RFC 2350

1. Document Information

This document contains a description of CSIRT-VUT according to RFC 2350. It provides basic information about the CSIRT, the ways it can be contacted, describes its responsibilities and the services offered.

1.1 Date of Last Update

This is version 1.0.1 as of 2022/08/29.

1.2 Distribution List for Notifications

There is no distribution list for notifications about changes in this document.

1.3 Locations where this Document May Be Found

The current version of this document can always be found at https://www.vut.cz/i/download/csirt/rfc2350.txt.

2. Contact Information

2.1 Name of the Team

CSIRT-VUT: Computer Security Incident Response Team of Brno University of Technology

2.2 Address

CSIRT-VUT
COMPUTER AND INFORMATION SERVICES CENTRE
Kolejni 2906/4
612 00 Brno
Czech Republic

2.3 Time Zone

Central European Time: GMT+1, DST: GMT+2 (DST starts at 01:00 UTC on the last Sunday in March and ends at 01:00 UTC on the last Sunday in October.)

2.4 Telephone Number

+420 541 145 419

2.5 Facsimile Number

None. Please use email.

2.6 Other Telecommunication

None.

2.7 Electronic Mail Address

Please send incident reports to cert@vutbr.cz. Non-incident-related mail should be addressed to noc@vutbr.cz.

2.8 Public Keys and Encryption Information

CSIRT-VUT uses the following PGP key:

pub 4096R/4D13A4CC
uid CSIRT-VUT
key fingerprint C329 F666 F843 F52E 59DF 76CE 6273 0B9D 4D13 A4CC

The key can be found on most key-servers.

2.9 Team Members

Further information about the team is listed at the CSIRT-VUT web pages.

2.10 Other Information

General information about the CSIRT-VUT can be found at https://csirt.vutbr.cz/.

2.11 Points of Customer Contact

The preferred method for contacting CSIRT-VUT is via e-mail. For incident reports and related issues please use cert@vutbr.cz. This will create a ticket in our tracking system and alert an admin. For general inquiries please send e-mail to noc@vutbr.cz.
If it is not possible (or advisable due to security reasons) to use e-mail, you can reach us via telephone at +420 541 145 419. The CSIRT-VUT's hours of operation are generally restricted to 09:00-17:00 Monday to Friday except for holidays.

3. Charter

3.1 Mission Statement

The goals of CSIRT-VUT are:
- to create a trustworthy central contact point for ICT infrastructure at BUT,
- to prevent, detect and resolve computer security incidents related to the BUT infrastructure,
- to raise IT security awareness among students and staff of BUT,
- to research and develop tools, technologies and procedures to contribute to the state-of-the-art cyber security domain.

3.2 Constituency

The constituency comprises students and staff of Brno University of Technology, Brno, Czech Republic, and the Brno University network:
- all IPv4 addresses within range 147.229.0.0/16,
- all IPv6 addresses within range 2001:67c:1220::/46,
- domains *.vutbr.cz, *.vut.cz, *.vutbr.net.

3.3 Sponsorship and/or Affiliation

CSIRT-VUT is part of Computer and Information Service Centre, Brno University of Technology.

3.4 Authority

According to Brno University of Technology, Information Service Centre, Internal regulation No. 1/2018, CSIRT-VUT ensures coordination and sets the procedure for security incident handling.

According to Guideline No. 22/2017, Rules of Operation of the BUT Computer Network, it is authorized to:
- monitor the operations of the computer resources in the network domain of VUT within the limits of the relevant legal regulations pertaining to protection of privacy, protection of communications and processing of personal data,
- disconnect a network subdomain or a host
    - if there is reasonable suspicion that they are being abused by an unauthorized person (attacker),
    - whose administrator does not adequately respond to a security incident report pertaining to such subdomain machine or subdomain,
    - if technical resources were connected to such domain or changes were made to the network software configuration without the administrator's knowledge and such resources or such change led to serious malfunctions threatening the operations of the VUT network,
- set other binding rules regulating the specific activities in connected subdomains (specifying DNS servers, communications protocols, degree of openness of certain network services, rules for reporting security incidents and reacting to them, etc.),
- withdraw network access for a period of at most one month from a user who breached the provisions of this directive.

4. Policies

As a part of Brno University of Technology, CSIRT-VUT complies with internal regulations and standards of Brno University of Technology, such as Internal regulation No. 1/2018 and Guideline No. 22/2017.

CSIRT-VUT also recognizes and uses best practices formulated by the European community of CSIRTs (TF-CSIRT and Trusted Introducer) and ENISA, EU Agency for Network and Information Security, for example TI's CSIRT Code of Practice.

4.1 Types of Incidents and Level of Support

CSIRT-VUT is authorized to address all types of computer security incidents which occur, or threaten to occur, in its Constituency (see 3.2).

The level of support given by CSIRT-VUT will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and CSIRT-VUT's resources at the time. Special attention will be given to issues affecting critical infrastructure.

4.2 Co-operation, Interaction and Disclosure of Information

CSIRT-VUT will cooperate with other organisations in the field of computer security. This cooperation also includes and often requires the exchange of vital information regarding security incidents and vulnerabilities. In such cases CSIRT-VUT conforms to the Information Sharing Traffic Light Protocol (TLP).
Nevertheless, CSIRT-VUT will protect the privacy of its customers.

CSIRT-VUT operates under the restrictions imposed by Czech law. This involves careful handling of personal data as required by the Personal Data Protection Act, but it is also possible that - according to Czech law - CSIRT-VUT may be forced to disclose information due to a court order.

4.3 Communication and Authentication

For normal communication not containing sensitive information CSIRT-VUT will use conventional methods like unencrypted e-mail. For secure communication PGP-encrypted e-mail or telephone will be used.

If it is necessary to authenticate a person before communicating, this can be done either through existing webs of trust (e.g. TI, FIRST) or by other methods like call-back, mail-back or even face-to-face meeting if necessary.

5. Services

5.1 Incident Response

CSIRT-VUT handles cybersecurity incidents in order to defend Brno University of Technology's network. In particular it handles these types of incidents:
- incidents which threaten the security of BUT's network infrastructure (these include DoS attacks, password breaks, port scanning, etc.)
- attacks on users of BUT's network and services (for example phishing or e-mail scams)
- other cybersecurity incidents which are relevant to BUT

CSIRT-VUT will assist system administrators in handling the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management:

5.1.1 Incident Triage

- Determining whether an incident is authentic
- Determining the extent of the incident.

5.1.2 Incident Coordination

- Determining the involved organizations
- Contacting the involved organizations to investigate the incident and take the appropriate steps
- Facilitating contact with other parties which can help resolve the incident.
- Facilitating contact with other sites which may be involved
- Facilitating contact with appropriate law enforcement officials, if necessary.

5.1.3 Incident Resolution

- Collecting the evidence of the incident.

5.2 Proactive Activities

CSIRT-VUT:
- constantly monitors current cyber-security threats and informs about those which are relevant to BUT users. Each report also contains basic recommendations for reducing the risk of the threat.
- offers testing services developed or operated at BUT in order to detect vulnerable components, outdated software and possible attack vectors.
- provides education for IT administrators within its constituency (see 3.2) on preventing and processing security incidents. The team also provides them with basic security advice.

6. Incident Reporting Forms

Please report security incidents by email (see 2.7) and include the following information:
- Contact information (name, university ID number, email) so that we can reach out to you.
- Try to describe the problem in your own words with as many details as possible. It will help us understand and resolve the issue.
- If needed, you can attach some files to the report (e.g., a screenshot of the problem).

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, CSIRT-VUT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.