RFC 2350 Profile
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
CSIRT Description for AndalucíaCERT
- ------------------------------------
1 About this document
This document contains a description of AndalucíaCERT in accordance with RFC 2350.
It provides basic information about the AndalucíaCERT team, its channels of
communication, and its roles and responsibilities.
1.1 Date of Last Update
This is version 8, published in November 2022.
Internal ID: CERT-CFG-001-07
1.2 Distribution List for Notifications
Notifications of updates are sent to our constituency through our
mailing list: consultas.cert [at] juntadeandalucia.es
and via our AndalucíaCERT website:
https://andaluciacert.juntadeandalucia.es
Subscription requests for these bulletins must be made by sending an
email to:
consultas.cert [at] juntadeandalucia.es
This mailing list is moderated.
1.3 Locations where this Document May Be Found
The current version of this CSIRT (Computer Security Incident
Response Team) description document is available on the
AndalucíaCERT website:
https://andaluciacert.juntadeandalucia.es
or asking for it by email at:
consultas.cert [at] juntadeandalucia.es
Please make sure you are using the latest version.
1.4 Authenticating this Document
This document has been signed with the AndalucíaCERT's PGP
key included in section 2.7.
2 Contact Information
2.1 Name of the Team
"AndalucíaCERT" (Centro de Seguridad TIC de Andalucía): ICT
Security Center for Andalusia (Spain)
2.2 Address
AndalucíaCERT - Centro de Seguridad TIC de Andalucía
Sociedad Andaluza para el Desarrollo de la Sociedad de la
Información, S.A.U.
Agencia Digital de Andalucía - Junta de Andalucía
Avda. De la Arboleda s/n
41940 - Tomares (Sevilla)
Spain
2.3 Time Zone
Central European Time - CET (GMT+01:00, and GMT+02:00 from April
to October).
2.4 Telephone Number
+34 955 060 974
It is available 24x7x365.
2.5 Facsimile Number
None
2.6 Other Telecommunication
None
2.7 Electronic Mail Address
Please report security incidents to:
atencion.cert [at] juntadeandalucia.es
For any other issue - e.g. general purposes, other services,
contacting CERT representatives, subscribing to CERT services, etc. -
please use:
consultas.cert [at] juntadeandalucia.es
2.8 Public Keys and Other Encryption Information
AndalucíaCERT uses PGP for encryption and signing.
The PGP keys and their signatures can be found on the usual large
public keyservers.
2.9 Team Members
No information is provided in public.
2.10 Other Information
General information about AndalucíaCERT, as well as links to
various security resources and services, can be found at our
website:
https://andaluciacert.juntadeandalucia.es
Please note that our website has a private zone that is only
accessible from the intranet of Junta de Andalucía, so external
users can instead request information by sending an email to:
consultas.cert [at] juntadeandalucia.es
2.11 Points of Customer Contact
The preferred method for contacting AndalucíaCERT is via
e-mail at all times, using the email addresses included in
section 2.7.
E-mails sent to these addresses will be acted upon by the officer
on duty during business hours, and normally responded to before the
next business day.
If it is not possible (or not advisable for security reasons) to
use e-mail, or if you require urgent assistance, AndalucíaCERT
can be reached by telephone (please refer to Sections 2.4, 2.5
and 2.6 for contact details).
If possible, when submitting your report, please use the template
mentioned in Section 6.
2.12 Operating hours
For urgent assistance on security incidents AndalucíaCERT
provides a 24x7x365 service.
Otherwise, AndalucíaCERT's hours of operation are 12x7x365
(7.00-19.00, Monday to Sunday, including holidays).
Consultations about services will be attended to in office hours
(7.00h-19.00h, Monday to Friday).
3 Charter
3.1 Mission Statement
AndalucíaCERT aims at the early detection of security
incidents affecting Regional Government of Andalusia
organizations, as well as at coordinating incident handling
with them. Proactive measures are under constant development,
including timely warning of potential problems, technical advice,
security education and related services.
3.2 Constituency
AndalucíaCERT supports incident response and security services
to Regional Government of Andalusia organizations.
Please note that some of these services require prior
subscription by the organization.
In addition, some proactive and educational material is also
provided to other third parties, IT specialists and the general
public.
3.3 Sponsorship and/or Affiliation
AndalucíaCERT is sponsored by Junta de Andalucía, the Regional
Government of Andalusia.
3.4 Authority
AndalucíaCERT operates under the auspices of Junta de
Andalucía, the Regional Government of Andalusia. AndalucíaCERT
is not an authoritative body.
AndalucíaCERT expects to work cooperatively with the
organizations within the Regional Government of Andalusia.
Each constituent is responsible for its own assets and
information. However and according to the AndalucíaCERT general
policies, should circumstances warrant it, AndalucíaCERT has the
authority to take the measures it deems appropriate to properly
handle a computer security related incident.
Enrolled organizations who wish to appeal the actions of
AndalucíaCERT should contact the Technical Manager in the first
instance. If this recourse is not satisfactory, the matter may be
referred to the AndalucíaCERT Chair.
4 Policies
4.1 Types of Incidents and Level of Support
AndalucíaCERT is authorized to address all types of computer
security incidents which occur, or threaten to occur, at its
constituency.
AndalucíaCERT may act upon request of one of its
constituents, or may act if a constituent is, or threatens to be,
involved in a computer security incident.
The level of support given by AndalucíaCERT will vary depending on
the type and severity of the incident or issue, the type of
constituent, the size of the user community affected, and the
availability of AndalucíaCERT resources at the time, though in all
cases some response will be made within one working day. Resources
will be assigned according to the priority criteria recommended in
the CCN-CERT guide CCN-STIC-817 (Common Criteria for Security
Incident Management within the Spanish Public Administration and
eGovernment entities), available at
https://www.ccn-cert.cni.es/guias/guias-series-ccn-stic.html. Special
attention will be given to issues affecting critical
infrastructure.
Types of incidents other than those included in guide
CCN-STIC-817 will be prioritized according to their apparent
severity and extent. These incidents will be assessed as to their
relative severity at AndalucíaCERT's discretion.
Each organization within the Regional Government of Andalusia that
subscribes to the AndalucíaCERT services will nominate at least
one Liaison Officer (and a substitute), who will act as the
representatives between the organization and
AndalucíaCERT. AndalucíaCERT will generally only support the
Liaison Officer, who is expected to coordinate and work
cooperatively with the IT administrators, security personnel and
end-users within his/her organization.
End-users can report security incidents directly to AndalucíaCERT,
but no direct support will be given to them, as they are expected
to contact their liaisons, system administrators, security
personnel, or department head for assistance.
While AndalucíaCERT understands that there is a wide range in the
expertise level of liaisons at its constituency, and while
AndalucíaCERT will endeavour to present information and assistance
at an appropriate level to each person, AndalucíaCERT cannot
train liaisons or system administrators on the fly, and it cannot
perform system maintenance on their behalf. Nevertheless, in most
cases AndalucíaCERT will provide pointers to the information
needed to implement appropriate measures.
AndalucíaCERT is committed to keeping its constituency informed of
potential vulnerabilities, and where possible, will inform these
communities of such vulnerabilities before they are actively
exploited.
4.2 Co-operation, Interaction and Disclosure of Information
AndalucíaCERT will cooperate with other organizations and third
parties - e.g. other national/international CSIRTs, vendors and
manufacturers, security experts, the computer security community,
etc. - in the field of computer security. A special collaborative
relationship has been established with CCN-CERT, the Spanish
Governmental National Cryptology Center - CSIRT.
This cooperation with third parties will always be aimed at
managing and/or preventing security incidents, and/or improving
the capabilities, training and knowledge of AndalucíaCERT (or the
security community). It is important to note that this
cooperation also includes, and often requires, the exchange of
information regarding security incidents and vulnerabilities.
Nevertheless, AndalucíaCERT will protect the privacy of its
constituency, and therefore will pass on information in an
anonymized way only. Unless explicitly authorized, the identity or
vital information of victims of computer security incidents will
not be divulged.
AndalucíaCERT operates under the restrictions imposed by the
law of the Spanish Data Protection Authority, the Regulation (EU)
2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data,
and the Directive (EU) 2016/680 of the European Parliament and of
the Council of 27 April 2016 on the protection of natural persons
with regard to the processing of personal data by competent
authorities for the purposes of the prevention, investigation,
detection or prosecution of criminal offences or the execution of
criminal penalties, and on the free movement of such data.
Therefore, it is also possible that the AndalucíaCERT may be
forced to disclose information due to a Court's order.
4.3 Communication and Authentication
In view of the types of information that AndalucíaCERT will likely
be dealing with, telephone will be considered sufficiently secure
to be used even unencrypted. Unencrypted e-mail will not be
considered particularly secure, but will be sufficient for the
transmission of low-sensitivity data. If it is necessary to send
highly sensitive data by e-mail, PGP will be used. Network file
transfers will be considered to be similar to e-mail for these
purposes: sensitive data should be encrypted for transmission.
Where it is necessary to establish trust, for example before
relying on information given to the AndalucíaCERT, or before
disclosing confidential information, the identity of the other
party will be ascertained to a reasonable degree of trust. Within
the constituency, and with known neighbour sites, referrals from
known trusted people will suffice to identify someone. Otherwise,
appropriate methods will be used, like call-back, mail-back or
even face-to-face meeting if necessary to ensure that the party is
not an impostor. Incoming e-mail whose data must be trusted will
be checked with the originator personally, or by means of digital
signatures using PGP.
5 Services
5.1 Incident Response
AndalucíaCERT will assist its constituency in handling the
technical and organizational aspects of incidents. In particular,
it will provide assistance or advice with respect to the following
aspects of incident management:
5.1.1 Incident Triage
- Investigating whether an incident has indeed occurred.
- Determining the extent of the incident.
- Determining the initial relevance and prioritization of the incident.
- Determining the affected Andalusian organization.
5.1.2 Incident Coordination
- Determining the initial cause of the incident (vulnerability
exploited).
- Contacting the Liaison Officers of the involved Andalusian
organizations.
- Facilitating contact with other sites which may be involved.
- Facilitating contact with appropriate security teams, and/or
other third parties which can help mitigate and/or solve the
incident.
- Making reports to other CSIRTs.
- Composing announcements to constituents and/or its end-users, if
applicable.
5.1.3 Incident Resolution
- Technical assistance to resolve the incident. This may include
analysis of compromised systems.
- Forensic analysis of affected devices where circumstances
recommend it.
- Malware analysis through static and dynamic artifact exploration.
- Recommendations on eradication or elimination of the cause of
a security incident (the vulnerability exploited) and its
effects.
- Recommendations about restoring affected systems and services to
their previous status.
- Recovery aid in returning systems back to normal operation,
including onsite assistance.
- Recommendations on securing the system to prevent future
incidents.
AndalucíaCERT will collect statistics concerning incidents which
occur within or involve its constituency and will notify the
community as necessary to assist it in protecting against known
attacks.
5.2 Proactive Services
Proactive services provide means to reduce the number of actual
incidents by giving proper and suitable information concerning
potential incidents to the constituency.
AndalucíaCERT coordinates and maintains the services below to the
extent possible depending on its resources. For further info
regarding these services, along with instructions for subscribing
and joining mailing lists, please send an email to AndalucíaCERT
(see section 2.7), or visit the AndalucíaCERT website.
5.2.1 Monitoring of ICT infrastructures for security alerts / incidents
AndalucíaCERT will use specialized tools - e.g. SIEM - or
expertise to detect attacks in the ICT infrastructures of the
constituents subscribed to the service, and forward the alerts /
incidents to the Liaison Officer of the organization.
5.2.2 Threat hunting
AndalucíaCERT proactively searches for traces of
threats or undiscovered incidents in its constituents.
The service is based on identifying specific
tactics and techniques used by threat actors.
5.2.3 Threat intelligence
The intelligence gathered by AndalucíaCERT is analysed, stored,
managed and shared with the constituents. The data is offered
not only in the form of Indicators of Compromise (IOC), but also
as Snort rules for direct deployment into detection devices.
5.2.4 Traps programme
AndalucíaCERT performs advanced detection by deploying
traps in the form of services, to identify and gather information
about prospective attackers. To that end a specific spamtrap
programme and a honeynet are distributed among its constituents.
5.2.5 Endpoint protection
AndalucíaCERT tackles protection against ransomware by
distributing a specific ransomware vaccine deployment tool.
The alerts raised by the vaccine agent are also monitored and
handled accordingly.
5.2.6 Vulnerability Analysis and Management
AndalucíaCERT will assist its constituency in discovering and
reacting to new vulnerabilities in its ICT infrastructures. This
objective is covered through different activities:
- Automatic vulnerability scans
- Specific application or system audits using black, grey or white box techniques
- Vulnerability lifecycle follow-up
5.2.7 Security warnings, alerts and announcements
AndalucíaCERT will provide its constituency, through the
Liaison Officers' email and the AndalucíaCERT website, with
information about ongoing attacks that might affect other
constituents, security vulnerabilities, security alerts in the
general sense, and short-term recommended actions to deal with
the resulting problems.
5.2.8 Security awareness
AndalucíaCERT will provide its constituency with periodic
bulletins and news related to security best practices,
tips&tricks, documentation and tools, links to security related
sites, recommendations, etc.
The information will be sent by email to the Liaison Officers,
and will also be available in the AndalucíaCERT website.
5.2.9 Training
AndalucíaCERT will offer its constituency a training programme
focused on acquiring key cybersecurity capabilities. The programme will be
implemented through massive online courses on AndalucíaCERT's own platform,
webinars and on-site courses. The courses and their respective calls will be
announced on the AndalucíaCERT website.
5.2.10 Cyberexercises and cybersimulations
AndalucíaCERT offers periodic cyberexercises to its constituents
in order to test and improve their capabilities in a crisis situation.
There are three types of cyberexercises in scope, addressing
awareness, decision making and technical analysis of an incident.
5.2.11 Archiving services and Statistics
Records of handled security incidents will be kept. While this
information will remain confidential, periodic statistical reports
will be made available to the constituency in an anonymous way.
6 Incident Reporting Forms
Use the following template and send it by email to the appropriate
AndalucíaCERT address (see section 2.7). This is the preferred
way to report a computer security incident.
Please provide as much detail as possible and attach any relevant
file (log, email, image, etc.):
=================================================================
INCIDENT REPORT
- Type of incident detected (Phishing, Malware, DDoS,
Unauthorized use/access...):
- Incident Details (Provide a short description of the incident):
- When was this incident detected? (Provide datetime and
timezone):
- How was this incident detected? (Provide a short description,
and if this incident is related to a previous one):
- Have you taken any action to contain, mitigate and/or resolve
this incident? If so, which ones?:
- Have you reported this incident to other individuals or
organizations?:
Complete the following information about the affected system and
the attacker host.
--- Affected System (Duplicate if needed) ---
Hostname:
Domain:
IP Address:
Port:
Operating System:
Primary purpose of the affected system (Workstation, Web/DNS/
FTP/Application/Database server, Router, Firewall...):
Relevance/criticality of the affected system, if known (critical
/ very high / high / medium / low):
Level of security of the affected system, if known (system is/is
not patched, ...):
--- End Affected System ---
--- Attacker Host (Duplicate if needed) ---
Hostname:
Domain:
IP Address:
Port:
Protocol:
--- End Attacker Host ---
=================================================================
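A small parser and completeness check for reports written with the template above, added here as an example (it is not AndalucíaCERT's own tooling and does no more than the template itself asks). The field labels come from the template; the sample report at the bottom is constructed, with the wrapped labels and answers exactly as they appear when the template is filled in by hand. The only assumptions are the completeness rules in check_report (every header field answered, a timezone in the detection time, each affected system identified by hostname or IP plus an operating system, each attacker host identified somehow), which are this example's choices, not AndalucíaCERT's requirements.

```python
# Added example: parser and completeness check for incident reports written
# with the AndalucíaCERT plain-text template (section 6). Not AndalucíaCERT's
# tooling; labels come from the template, the sample report is constructed.
import re

# Labels that open a field. A line that starts with none of them is a wrapped
# label or a wrapped answer and is appended to the field that is open.
HEADER_LABELS = ("Type of incident detected", "Incident Details",
                 "When was this incident detected", "How was this incident detected",
                 "Have you taken any action", "Have you reported this incident")
SYSTEM_LABELS = ("Hostname", "Domain", "IP Address", "Port", "Operating System",
                 "Primary purpose of the affected system",
                 "Relevance/criticality of the affected system",
                 "Level of security of the affected system")
ATTACKER_LABELS = ("Hostname", "Domain", "IP Address", "Port", "Protocol")
BLOCK_START = {"--- Affected System": "systems", "--- Attacker Host": "attackers"}
BLOCK_END = ("--- End Affected System", "--- End Attacker Host")
NOISE_LINE = re.compile(r"^(=+|INCIDENT REPORT)$")
NOISE_SENTENCE = re.compile(r"Complete the following information.*?attacker host\.", re.S)
TZ_RE = re.compile(r"\b[A-Z]{3,5}\b|[+-]\d{2}:?\d{2}\b")  # CET, UTC, +01:00 ...


def _split_field(text, labels):
    """'Label (hint): answer' -> (canonical label, answer); labels hold no ':'."""
    label, _, answer = text.partition(":")
    return next(l for l in labels if label.startswith(l)), answer.strip()


def parse_report(text):
    """Return {'header': {...}, 'systems': [{...}, ...], 'attackers': [{...}, ...]}."""
    report = {"header": {}, "systems": [], "attackers": []}
    scope, labels, fields = "header", HEADER_LABELS, []
    for line in NOISE_SENTENCE.sub("", text).splitlines():
        line = line.strip()
        if not line or NOISE_LINE.match(line):
            continue
        if line.startswith(BLOCK_END):           # close an affected/attacker block
            report[scope].append(dict(_split_field(f, labels) for f in fields))
            scope, labels, fields = None, (), []
            continue
        block = next((v for k, v in BLOCK_START.items() if line.startswith(k)), None)
        if block:                                # first block closes the header
            if scope == "header":
                report["header"] = dict(_split_field(f, labels) for f in fields)
            scope, fields = block, []
            labels = SYSTEM_LABELS if block == "systems" else ATTACKER_LABELS
            continue
        body = line[2:] if line.startswith("- ") else line
        if body.startswith(labels):
            fields.append(body)
        elif fields:                             # wrapped label or answer
            fields[-1] += " " + body
    if scope == "header":                        # report without any block
        report["header"] = dict(_split_field(f, labels) for f in fields)
    return report


def check_report(report):
    """List what is missing; an empty list means the report is complete."""
    problems, head = [], report["header"]
    for lbl in HEADER_LABELS:
        if not head.get(lbl):
            problems.append(f"header: '{lbl}' is empty")
    when = head.get("When was this incident detected", "")
    if when and not TZ_RE.search(when):
        problems.append("header: detection time has no timezone")
    if not report["systems"]:
        problems.append("no affected system block")
    for i, s in enumerate(report["systems"], 1):
        if not (s.get("Hostname") or s.get("IP Address")):
            problems.append(f"affected system {i}: needs a hostname or IP address")
        if not s.get("Operating System"):
            problems.append(f"affected system {i}: operating system is empty")
    for i, a in enumerate(report["attackers"], 1):
        if not (a.get("IP Address") or a.get("Hostname") or a.get("Domain")):
            problems.append(f"attacker host {i}: no identifier given")
    return problems


SAMPLE_REPORT = """\
INCIDENT REPORT
- Type of incident detected (Phishing, Malware, DDoS,
Unauthorized use/access...): Malware
- Incident Details (Provide a short description of the incident):
Workstation beaconing to a domain listed in a shared IOC feed.
- When was this incident detected? (Provide datetime and
timezone): 2022-11-03 10:15 CET
- How was this incident detected? (Provide a short description,
and if this incident is related to a previous one): SIEM alert on DNS logs.
- Have you taken any action to contain, mitigate and/or resolve
this incident? If so, which ones?: Host isolated from the network.
- Have you reported this incident to other individuals or
organizations?: No
Complete the following information about affected system and
attacker host.
--- Affected System (Duplicate if needed) ---
Hostname: ws-0421
IP Address: 10.20.30.41
Operating System: Windows 10
Primary purpose of the affected system (Workstation, Web/DNS/
FTP/Application/Database server, Router, Firewall...): Workstation
Relevance/criticality of the affected system, if known (critical
/ very high / high / medium / low): medium
--- End Affected System ---
--- Attacker Host (Duplicate if needed) ---
IP Address: 192.0.2.77
Port: 443
Protocol: TCP
--- End Attacker Host ---
"""  # constructed sample; 10.20.30.41 / 192.0.2.77 are documentation addresses

if __name__ == "__main__":
    print(check_report(parse_report(SAMPLE_REPORT)) or "report is complete")
```

Run it on a report saved from the mail client to see which template fields were left blank before it is sent; the "Duplicate if needed" blocks are handled by appending one dictionary per block, so a report with several affected systems is checked system by system.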
7 Disclaimers
While every precaution will be taken in the preparation of
information, notifications and alerts, AndalucíaCERT assumes no
responsibility for errors or omissions, or for damages resulting
from the use of the information contained within.
-----BEGIN PGP SIGNATURE-----
=hciL
-----END PGP SIGNATURE-----