RFC 2350

1. Document Information

This document contains a description of CSIRT-MU according to RFC 2350. It provides basic information about the CSIRT, the ways it can be contacted, describes its responsibilities and the services offered.

1.1 Date of Last Update

This is version 1.5.4 as of 2020/10/20.

1.2 Distribution List for Notifications

There is no distribution list for notifications as of October 2020.

1.3 Locations where this Document May Be Found

The current version of this document can always be found at https://csirt.muni.cz/rfc_2350.txt.

2. Contact Information

2.1 Name of the Team

CSIRT-MU: Computer Security Incident Response Team of Masaryk University

2.2 Address

CSIRT-MU
Institute of Computer Science
Masaryk University
Sumavska 416/15
602 00 Brno
Czech Republic

2.3 Time Zone

Central European Time: GMT+1, DST: GMT+2 (DST starts at 01:00 UTC on the last Sunday in March and ends at 01:00 UTC on the last Sunday in October.)

2.4 Telephone Number

+420 549 494 242 (ask for the CSIRT-MU)

2.5 Facsimile Number

+420 549 492 747

2.6 Other Telecommunication

None.

2.7 Electronic Mail Address

Please send incident reports to csirt@muni.cz. Non-incident-related mail should be addressed to csirt-info@muni.cz.

2.8 Public Keys and Encryption Information

CSIRT-MU does sign outgoing messages. Furthermore, CSIRT-MU can decrypt messages and verify the digital signature of a message. For these purposes CSIRT-MU uses the following keys:

pub 4096R/E3439FE2 2016-06-29
uid CSIRT-MU (Request Tracker)
key fingerprint E40F 4E57 BCE8 26A8 FCF6 AD0F 6D25 E8BB E343 9FE2
sub 4096R/F3839E58 2016-06-29

Official communication (non-incident-related) by CSIRT-MU should be signed by this key:

pub 4096R/77CFBC4B 2016-08-30
uid CSIRT-MU (Info Requests)
key fingerprint 281E 58DD DCB3 64EB AA6E DE70 47EA C34C 77CF BC4B
sub 4096R/AF4DB39C 2016-08-30

These keys can be found on most key-servers.

2.9 Team Members

The CSIRT team leader is Tomas Plesnik.
Other team members, along with their areas of expertise and contact information, are listed at the CSIRT-MU web pages. Management, liaison and supervision are provided by the head of the Cybersecurity and Data Management Division of the Institute of Computer Science, Masaryk University (https://www.muni.cz/ics/920200).

2.10 Other Information

General information about the CSIRT-MU can be found at https://csirt.muni.cz/.

2.11 Points of Customer Contact

The preferred method for contacting CSIRT-MU is via e-mail. For incident reports and related issues please use csirt@muni.cz. This will create a ticket in our tracking system and alert the human on duty. For general inquiries please send e-mail to csirt-info@muni.cz.

If it is not possible (or advisable due to security reasons) to use e-mail, you can reach us via telephone at +420 549 494 242 (ask for the CSIRT-MU).

The CSIRT-MU's hours of operation are generally restricted to 09:00-17:00 Monday to Friday except for holidays.

3. Charter

3.1 Mission Statement

The goals of CSIRT-MU are:

- to create a trustworthy central contact point for ICT infrastructure at MU,
- to prevent, detect and resolve computer security incidents related to the MU ICT infrastructure,
- to raise IT security awareness among students and staff of MU,
- to research and develop tools, technologies and procedures to contribute to the state-of-the-art cyber security domain.

3.2 Constituency

The constituency are students and staff of Masaryk University, Brno, Czech Republic and the Masaryk University network:

- all IPv4 addresses within range 147.251.0.0/16,
- all IPv6 addresses within range 2001:718:801::/48,
- domain muni.cz.

3.3 Sponsorship and/or Affiliation

CSIRT-MU is part of the Institute of Computer Science, Masaryk University.

3.4 Authority

According to Masaryk University Directives No. 9/2017 and No. 10/2017, CSIRT-MU ensures coordination and sets the procedure for security incident handling.
It is authorized to:

- monitor the operations of the computer resources in the network domain of MU within the limits of the relevant legal regulations pertaining to protection of privacy, protection of communications and processing of personal data.
- disconnect a network subdomain or a host
  - if there is reasonable suspicion that they are being abused by an unauthorized person (attacker)
  - whose administrator does not adequately respond to a security incident report pertaining to such subdomain machine or subdomain.
  - if technical resources were connected to such domain or changes were made to the network software configuration without the administrator's knowledge and such resources or such change led to serious malfunctions threatening the operations of the MU network
- set other binding rules regulating the specific activities in connected subdomains (specifying DNS servers, communications protocols, degree of openness of certain network services, rules for reporting security incidents and reacting to them, etc.)
- withdraw network access for a period of at most one month from a user who breached the provisions of this directive.

