CSIRT OU profile established according to RFC 2350

1. Document Information

This document contains a description of the CSIRT OU according to RFC 2350. It provides basic information about the CSIRT OU, the ways it can be contacted, and it describes its roles, responsibilities and the services offered.

1.1 Date of Last Update

This is version 2.5, as published on April 13th, 2022.

1.2 Distribution List for Notifications

This profile is kept up-to-date on the location specified in 1.3. E-mail notifications of updates are sent to:
- All CSIRT OU members.
- The Trusted Introducer for CERTs/CSIRTs in Europe (https://www.trusted-introducer.org/).

1.3 Locations where this Document May Be Found

The current version of this document can always be found at https://dokumenty.osu.cz/csirt/CSIRT-OUrfc2350.txt.

1.4 Authenticating this Document

This document has been signed with the CSIRT OU PGP key. The signature is also available on our web site, under: https://dokumenty.osu.cz/csirt/CSIRT-OUrfc2350.txt.sig. See section 2.8 for more details.

2. Contact Information

2.1 Name of the Team

CSIRT OU: Computer Security Incident Response Team of the University of Ostrava

2.2 Address

  CSIRT OU
  Department of Informatics and Computers
  Faculty of Science
  University of Ostrava
  30. dubna 22
  701 03 Ostrava
  Czech Republic

2.3 Time Zone

Central European Time: UTC+1, DST: UTC+2 (DST starts at 01:00 UTC on the last Sunday in March and ends at 01:00 UTC on the last Sunday in October.)

2.4 Telephone Number

Incident reports: +420 734 163 004
Emergency: +420 734 163 003

2.5 Facsimile Number

None.

2.6 Other Telecommunication

None.

2.7 Electronic Mail Address

Please send incident reports to csirt@helpdesk.osu.cz or security@helpdesk.osu.cz and non-incident-related mails to csirt@osu.cz.

2.8 Public Keys and Encryption Information

PGP/GnuPG is supported for secure communication.
CSIRT OU PGP Key ID: 8232B071317CEC81
CSIRT OU PGP Key Fingerprint: FF8C39250B3342BD8272BAA48232B071317CEC81

The current CSIRT OU team key can be found on https://dokumenty.osu.cz/csirt/CSIRT-OUpublicPGP.asc and is also present on most key servers, like https://keyserver.pgp.com/.

Please use this key when you want/need to encrypt messages that you send to CSIRT-OU. When due, CSIRT OU will sign messages using the same key. When due, please sign your messages using your own key; it helps when that key is verifiable using the public key servers.

2.9 Team Members

The CSIRT OU team members are: Matej Zuzcak (Head of CSIRT OU), Jan Humpolik, Pavel Pomezny, Pavel Smolka and Martin Stachura.

Basic information about team members:

  RNDr. Matej Zuzcak, Ph.D. (Head of CSIRT OU)
  email: matej.zuzcak@osu.cz
  PGP key: A1EB271D3CC790C2
  Fingerprint: 55AC23D1BC67459BDD2B11CAA1EB271D3CC790C2
  Telephone: +420 734 163 003

  Mgr. Bc. Jan Humpolik
  email: jan.humpolik@osu.cz
  Telephone: +420 553 46 1042

  Ing. Pavel Pomezny
  email: pavel.pomezny@osu.cz
  Telephone: +420 739 329 097

  Mgr. Rostislav Fojtik, Ph.D.
  email: rostislav.fojtik@osu.cz
  Telephone: +420 553 46 2176

  Bc. Martin Stachura
  email: martin.stachura@osu.cz
  Telephone: +420 734 286 030

  Tomas Mazal
  email: tomas.mazal@osu.cz
  Telephone: +420 731 681 882

2.10 Other Information

General information about the CSIRT OU can be found at https://csirt.osu.cz/.

2.11 Points of Customer Contact

The preferred method for contacting CSIRT OU is via e-mail. For incident reports and related issues please use security@helpdesk.osu.cz or csirt@helpdesk.osu.cz. For general inquiries please send an e-mail to csirt@osu.cz.

If it is not possible (or advisable due to security reasons) to use e-mail, you can reach us via telephone at +420 734 163 004. The CSIRT-OU's hours of operation are generally restricted to 09:00-16:00 Monday to Friday except for public holidays.

3. Charter

3.1 Mission Statement

CSIRT OU is a workgroup for helping with and solving cyber security incidents of, or related to, the information systems and networks of the University of Ostrava (OU). We conduct research, educate, represent the University of Ostrava at national and international organizations associating CSIRT teams, and help with the application of legislation related to cyber security.

