RFC 2350

Version: 1.0
Date: Tue Jul  7 12:26:16 CEST 2020
Author: Otmar Lendl <lendl@cert.at>

1. Document information

This document contains a description of CERT.at according to RFC 2350. It provides basic information about the CERT, the ways it can be contacted, describes its responsibilities and the services offered.

1.1 Date of last update

Tue Jul 7 12:26:37 CEST 2020

1.2 Distribution list for notifications

There is no distribution list for notifications as of 2020/07.

1.3 Locations where this document may be found

The current version of this document can always be found at https://www.cert.at/about/rfc2350/rfc2350.html . For validation purposes, a GPG signed ASCII version of this document is located at https://cert.at/media/files/about/rfc2350/files/rfc2350.txt. The key used for signing is the CERT.at key as listed under 2.8.

2. Contact information

2.1 Name of the team

CERT.at
Computer Emergency Response Team Austria

2.2 Address

CERT.at
nic.at GmbH
Karlsplatz 1/9
1010 Vienna
Austria

2.3 Time zone

We are located in the central European timezone (CET) which is GMT+0100 (+0200 during day-light saving time).

2.4 Telephone number

+43 1 5056416 78

2.5 Facsimile number

+43 1 5056416 79 (deprecated, please use only if everything else has failed)

2.6 Other telecommunication

Members of the team are active in various online forums of the international CSIRT community.

2.7 Electronic mail address

Please send incident reports to reports@cert.at. Non-incident related mail should be addressed to team@cert.at.

2.8 Public keys and encryption information

CERT.at uses a master signing key to sign all keys used for operational purposes. This trust anchor is:

pub   rsa4096/D57E00EA00709A3D 2019-02-25 [SC] [expires: 2034-02-21]
      8555 0D8D 5236 BBF1 6A49  0DEB D57E 00EA 0070 9A3D
uid           CERT.at master key <signing-only-key-no-mail@cert.at>
sub   rsa4096 2019-02-25 [E] [expires: 2034-02-21]

and can be found on most key-servers. Please DO NOT use this key for communications with us. All official communication by CERT.at will be signed by the current team key, which is as of May 2020:

pub   rsa4096/A1DAC3EDFF4DFFB7 2019-02-25 [SC] [expires: 2024-02-24]
      0381 BEF5 6694 B532 5BF0  4DDC A1DA C3ED FF4D FFB7
uid           CERT.at (Incidents) <reports@cert.at>
uid           CERT.at (General Communications) <team@cert.at>
sub   rsa4096 2019-02-25 [E] [expires: 2024-02-24]

Encrypted communications with CERT.at should use this - and only this - operational key.

All keys (including the keys of individual team members) can be found at https://cert.at/media/files/about/rfc2350/files/pgpkeys.asc.

Since the team key and the master signing key expire regularly, CERT.at will always sign younger master signing keys with the older master signing keys as well. The current master signing key always signs the team key. See also the key transition documents at https://www.cert.at/static/key-transition-2014.txt and https://www.cert.at/static/key-transition-2019.txt.

2.9 Team members

The team leader of CERT.at is Otmar Lendl. Other team members are listed in the "About Us" / Team page on our webpage. Management, liaison and supervision are provided by Robert Schischka, Technical Manager of nic.at.

2.10 Other information

Since March 2019, CERT.at is the accredited national CSIRT according to the Austrian implementation of the EU NIS Directive. More information on the Austrian NIS law can be found at https://www.nis.gv.at/ (in German).

2.11 Points of customer contact

The preferred method for contacting CERT.at is via e-mail. For incident reports and related issues please use reports@cert.at. This will create a ticket in our tracking system and alert the human on duty. For general inquiries please send e-mail to team@cert.at.

If it is not possible (or advisable due to security reasons) to use e-mail, you can reach us via telephone at +43 1 5056416 78.

In order for reports to fall under the procedures of the NIS law, they should be submitted via https://nis.cert.at/ (for other reports, please use e-mail).

CERT.at's hours of operation are generally restricted to local regular business hours: Mon-Fri (except public holidays and Dec 24th/31st), 8 a.m. - 6 p.m. CET/CEST. Mandatory NIS reports by an authenticated OES/DSP can trigger a 24x7 response by CERT.at.

 

3. Charter

3.1 Mission statement

The purpose of CERT.at is to coordinate security efforts and incident response for IT-security problems on a national level in Austria. CERT.at fulfills the role of the national CSIRT within the NIS framework.

3.2 Constituency

The constituency of CERT.at is basically the whole country of Austria.

CERT.at will first try to coordinate with IT-security teams and more specific CERTs in Austria.

Note that usually no direct support will be given to end users; they are expected to contact their ISP, system administrator, network administrator, or department head for assistance. CERT.at will support the latter.

Pro-active and educational material are provided for the general public.

