wCOwMwPU.kTiEt.ReEdMuERGENCY RESPONSE TEAM CERT Description Heiko Reese Contact Karlsruhe Institute of Technology (KIT) Computer Emergency Response Team (CERT) Heiko Reese Manager Campus South Zirkel 2 76131 Karlsruhe Germany Telephone: +49 721 608-46350 E-Mail: heiko.reese@kit.edu www.cert.kit.edu Published by Karlsruhe Institute of Technology (KIT) Computer Emergency Response Team (CERT) Zirkel 2 | 76131 Karlsruhe | Germany Telephone: +49 721 608-45678 E-Mail: cert@kit.edu Revised on 2021-02-10 (Revision --revision--) www.kit.edu Contents 1 About this Document 5 1.1 Date of Last Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.2 Distribution List for Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.3 Locations Where this Document May Be Found . . . . . . . . . . . . . . . . . . . . . . . 5 1.4 Authenticating this Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2 Contact Information 6 2.1 Name of the Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.2 Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.3 Date of Establishment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.4 Timezone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.5 Telephone Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.6 Other Telecommunications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.7 Electronic Mail Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.8 Public Keys and Other Encryption Information . . . . . . . . . . . . . . . . . . . . . . . . 7 2.9 Team Members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.10 Other Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.11 Points of Customer Contact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3 Charter 9 3.1 Mission Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.2 Constituency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.3 Sponsorship and/or Affiliation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.4 Authority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.5 Operated Network Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 4 Policies 11 4.1 Classification of incoming Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 4.2 Record retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 4.3 Record deletion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 4.4 Types of Incidents and Levels of Support . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 4.5 Cooperation, Interaction and Disclosure of Information . . . . . . . . . . . . . . . . . . . 12 4.6 Communication and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 5 Services 16 5.1 Incident Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 5.1.1 Incident Triage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 5.1.2 Incident Coordination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 5.1.3 Incident Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 5.2 Proactive Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 5.2.1 Information Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 5.2.2 Training Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 5.2.3 Auditing Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 3 6 Incident Reporting Forms 18 7 Disclaimers 19 Revision History Version Effective as of Author(s) Change(s) 1 2012-11-07 Dussa, Tobias Initial revision. 2 2013-03-06 Dussa, Tobias Network list updates; URL updates; spelling corrections; minor additions. 3 2013-10-17 Dussa, Tobias Updated team member information; uni- fied IPv6 address notation; spelling correc- tions. 4 2017-02-14 Dussa, Tobias Updated team member information; up- dated policy references; minor corrections; minor layout changes; fixed notation incon- sistency. 5 2018-01-26 Dussa, Tobias Updated team member information. 6 2018-03-23 Dussa, Tobias Updated network information. 7 2021-02-10 Reese, Heiko Updated team member information, re- moved fax. 4 1 About this Document 1.1 Date of Last Update This is version 7, published on February 10, 2021. 1.2 Distribution List for Notifications Notifications of updates are submitted to our mailing list cert-info@lists.kit.edu. Subscription requests for this list should be sent to the Sympa listserver at cert-info-request@lists.kit.edu; the subject of the message should consist of the word subscribe. Send the word help instead if you don't know how to use a Sympa list server. Additional help to this list is available at https://www.lists.kit.edu/sympa/help. Archives of this list are available at https://www.lists.kit.edu/sympa/info/cert-info. Log- ging on with your subscribed mail address is required to view the archives. This mailing list is moderated. 