CSIRT Description for CERT Polska
=================================

1. About this document

1.1 Date of Last Update

This is version 2.0, published on 04 March 2019.

1.2 Distribution List for Notifications

Currently CERT Polska does not use any distribution lists to notify about changes in this document.

1.3 Locations where this Document May Be Found

The current version of this CSIRT description document is available from the CERT Polska WWW site; its URL is https://www.cert.pl/wp-content/uploads/2017/12/rfc2350.txt

Please make sure you are using the latest version.

1.4 Authenticating this Document

This document has been signed with the CERT Polska PGP key. The signatures are also available on our Web site, under: http://www.cert.pl/o-nas

2. Contact Information

2.1 Name of the Team

CERT Polska

2.2 Address

CERT Polska
NASK
ul. Kolska 12
01-045 Warszawa
Poland

2.3 Time Zone

Central European Time (UTC+01:00; Central European Summer Time, UTC+02:00, applies from the last Sunday of March to the last Sunday of October).

2.4 Telephone Number

+48 22 3808 274

2.5 Facsimile Number

+48 22 3808 399 (note: this is *not* a secure fax)

2.6 Other Telecommunication

None available.

2.7 Electronic Mail Address

This is a mail alias that serves the human(s) on duty for CERT Polska.

2.8 Public Keys and Other Encryption Information

CERT Polska has a PGP key whose KeyID is 969C0EB8 and whose fingerprint is

DC34 CB6E CD73 C0B1 DC8C 8AE7 FD58 C59E 969C 0EB8

The key and its signatures can be found at the usual large public keyservers. When retrieving the key from a keyserver, compare the full fingerprint above rather than the short KeyID alone, since 32-bit key IDs are not unique and a keyserver may return several keys with the same short ID.
2.9 Other Information

General information about CERT Polska, as well as links to various recommended security resources, can be found at http://www.cert.pl/

CERT Polska uses the following Facebook page to publish news about current activities: http://www.facebook.com/CERT.Polska

CERT Polska posts short messages on current events to the following Twitter accounts:
http://www.twitter.com/cert_polska
http://www.twitter.com/cert_polska_en

2.10 Points of Customer Contact

The preferred method for contacting CERT Polska is via e-mail at ; e-mail sent to this address will be handled by the responsible human. We encourage our customers to use PGP encryption when sending any sensitive information to CERT Polska.

If it is not possible (or not advisable for security reasons) to use e-mail, CERT Polska can be reached by telephone during regular office hours. Outside these hours incoming phone calls are transferred to an answering machine; all recorded messages are checked as soon as possible. CERT Polska operates 24 hours a day, every day of the year.

If possible, when submitting your report, use the form mentioned in section 6.

3. Charter

3.1 Mission Statement

The mission of CERT Polska is to identify, analyse and mitigate threats targeting Polish internet users. As an essential part of the national cyber security system, CERT Polska contributes to ensuring cyber security at the national level.

3.2 Constituency

The constituency of CERT Polska is defined in Article 26 (1) of the Act of 5 July 2018 on the national cyber security system.
All legal entities and natural persons in Poland, with the exception of:

- entities subordinate to or supervised by the Minister of National Defence, including entities whose ICT systems or ICT networks are covered by the single list of facilities, installations, devices and services included in the critical infrastructure referred to in Article 5b, paragraph 7, subparagraph 1 of the Act of 26 April 2007 on crisis management,
- companies of significant importance in terms of economy and defence, for which the authority organising and supervising their performance of tasks for the defence of the state is the Minister of National Defence,
- public finance sector entities referred to in Article 9, items 1, 8 and 9 of the Act of 27 August 2009 on public finance, with the exception of: research institutes, the Office of Technical Supervision, the Polish Air Navigation Services Agency, the Polish Centre for Accreditation, the National Fund for Environmental Protection and Water Management and the regional funds for environmental protection and water management,
- the National Bank of Poland,
- the National Development Bank,
- entities other than those listed in items 1 to 4 and paragraph 5, whose ICT systems or ICT networks are covered by the single list of facilities, installations, devices and services included in the critical infrastructure referred to in Article 5b, paragraph 7, subparagraph 1 of the Act of 26 April 2007 on crisis management.

Note that ANY incident regarding any host, network, legal entity or natural person in Poland MAY be reported to CERT Polska. Reports of incidents outside CERT Polska's constituency will be forwarded without undue delay to the relevant CSIRT, in accordance with Article 26 (8) of the Act of 5 July 2018 on the national cyber security system.

