1. About this document

1.1 Date of Last Update

This is version 1.2, published 2007-11-26.

1.2 Distribution List for Notifications

Currently esCERT-UPC does not use any distribution lists to notify about changes in this document.

1.3 Locations where this Document May Be Found

The current version of this CSIRT description document is available from the esCERT WWW site at:

http://escert.upc.edu/_pub/rfc2350esCERTv1_2.txt

Please make sure you are using the latest version.

2. Contact Information

2.1 Name of the Team

esCERT-UPC: The UPC University Computer Emergency Response Team.

2.2 Address

C/ Jordi Girona 1-3

Modul D6 007,

08034 Barcelona (SPAIN)

2.3 Time Zone

GMT+0100/0200 DST

2.4 Telephone Number

+34 934015795

+34 934016984

2.5 Facsimile Number

+34 934017055 (this is *not* a secure fax)

2.6 Other Telecommunication

None available.

2.7 Electronic Mail Address

<cert@escert.upc.edu>  This is a mail alias that relays mail to the human(s) on duty on esCERT.

2.8 Public Keys and Other Encryption Information

The esCERT has a PGP key, whose KeyID is 0xDAF483F4 and whose fingerprint is 3897 6DD7 6994 C2D3 F5B0 E8F0 4652 1917 DAF4 83F4.

The key and its signatures can be found at the usual large public keyservers.

2.9 Team Members

Manel Medina is the esCERT Director.

Other members of the team are:

2.10 Other Information

General information about the esCERT, as well as links to various recommended security resources, can be found at http://escert.upc.edu

2.11 Points of Customer Contact

The preferred method for contacting the esCERT is via e-mail at <cert@escert.upc.edu>; e-mail sent to this address will "biff" the responsible human, or be  automatically forwarded to the appropriate backup person, immediately.  If you require urgent assistance, put "URGENTE" in your subject line.

If it is not possible (or not advisable for security reasons) to use e-mail, the esCERT can be reached by telephone during regular office hours.  Telephone messages are checked daily.

The esCERT's hours of operation are generally restricted to regular business hours (09:00-17:00 Monday to Friday except holidays).

If possible, when submitting your report, use the form mentioned in section 6.

3. Charter

3.1 Mission Statement

The purpose of the esCERT is to assist members of UPC University community in responding to such incidents when and if they occur.

EsCERT is also committed to proactively reduce the risk of computer security providing vulnerability alters, proactive network scans, ID’s deployment and related measures.

3.2 Constituency

The esCERT's constituency is the UPC University community and with partial support to the Spanish Internet Community.

However, please note that, esCERT resolution services will be provided for on-site UPC systems only.

3.3 Sponsorship and/or Affiliation

Initially UPC (Universitat Politècnica de Catalunya), CICYT (Comisión Interministerial de Ciencia y Tecnología), Generalitat de Catalunya and CE (Comisión Europea) provided funds which made possible esCERT-UPC. Now-a-days esCERT-UPC provides for 100% of its operational costs.

UPC provides networking infrastructure, space on its campus and telephone service to the esCERT.

esCERT maintains affiliations with various other CSIRTs on an as needed basis.

3.4 Authority

The esCERT operates under the auspices of, and with authority delegated by, the Department of Computing Services of UPC University (UPCNet).

The esCERT expects to work cooperatively with system administrators and users at UPC University, and, insofar as possible, to avoid authoritarian  relationships.  However, should circumstances warrant it, the esCERT will appeal to Computing Services to exert its authority, direct or indirect, as necessary.

Members of the esCERT in contact with UPCNet which provides networking infrastructure to the UPC community and has established protocols and granted authority to enforce networking restrictions should the need arise.

4. Policies

4.1 Types of Incidents and Level of Support

The esCERT is authorized to address all types of computer security incidents which occur, or threaten to occur, at its constituency.

The level of support given by esCERT will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and the esCERT's resources at the time, though in all cases some response will be made within two working days.

