...
Description for eduGAIN CSIRT
About this document
This is version 1.0.1, draft 2021/07/14, May 25th 2022.
Distribution List for Notifications
Notifications of updates are submitted to the eduGAIN Steering Group mailing list edugain-sg@lists.geant.org. The eduGAIN Steering Group mailing list is composed by of all the delegates and deputies of the eduGAIN participants, the subscription is managed by the eduGAIN Service. The mailing list is not moderated.
Locations where this Document May Be Found
The
...
current
...
version
...
of
...
this
...
CSIRT
...
description
...
document
...
is
...
available
...
from
...
the
...
eduGAIN
...
CSIRT website, https://edugain.org/edugain-security/
Please make sure you are using the latest version.
...
Authenticating this Document
This
...
document
...
has
...
been
...
signed
...
with
...
the
...
eduGAIN
...
CSIRTs
...
PGP
...
key.
...
The
...
signatures
...
are
...
also
...
on
...
our
...
Web
...
site,
...
under
...
: https://edugain.org/edugain-security/
Contact Information
Name of the Team
eduGAIN - CSIRT: The eduGAIN Computer Security Incident Response Team.
Address
GEANT C/O eduGAIN - CSIRT
PROBABLY THE GEANT
Hoekenrode 3
6th floor
1102 BR Amsterdam
The NetherlandsPOSTAL ADDRESS
Time Zone
Europe/Amsterdam (GMT+0100, and GMT+0200 from April to October)
Telephone Number
+31 12345679 (SOME GEAN OFFICE NUMBER, where the Opertor at least knows what to do when contacted on security issues related to eduGAIN)
Facsimile Number
...
44 1223 733033
Facsimile Number
Not available.
Other Telecommunication/Instant messaging
Not available.OTHER METHODS MONITORED BY THE eduGAIN CSIRT (keybase? slackchannel?)
Electronic Mail Address
...
This address can be used to report all security incidents which relate to the eduGAIN participants. This is a mail alias that relays mail to the human(s)
...
on
...
duty
...
for
...
the
...
eduGAIN
...
CSIRT.
Public Keys and Other Encryption Information
The
...
eduGAIN
...
CSIRT
...
has
...
a
...
PGP
...
key,
...
whose
...
fingerprint
...
F9FF B82B 9700 72D1 F753 25CF 5E3C 31D7 CE43 BCB8....
is
0497 8576 D7A6 3151 5401 DB98 697A 900B 7C8E 095E
The key and its signatures can be found at the usual large public keyservers.
Team Members
The eduGAIN - CSIRT team is coordinated by the eduGAIN - CSIRT security officer . Other team members along with their contact information are listed at the eduGAIN-CSIRT web page: <eduGAIN-CSIRT.WEBPAGE.ORG>and it is composed by security experts from the constituent participants and the Research and Education community. The current team composition is available on the eduGAIN wiki: <URL>
eduGAIN CSIRT will use the information you provide to help solve security incidents affecting eduGAIN. This means that by default the information will be distributed further to the appropriate parties – but only on a need-to-know base, and preferably anonymized.
Other Information
General
...
information
...
about eduGAIN security is in https://edugain.org/edugain-security/
The eduGAIN CSIRTs hours of operation are Monday - Friday
...
09:00-17:00
...
(CET/CEST)
...
, except public holidays. Outside business hours, eduGAIN CSIRT provides support on a best effort basis.
Charter
Mission Statement
The eduGAIN -CSIRT provides security incident coordination for eduGAIN and is the primary contact point for questions related to security issues affecting eduGAIN participants. Therefore eduGAIN-CSIRT operates and maintains a communications infrastructure and provides forensics support on request to end entities in coordination with the respective federations.
Constituency
CSIRT provides a central contact and support point for security incidents at the inter-federation level. It will work in close collaboration with Federation Security Contacts and Federation Operators to coordinate the investigation and resolution of suspected security incidents at the inter-federation level.
Constituency
eduGAIN consists of Federations whose primarily goal is to provide authentication and authorisation services to the research and education community. The eduGAIN Service provides an infrastructure for establishing trusted communications between Entities, such as Identity and Service Providers, belonging to different Federations.
Please refer to the [eduGAIN Constitution] for further details.
For an up to date list of the current eduGAIN Participants you can refer to: https://technical.edugain.org/statusThe eduGAIN constituency is the eduGAIN participants.
Sponsorship and/or Affiliation
eduGAIN is abc... the role of federations in eduGAIN goes here probably as wellCSIRT team members affiliated to a GEANT members will be funded by the GEANT project. Other members will be funded by their respective organisations.
