cert.inteco.es. This is the address for reporting a computer security incident to INTECO-CERT.

2.7 PGP keys

INTECO-CERT has the following PGP keys:

User ID: INTECO-CERT <cert@cert.inteco.es>
Key ID: 0xB729A0CD
Key type: ELG
Key size: 2048 bit
Expiration: 31/10/2012
Fingerprint: C82C AF18 3C23 058A EA27 F1AB 1496 A4D7 B729 A0CD

User ID: INTECO-CERT <incidencias@cert.inteco.es>
Key ID: 0x0DCB4264
Key type: ELG
Key size: 2048 bit
Expiration: Never
Fingerprint: A230 1EE1 F521 19DE 10E7 8E09 00F9 7042 0DCB 4264

2.8 Team members

The operations coordinator is Javier Berciano Alonso.

User ID: Javier Berciano Alonso <jberciano@cert.inteco.es>
Key ID: 0xE813FD37
Key type: ELG
Key size: 2048 bit
Expiration: 24/06/2012
Fingerprint: 12C0 732A E132 2F06 1BAF 49C6 7CDB E892 E813 FD37

The relations coordinator is Jorge Chinea López.

User ID: Jorge Chinea López <jchinea@cert.inteco.es>
Key ID: 0xF526D971
Key type: ELG
Key size: 2048 bit
Expiration: 10/07/2013
Fingerprint: 74AE 9411 1502 D4D1 7BB8 2B75 2909 DCE4 F526 D971

2.9 Points of Contact

For general-purpose contact, the preferred method is email to the INTECO-CERT mailbox, cert@cert.inteco.es. If not by email, contact by telephone or facsimile during office hours, from Monday to Friday.

For reporting a computer security incident, the preferred method is email to the INTECO-CERT incidence mailbox, incidencias@cert.inteco.es. If possible, when submitting your report, use the form mentioned in section 6.

3 Charter

3.1 Mission Statement

The primary purpose of INTECO-CERT is to provide information and consultancy on IT security and standing law services for Spanish Small and Medium-Sized Enterprises and citizens, to help them deal with computer security problems and their prevention.

3.2 Constituency

INTECO-CERT supports incident response and security services for all Spanish Small and Medium-Sized Enterprises and Citizens.

3.3 Sponsoring organisation

INTECO-CERT is sponsored by the National Institute of Communication Technologies (INTECO), which is in charge of establishing the basis for the coordination of different public initiatives concerning technological security, accessibility and inclusion in the digital society, and communication solutions for individuals and companies.

3.4 Authority

INTECO-CERT operates under the auspices of the Spanish Industry, Tourism and Trade Ministry as a part of the 'Plan Avanza', the Research and Development Plan adopted by the Spanish Cabinet on 4th November 2005, which focuses on the correct use of ICT (Information and Communication Technologies).

4 INTECO-CERT Policies

4.1 Types of incidents and level of support

INTECO-CERT is authorised to address all types of computer security incidents which occur in its constituency.

INTECO-CERT may act upon requests of one of its constituents or may act if one of its constituents is involved in a computer security incident.

The level of support given by INTECO-CERT will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and INTECO-CERT's resources at the time, though in all cases some response will be made within one working day. Resources will be assigned according to the following priorities:

  • Threats to the physical safety of human beings.
  • Root or system-level attacks on any Management Information System, or any part of the backbone network infrastructure.
  • Root or system-level attacks on any large public service machine, either multi-user or dedicated-purpose.
  • Compromise of restricted confidential service accounts or software installations, in particular those used for MIS applications containing confidential data, or those used for system administration.
  • Denial of service attacks on any of the above three items.
  • Any of the above at other sites, originating from the Constituency of INTECO-CERT.
  • Large-scale attacks of any kind, e.g. sniffing attacks, IRC "social engineering" attacks, password cracking attacks.
  • Threats, harassment, and other criminal offenses involving individual user accounts.
  • Compromise of individual user accounts on multi-user systems.
  • Compromise of desktop systems.
  • Forgery and misrepresentation, and other security-related violations of local rules and regulations, e.g. netnews and e-mail forgery, unauthorized use of IRC bots.
  • Denial of service on individual user accounts, e.g. mailbombing.

Types of incidents other than those mentioned above will be prioritized according to their apparent severity and extent.

In most cases, INTECO-CERT will provide pointers to the information needed to implement appropriate measures.

INTECO-CERT is committed to keeping its constituency informed of potential vulnerabilities, and where possible, will inform this community of such vulnerabilities before they are actively exploited.