Incidents will be prioritised according to their apparent severity and extent. These incidents will be assessed as to their relative severity at esCERT's discretion.

No direct support other than general security information will be given to end users; they are expected to contact their system administrator, network  administrator, or department head for assistance.  The esCERT will support the latter people.

While the esCERT understands that there exists great variation in the level of system administrator expertise at UPC University, and while the esCERT will endeavour to present information and assistance at a level appropriate to each

person, the esCERT cannot train system administrators on the fly but it will perform system maintenance on their behalf when needed.

In most cases, the esCERT will provide pointers to the information needed to implement appropriate measures if system administrators are capable of taking appropriate measures by themselves.

The esCERT is committed to keeping the UPC University system administration community informed of potential vulnerabilities, and where possible, will inform this community of such vulnerabilities before they are actively exploited. Distribution lists are available for such task.

4.2 Co-operation, Interaction and Disclosure of Information

esCERT defaults to keep all information relative to incidents confidential.

While appropriate measures will be taken to protect the identity of members of our constituency and members of neighbouring sites where necessary, the esCERT will otherwise share information freely when this will assist others in resolving or preventing security incidents.

4.3 Communication and Authentication

In view of the types of information that the esCERT will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted.  Unencrypted e-mail will not be considered particularly secure, but will be

sufficient for the transmission of low-sensitivity data.

If it is necessary to send highly sensitive data by e-mail, PGP will be used.  Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be encrypted for transmission.

Where it is necessary to establish trust, for example before relying on information given to the esCERT, or before disclosing confidential information, the identity and bona fide of the other party will be ascertained to a reasonable degree of trust.  Within UPC University, and with known

neighbor sites, referrals from known trusted people will suffice to identify someone.  Otherwise, appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, etc, along with telephone call-back or e-mail mail-back to ensure that

the party is not an impostor.  Incoming e-mail whose data must be trusted will be checked with the originator personally, or by means of digital signatures (PGP in particular is supported and recommended).

EsCERT Keys can be found here: http://escert.upc.edu/index.php/web/es/nos_certificados.html

5. Services

5.1 Incident Response

esCERT will assist system administrators in handling the technical and organizational aspects of incidents.  In particular, it will provide assistance or advice with respect to the following aspects of incident management:

5.1.1 Incident Triage

-        Investigating whether indeed an incident occurred.

-        Determining the extent of the incident.

5.1.2 Incident Coordination

-        Determining the initial cause of the incident (vulnerability exploited).

-        Facilitating contact with other sites which may be involved.

-        Facilitating contact with UPC University Security.

-        Making reports to other CSIRTs.

-        Composing announcements to users, if applicable.

5.1.3 Incident Resolution (only on the UPC community)

-        Removing the vulnerability.

-        Securing the system from the effects of the incident.

In addition, esCERT will collect statistics concerning incidents which occur within or involve the UPC University community, and will notify the community as necessary to assist it in protecting against known attacks.

5.2 Proactive Activities

The esCERT coordinates and maintains the following services to the extent possible depending on its resources:

-        Information services

·        List of departmental security contacts, administrative and technical.

·        Mailing lists to inform security contacts of new information relevant computer security. These lists will be available only to UPC University system  administrators.

·        Repository of security tools and documentation for use by sysadmins.  Where possible, precompiled ready-to-install versions will be supplied.  These will be supplied to the general public via www or ftp.

-        Training services

·        Members of the esCERT will give periodic seminars on computer security related topics; these seminars will be open to UPC University system administrators.

·        On demand training will also be provided when resources are available.

-        Archiving services

·        Records of security incidents handled will be kept. While the records will remain confidential, periodic statistical reports will be made available to the UPC University and UPCNet.

6. Incident Reporting Forms

If possible, use the following form when reporting a security incident: (This form is only available in Spanish)

http://escert.upc.edu/index.php/web/es/serv_respuesta.html