1.3 Locations Where this Document May Be Found The current version of this CERT description document is available from the KIT-CERT website; its URL is https://www.cert.kit.edu/p/rfc2350. Please make sure you have the latest version. 1.4 Authenticating this Document This document has been signed with the KIT-CERT PGP key. The key's fingerprint can be found on the KIT-CERT web site and in the SCC-News (the printed newsletter of the Steinbuch Centre for Computing). The public key can be downloaded from the usual key servers, for example the MIT public key server (http://pgpkeys.mit.edu). See section 2.8 for more information. 5 2 Contact Information 2.1 Name of the Team KIT-CERT: Karlsruhe Institute of Technology Computer Emergency Response Team. 2.2 Address KIT-CERT Karlsruhe Institute of Technology Steinbuch Centre for Computing 76128 Karlsruhe Germany 2.3 Date of Establishment KIT-CERT was established March, 14th 2008. 2.4 Timezone Europe/Berlin (UTC+01, and UTC+02 on DST). 2.5 Telephone Number +49 (721) 608-45678 (ask for KIT-CERT). 2.6 Other Telecommunications Not available. 2.7 Electronic Mail Address KIT-CERT can be reached via cert@kit.edu. This is a mail alias that relays mail to the KIT-CERT staff on duty. 6 2.8 Public Keys and Other Encryption Information The KIT-CERT PGP key has the KeyID 0x291D553CD742DE72 and the following fingerprint: 69AF DA25 704D FD54 3BA1 C408 291D 553C D742 DE72. The public key is as follows: -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.6 (GNU/Linux) mQGiBEfq1YkRBACz0Ew1CZE80Fz9vCIGoupQKnUvLzjVYl6gN2eno4Qne2NME0sQ sVIUKojZUF774pI+HIKB5TATh77GoXfOD0LeniUwbJ9/PgV3++41L33tQYy07AUF 1gvIK2Elwn1NF493e4gZCiEwBZf5Dyi9tYhfrtNo6IgKR6Wkaz6HjzVAZwCg9jQg 0+Vy1yQWFcBLUXb4K60LT1ED/3iIg40658cN6W+nzuM5Cxfe4xT8Ig2Ug3IJ6Y1F nfdNC4FDf5w5RnClDpk2gaUYhjJFLV2odfWNJizlzsFq43r4gAlpvMbuaY9U60kr TqILTkwMpOQ2PAzZZekbZHJbmaoCLDmKzP4sn6b3QE5HBP+BXh4FxfgaESjCg1IM KM/gA/9n51Spe62Upnf3Dsalk5ynFad0WXCMKUJQy/xXbk1ke9dSngxU8LA0E+kM I0W6W7Lo1b1eX0PT5mY+cAJf4q6hENNQTOh0NBg3hnHiIBm6mQqH/G1sC9v1gLWC r5+S4gwl0C4LTPB77pRIoEFSSAPqO7BFema5j9ySudtbVwbni7QXS0lULUNFUlQg PGNlcnRAa2l0LmVkdT6IYAQTEQIAIAUCR+rViQIbAwYLCQgHAwIEFQIIAwQWAgMB Ah4BAheAAAoJECkdVTzXQt5yQlQAni9WSeicIF3pvtnz/0ux4Yqrw5ZJAJ9aKvje 0rqcd/gRSQrN69dLLZpRqLkCDQRH6tWMEAgAtZzpGMpYay0ORq6k0RlKBeofQGpH VogKJwI9Va3LkfhPrb6UPYmSZM7iQFWOZ4SbqRvQ4oflfdwKqn94e3SQBmemWs6r hGbxGbrmC4gsRHaAKam+XiKn+GsW93Y3Y0Zy++k0/UPadHtrVDrYd0iy3dzlMP/s sdvkFLs+fck4/e9wo2RZ0lC+pt7ihiPem3Yh1euqT10y8CdBhRJeaZLZuAj5/rHp tgeuiNpgnIBK908YjZ0Iis3oxVCL3ZyOfOjvxujag73pO95Tm7mMNE83qgVyJ2xN uu/FObPDIgGOBcMYCoJ4CdTpJFOVkTgf6uzjDBIgBtqHVxXP0K/4PM+wLwADBQf9 GciKe/5W9KngdY3/Rh38++cv1sWPHvGDE0TVx8HjJXU2KGIYugPH98KYcbqAYM/g TSDPQjx6vx6lDdIiHTSzE6vGj0Pjy0tjiLdKmYKHR8EabeRap9QTwpn7BxOGcnL7 Z57jKksxFmx+UAISBG5Gx1+KF5OIqPlzwFTKivtUFXCS9+xGQJnjefL5Wk8tj46G hoc86vkgaWFkvlClKqVtdXipIjUDzGYV+iKsniBSO6L0FHoa0Vr265rcrte4YOR6 Jl8Yc9UHQwsB5Yb3+VjQVAs7HEwXcxTyZE7FnWQWrqie7UZzmEbxY+ZZ+u7pPaKV ADbLoWlWuqeAueyMOmR9JYhJBBgRAgAJBQJH6tWMAhsMAAoJECkdVTzXQt5yLu8A n04d1ETvPDdNwKn/LHT7A8sZiDptAKDUd3U3Qfcdj+sD9S0lnBWT5GyVQA== =GMy5 -----END PGP PUBLIC KEY BLOCK----- The key and its signatures can be found on the usual public key servers. Additionally, the key can be found at http://www.cert.kit.edu. KIT-CERT seeks to gain as many signatures from other teams or individuals for the KIT-CERT public key in an effort to further the PGP "web of trust." 2.9 Team Members Heiko Reese from the Systems and Servers department is the KIT-CERT coordinator. Backup coordi- nators and other team members and contact information, are listed in the KIT-CERT web pages at http://www.cert.kit.edu. List of team members: + Reese, Heiko (Team Coordinator) + Zangerle, Konstantin 7 + Tuellmann, Thorsten Management, liaison and supervision are provided by Heiko Reese, head of IT Security, Steinbuch Centre for Computing, Karlsruhe Institute of Technology. 2.10 Other Information General information about the KIT-CERT as well as links to various recommended security resources can be found at http://www.cert.kit.edu. 2.11 Points of Customer Contact The preferred method for contacting the KIT-CERT is via e-mail through cert@kit.edu; e-mail sent to this address will be delivered to the on-duty staff. If urgent assistance is required, include the keyword [URGENT] in your subject line. If it is not possible or not advisable for security reasons to contact the KIT-CERT via e-mail, contact may be made by telephone during regular office hours. Voicemail is checked less frequently than e-mail. The KIT-CERT hours of operation are generally restricted to regular business hours (09:00--17:00 local time, Monday through Friday, except on holidays). 