4.2 Co-operation, Interaction and Disclosure of Information

INTECO-CERT will cooperate with other organisations in the field of computer security. This cooperation also includes and often requires the exchange of information regarding security incidents and vulnerabilities. Nevertheless INTECO-CERT will protect the privacy of its constituency and therefore (under normal circumstances) pass on information in an anonymized way only.

INTECO-CERT operates under the restrictions imposed by the law of the Spanish Data Protection Authority. Therefore it is also possible that INTECO-CERT may be forced to disclose information due to a court order.

INTECO-CERT, unless explicitly authorized, will not divulge the identity or vital information of victims of computer security incidents.

4.3 Communication and Authentication

Telephone and unencrypted e-mail are considered sufficient for the transmission of low-sensitivity data. If it is necessary to send high sensitivity data by e-mail, PGP will be used. Network file transfers will be considered similar to e-mail for these purposes.

INTECO-CERT contact information can be found in section 6.

5 Services

5.1 Incident Response

INTECO-CERT will assist its constituency in handling the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management.

5.1.1 Incident Triage

INTECO-CERT Incident triage includes:

  • Investigating whether indeed an incident occurred.
  • Determining the extent of the incident.

5.1.2 Incident Coordination

INTECO-CERT Incident Coordination includes:

  • Determining the initial cause of the incident (exploited vulnerability).
  • Facilitating contact with other sites which may be involved.
  • Facilitating contact with appropriate security teams and/or law enforcement officials if necessary.
  • Making reports to other CSIRTs.
  • Composing announcements to users (members of the constituency), if applicable.

5.1.3 Incident Resolution

INTECO-CERT incident resolution services include:

  • Technical Assistance. This may include analysis of compromised systems.
  • Recommendations on eradication or elimination of the cause of a security incident (the vulnerability exploited), and its effects.
  • Recovery aid in restoring affected systems and services to their status before the incident.
  • Suggestions for securing the system from the effects of the incident.

INTECO-CERT will collect statistics concerning incidents which occur within or involve its constituency and will notify the community as necessary to assist it in protecting against known attacks.

5.2 Proactive Services

Proactive services provide means to reduce the number of actual incidents by giving the constituency proper and suitable information concerning potential incidents. INTECO-CERT's additional proactive services include:

5.2.1 Announcements

INTECO-CERT will provide its constituency with information about ongoing attacks, security vulnerabilities, alerts in the general sense, and short-term recommended course of action for dealing with the resulting problems.

5.2.2 Vulnerability Analysis

INTECO-CERT will assist its constituency in reacting to the discovery of new vulnerabilities. A database is maintained that collects information on vulnerabilities, automatically and manually, via network scans and by other means. Penetration testing teams are coordinated.

5.2.3 Security Tools

A repository of various tested security tools, and of security tools developed by INTECO-CERT, will be supplied to the general public via the web.

5.2.4 User Awareness Program

Users' awareness of security issues is improved through best-practice guideline programs and appropriate measures. This implies an awareness of legal issues, in particular the enforcement of evidence collection.

INTECO-CERT will also attempt to provide valuable educational materials aimed at increasing the awareness of security as well as improving the overall knowledge of security techniques among the members of the constituency. These materials in electronic formats will be distributed through the official website.

5.2.5 Archiving services

Records of security incidents handled will be kept. While the records will remain confidential, periodic statistical reports will be made available to the INTECO-CERT constituency.

5.3 Security Quality Management Services

In order to supervise and to increase the quality of the offered services, the following services are performed:

  • Awareness Building
  • Education/Training
  • Product Evaluation or Certification

5.3.1 Documentation

Documentation is maintained, dealing with the following topics:

  • The procedures that are part of the services are documented.
  • Results of Incident Management and Incident Analysis are documented, resulting in suggestions on how to improve the services or systems, respectively.

5.3.2 Statistics

This service provides statistics on the offered services. The statistics serve as a basis for evaluating the quality of the services and, if possible, improving them.

5.3.3 Education and Training

Team members are constantly trained to enhance their skills and capacities.

6 Incident reporting form

For Spanish Small and Medium-Sized Enterprises only, INTECO-CERT has created an online incident reporting form, which is available at:

Incidents Management

Please note that you must be registered with INTECO-CERT as a Spanish Small and Medium-Sized Enterprise to use it. You can register at:

New user registration

This is the preferred way to report a computer security incident to INTECO-CERT.

7 Disclaimer

While every precaution will be taken in the preparation of information, notifications and alerts, INTECO-CERT assumes no responsibility for errors, omissions, or for damages resulting from the use of the information contained.