3.3 Sponsorship and/or Affiliation

CERT Polska is financially maintained by the National Research Institute NASK, of which it is formally a part.
NASK receives a specified-user subsidy from the part of the state budget assigned to the minister competent for digitalisation to fund the operations of CERT Polska.

3.4 Authority

The Act of 5 July 2018 on the national cyber security system defines the competencies and authority of "CSIRT NASK", a role assigned to NASK in the national cyber security system. The parts of that role that address operational aspects, specifically:

- monitoring of cyber security threats at the national level,
- incident response,
- information sharing,
- participation in the CSIRTs Network,

are fulfilled by CERT Polska.

4. Policies

4.1 Types of Incidents and Level of Support

CERT Polska is authorized to address all types of computer security incidents which occur, or threaten to occur, in its constituency.

The level of support given by CERT Polska will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and the availability of CERT Polska's resources at the time, though in all cases some response will be made within two working days.

Incidents will be prioritized according to their apparent severity and extent. Critical, significant and substantial incidents, as well as incidents in a public entity (as defined in Article 2 of the Act of 5 July 2018 on the national cyber security system), are coordinated by the respective CSIRTs, including CERT Polska, according to their constituency.

Incident handling is the responsibility of the individual entities. However, under Article 26 of the Act of 5 July 2018 on the national cyber security system, in justified cases and at the request of operators of essential services, digital service providers or public entities, CERT Polska may provide support in incident handling.
4.2 Co-operation, Interaction and Disclosure of Information

CERT Polska exchanges all necessary information with other CSIRTs, other entities included in the Polish national cyber security system, as well as with the administrators of affected parties. No personal or overhead data are exchanged unless explicitly authorized.

All sensitive data (such as personal data, system configurations, and known vulnerabilities together with their locations) are encrypted if they must be transmitted over an unsecured environment, as described in section 4.3.

4.3 Communication and Authentication

In view of the types of information that CERT Polska deals with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP will be used. Network file transfers will be considered similar to e-mail for these purposes: sensitive data should be encrypted for transmission.

Where it is necessary to establish trust, for example before relying on information given to CERT Polska, or before disclosing confidential information, the identity and bona fides of the other party will be ascertained to a reasonable level of trust. Within NASK, and with known neighbour sites, referrals from known trusted people will suffice to identify someone. Otherwise, appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, etc., along with telephone call-back or e-mail mail-back to ensure that the party is not an impostor. Incoming e-mail whose data must be trusted will be checked with the originator personally, or by means of digital signatures (PGP in particular is supported).

5. Services

5.1 Incident Response

CERT Polska will provide incident response capabilities in the following areas:

5.1.1 Incident Triage

- Investigating whether an incident has indeed occurred.
- Determining the extent of the incident.

5.1.2 Incident Coordination

- Determining the initial cause of the incident (vulnerability exploited).
- Facilitating contact with other sites which may be involved.
- Facilitating contact with appropriate law enforcement officials, if necessary.
- Making reports to other CSIRTs.
- Composing announcements to users, if applicable.

5.1.3 Incident Handling

In some cases, limited support may be provided in technical incident handling, including malware and forensic analysis, threat hunting and evidence collection. The extent of this support will depend on the type and severity of the incident, and on the type of the affected entity.

5.2 Proactive Services

CERT Polska coordinates and maintains the following services to the extent possible depending on its resources:

- Network security information sharing platform ("n6"), available to all network administrators: https://n6.cert.pl/
- Information services through the following channels:
  = website: https://www.cert.pl/
  = Facebook page: https://facebook.com/CERT.Polska
  = Twitter: https://twitter.com/CERT_Polska (PL) and https://twitter.com/CERT_Polska_en (EN)
- Training and educational services: CERT Polska organizes an annual SECURE conference covering current important security issues, which is open to all interested parties. CERT Polska contributes to NASK's activities in the area of awareness raising and education on cyber security.

5.3 Research and Development

CERT Polska provides tools and facilities to monitor and analyze threats:
https://github.com/CERT-Polska
https://www.cert.pl/en/projekty/

6. Incident Reporting Forms

CERT Polska has created a local form designated for reporting incidents to the team. We strongly encourage anyone reporting an incident to fill it out, although this is never required.
The current version of the form is available from: https://incydent.cert.pl/

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, CERT Polska assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.