3.3 Sponsorship and/or affiliation

CERT.at is an initiative of nic.at, the Austrian domain registry and the Austrian Federal Chancellery.

Funding is provided by nic.at GmbH, https://www.nic.at/

3.4 Authority

The main purpose of CERT.at in incident handling is the coordination of incident response. As such, we can only advise our constituency and have no authority to demand certain actions.

We have indirect authority over AS30971 and AS1921.

Although CERT.at is hosted by nic.at, CERT.at has no take-down rights for malicious domains within the .at ccTLD.

 

4. Policies

4.1 Types of incidents and level of support

CERT.at is authorised to address all types of computer security incidents which occur, or threaten to occur, in our constituency (see 3.2) and which require cross-organisational coordination. The level of support given by CERT.at will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and our resources at the time. Special attention will be given to issues affecting critical infrastructure and designated operators of essential services / digital service providers (in the NIS context).

CERT.at is committed to keeping its constituency informed of potential vulnerabilities, and, where possible, will inform this community of such vulnerabilities before they are actively exploited.

Overall, the primary role of CERT.at during incidents is information exchange and coordination, and not on-site incident response.

4.2 Co-operation, interaction and disclosure of information

CERT.at will cooperate with other organisations in the field of computer security. This cooperation also includes and often requires the exchange of vital information regarding security incidents and vulnerabilities. Nevertheless CERT.at will protect the privacy of reporters, partners and our constituents, and therefore (under normal circumstances) pass on information in an anonymised way only unless other contractual agreements or laws apply. CERT.at operates under the restrictions imposed by Austrian law. This involves careful handling of personal data as required by Austrian Data Protection law, but it is also possible that - according to Austrian law - CERT.at may be forced to disclose information due to a court order.

The designation of CERT.at as the national CSIRT according to the NIS law provides a legal framework for cooperation and information sharing. CERT.at participates in the national "operational cooperation" (OpKoord) and acts as the default reporting point for incident reporting under the NIS framework. On one hand, the NIS law explicitly allows the sharing of personal data (to CERT.at and from CERT.at to affected parties) for the purpose of reacting to, or preventing incidents. On the other hand, the law defines what information from the NIS reporting needs be passed by CERT.at to the Ministry of the Interior. For details on the law and related secondary legislation see https://nis.gv.at/ .

CERT.at treats all submitted information (except NIS reports, see above) as confidential per default, and will only forward it to concerned parties in order to resolve specific incidents when consent is implicit or expressly given.

For example: incoming report "Malware on www.example.com/malware, please get it cleaned up". In this case, we would forward the information only to the concerned parties (domain-holder, hoster/ISP, appropriate CERTs) to help them quickly fix the problem. We will not forward information about incidents to government authorities or the press without explicit prior permission by the submitting party.

CERT.at is an active participant in various collaboration mechanisms, e.g. the Austrian CERT Verbund (association of CERTs), the Austrian Trust Circle (ATC), the EU CSIRTs Network, the TF-CSIRT and FIRST.

4.3 Communication and authentication

For normal communication not containing sensitive information CERT.at might use conventional methods like unencrypted e-mail. For secure communication PGP-encrypted e-mail or telephone will be used. If it is necessary to authenticate a person before communicating, this can be done either through existing webs of trust (e.g. FIRST, TI, CNW) or by other methods like call-back, mail-back or even face-to-face meeting if necessary.

 

5. Services

5.1 Incident response

CERT.at will assist IT-security teams in handling the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management:

5.1.1. Incident triage

  • determining whether an incident is authentic
  • assessing and prioritizing the incident

5.1.2. Incident coordination

  • determining the involved organizations
  • contacting the involved organizations to investigate the incident and take the appropriate steps
  • facilitating contact to other parties which can help resolve the incident
  • sending reports to other CERTs

We mainly see ourselves as information hub which knows where to send the right incident reports to in order to help and facilitate the clean-up of IT security incidents.

5.1.3. Incident resolution

  • advising local security teams on appropriate actions
  • following up on the progress of the concerned local security teams
  • asking for reports
  • reporting back

CERT.at will also collect statistics about incidents within its constituency.

5.2 Proactive activities

CERT.at tries to

  • raise security awareness in its constituency
  • collect contact information of local security teams
  • publish announcements concerning serious security threats
  • observe current trends in technology
  • distribute relevant knowledge to the constituency
  • provide forums for community building and information exchange within the constituency

5.3 Service levels

CERT.at will always strive to react to incoming incident reports from humans within one business day. Due to current staffing levels this can not be guaranteed, though. If you haven't received feedback to an incident report after two business days, we ask that you contact us again.
Auto-generated reports and data-feeds will be handled as automatically as possible.

 

6. Incident reporting forms

For reports within the NIS framework, use the portal at https://nis.cert.at/.

There are no forms available for informal reports to CERT.at.

 

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, CERT.at assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.