CSIRT Description for RENU-CERT
-------------------------------

1. About this document

* 1.1 Date of Last Update

This is version 2, published 2020/04/26.

Version 1 can be found at:
https://cert.renu.ac.ug/renu-cert--csirt-descr-v1.txt

The English version of that document was signed with the RENU-CERT's PGP key. The signature is also on our Web site, under:
https://cert.renu.ac.ug/renu-cert--csirt-descr-v1.asc

* 1.3 Locations where this Document May Be Found

The current version of this CSIRT description document is available from the RENU-CERT WWW site; its URL is:
https://cert.renu.ac.ug/renu-cert--csirt-descr-v2.txt

Please make sure you are using the latest version.

* 1.4 Authenticating this Document

The English version of this document has been signed with the RENU-CERT's PGP key. The signature is also on our Web site, under:
https://cert.renu.ac.ug/renu-cert--csirt-descr-v2.asc

2. Contact Information

2.1 Name of the Team

"RENU-CERT": the Research and Education Network for Uganda - Computer Emergency Response Team.

2.2 Address

RENU-CERT
Research and Education Network for Uganda
House No. 31 | The Edge
Makerere University - Main Campus
P. O. Box 35009, Kampala
Uganda

2.3 Time Zone

Eastern Africa Time (EAT), UTC/GMT +0300

2.4 Telephone Number

+256-783-979515 (ask for the RENU-CERT)

2.7 Electronic Mail Address

This is a mail alias that relays mail to the staff on duty for the RENU-CERT.

* 2.8 Public Keys and Other Encryption Information

The RENU-CERT has a PGP key, whose KeyID is 12345678 and whose fingerprint is
11 22 33 44 55 66 77 88 88 77 66 55 44 33 22 11.
The key and its signatures can be found at the usual large public keyservers.

2.9 Team Members

Hellen Nakawungu, from the RENU Systems and Services Team, is the RENU-CERT coordinator.

Other team members, along with their areas of expertise and contact information, are listed on the RENU-CERT web pages, at http://cert.renu.ac.ug/cert-team.html

2.10 Other Information

General information about the RENU-CERT, as well as links to various recommended security resources, can be found at http://cert.renu.ac.ug/index.html

2.11 Points of Customer Contact

The preferred method for contacting the RENU-CERT is via e-mail at ; e-mail sent to this address will notify the RENU-CERT member on duty, or be forwarded to the appropriate backup person. If you require urgent assistance, call.

If it is not possible (or not advisable for security reasons) to use e-mail, the RENU-CERT can be reached by telephone during regular office hours. Telephone messages (SMS) are checked less often than e-mail.

The RENU-CERT's hours of operation are generally restricted to regular business hours (08:00 to 17:00 hrs EAT, Monday to Friday, except public holidays).

If possible, when submitting your report, use the form mentioned in Section 6.

3. Charter

3.1 Mission Statement

The purpose of the RENU-CERT is to provide a secure environment for collaboration among Uganda's research and education institutions, as well as to provide an effective and efficient response to their computer security incidents.

3.2 Constituency

The RENU-CERT's constituency is the entire RENU community. This is further broken down into two sub-constituencies:

- RENU Member Institutions - all institutions/entities connected to or served by the Research and Education Network for Uganda (RENU).
- RENU Secretariat - the entire staff/team that runs the operations of the Research and Education Network for Uganda (RENU).

In this document, phrases like "entire RENU constituency" or simply "RENU" refer to both sub-constituencies mentioned above, unless otherwise stated. For the sake of simplicity, the two groups will henceforth be collectively called "RENU". When a single sub-constituency is meant, it will be named explicitly, as done above.

3.3 Sponsorship and/or Affiliation

The RENU-CERT is a sub-section of the RENU Technical team at the RENU Secretariat. It is affiliated with the sectoral CERT, UG-CERT (UCC), and the national CERT, CERT.UG/CC (NITA-U).

3.4 Authority

The RENU-CERT has shared authority over its constituency. This means the RENU-CERT can only advise and influence constituents to disconnect from the network until an incident has been resolved. Additionally, it may assist constituents by coordinating and supporting the response to that advice.