8 3 Charter 3.1 Mission Statement The goals of the KIT-CERT are 1. to assist the Karlsruhe Institute of Technology community in responding to computer-security- related incidents when they occur, and 2. to assist members of the KIT community in implementing proactive measures to reduce the risk of such incidents to occur. 3.2 Constituency The KIT-CERT constituency is the Karlsruhe Institute of Technology community, as defined in the context of the following policies: + ?Ordnung f?r die digitale Informationsverarbeitung und Kommunikation (IuK) am Karlsruher Insti- tut f?r Technologie (KIT) [IuK-Ordnung]? ("IT Processing and Communication Regime") of the Karl- sruhe Institute of Technology, published on 2013-10-15, and found at https://www.cert.kit.edu/p/iuk-ordnung. + ?IT-Sicherheit am KIT: Leitlinie des Karlsruher Instituts f?r Technologie? ("IT Security Guideline") of the Karlsruhe Institute of Technology, effective as of 2009-10-01, and found at https://www.cert.kit.edu/p/itsec-leitlinie. These two sets of policies will be referred to as KIT Policy in their entirety. However, notwithstanding any statements made by the above-mentioned policies, KIT-CERT services will be provided for on-site systems only. 3.3 Sponsorship and/or Affiliation KIT-CERT maintains affiliations with various University and Industrial CSIRTs throughout Germany on an as-needed basis. KIT-CERT cooperates closely with DFN-CERT, OSCG/WLCG (CERN), and EGI-CSIRT in terms of incident handling. KIT-CERT ist also member of the German CERT-Verbund and EduCV, is accredited at TI (Trusted Intro- ducer) and is a full member at FIRST (Forum of Incident Response and Security Teams). 3.4 Authority KIT-CERT operates under the auspices of, and with authority delegated by, the Steinbuch Centre of Com- puting at the Karlsruhe Institute of Technology. For further information on the mandate and authority of the Steinbuch Centre of Computing, please refer to the SCC Policies and the founding contract of the SCC. KIT-CERT strives to work cooperatively with system administrators and users throughout the Karlsruhe Institute of Technology, and to avoid authoritarian relationships whenever possible. However, should 9 circumstances warrant it, the KIT-CERT will appeal to the KIT CIO to exert its authority, directly or indirectly, as necessary. All members of the KIT-CERT are members of the IT Security Council of the KIT, and have all of the privileges and responsibilities assigned to system Administrators by the SCC Policies, or are members of the university management. Members of the Karlsruhe Institute of Technology community who wish to appeal the actions of the KIT-CERT should contact the head of Department IT Security and Service Management. If this recourse is not satisfactory, the matter may be referred to the Directorate of the Steinbuch Centre for Computing, in the case of perceived problems with existing policy, or to the Karlsruhe Institute of Technology CIO (in that order, in the case of perceived errors in the application of existing policy). 3.5 Operated Network Numbers KIT-CERT will operate on the following public IPv4 networks: + 129.13.0.0/16 + 141.3.0.0/16 + 141.52.0.0/16 + 141.70.44.0/23 + 141.70.81.0/24 + 192.108.45.0/24 + 192.108.46.0/24 + 192.108.47.0/24 + 192.108.68.0/24 + 193.174.1.192/29 + 193.196.32.0/20 KIT-CERT will operate on the following IPv6 networks: + 2001:638:304::/48 + 2001:7c0:409::/48 + 2a00:1398::/29 KIT-CERT will also operate on various private networks operated by the KIT. Furthermore, the KIT-CERT is assigned to the autonomous system AS34878. 10 4 Policies 4.1 Classification of incoming Information All incoming information will be classified as confidential or higher. This strict classification scheme prevents the inadventant disclosure of information that is classified through other (external) classification schemes that may not correspond to those of KIT-CERT. 4.2 Record retention The records containing information about security incients are retained with no scheduled date for dele- tion. This applies to records stored either electronically or as hardcopy. Electronic information is stored in a central database. This database is only accessible over authenti- cated and secured connections. Encrypted backups of this database are made on a daily basis and stored within the backup systems provided by SCC. If hardcopies of incident documentation are produced, they are stored in lockers accessible to KIT-CERT personnel only. Classified incident reports may be compiled and printed for KIT executive management. Sanitized and unclassified reports may be compiled and published for educational purposes. 