4. Policies

As a part of Masaryk University, CSIRT-MU must comply with internal regulations and standards of Masaryk University, such as Masaryk University Directives No. 9/2017 and No. 10/2017 and ICS Director Measure No. 1/2010. CSIRT-MU also recognizes and uses best practices formulated by the European community of CSIRTs (TF-CSIRT and Trusted Introducer) and ENISA, EU Agency for Network and Information Security, for example TI's CSIRT Code of Practice.

4.1 Types of Incidents and Level of Support

CSIRT-MU is authorized to address all types of computer security incidents which occur, or threaten to occur, in its Constituency (see 3.2).
The level of support given by CSIRT-MU will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and CSIRT-MU's resources at the time. Special attention will be given to issues affecting critical infrastructure.

Note that no direct support will be given to end users; they are expected to contact their system and/or network administrator at their department for assistance. CSIRT-MU will support the latter people.

CSIRT-MU is committed to keeping its constituency informed of potential vulnerabilities, and where possible, will inform this community of such vulnerabilities before they are actively exploited.

4.2 Co-operation, Interaction and Disclosure of Information

CSIRT-MU will cooperate with other organisations in the field of computer security. This cooperation also includes and often requires the exchange of vital information regarding security incidents and vulnerabilities. In such cases CSIRT-MU conforms to the Information Sharing Traffic Light Protocol (TLP). Nevertheless CSIRT-MU will protect the privacy of their customers.

CSIRT-MU operates under the restrictions imposed by Czech law. This involves careful handling of personal data as required by the Personal Data Protection Act, but it is also possible that - according to Czech law - CSIRT-MU may be forced to disclose information due to a Court's order.

4.3 Communication and Authentication

For normal communication not containing sensitive information CSIRT-MU will use conventional methods like unencrypted e-mail or fax. For secure communication PGP-encrypted e-mail or telephone will be used.

If it is necessary to authenticate a person before communicating, this can be done either through existing webs of trust (e.g. TI, FIRST) or by other methods like call-back, mail-back or even face-to-face meeting if necessary. All team members are also obliged to use X.509 certificates to sign e-mail communication.
4.4 Code of Ethics and Conduct

In addition to the above-mentioned Code of Practice, members of CSIRT-MU are also bound by the Masaryk University Academic and Professional Employee Code of Ethics specified in Masaryk University Directive No. 6/2015.

5. Services

5.1 Incident Handling

CSIRT-MU handles cybersecurity incidents in order to defend Masaryk University's network. In particular it handles these types of incidents:

- incidents which threaten the security of Masaryk University's network infrastructure (these include DoS attacks, password breaks, port scanning, etc.)
- attacks on users of MU's network and services (for example phishing or e-mail scams)
- other cybersecurity incidents which are relevant to MU

5.2 Warnings and information

CSIRT-MU is constantly monitoring current cyber-security threats and informs about those which are relevant to MU users. Each report also contains basic recommendations for reducing the risk of the threat.

5.3 Penetration testing

CSIRT-MU offers testing services developed or operated at MU in order to detect vulnerable components, outdated software and possible attack vectors. The result of testing is a report that evaluates cybersecurity aspects of selected services and also a set of recommendations for improvement.

5.4 IT administrators education

CSIRT-MU provides education for IT administrators within its constituency (see 3.2) on preventing and processing security incidents. The team also provides them with basic security advice.

5.5 Users education

CSIRT-MU offers training on the basics of cybersecurity for all users within its constituency (see 3.2). Training participants learn to actively prevent the most common threats they face during their day-to-day work. The team also provides advice on the secure use of IT and internet to help users actively prevent the usual threats.

6. Incident Reporting Forms

A webform for incident reporting is available at the CSIRT-MU web pages: https://csirt.muni.cz/services/incident-handling.
The report should contain the following information:

- Contact information (name, university ID number, email) so that we can reach out to you.
- Try to describe the problem in your own words with as many details as possible. It will help us understand and resolve the issue.
- If needed, you can attach some files to the report (e.g., a screenshot of the problem).

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, CSIRT-MU assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.