RFC 2350

1. Document Information

This document contains a description of MASTER.CZ-CSIRT according to RFC 2350. It provides basic information about the CSIRT and the ways it can be contacted, and describes its responsibilities and the services offered.

1.1 Date of Last Update

This is version 1.0 as of 2017/09/01.

1.2 Distribution List for Notifications

There is no distribution list for notifications as of September 2017.

1.3 Locations where this Document May Be Found

The current version of this document can always be found at https://csirt.master.cz/rfc_2350

2. Contact Information

2.1 Name of the Team

MASTER.CZ-CSIRT: Computer Security Incident Response Team of Master Internet

2.2 Address

MASTER.CZ-CSIRT
Master Internet s.r.o.
Cejl 20
602 00 Brno
Czech Republic

2.3 Time Zone

Central European Time: GMT+1, DST: GMT+2 (DST starts at 01:00 UTC on the last Sunday in March and ends at 01:00 UTC on the last Sunday in October.)

2.4 Telephone Number

+420 515 919 805 (ask for the MASTER.CZ-CSIRT)

2.5 Facsimile Number

+420 515 919 805

2.6 Other Telecommunication

Jabber contact: podporabrno@master.cz

2.7 Electronic Mail Address

Please send incident reports to abuse@master.cz. Non-incident-related mail should be addressed to csirt@master.cz.

2.8 Public Keys and Encryption Information

MASTER.CZ-CSIRT signs outgoing messages. Furthermore, MASTER.CZ-CSIRT can decrypt messages and verify the digital signature of a message. For these purposes MASTER.CZ-CSIRT uses the following PGP key:

pub: rsa4096/0x10CA23A2 2017-06-22
Fingerprint: 833A 01BD 033B 4F8D 2C18 B5DD FCAE CA83 10CA 23A2
User ID: MASTER.CZ-CSIRT (Computer Security Incident Response Team of Master Internet)
sub: rsa4096/0xF1802227 2017-06-22

This key can be found on most key-servers.

2.9 Team Members

The CSIRT team leader is Jan Hrnčíř. Other team members, along with their areas of expertise and contact information, are listed at http://csirt.master.cz/.

2.10 Other Information

General information about the MASTER.CZ-CSIRT can be found at http://csirt.master.cz/.

2.11 Points of Customer Contact

The preferred method for contacting MASTER.CZ-CSIRT is via e-mail. For incident reports and related issues please use abuse@master.cz. This will create a ticket in our tracking system and alert the human on duty. For general inquiries please send e-mail to csirt@master.cz.

If it is not possible (or advisable due to security reasons) to use e-mail, you can reach us via telephone at +420 515 919 805 (ask for the MASTER.CZ-CSIRT).

The MASTER.CZ-CSIRT's hours of operation are generally restricted to 09:00-16:00 Monday to Friday except for holidays.

3. Charter

3.1 Mission Statement

The purpose of MASTER.CZ-CSIRT is:

- detection of computer security incidents,
- coordination of security effort and appropriate incident response,
- research and development of expert tools and procedures based on the team's unique operational and research experience,
- dissemination of basic IT knowledge among end users.

3.2 Constituency

The constituency is Master Internet s.r.o. and its network:

- all IPv4 addresses within ranges
    77.93.192.0/19
    80.79.16.0/20
    81.31.32.0/20
    85.118.128.0/21
    83.167.224.0/19
    89.185.224.0/19
    149.62.144.0/21
    178.238.32.0/20
    185.58.40.0/22
- all IPv6 addresses within range 2a01:430::/32
- domain *.master.cz.

3.3 Sponsorship and/or Affiliation

MASTER.CZ-CSIRT is part of Master Internet s.r.o.

3.4 Authority

The MASTER.CZ-CSIRT operates under the auspices of, and with authority delegated by, the Master Internet company. The MASTER.CZ-CSIRT expects to work cooperatively with system administrators and users at Master Internet.

4. Policies

4.1 Types of Incidents and Level of Support

MASTER.CZ-CSIRT is authorized to address all types of computer security incidents which occur, or threaten to occur, in our Constituency (see 3.2).

The level of support given by MASTER.CZ-CSIRT will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and MASTER.CZ-CSIRT's resources at the time. Special attention will be given to issues affecting critical infrastructure.

Note that no direct support will be given to end users; they are expected to contact their system and/or network administrator at their department for assistance. MASTER.CZ-CSIRT will support the latter people.

MASTER.CZ-CSIRT is committed to keeping its constituency informed of potential vulnerabilities, and where possible, will inform this community of such vulnerabilities before they are actively exploited.

4.2 Co-operation, Interaction and Disclosure of Information

MASTER.CZ-CSIRT will cooperate with other organisations in the field of computer security. This cooperation also includes and often requires the exchange of vital information regarding security incidents and vulnerabilities. Nevertheless, MASTER.CZ-CSIRT will protect the privacy of its customers.

MASTER.CZ-CSIRT operates under the restrictions imposed by Czech law. This involves careful handling of personal data as required by the Personal Data Protection Act, but it is also possible that, according to Czech law, MASTER.CZ-CSIRT may be forced to disclose information due to a court order.

4.3 Communication and Authentication

For normal communication not containing sensitive information MASTER.CZ-CSIRT will use conventional methods like unencrypted e-mail or telephone. For secure communication PGP-encrypted e-mail or telephone will be used.

If it is necessary to authenticate a person before communicating, this can be done either through existing webs of trust (e.g. TI, FIRST) or by other methods like call-back, mail-back or even face-to-face meeting if necessary. All team members are also obliged to use X.509 certificates to sign e-mail communication.

5. Services

5.1 Incident Response

MASTER.CZ-CSIRT will handle the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management:

5.1.1. Incident Triage

- Determining whether an incident is authentic.
- Assessing and prioritizing the incident.

5.1.2. Incident Coordination

- Determine the involved organizations.
- Contact the involved parties to investigate the incident and take the appropriate steps.
- Facilitate contact to other parties which can help resolve the incident.
- Send reports to other CSIRTs if needed.

5.1.3. Incident Resolution

- Advise local security teams on appropriate actions.
- Follow up on the progress of the concerned local security teams.
- Ask for reports.
- Report back.

MASTER.CZ-CSIRT will also collect statistics about incidents within its constituency.

5.2 Proactive Activities

- Automatic and real-time intrusion detection.
- MASTER.CZ-CSIRT tries to raise security awareness in its constituency.
- Collect contact information of local administrators and teams.
- Publish announcements concerning serious security threats.
- Observe current trends in technology and distribute relevant knowledge to the constituency.

5.3 Research and Development

A major part of MASTER.CZ-CSIRT's activities is focused on expert research and development in the field of IT security. The team often works on several research projects simultaneously. The team also benefits from its operational experience in the development of dedicated and highly specialized expert tools, methods or approaches. More information regarding MASTER.CZ-CSIRT R&D activities can be found at https://csirt.master.cz.

6. Incident Reporting Forms

There are no official forms available yet. To report an incident, please follow these basic rules:

- A report must contain your contact and organizational information - name and organization name, e-mail, optionally telephone number.
- A report must contain an IP address and an incident type (spam, scanning, DOS etc.).
- A report about scanning must contain part of a log showing the problem.
- A report about spam or malware must contain a copy of the entire mail header from the e-mail which is considered to be spam or malware.
- A report about phishing or pharming must contain the URL.

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, MASTER.CZ-CSIRT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.