3.5 Operated Network Numbers

RENU-CERT will operate on the following public IPv4 networks:

- 196.43.128.0/18
- 137.63.128.0/17
- 102.34.0.0/16

RENU-CERT will operate on the following IPv6 networks:

- 2c0f:f6d0::/32

RENU-CERT is assigned to the autonomous system of the Research and Education Network for Uganda (RENU), AS327687.

4. Policies

* 4.1 Types of Incidents and Level of Support

The level of support given by the RENU-CERT will vary depending on the Criticality Level and Reporting Time of incoming incident reports.

The categories of incident the RENU-CERT handles are:

- Denial of Service
- Compromised Asset
- External Hacking
- Internal Hacking
- Malware
- Email
- Policy Violation

Types of incidents other than those mentioned above will be prioritized according to their apparent severity and extent. The severity is expressed as a Criticality Level:

- Criticality Level 1 - resolved under 3 days
- Criticality Level 2 - resolved under 1 week
- Criticality Level 3 - resolved under 2 weeks

For more information, visit https://cert.renu.ac.ug/incident-handling-service.html

4.2 Co-operation, Interaction and Disclosure of Information

Constituents' information will be made available to the RENU-CERT via a report form (see Section 6). A report typically contains sensitive information such as IP addresses and personal contact information, and therefore must be transferred securely to the RENU-CERT.

To aid in investigations and response, some information provided by the constituent in the report might need to be disclosed to other involved parties or other CSIRTs. Therefore, a disclaimer stating exactly what information will be disclosed will be included along with the report form. The information to be disclosed might include:

- Incident tracking number
- Incident category
- Criticality level

Other information will only be disclosed on a need-to-know basis, depending on the situation and on authorisation from the reporter of the incident.

4.3 Communication and Authentication

In view of the types of information that the RENU-CERT will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP will be used. Network file transfers will be considered similar to e-mail for these purposes: sensitive data should be encrypted for transmission.

Where it is necessary to establish trust, for example before relying on information given to the RENU-CERT, or before disclosing confidential information, the identity and bona fides of the other party will be ascertained to a reasonable degree of trust. Within RENU, and with known neighbor sites, referrals from known trusted people will suffice to identify someone. Otherwise, appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, etc., along with telephone call-back or e-mail mail-back, to ensure that the party is not an impostor. Incoming e-mail whose data must be trusted will be checked with the originator personally, or by means of digital signatures (PGP in particular is supported).

* 5. Services

Visit https://cert.renu.ac.ug/cert-services.html

5.1 Reactive Services

These services are triggered by an event or request, such as a report of a compromised host, widely spreading malicious code, a software vulnerability, or something identified by an intrusion detection or logging system. Reactive services are the core component of RENU-CERT work.

Reactive services are designed to respond to requests for assistance, reports of incidents from the RENU-CERT constituency, and any threats or attacks against constituent systems. Some services may be initiated by third-party notification or by reviewing monitoring or intrusion detection system (IDS) logs and alerts.

* 5.1.1 Incident Handling

This is the first and most important service the RENU-CERT renders to RENU. Incident handling involves receiving, triaging, and responding to requests and reports, and analyzing incidents and events. Particular response activities can include:

- taking action to protect systems and networks affected or threatened by intruder activity
- providing solutions and mitigation strategies from relevant advisories or alerts
- looking for intruder activity on other parts of the network
- filtering network traffic
- developing other response or workaround strategies

Visit https://cert.renu.ac.ug/incident-handling-service.html

* 5.1.2 Security-related Information Dissemination

This service provides RENU with a comprehensive and easy-to-find collection of useful information that aids in improving security. Such information might include:

- reporting guidelines and contact information for the RENU-CERT
- archives of alerts, warnings, and other announcements
- documentation about current best practices
- general computer security guidance
- vendor links
- other information that can improve overall security practices

This information is developed and published by the RENU-CERT, and can include information from external resources such as other CSIRTs, vendors, and security experts. This service includes maintaining a public or private archive or knowledge base of vulnerability, artifact or other incident information and the corresponding response strategies.

Visit https://cert.renu.ac.ug/security-related-info-dissemination-service.html

* 6. Incident Reporting Forms

Find the appropriate incident reporting forms via the RENU-CERT website at https://cert.renu.ac.ug/incident-reporting-forms/. Fill them in and send them to . If e-mail is insecure or inconvenient, call and ask for the RENU-CERT.

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, RENU-CERT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.