4.3 Record deletion Media such as hard disk drives, floppies or flash drives are deleted in accordance with the guidelines provided by Bundesamt f?r Sicherheit der Informationstechnik (BSI), Germany's Federal Office for Infor- mation Security. The deletion of optical media is performed by a special shredding maschine. For the deletion of hardcopies paper shredding machines are used. All deletion actions are recorded in a logfile and are performed by KIT-CERT personnel only. 4.4 Types of Incidents and Levels of Support KIT-CERT is authorized to address all types of computer security incidents which occur, or threaten to occur, at the Karlsruhe Institute of Technology. The level of support offered by the KIT-CERT varies with the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and the KIT-CERT resources available at the time; though in all cases some response will be made. Resources will be assigned according to the following priorities, listed in decreasing order: 1. Threats to the physical safety of human beings. 2. Root or system-level attacks on any central IT-management system or any part of the backbone network infrastructure. 11 3. Root or system-level attacks on any large public-service machine, either multi-user or dedicated- purpose. 4. Compromise of restricted confidential service accounts or software installations. 5. Denial of service attacks on any of the above-mentioned systems. 6. Any of the above at other sites, originating from Karlsruhe Institute of Technology. 7. Large-scale attacks of any kind, e.g. sniffing attacks, "social engineering" attacks or password- cracking attacks. 8. Threats, harassment, or other criminal offenses involving individual user accounts. 9. Compromise of individual user accounts on multi-user systems. 10. Compromise of desktop systems. 11. Forgery, misrepresentation, or other security-related violations of local rules and regulations, e.g. netnews or e-mail forgery or unauthorized use of IRC bots. 12. Denial-of-service attacks on individual user accounts, e.g. mail bombing. Types of incidents other than those mentioned above will be prioritized according to their apparent severity and extent. Note that no direct support will be given to end users; they are expected to contact their respective system administrators, network administrators, or department heads for assistance. KIT-CERT will provide support to the latter group of persons. While the KIT-CERT understands that there is a great variety in the level of system administrator exper- tise at the Karlsruhe Institute of Technology, and while the KIT-CERT will endeavor to present information and assistance at a level appropriate to each person, the KIT-CERT cannot train system administrators on the fly, and it cannot perform system maintenance on their behalf. In most cases, the KIT- CERT will provide pointers to the information needed to implement appropriate measures. KIT-CERT is committed to keeping the Karlsruhe Institute of Technology system-administration com- munity informed of potential vulnerabilities, and, whenever possible, will inform this community of such vulnerabilities before they are actively exploited. 4.5 Cooperation, Interaction and Disclosure of Information While there are legal and ethical restrictions on the flow of information from the KIT-CERT, many of which are also outlined in the SCC Policy, and all of which will be respected, the KIT-CERT acknowledges its indebtedness to, and declares its intention to contribute to, the spirit of cooperation that created the Internet. Therefore, while appropriate measures will be taken to protect the identity of members of our constituency and members of neighboring sites whenever necessary, the KIT-CERT will otherwise share information freely when this will support others in resolving or preventing security incidents. In the paragraphs below, "affected parties" refers to the legitimate owners, operators, and users of the relevant computing facilities. It does not refer to unauthorized users, including otherwise authorized users making unauthorized use of a facility; such intruders may have no expectation of confidentiality from the KIT-CERT. They