In incident handling, working communication channels are paramount, and their functioning should be assessed regularly.

The standard communication tool is still e-mail, sometimes combined with a ticket system and/or extensions such as cryptographic signing or encrypted communication.

While the e-mail and ticket systems in use do not change often, the contact addresses are rather dynamic and need regular verification.

Any support team responsible for coordinating activities, such as incident coordination, needs to know the status of the communication channels in use.

One way to assess the foundation of the communication channels is to run so-called communication challenges; see for example https://wise-community.org/sccc/, or the reaction tests exercised in the GEANT TF-CSIRT.

Past editions

Communication Challenge Toolset

The toolset used was developed by EGI CSIRT and adapted to the more generic situation we have in eduGAIN. It consists of:

  • a web server with an edugain.org server certificate;
  • a unique URL generator;
  • a script that generates the "personalized" challenge message sent to each participant;
  • an evaluation based on the analysis of the web server logs (access times of the unique URLs) and the timestamps of the mails sent to the participants;
  • the anonymized results, made available in graphical format on the web server.

Input

Recipients list

The security contact e-mail addresses are retrieved from the eduGAIN Database using the APIs published on the technical site.

The addresses are provided in a CSV file with the following format: <Identity Federation Name>,<Email>.

The script that queries the API is available on the GEANT GitLab:

https://gitlab.geant.org/edugain/edugain-contacts/-/blob/master/identity_federations_security_contacts.py

Mail template (participants)

Dear {NAME},

you have received this message to verify the security contact data set in the eduGAIN Database for your Identity Federation. Please confirm that this contact is still correct by clicking the following URL and following the instructions:

https://challenge.edugain.org/{UNIQUE_URL}

No further action is required except for the above.

Sincerely yours,
eduGAIN Security Team

The content in "{ }" will be filled in automatically by the communication challenge toolset, based on the participants CSV file.

Make sure to replace "< >" with meaningful input.

Communication challenge process

  1. Prepare the input files (see Input).
  2. Announce the challenge through the entity coordinating the activities in the challenged community, about one week before the run (optional).
  3. Start the challenge: send the messages with the instructions (see mail template).
  4. Close the challenge one week after sending the messages; any reply taking more than a week is probably useless in incident response.
  5. Send the (anonymized) result graphic to the recipients.
  6. Follow up on participants that did not react, on wrong contact addresses mentioned in the challenge-related communications, and on unexpected effects of the different ticket systems possibly used by different participants.

Expected results

  • list of valid contact addresses
  • list of invalid contact addresses
  • reaction times of the participants
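The following is an added example, not the EGI CSIRT/eduGAIN toolset itself, that models the pieces described in the toolset list, the mail template and the process above in one small script: parsing the `<Identity Federation Name>,<Email>` recipients file, giving each recipient an unguessable unique URL token, rendering the template, and then evaluating a web server access log against the send timestamps to produce the three expected results (valid contacts, invalid contacts, reaction times). It assumes a combined-format access log in which the challenge URL path is just `/{UNIQUE_URL}`, that the sending script records when each mail went out, and that bounces are collected separately; all CSV rows, tokens, timestamps and log lines are constructed for the demo.

```python
import csv
import io
import re
import secrets
from datetime import datetime, timedelta, timezone

# Added example: a minimal model of the communication-challenge toolset. It is NOT the
# EGI CSIRT / eduGAIN toolset; the CSV, log lines and timestamps below are constructed.
TEMPLATE = (
    "Dear {NAME},\n\n"
    "you have received this message to verify the security contact data set in the "
    "eduGAIN Database for your Identity Federation. Please confirm that this contact "
    "is still correct by clicking the following URL and following the instructions:\n"
    "https://challenge.edugain.org/{UNIQUE_URL}\n\n"
    "No further action is required except for the above.\n\n"
    "Sincerely yours,\neduGAIN Security Team\n"
)


def load_recipients(csv_text):
    """Parse rows of the form <Identity Federation Name>,<Email>; malformed rows are skipped."""
    recipients = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 2:
            continue
        name, email = (field.strip() for field in row)
        if name and "@" in email:
            recipients.append((name, email))
    return recipients


def generate_challenges(recipients, new_token=lambda: secrets.token_urlsafe(16)):
    """Give every recipient its own unguessable URL token (the 'unique URL generator').

    The token is the only thing a visitor presents, so it must not be derivable from the
    recipient (hence a CSPRNG by default); new_token is injectable for reproducible runs.
    """
    challenges = {}
    for name, email in recipients:
        token = new_token()
        if token in challenges:
            raise ValueError("token collision")
        challenges[token] = {"name": name, "email": email}
    return challenges


def render_message(name, token):
    """Fill the {NAME} and {UNIQUE_URL} placeholders of the mail template."""
    return TEMPLATE.format(NAME=name, UNIQUE_URL=token)


# One line of combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<time>[^\]]+)\] "GET /(?P<path>\S*) HTTP/[\d.]+" (?P<status>\d{3})'
)


def parse_access_log(log_text):
    """Return (token, timestamp) for every successful GET; anything else is ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        when = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
        token = m.group("path").split("?", 1)[0]   # drop any query string
        hits.append((token, when))
    return hits


def evaluate(challenges, sent_at, hits, bounced=(), deadline=timedelta(days=7)):
    """Classify contacts and compute reaction times.

    challenges: token -> {"name", "email"}; sent_at: token -> datetime the mail went out;
    hits: output of parse_access_log; bounced: addresses for which a bounce came back.
    Only the earliest hit per token counts, and only inside the deadline: a reaction
    after a week is treated as no reaction, as step 4 of the process states.
    """
    first_hit = {}
    for token, when in hits:
        if token in challenges:   # hits on unknown paths (scanners, typos) are ignored
            first_hit[token] = min(when, first_hit.get(token, when))
    result = {"valid": [], "invalid": [], "no_reaction": [], "reaction_times": {}}
    for token, who in challenges.items():
        email = who["email"]
        if email in bounced:
            result["invalid"].append(email)
        elif token in first_hit and first_hit[token] - sent_at[token] <= deadline:
            result["valid"].append(email)
            result["reaction_times"][email] = first_hit[token] - sent_at[token]
        else:
            result["no_reaction"].append(email)
    return result


def run_demo():
    """Constructed end-to-end run: three federations, fixed tokens, a constructed access log."""
    recipients_csv = (
        "Federation A,security@fed-a.example\n"
        "Federation B,csirt@fed-b.example\n"
        "Federation C,abuse@fed-c.example\n"
        "broken line without a comma\n"
    )
    fixed_tokens = iter(["tokA", "tokB", "tokC"])   # deterministic stand-in for the CSPRNG
    challenges = generate_challenges(load_recipients(recipients_csv),
                                     new_token=lambda: next(fixed_tokens))
    sent = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    sent_at = {token: sent for token in challenges}
    # Constructed log: A reacts after ~3 hours, B only after 9 days, plus an unrelated scan.
    access_log = (
        '198.51.100.7 - - [04/Mar/2024:12:00:10 +0000] "GET /tokA HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n'
        '203.0.113.9 - - [13/Mar/2024:08:15:00 +0000] "GET /tokB HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n'
        '192.0.2.33 - - [05/Mar/2024:01:02:03 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "curl/8.0"\n'
    )
    bounced = {"abuse@fed-c.example"}   # constructed: the MTA reported "user unknown"
    return evaluate(challenges, sent_at, parse_access_log(access_log), bounced)


if __name__ == "__main__":
    print(run_demo())
```

The reaction time of each contact is kept per address so that every team can be sent only its own figure, while the three lists are what the coordinating entity needs for step 6 of the process; the late hit on `tokB` deliberately ends up under "no_reaction" rather than being counted as a slow reaction.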

FAQ

1. There are no references to other sites or branding or contacts or even to eduGAIN.

True statement. No branding at all. Deliberately kept simple to minimize the risk of programming mistakes and vulnerabilities. I'd argue that the fact that the web site is running TLS and lives within the edugain.org domain space attests to its association with eduGAIN, but of course, it is debatable whether that is enough.


2. The text suggests you are timing a response and ranking us. I do have an issue with this because someone aimlessly clicking a link in an email without checking with colleagues or checking its validity is a potential information security risk to the organisation. Quick responses are not necessarily the best, and also we prioritise calls as I'd expect any service desk to, and responding to an automated check would figure much lower than a real security incident. Similarly, they could be categorised as spam by less experienced staff or someone who may not be aware of this security challenge, particularly as our calls to security@ are part of a wider ticketing system.

Ranking: True statement. The wording is possibly or even probably poor. We probably should not use the phrase "rank" anywhere. We took this from similar campaigns in other environments of collaborating CERTs/CSIRTs. In fact this "scoring" will stay anonymous and will only be used to discuss desirable reaction times with the community in which this challenge was run. Nevertheless it has proven to add a gamification component to it :-) You will only get your own scoring. The results of other teams will only be used to check whether we have an issue with the registered contact addresses and/or whether the foreseen communication methods do not work as expected.

3. There was no prior notice on any channels that my team or I use.

Too bad! The notices have been sent to your eduGAIN delegate and deputy through the eduGAIN Steering Group mailing list. Next time we'll make sure that the information arrives at the right people.


4. Maybe sharing something that says you will get an email "like this" beforehand would be useful.

Good point and it is exactly what we've done, but once again only with the eduGAIN Steering Group mailing list.


5. I got an out-of-office message into our helpdesk from one of the members of the abuse@edugain.org team. I guess you are using an email forward to deal with abuse@edugain.org. However, getting an out-of-office message is not a great situation for service addresses.

True again, this is a misconfiguration at our end; it's of course useless if team members have an autoreply for a team address configured in their personal mail settings.
In fact this campaign is also about detecting this kind of flaw, and we consider this to be a baseline which can be used in a follow-up campaign to check the improvements.
