CSIRT Description for CERT Polska
=================================

1. About this document

1.1 Date of Last Update

    This is version 2.1, published on 13 March 2025.

1.2 Distribution List for Notifications

    Currently, CERT Polska does not use any distribution lists to notify
    about changes in this document.

1.3 Locations where this Document May Be Found

    The current version of this CSIRT description document is available
    from the CERT Polska website; its URL is
    https://cert.pl/uploads/misc/rfc2350.txt
    Please make sure you are using the latest version.

1.4 Authenticating this document

    This document has been signed with the CERT Polska PGP key.
    The signature is also available on our website at URL:
    https://cert.pl/en/uploads/misc/pgp-pubkey.asc

2. Contact Information

2.1 Name of the Team

    CERT Polska

2.2 Address

    CERT Polska
    NASK - National Research Institute
    ul. Kolska 12
    01-045 Warszawa
    Poland

2.3 Time Zone

    Central European Time (GMT+0100, GMT+0200 from April to October)

2.4 Telephone Number

    +48 22 380 82 74

2.5 Other Telecommunication

    None available.

2.6 Electronic Mail Address

    This is a mail alias that serves the humans on duty for CERT Polska.
2.7 Public keys and Other Encryption Information

    CERT Polska has a PGP key whose KeyID is 969C0EB8 and whose
    fingerprint is
    DC34 CB6E CD73 C0B1 DC8C 8AE7 FD58 C59E 969C 0EB8
    The key and its signatures can be found at the usual large public
    keyservers and at https://cert.pl/en/uploads/misc/pgp-pubkey.asc

2.8 Other Information

    General information about CERT Polska, as well as links to various
    recommended security resources, can be found at https://cert.pl/en/

    CERT Polska uses the following Facebook page to publish news about
    current activities:
    https://www.facebook.com/CERT.Polska

    CERT Polska posts short messages on current events to the following
    X accounts:
    https://x.com/cert_polska
    https://x.com/cert_polska_en

2.9 Points of Customer Contact

    The preferred method for contacting CERT Polska is via e-mail at ;
    e-mail sent to this address will be handled by the responsible human.
    We encourage our customers to use PGP encryption when sending any
    sensitive information to CERT Polska.

    If it is not possible (or not advisable for security reasons) to use
    e-mail, CERT Polska can be reached by telephone during regular office
    hours. Outside these hours, incoming phone calls are transferred to an
    answering machine. All recorded messages are checked ASAP.

    CERT Polska operates 24 hours a day, every day of the year.

    If possible, when submitting your report, use the form mentioned in
    section 6.

3. Charter

3.1 Mission Statement

    The mission of CERT Polska is to identify, analyse and mitigate
    threats targeting Polish internet users. As an essential part of the
    national cybersecurity system, CERT Polska, in the role of CSIRT NASK,
    contributes to ensuring cybersecurity at the national level.

3.2 Constituency

    The constituency of CERT Polska is defined in Article 26 (1) of the
    Act of 5 July 2018 on the national cybersecurity system.
    They are all legal entities and persons in Poland, excluding the
    constituency of the other two national CSIRTs, which are: central
    government departments, agencies supervised by the Prime Minister,
    critical infrastructure entities and the military.

    Note that ANY incident involving any host, network, legal entity or
    a person in Poland MAY be reported to CERT Polska. Reports of
    incidents outside CERT Polska's constituency will be forwarded without
    undue delay to the relevant CSIRT.

3.3 Sponsorship and/or Affiliation

    CERT Polska is a part of NASK - National Research Institute, which is
    fully owned by the state and under the supervision of the Minister of
    Digital Affairs. Day-to-day operations of CERT Polska are financed
    from the state budget.

3.4 Authority

    The Act of 5 July 2018 on the national cybersecurity system defines
    the competencies and authority of CSIRT NASK - a role assigned to NASK
    in the national cybersecurity system.

    The Act of 28 July 2023 on Combating Abuse in Electronic
    Communications imposes on CSIRT NASK the obligations of maintaining
    systems preventing phishing, smishing and CLI spoofing.

    CERT Polska fulfills parts of the CSIRT NASK role, specifically
    addressing operational aspects such as:
    - monitoring of cybersecurity threats at the national level,
    - incident response,
    - information sharing,
    - participation in CSIRTs Network.

4. Policies

4.1 Types of Incidents and Level of Support

    CERT Polska is authorized to handle all types of computer security
    incidents which occur, or threaten to occur, within its constituency.

    The level of support given by CERT Polska will vary depending on the
    type and severity of the incident or issue, the type of constituent,
    the size of the user community affected, and the availability of
    CERT Polska's resources at the time. However, in all cases some
    response will be provided within two working days.

    Incidents will be prioritized according to their apparent severity
    and extent.
    Critical, significant and substantial incidents, as well as incidents
    in public entities (as defined in Article 2 of the Act of 5 July on
    the national cybersecurity system) are coordinated by the respective
    CSIRTs - including CERT Polska, according to their constituency.

    Incident handling is the responsibility of individual entities.
    However, under Article 26 of the Act of 5 July on the national
    cybersecurity system, in reasonable cases, at the request of operators
    of essential services, digital service providers, or public entities,
    CERT Polska may provide direct support in incident handling.