may or may not have legal rights to confidentiality; such rights will of course be respected where they exist. Information being considered for release will be classified as follows: 12 Private user information is information about particular users, or in some cases, particular applica- tions, which must be considered confidential for legal, contractual, and/or ethical reasons. Private user information will be not being released in identifiable form outside the KIT-CERT, except as provided for below. If the identity of the user is disguised, then the information can be released freely, for example to show a sample .cshrc file as modified by an intruder or to demonstrate a particular social engineering attack. Intruder information is similar to private user information, but concerns intruders. While intruder information, and in particular identifying information, will not be released to the public unless it becomes a matter of public record, for example because criminal charges have been brought forward, it will be exchanged freely with system administrators and CSIRTs tracking an incident. Private site information is technical information about particular systems or sites. It will not be re- leased without the permission of the site in question, except as provided for below. Vulnerability information is technical information about vulnerabilities or attacks, including fixes and workarounds. Vulnerability information will be released freely, though every effort will be made to inform the relevant vendor before the general public is informed. Embarrassing information includes the statement that an incident has occurred, and information about its extent or severity. Embarrassing information may concern a site or a particular user or group of users. Embarrassing information will not be released without the permission of the site or users in question, except as provided for below. Statistical information is embarrassing information with the identifying information stripped off. Sta- tistical information will be released at the discretion of the Steinbuch Centre for Computing. Contact information explains how to reach system administrators and CSIRTs. Contact information will be released freely, except where the contact person or entity has requested that this be not the case, or where KIT-CERT has reason to believe that the dissemination of this information would not be appreciated. Potential recipients of information from the KIT-CERT will be classified as follows: Because of the nature of their responsibilities and consequent expectations of confidentiality, members of the Karlsruhe Institute of Technology management are entitled to receive whatever infor- mation is necessary to facilitate the handling of computer security incidents which occur in their jurisdictions. Members of the board of directors of the Karlsruhe Institute of Technology, members of direc- torate of the Steinbuch Centre for Computing, members of legal department, members of the IT-Security Council, and the Chief Information Officer are entitled to receive whatever information they request concerning a computer security incident or related matter which has been referred to them for resolution. The same is true for the KIT Security Department, when its assis- tance in an investigation has been enlisted, or when the investigation has been instigated at its request. System administrators at the Karlsruhe Institute of Technology will be given confidential informa- tion as far as is necessary in order for them to assist with an investigation, or in order to enable them to secure their own systems. Users at the Karlsruhe Institute of Technology are entitled to information which pertains to the se- curity of their own computer accounts, even if this means revealing "intruder information," or 13 "embarrassing information" about another user. Users at the Karlsruhe Institute of Technology are entitled to be notified if their account is believed to have been compromised. The Karlsruhe Institute of Technology community in general will receive no restricted information, except where the affected parties have given permission for the information to be disseminated. Statistical information may be made available to the general KIT community. There is no obligation on the part of the KIT-CERT to report incidents to the community, though it may choose to do so; in particular, it is likely that the KIT-CERT will inform all affected parties of the ways in which they were affected, or will encourage the affected site