Authority
eduGAIN -CSIRT is authorized CSIRT operates with authority delegated by the eduGAIN Steering Group to investigate any activity within its Terms of Reference and, in coordination with the federations, take all necessary controlling actions to contain and mitigate suspected and confirmed computer incidents to limit the extend of possible service degradation or reputation damage to eduGAIN.
Policies
coordinate incident response at the inter-federation level and provide the services described in section 5 of this document.
Policies
The eduGAIN policy framework is available on the eduGAIN Technical site at the following URL:
https://technical.edugain.org/documentswe do not really have an extended set of policies
Types of Incidents and Level of Support
All security incidents that may have an impact at the inter-federation level are managed by eduGAIN CSIRT.
eduGAIN CSIRT aims to respond to requests within 4 office hours.
Co-operation, Interaction and Disclosure of Information
federations and comm flows go here, also comms to eSG
Communication and Authentication
TLP adherence and optional encrypted comms go here
Services
Incident Response
This the service a CSIRT has to provide
Incident Triage
- Investigating whether indeed an incident occured.
- Determining the extent of the incident. Single entity, or multiple federations affected.Incident Coordination
Incident Resolution
Proactive Activities
We can't do much here I'm afraid
Incident Reporting Forms
Link to possible incident-report templates
Disclaimers
...
The eduGAIN CSIRT closely collaborates with the Federation Security Contacts, Federation Operators, entities Security Contacts and the National Research and Education Network CSIRTs and CERTs to ensure that all the parties affected by a security incident at the inter-federation level are timely alerted and supported in the investigation, limitation and remediation process.
The roles and interactions of the different entities relevant to incident response within eduGAIN are described in the eduGAIN Security Incident Response Handbook [eduGAIN-SIRH]
eduGAIN CSIRT reports to the eduGAIN Steering Group (eSG).
Communication and Authentication
ALL incoming information is handled confidentially by eduGAIN CSIRT, regardless of its priority.
eduGAIN CSIRT supports the Traffic Light Protocol [FIRST TLP] - information that comes in with the tags WHITE, GREEN, AMBER or RED will be handled appropriately.
Untagged information will be treated as TLP-GREEN (see above). eduGAIN CSIRT will use the information you provide to help solve security incidents affecting eduGAIN. This means that by default the information will be distributed further to the appropriate parties – within the limits of the set TLP Tag, but only on a need-to-know base, and preferably anonymized.
Services
Incident Response
eduGAIN CSIRTs major IT security incident management function is incident coordination across eduGAIN Federations.
Incident Triage
eduGAIN CSIRT will support the eduGAIN participants investigating whether indeed an incident occurred and in case, determining the extent of the incident. This ranges from a single entity registered in one or more federations, to multiple entities from different federations affected.
Incident Response Coordination
eduGAN-CSIRT will organize the security incident communications across affected participants and coordinate the response activities to allow for an efficient containment and subsequently resolution of security incidents.
Incident Resolution
The incident resolution is ultimately the task of the organizations responsible for the affected entities. If possible and on request, eduGAIN CSIRT will support the entities in coordination with the federations.
Proactive Activities
The eduGAIN CSIRT will maintain the security communication channels with all the eduGAIN participants. In order to do that, from time to time, the eduGAIN CSIRT will organize communication challenges to assess the reliability and responsiveness of the communication infrastructure.
The eduGAIN CSIRT will occasionally share information about prominent security threats and vulnerabilities that may affect the eduGAIN community .
Incident Reporting Forms
The following form will be used to notify a suspected or verified security incident to any affected party. All the incident reports will be signed by the eduGAIN CSIRT with its PGP key.
Subject: [TLP:COLOR] subject
TLP:COLOR
## SUMMARY ##
Summary of the report.## INTRUSION TIMELINE ##
YYYY-MM-DD HH:MM:SS event 1
..
YYYY-MM-DD HH:MM:SS event N## INDICATORS OF COMPROMISE
Available IoCs.## REPORTING & SHARING
Where to report back about new findings on the incident.
The above form is based on the AARC Deliverable DNA3.2-Security Incident Response Procedure [AARC-DNA3.2]
Disclaimers
While every precaution will be taken in the preparation of information, notifications and alerts, eduGAIN CSIRT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.
References
[eduGAIN Constitution] https://technical.edugain.org/doc/eduGAIN-Constitution-v3ter-web.pdf
[FIRST TLP] https://www.first.org/tlp
[eduGAIN-SIRH] https://wiki.geant.org/download/attachments/218464365/eduGAIN%20Security%20Incident%20Response%20Handbook-v1-eSG-feedback.pdf
[AARC-DNA3.2] https://aarc-project.eu/wp-content/uploads/2017/02/DNA3.2-Security-Incident-Response-Procedure-v1.0.pdf