Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Security Team -> CSIRT

The eduGAIN Security Team CSIRT's main duty is to provide a central coordination point at the inter-federation level for the security incident response. Moreover, the team will share information on  security threats relevant for the eduGAIN community.

While each Federation Operator and Federation Participant provides security support within their respective domain of responsibility, inter-federation remains everybody's responsibility, which means no entity is effectively accountable to do the necessary work. Yet, when defending against global attacks targeting global services, inter-federation must be at the core of incident response strategy.
The eduGAIN Security Team CSIRT supports this collective responsibility in inter-federation incident response within eduGAIN.

The eduGAIN Security Team CSIRT is a central contact and support point for security incidents, and coordinates the investigation and resolution of suspected security incidents that affect Federation Operators and Federation Participants. This includes notifying Federation Participants and Federation Operators or any other relevant entity about attacks potentially affecting them.

The collective expertise and experience accumulated by the eduGAIN community as it defends against attacks is invaluable. The eduGAIN Security Team CSIRT ensures that lessons learned, statistics, and other useful information are disseminated appropriately to improve our security posture as a global, united community.

eduGAIN Security Incident Response Handbook

The eduGAIN Security Team CSIRT in collaboration with the REFEDS Sirtfi WG developed an eduGAIN Security Incident Response (SIR) Handbook, which is currently under consultation, after REFEDS consultation (see https://wiki.refeds.org/x/-oCNAw) is now promoted across eduGAIN community for adoption.

The eduGAIN SIR handbook defines the process for resolving security incidents affecting eduGAIN participants involving all key stakeholders. In particular, it is essential to involve the federation in security operations or possible intrusions affecting eduGAIN entities.

...

Security threats information sharing

The eduGAIN Security Team CSIRT will share information on potential and actual security threats with the federation security contacts and if needed with the entities's Sirtfi security contacts.

This includes vulnerabilities, malicious indicators and exposed or compromised credentials ;
. Whenever possible the eduGAIN Security Team CSIRT will notify entities when information about exposed credentials surfaces. Although the origin of the compromise or its context may not be known, the available data is made available to the possibly affected entity, so that they can make their own determination.

...

  • Strictly abiding to the Traffic Light Protocol (TLP, https://www.first.org/tlp/), which is used in most communications to mark information being shared according to its sensitivity and the audience with whom it may be shared. TLP violations will be followed-up with the utmost severity.
  • Urging all entities to adopt (and update their metadata accordingly) the Sirtfi framework (https://refeds.org/sirtfi). Federation Participants that support the Sirtfi framework (https://refeds.org/sirtfi) will receive full Incident Response information, more details on vulnerabilities or ongoing attacks, and support. Federation Participants that do not support Sirtfi will receive limited information and support. 

...

For computer security emergencies or in case a security incident is suspected:

Contact the eduGAIN Security TeamCSIRT: abuse@edugain.org

PGP key fingerprint: F9FF B82B 9700 72D1 F753 25CF 5E3C 31D7 CE43 BCB8