to do so. The public at large will receive no restricted information. In fact, no particular effort will be made to communicate with the public at large, though the KIT-CERT recognizes that, for all intents and purposes, information made available to the Karlsruhe Institute of Technology community is in effect made available to the community at large, and will tailor the information accordingly. The computer-security community will be treated the same way the general public is treated. While members of KIT-CERT may participate in discussions within the computer-security community, such as newsgroups, mailing lists (including full-disclosure lists such as bugtraq), and conferences, they will treat such forums as though they were the public at large. While technical issues (including vul- nerabilities) may be discussed at any level of detail, any examples taken from KIT-CERT experience will be disguised to avoid identification of the affected parties. The press will also be considered as part of the general public. KIT-CERT will not interact directly with the press concerning computer security incidents, except to point them toward information already released to the general public. If necessary, information will be provided to the Karlsruhe Institute of Technology public-relations department, and to the customer-relations group of the Steinbuch Centre for Computing. All incident-related queries will be referred to either one or both of these two bodies. The above does not affect the ability of members of KIT-CERT to grant interviews on general computer security topics; in fact, they are encouraged to do to, as a public service to the community. Other sites and CSIRTs , when they are partners in the investigation of a computer security incident, will in some cases be entrusted with confidential information. This will happen only if the foreign site's bona fide can be verified, and the information transmitted will be limited those parts that are likely to be helpful in resolving the incident. Sharing of such information is most likely to happen in the case of sites well known to KIT-CERT; for example, several other German universities have informal but well-established working relationships with Karlsruhe Institute of Technology in such matters. For the purposes of resolving a security incident, otherwise semi-private but relatively harmless user information such as the provenance of connections to user accounts will not be considered highly sensitive, and can be transmitted to a foreign site without excessive precautions. "Intruder information" will be transmitted freely to other system administrators and CSIRTs. "Embarrassing information" can be transmitted when there is reasonable assurance that it will remain confidential, and when it is necessary to resolve an incident. Vendors will be considered as foreign CSIRTs for most intents and purposes. KIT-CERT wishes to en- courage vendors of all kinds of networking and computer equipment, software, and services to improve the security of their products. In aid of this, a vulnerability discovered in such a product will be reported to its vendor, along with all technical details needed to identify and fix the problem. Identifying details will not be given to the vendor without the permission of the affected parties. 14 Law enforcement officers will receive due cooperation from the KIT-CERT, including any information they require to pursue an investigation, in accordance with the SCC Policy and all relevant laws. 4.6 Communication and Authentication In view of the types of information that the KIT-CERT will likely be dealing with, telephones will be considered sufficiently secure to be used, even if they do not provide encryption of the voice stream. Unencrypted e-mail will not be considered particularly secure, but sufficient for the transmission of low- sensitivity data. If it is necessary to send highly-sensitive data by e-mail, PGP/GPG/SMIME will be used as appropriate. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data will be encrypted for transmission. Where it is necessary to establish trust, for example before relying on information given to the KIT- CERT, or before disclosing confidential information, the identity and bona fide of the other party will be ascertained to a reasonable degree of trust. Within the Karlsruhe Institute of Technology, and with known neighbor sites, referrals from known trusted people will suffice to identify someone. Otherwise, appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, along with telephone call-back or e-mail mail-back to ensure that the party is not an impostor. Incoming e-mail whose data must be trusted will be checked with the originator personally, or by means of digital signatures (PGP/GPG/SMIME). 