4.2 Co-operation, Interaction and Disclosure of Information

    CERT Polska exchanges all necessary information with other CSIRTs,
    other entities included in the Polish national cybersecurity system,
    as well as with affected parties' administrators. No personal nor
    overhead data are exchanged unless explicitly authorized.

    CERT Polska supports the Information Sharing Traffic Light Protocol
    (TLP 2.0). Any communication that comes with tags supported by the
    TLP will be handled appropriately.

    All sensitive data (such as personal data, system configurations,
    known vulnerabilities with their locations) are encrypted if they
    must be transmitted over an unsecured environment, as stated below.

4.3 Communication and Authentication

    In view of the types of information that CERT Polska deals with,
    telephones will be considered sufficiently secure to be used even
    unencrypted. Unencrypted e-mail will not be considered particularly
    secure, but will be sufficient for the transmission of low-sensitivity
    data. If it is necessary to send highly sensitive data by e-mail, PGP
    will be used. Network file transfers will be considered to be similar
    to e-mail for these purposes: sensitive data should be encrypted for
    transmission.
    Where it is necessary to establish trust — such as before relying on
    information provided to CERT Polska or before disclosing confidential
    information — the identity and bona fides of the other party will be
    verified to a reasonable level of assurance. Within NASK and among
    known neighboring sites, referrals from trusted individuals will
    suffice for identification. Otherwise, appropriate methods will be
    employed, including searching FIRST membership records, using WHOIS
    and other Internet registration databases, as well as telephone
    call-backs or e-mail verification to confirm that the party is not an
    impostor. Incoming e-mails containing data that must be trusted will
    be verified directly with the sender or through the use of digital
    signatures, particularly PGP, which is supported.

5. Services

    The list of services is based on FIRST CSIRT Services Framework
    https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2-1

5.1 Information security event management

    Monitoring and detection
    Event analysis

    CERT Polska performs monitoring and detection to identify potential
    security threats and vulnerabilities. Analysis of security events is
    conducted to understand the nature and impact of incidents, enabling
    informed decision-making and mitigation strategies.

5.2 Information security incident management

    CERT Polska provides incident response capabilities in the following
    areas:

5.2.1 Information security incident report acceptance
      Information security incident analysis

    - Investigating whether indeed an incident occurred.
    - Determining the extent of the incident.

5.2.2 Artifact and forensic evidence analysis
      Mitigation and recovery
      Information security incident coordination
      Crisis management support

    - Determining the initial cause of the incident (vulnerability
      exploited)
    - Facilitating contact with other sites which may be involved.
    - Facilitating contact with appropriate law enforcement officials,
      if necessary.
    - Making reports to other CSIRTs
    - Composing announcements to users, if applicable

5.3 Vulnerability Management

    Vulnerability discovery / research
    Vulnerability report intake
    Vulnerability analysis
    Vulnerability coordination
    Vulnerability disclosure
    Vulnerability response

    CERT Polska is a Partner of the CVE Program as a CNA (CVE Numbering
    Authority).

    The Coordinated Vulnerability Disclosure Policy is available at:
    https://cert.pl/en/cvd/

    Information about processed vulnerabilities and published advisories
    is available at: https://cert.pl/en/cve/

5.4 Situational awareness

    Data acquisition
    Analysis and synthesis
    Communication

    CERT Polska coordinates and maintains the following services to the
    extent possible depending on its resources:
    - Dangerous websites Warning List:
      https://cert.pl/en/warning-list/
    - Network security information sharing platform ("n6") available to
      all network administrators: https://cert.pl/en/n6/
    - Artemis vulnerability scanner:
      https://cert.pl/en/posts/2024/01/artemis-security-scanner/
    - Malware database system: https://mwdb.cert.pl/
    - Platform integrating services for administrators:
      https://moje.cert.pl/
    - Malicious text patterns: https://telegraf.cert.pl/
    - Information services through the following channels:
      = Facebook website: https://facebook.com/CERT.Polska
      = X: https://x.com/CERT_Polska (PL) and
        https://x.com/CERT_Polska_en (EN)
    - Training and educational services: https://hack.cert.pl/

5.5 Knowledge transfer

    Awareness building
    Training and education
    Technical and policy advisory

    CERT Polska's threat analysis articles and reports are published on
    the website: https://cert.pl/

    CERT Polska provides tools and facilities to monitor and analyze
    threats: https://github.com/CERT-Polska

    CERT Polska organizes an annual SECURE conference covering current
    important security issues, which is open to all interested parties.
    Conference's website: https://secure.edu.pl/

    CERT Polska contributes to NASK's activities in the area of awareness
    raising and education on cybersecurity.

6. Incident Reporting Forms

    CERT Polska has created a local form designated for reporting
    incidents to the team. We strongly encourage anyone reporting an
    incident to fill it out, although this is never required.
    The form is available at: https://incydent.cert.pl/

7. Disclaimers

    While every precaution will be taken in the preparation of
    information, notifications and alerts, CERT Polska assumes no
    responsibility for errors or omissions, or for damages resulting from
    the use of the information contained within.