-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CSIRT Description for BCSC
- ----------------------------

1. About this document

This document contains a description of BCSC in accordance with RFC 2350
(https://www.ietf.org/rfc/rfc2350.txt). It provides basic information about
the BCSC team, its channels of communication, and its roles and
responsibilities.

1.1. Date of Last Update

This is version 1.1 published 27-07-2023.

1.2. Distribution List for Notifications

Notifications of updates are submitted to our constituency using established
communication channels.

1.3. Locations where this Document May Be Found

The current version of this document is available from the BCSC Web site:
https://www.ciberseguridad.eus/bcsc-files/rfc_2350.txt

1.4. Authenticating this Document

This document has been signed with the BCSC's PGP keys. The signatures are
also on our Web site, under https://www.ciberseguridad.eus/contacta-con-bcsc

2. Contact Information

2.1. Name of the team

"BCSC": Basque CyberSecurity Centre

2.2. Address

BCSC - Basque CyberSecurity Centre
Parque Tecnológico de Álava
Albert Einstein 46, 3ª planta - Edificio E7
01510 Vitoria-Gasteiz
Spain

2.3. Time zone

Central European Time – CET (GMT+0100, and GMT+0200 from April to October).

2.4. Telephone number

+34 945 236 636
Available during normal working hours: from 08:15 to 17:00 from Monday to
Thursday and from 08:00 to 15:00 on Friday. During summertime (1st of June to
30th of September) 08:00 to 15:00 Monday to Friday. This timetable applies
except on national holidays and holidays applicable in the city of
Vitoria-Gasteiz.

+34 900 104 891
After-hours support for high/emergency priority incidents.

2.5. Facsimile Number

Not Available

2.6. Other Telecommunication

+34 944 037 000

2.7. Electronic Mail Address

bcsc [@] bcsc.eus
This is the mail to contact BCSC representatives for general purposes. Do not
use for incident reporting.

csirt [@] bcsc.eus
This is the mail to contact CSIRT representatives for general purposes. Do not
use for incident reporting.

incidencias [@] bcsc.eus
This is the mail to report a computer security incident related to our
constituents.

2.8. Public Keys and Other Encryption Information

The BCSC has the following PGP keys:

BCSC representatives contact (do NOT use for incident reporting)
bcsc [@] bcsc.eus
Key ID: 0xAFB37E74B8035F4A
Fingerprint: 0892 7DE8 AADE F4A8 530C 54F1 AFB3 7E74 B803 5F4A

CSIRT representatives contact (do NOT use for incident reporting)
csirt [@] bcsc.eus
Key ID: 0x959DC3E47AD1A427
Fingerprint: 4C32 CBFF F2D8 5BEA 6798 AED2 959D C3E4 7AD1 A427

For constituents' incidents
incidencias [@] bcsc.eus
Key ID: 0xD6DC320D2DC5C50A
Fingerprint: 9EE7 86DA 1598 CF7C 3104 3338 D6DC 320D 2DC5 C50A

The keys and their signatures can be found at the usual large public
keyservers and under:
https://www.ciberseguridad.eus/contacta-con-bcsc

2.9. Team Members

The Incident Response Chair is Asier Martínez.

Asier Martínez Retenaga
amartinez [@] bcsc.eus
Key ID: 0x43A3DB3D466AA0E3
Fingerprint: 8B67 B4A8 4718 B0EB 069B AED9 43A3 DB3D 466A A0E3

Iratxe Martín Soriano
imartin [@] bcsc.eus
Key ID: 0x301FADE36022D3B5
Fingerprint: 2B5E 6A9B E180 4E80 AA57 BDF1 301F ADE3 6022 D3B5

2.10. Other Information

General information about the BCSC, as well as links to various recommended
security resources, can be found at https://www.ciberseguridad.eus/

2.11. Points of Customer Contact

For reporting a computer security incident, the preferred method is by email
to the BCSC incidents mailbox, incidencias [@] bcsc.eus. If possible, when
submitting your report, use the template given in section 6.

2.12. Operating hours

The Incident Response Team is available 24x7x365.

3. Charter

3.1. Mission Statement

BCSC, which stands for "Basque Cybersecurity Centre", is the organization
appointed by the Basque Government (State of Spain) to promote cybersecurity
in the Basque Country.

Our mission is to promote and develop culture and awareness of cybersecurity
in Basque society, to streamline business activities concerning cybersecurity
and to create a strong professional sector.

3.2. Constituency

The BCSC provides incident response and security services for:

- Incident response for the private sector of the Basque Country.
- Security services for the Government and Public Sector of the Basque
  Country.

3.3. Sponsorship and Affiliation

The BCSC is sponsored by the Business Development Agency of the Basque
Government (SPRI).

3.4. Authority

BCSC operates as a regional CERT, under the auspices of the following
departments of the Basque Government:

- Department of Economic Development, Sustainability and Environment.
- The Department of Security (regional police).
- The Department of Public Governance and Self-Government.
- The Department of Education.

4. Policies

4.1. Types of Incidents and Level of Support

BCSC addresses all types of computer security incidents that occur within its
constituency. BCSC may act upon the request of one of its constituents, or
may act if one of its constituents is involved in a computer security
incident.

The level of support given by BCSC will vary depending on the type and
severity of the incident or issue, the type of constituent, the size of the
user community affected, and the BCSC's resources at the time, though in all
cases some response will be made within one working day.

Resources will be assigned according to the following priorities:

- Threats to the physical safety of human beings.
- Threats to critical assets impacting or causing losses in industry.
- Root or system-level attacks on any Management Information System or any
  part of the backbone network infrastructure.
- Root or system-level attacks on any large public service machine, either
  multi-user or dedicated-purpose.
- Compromise of restricted confidential service accounts or software
  installations, in particular those used for MIS applications containing
  confidential data, or those used for system administration.
- Denial of service attacks on any of the above three items.
- Any of the above at other sites, originating from the constituency of the
  BCSC.
- Large-scale attacks of any kind, e.g. sniffing attacks, IRC "social
  engineering" attacks, password cracking attacks.
- Threats, harassment, and other criminal offenses involving individual user
  accounts.
- Compromise of individual user accounts on multi-user systems.
- Compromise of desktop systems.
- Forgery and misrepresentation, and other security-related violations of
  local rules and regulations, e.g. netnews and e-mail forgery, unauthorized
  use of IRC bots.

Types of incidents other than those mentioned above will be prioritized
according to their apparent severity and extent. In some cases, BCSC might
provide pointers to the information needed to implement appropriate measures,
or might escalate the incident to another public service provided by one of
its partners (e.g. INCIBE).

The BCSC is committed to keeping its constituency informed of potential
vulnerabilities and, where possible, will inform this community of such
vulnerabilities before they are actively exploited.

4.2. Cooperation, Interaction and Disclosure of Information

The relationship with other teams is based on trust that is generally
formalised through NDAs. If a relationship requires more than the generic
NDA, then a specific bilateral contract will be defined. If necessary, SLAs
are also defined.

The BCSC will cooperate with other organizations in the field of computer
security. This cooperation also includes, and often requires, the exchange of
information regarding security incidents and vulnerabilities. Nevertheless,
the BCSC will protect the privacy of its constituency and therefore (under
normal circumstances) pass on information in an anonymized way only.

Unless explicitly authorized, the identity or vital information of victims of
computer security incidents will not be divulged. The BCSC will only provide
information to other parties with the sole purpose of facilitating the tasks
of containment, eradication and recovery of incidents, under the general
principle of providing the minimum information possible.

The BCSC operates under the restrictions imposed by Spanish data protection
law, as applied by the Spanish Data Protection Authority. Therefore, it is
also possible that the BCSC may be forced to disclose information due to a
court order.

4.3. Communication and Authentication

Telephone and unencrypted e-mail are considered sufficient for the
transmission of low-sensitivity data. If it is necessary to send
high-sensitivity data by e-mail, PGP will be used. Network file transfers
will be considered similar to e-mail for these purposes.

The BCSC contact template can be found in section 6.

5. Services

5.1. Reactive Activities

Reactive services are designed to respond to requests for assistance, reports
of incidents from our constituency, and any threats or attacks against our
systems.

5.1.1. Incident Handling

BCSC will assist its constituency in handling the technical and
organizational aspects of incidents. In particular, it will provide
assistance or advice with respect to the following aspects of incident
management:

5.1.1.1 Incident Analysis

- Investigating whether indeed an incident occurred.
- Determining the extent of the incident.
- Establishing incident prioritization.

5.1.1.2 Incident Response Support

- BCSC offers phone and mail support to its constituents, in order to help
  them deal with security incidents. Support can take the form of advice,
  pointers to web sites or vendor patches, referrals to other CERTs, etc.

5.1.1.3 Incident Response Coordination

- Determining the initial cause of the incident.
- Identifying the best partner or skill set needed to address the incident.
- Facilitating contact with appropriate security teams.
- Facilitating contact with Police Corps and law enforcement officials.
- Making reports to other CSIRTs.

5.1.2. Vulnerability Handling

5.1.2.1 Vulnerability Response Coordination

Vulnerability handling involves receiving information and reports about
hardware and software vulnerabilities; analysing the nature, mechanics, and
effects of the vulnerabilities; and developing response strategies for
detecting and repairing the vulnerabilities. Activities also include
facilitating the analysis of a vulnerability or vulnerability report;
coordinating the release schedules of corresponding documents, patches, or
workarounds; and synthesizing technical analysis done by different parties.

5.1.3. Artifact Handling

An artifact is any file or object found on a system that might be involved in
probing or attacking systems and networks or that is being used to defeat
security measures. Artifacts can include but are not limited to computer
viruses, Trojan horse programs, worms, exploit scripts, and toolkits.

Artifact handling involves receiving information about and copies of
artifacts that are used in intruder attacks, reconnaissance, and other
unauthorized or disruptive activities. Once received, the artifact is
reviewed. This includes analyzing the nature, mechanics, version, and use of
the artifacts, and developing (or suggesting) response strategies for
detecting, removing, and defending against these artifacts.

5.1.3.1 Artifact analysis

We perform a technical examination and analysis of any artifact found on a
system. The analysis done might include identifying the file type and
structure of the artifact, comparing a new artifact against existing
artifacts or other versions of the same artifact to see similarities and
differences, or reverse engineering or disassembling code to determine the
purpose and function of the artifact.
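The first steps of the artifact analysis described above (identifying the file type, recording a hash, and comparing a new artifact against a known version to see how much changed) as an added Python example. This is illustrative code written for this page, not BCSC tooling; the magic-byte table is a small constructed list rather than a complete signature set, and the sample artifacts are harmless byte strings constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Magic-byte table: a small constructed list for this example, not a
# complete or authoritative file-type signature set.
MAGIC_BYTES = [
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "DOS/PE executable"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP container (also docx/jar/apk)"),
    (b"#!", "script with shebang"),
]


@dataclass
class Triage:
    name: str
    size: int
    file_type: str
    digest: str


def identify(data: bytes) -> str:
    """Classify an artifact by its leading bytes; 'unknown' if nothing matches."""
    for magic, label in MAGIC_BYTES:
        if data.startswith(magic):
            return label
    return "unknown"


def sha256_hex(data: bytes) -> str:
    """Hash that identifies this exact artifact when sharing with other teams."""
    return hashlib.sha256(data).hexdigest()


def triage(name: str, data: bytes) -> Triage:
    """Record the identifying facts an analyst needs before deeper analysis."""
    return Triage(name, len(data), identify(data), sha256_hex(data))


def byte_ngrams(data: bytes, n: int = 4) -> set:
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity over byte n-grams: 1.0 for identical content, near 0
    for unrelated content. A cheap way to notice a re-release of a known
    artifact whose hash no longer matches."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


# Constructed sample artifacts (harmless byte strings, not real malware).
SAMPLES = {
    "script_v1": b"#!/bin/sh\necho 'version 1 of a constructed sample script'\n",
    "script_v2": b"#!/bin/sh\necho 'version 2 of a constructed sample script'\n",
    "doc.pdf": b"%PDF-1.7\n% placeholder comment, not a real document\n",
    "bin.elf": b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"constructed stub",
}


def compare_all(samples: dict) -> dict:
    """Pairwise similarity between samples, keyed by (name_a, name_b)."""
    names = list(samples)
    return {(x, y): similarity(samples[x], samples[y])
            for i, x in enumerate(names) for y in names[i + 1:]}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage(name, data))
    for pair, score in compare_all(SAMPLES).items():
        print(f"{pair[0]} vs {pair[1]}: {score:.2f}")
```

The n-gram comparison is deliberately simple: it flags that script_v2 is a minor edit of script_v1 even though their SHA-256 digests differ, which is exactly the "other versions of the same artifact" case the section mentions. Real triage would add a proper file-type library and fuzzy hashing, but the structure (identify, hash, compare) is the same.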
5.1.3.2 Artifact response

This service involves determining the appropriate actions to detect and
remove artifacts from a system, as well as actions to prevent artifacts from
being installed. This may involve creating signatures that can be added to
antivirus software or IDS.

5.1.3.3 Artifact response coordination

This service involves sharing and synthesizing analysis results and response
strategies pertaining to an artifact with other researchers, CSIRTs, vendors,
and other security experts. Activities include notifying others and
synthesizing technical analysis from a variety of sources.

5.1.4. Alerts and Warnings

The BCSC will collect statistics concerning incidents which occur within or
involve its constituency, and will notify the community as necessary to
assist it in protecting against known attacks.

5.2. Proactive Activities

Proactive services provide means to reduce the number of actual incidents by
giving proper and suitable information concerning potential incidents to the
constituency. The BCSC's additional proactive services include:

5.2.1. Announcements

The BCSC will provide its constituency with information about ongoing
attacks, security vulnerabilities, alerts in the general sense, and
short-term recommended courses of action for dealing with the resulting
problems.

5.2.2. Security-Related Information Dissemination

The BCSC will collect and disseminate computer and internet security related
information.

5.3. Security Quality Management Services

In order to supervise and to increase the quality of the offered services,
the following services are performed:

5.3.1. Awareness Building

BCSC works to increase the security awareness of its constituents by
developing informational resources that explain security best practices and
provide advice on precautions to take. We also schedule seminars to keep
constituents up to date with ongoing security procedures and potential
threats to organizational systems.

5.3.2. Education / Training

BCSC provides information to its constituents about computer security issues
through seminars and workshops.

5.3.3. BCSC Team Members Education & Training

Team members are constantly trained to enhance their skills and capacities.

5.3.4. Documentation

Documentation is maintained dealing with the following topics:

- The procedures that are part of the services are documented.
- Results of Incident Management and Incident Analysis are documented,
  resulting in suggestions on how to improve the services or systems,
  respectively.

6. Incident Reporting Forms

Use the following template and send it by email to the appropriate address.
Please provide as much detail as possible and attach any relevant file (log,
email, image...):

============================================================
INCIDENT REPORT

Your contact and organizational information
- Name:
- Organisation name, if necessary:
- Specify sector type (such as banking, education, energy or public safety),
  if necessary:
- Email address:
- Telephone number:
- Other (fax, ...):

Have you reported this incident to other individuals or organizations?:

- Type of incident detected (Phishing, Malware, DDoS, Unauthorized
  use/access...):
- When was this incident detected? (Provide datetime and timezone):
- Incident Details (Provide a short description of the incident):

Complete the following information about affected system and attacker host.
--- Affected System (Duplicate if needed) ---
- Hostname:
- Domain:
- IP Address:
- Port:
- Operating System:
- Primary purpose of the affected system (Workstation, Web/DNS/
  FTP/Application/Database server, Router, Firewall...):
--- End Affected System ---

--- Attacker Host (Duplicate if needed) ---
- Hostname:
- Domain:
- IP Address:
- Port:
- Protocol:
--- End Attacker Host ---

Description of the incident (duplicate in case of multiple incidents)
- Dates:
- Methods of intrusion:
- Tools involved:
- Software versions:
- Other relevant information:
==========================================================

This is the most effective way to report a computer security incident to BCSC
via email. When reporting by phone, the same data will be requested and should
be provided.

7. Disclaimers

While every precaution will be taken in the preparation of information,
notifications and alerts, the BCSC assumes no responsibility for errors,
omissions, or for damages resulting from the use of the information
contained.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEETDLL//LYW+pnmK7SlZ3D5HrRpCcFAmTCGP0ACgkQlZ3D5HrR
pCdvZQ/+JBmzydGSQAMhA+ZyFePgE6SWO/R/hzLlqiAphHTEyPtmZYR9Uwesbn6l
04QfLHxCHhgs/Z8HYGGdz5PbVnz/WfEP81Myt652Gx9IvvJWRka8qTJ3zcGuGwyb
HYU4zBcYIxnGigs62EehR6BkJ9fCZZWIZ21++eD4qF61iB3NXeXg0a89aKnSG+cR
QkS09fSUk8ESsACMIshLz1rzhphoI/I4FBBcZuDI0Gt1EWivPaOyQnsciry25Uje
V3KjaNaCBnA8iCQ3A5iPb3nN6rJxX0uj1quAyb2YgWIkKVs5K1/EOG/E4twQISWB
kF4woBxDcYUusDqsaLn/l15Ux5/4Gqv6QVp5t/Z/5EdZ2U5X0a0gGRaKouZC+Yaw
iucWXqmBDMvr7Sn6GPtVSjmIGJ0Ci5liPNEKSR5xWuwf+kSSZ7iVXoXPh+ymCBUh
aDuwinX6PuLlr17y+erheA5SQdgAlGu8CWy1wRnlyoPmTu1iIhawW18zlPb23SF5
V0Oo2ZIu4fRdLUPkEBJpcW3lDxaDDmRG2Zj/TJz3JWVHpCROkRN54fEbItNih4qD
TSOtUOM/s0fr/xCbzjkwHXn6kLITH752NgzZwA+WoMN8oNLjNhw8z4mSyxbfvPy6
lZd/B2KAhvjGeAN10pOD3rqGN0X+l8EAfGHUTYc3CTmfzF0ERXU=
=G6Bi
-----END PGP SIGNATURE-----
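Appended after the signed text, and not part of the signed message or of any BCSC tool: an added Python example that parses a filled-in copy of the section 6 incident report template and flags the omissions a CSIRT would otherwise have to ask back for (no reporter address, a detection time without a timezone, a malformed IP address, no Affected System block). Field names are those of the template above; the two sample reports are constructed for the example and use documentation IP ranges.

```python
import ipaddress
import re
from datetime import datetime

# Block markers exactly as they appear in the section 6 template.
BLOCK_END = re.compile(r"^---\s*End\s+(Affected System|Attacker Host)\s*---$")
BLOCK_START = re.compile(r"^---\s*(Affected System|Attacker Host)\b.*---$")


def normalise_key(key: str) -> str:
    """'- When was this incident detected? (Provide datetime and timezone)'
    becomes 'when was this incident detected'."""
    key = re.sub(r"\(.*?\)", "", key)      # drop the template's hints
    key = re.sub(r"\s+,", ",", key)        # tidy ' , if necessary'
    return re.sub(r"^-\s*", "", key).strip(" ?").lower()


def parse_report(text: str) -> dict:
    """Top-level 'field: value' lines plus one dict per Affected System /
    Attacker Host block (the template allows the blocks to repeat)."""
    report = {"fields": {}, "affected_systems": [], "attacker_hosts": []}
    current = None                          # (block kind, its fields)
    for raw in text.splitlines():
        line = raw.strip()
        if (m := BLOCK_END.match(line)) and current:
            kind, fields = current
            dest = "affected_systems" if kind == "Affected System" else "attacker_hosts"
            report[dest].append(fields)
            current = None
        elif m := BLOCK_START.match(line):
            current = (m.group(1), {})
        elif ":" in line and not line.startswith("---"):
            key, value = line.split(":", 1)
            target = current[1] if current else report["fields"]
            target[normalise_key(key)] = value.strip()
    return report


def validate(report: dict) -> list:
    """Problems that would make the report unusable for triage."""
    problems = []
    f = report["fields"]
    if "@" not in f.get("email address", ""):
        problems.append("missing or malformed reporter email address")
    if not f.get("type of incident detected"):
        problems.append("incident type not given")
    when = f.get("when was this incident detected", "")
    try:
        if datetime.fromisoformat(when).tzinfo is None:
            problems.append("detection time has no timezone")
    except ValueError:
        problems.append(f"detection time not ISO 8601: {when!r}")
    if not report["affected_systems"]:
        problems.append("no Affected System block")
    for kind in ("affected_systems", "attacker_hosts"):
        for i, host in enumerate(report[kind], 1):
            ip = host.get("ip address", "")
            if not ip:
                problems.append(f"{kind} #{i}: IP address missing")
                continue
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                problems.append(f"{kind} #{i}: invalid IP address {ip!r}")
    return problems


# Constructed sample reports (documentation IP ranges, invented names).
SAMPLE_OK = """\
INCIDENT REPORT
Your contact and organizational information
- Name: Jane Analyst
- Organisation name, if necessary: Example Industries (constructed)
- Email address: soc@example.invalid
- Telephone number: +34 000 000 000
Have you reported this incident to other individuals or organizations?: No
- Type of incident detected (Phishing, Malware, DDoS, Unauthorized use/access...): Malware
- When was this incident detected? (Provide datetime and timezone): 2023-07-27T10:15:00+02:00
- Incident Details (Provide a short description of the incident): EDR alert on a workstation
--- Affected System (Duplicate if needed) ---
- Hostname: ws-042
- Domain: corp.example.invalid
- IP Address: 192.0.2.10
- Port: 445
- Operating System: Windows 10
--- End Affected System ---
--- Attacker Host (Duplicate if needed) ---
- Hostname:
- IP Address: 198.51.100.7
- Port: 443
- Protocol: TCP
--- End Attacker Host ---
"""

SAMPLE_BAD = """\
INCIDENT REPORT
- Name: Constructed Reporter
- Email address:
- Type of incident detected (Phishing, Malware, DDoS, Unauthorized use/access...): Phishing
- When was this incident detected? (Provide datetime and timezone): 2023-07-27 10:15
--- Affected System (Duplicate if needed) ---
- Hostname: mail01
- IP Address: 10.0.0.999
--- End Affected System ---
"""

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, validate(parse_report(text)) or "report complete")
```

The parser keys on one "field: value" per line, so a field that wraps onto a second line in the template (the "Primary purpose" entry) should be written on a single line in a filled-in report. The timezone check matters because the template asks for one and cross-team correlation fails without it.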