15 5 Services 5.1 Incident Response KIT-CERT will assist system administrators in handling the technical and organizational aspects of inci- dents. In particular, it will provide assistance or advice with respect to the following aspects of incident management: 5.1.1 Incident Triage + Investigating whether indeed an incident occurred. + Determining the extent of the incident. 5.1.2 Incident Coordination + Determining the initial cause of the incident, i.e., identifying the vulnerability exploited by the attacker. + Facilitating contact with other sites which may be involved. + Facilitating contact with Karlsruhe Institute of Technology Security and/or appropriate law enforce- ment officials, if necessary. + Making reports to other CSIRTs. + Composing announcements to users, if applicable. 5.1.3 Incident Resolution + Removing the vulnerability, if possible. + Securing the system from the effects of the incident. + Evaluating whether certain actions are likely to reap results in proportion to their cost and risk, in particular those actions aimed at an eventual prosecution or disciplinary action: collection of evidence after the fact, observation of an incident in progress, setting traps for intruders, and so on. + Collecting evidence where criminal prosecution, or university disciplinary action, is contemplated. In addition, the KIT-CERT will collect statistics concerning incidents which occur within or involve the Karlsruhe Institute of Technology community, and will notify the community as necessary to assist in protecting against known attacks. To make use of KIT-CERT incident response services, please send an e-mail as per section 2.11 above. Please remember that the amount of assistance available will vary according to the parameters described in section 4.4. 5.2 Proactive Activities KIT-CERT coordinates and maintains the following services to the extent possible, depending on its re- sources: 16 5.2.1 Information Services + Mailing lists to inform security contacts of new information relevant to their computing environ- ments. These lists will be available only to Karlsruhe Institute of Technology system administrators. + Repository of vendor-provided and other security-related patches for various operating systems. This repository will be available to the general public wherever license restrictions allow it, and will be provided via commonly-available channels such as the World Wide Web and/or FTP. + Repository of security tools and documentation for use by system administrators. Where possible, precompiled ready-to-install versions will be supplied. These will be supplied to the general public via WWW or FTP as above. 5.2.2 Training Services + Members of the KIT-CERT will offer periodic seminars on computer-security-related topics; these seminars will be open to Karlsruhe Institute of Technology system administrators. 5.2.3 Auditing Services + Security level assignments. Machines and subnets of those networks defined in section 3.5 at the Karlsruhe Institute of Technology will be audited and assigned a security level. This security level information will be available to the Karlsruhe Institute of Technology community to facilitate the setting of appropriate access privileges. However, details of the security analyses will be confidential and available only to the parties concerned. + Operation of central network-traffic monitoring and analysis for the purpose of intrusion detection. + Operation of intrusion-prevention systems at chosen points of the network. + Records of security incidents handled will be kept. While the records will remain confidential, peri- odic statistical reports will be made available to the Karlsruhe Institute of Technology community. Detailed descriptions of the above services, along with instructions for joining mailing lists, down- loading information, or participating in certain services are available on the KIT-CERT web site, as per section 2.10 above. 17 6 Incident Reporting Forms Incidents can be reported via any communication channel to KIT-CERT and are not required to meet any particular form. 18 7 Disclaimers While every precaution will be taken in the preparation of information, notifications and alerts, the KIT- CERT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within. 19