The main goals of CSIRT OU are:
- Responding to cyber security incidents: In cooperation with the Centre for Information Technology of the University of Ostrava.
- International cooperation: CSIRT OU develops international cooperation primarily with other CSIRT teams within the Czech Republic and the EU.
- Educational activity: CSIRT OU provides education and specialized training for technicians of the Centre for Information Technology of OU, OU employees and OU students.
- Scientific activity: In cooperation with the Department of Informatics and Computers (KIP), CSIRT OU conducts scientific research based on, for example, technical and statistical analysis of cyber security incidents. It participates in publication of scientific papers. In the case of need, it issues recommendations, procedures and guidelines, or specific White Papers.
- Support with implementation of legislation, for example implementation of General Data Protection Regulation (EU) 2016/679. CSIRT OU provides analyses, advice, and suggestions related to implementation of obligations resulting from the current and the newly introduced Czech and EU legislation.

3.2 Constituency

The constituency consists of the staff, students and co-workers of the University of Ostrava, Ostrava, Czech Republic, and the University of Ostrava network.
The area is defined by the following IP address ranges and domain names:
- 195.113.102.0/23,
- 195.113.104.0/21,
- 195.113.112.0/25,
- 78.128.128.0/20,
- 78.128.144.0/23,
- 78.128.146.0/24,
- 195.113.209.56/29,
- 2001:718:1005::/48,
- domain *.osu.cz,
- domain *.osu.eu,
- domain *.fakultaumeni.cz,
- domain *.jsmeostravska.cz

3.3 Sponsorship and/or Affiliation

CSIRT OU has the status of a workgroup of the University of Ostrava. Its members and responsibilities are defined in the founding document 142/2021 (OU-43106/90-2021) issued by the rector of the University of Ostrava. CSIRT OU was founded in cooperation with the Department of Informatics and Computers, Faculty of Science, and the Centre for Information Technology of the University of Ostrava.

3.4 Authority

CSIRT OU is primarily an academic, research, and educational team. Its primary responsibilities also include assisting the Centre for Information Technology of the University of Ostrava with resolving cyber security incidents related to the University of Ostrava, coordinating the resolution of the incidents and investigating them. It acts within the entire university. It was established in the founding document 142/2021 (OU-43106/90-2021) issued by the rector of the University of Ostrava.

4. Policies

CSIRT OU acts in accordance with the valid regulations and its founding documents issued by the rector of the University of Ostrava. CSIRT OU also recognizes and uses the best practices formulated by the European community of CSIRTs (TF-CSIRT, Trusted Introducer) and the EU Agency for Network and Information Security (ENISA), for example the Trusted Introducer CSIRT Code of Practice or ENISA CSIRT Setting up Guide.

4.1 Types of Incidents and Level of Support

CSIRT OU can participate in resolving cyber security incidents if it is directly or indirectly notified of the incident, or if the Centre for Information Technology of the University of Ostrava requests the CSIRT OU participation.
The level of support given by CSIRT OU will vary depending on the type and severity of the incident or issue, the size of the user community affected, and the CSIRT-OU's resources at the time. Direct support to the end users of the information systems of the University of Ostrava will be provided directly or with cooperation or on request of the appointed representatives of the Centre for Information Technology of the University of Ostrava.

CSIRT OU is committed to keeping the users in the constituency informed of any potential vulnerabilities and existing threats, and whenever possible, will inform the users of such threats and vulnerabilities before they are actively exploited. The exact description of the services is defined in section 5.

4.2 Cooperation, Interaction and Disclosure of Information

CSIRT OU will cooperate with other relevant organizations in the computer security field (mainly other CERT/CSIRT teams that are members of TF-CSIRT community). This cooperation also includes and often requires the exchange of vital information regarding security incidents and vulnerabilities.

CSIRT OU supports the Information Sharing Traffic Light Protocol (ISTLP - https://www.trusted-introducer.org/ISTLP.pdf).

CSIRT OU will protect the privacy of its customers (staff, students, co-workers). CSIRT OU operates under restrictions imposed by the University of Ostrava, Czech law, and EU legislation.

4.3 Communication and Authentication

For normal communication not containing sensitive information, CSIRT OU uses conventional methods like unencrypted e-mail or telephone calls. For secure communication (that contains, for example, more sensitive information), PGP-encrypted e-mails are used.

If it is necessary to authenticate a person before communicating, this can be done either through existing webs of trust (e.g. TF-CSIRT, Trusted Introducer) or by other methods like call-back, mail-back or even face-to-face meeting if necessary. The X.509 standard can be used too.
CSIRT OU uses CESNET PKI services (https://pki.cesnet.cz/en/ch-intro.html) too.

4.4 Code of Ethics and Conduct

CSIRT OU employees will act in accordance with the basic ethical norms and good manners. While conducting research, the CSIRT OU members follow the rector's directive number 88/06 (90910-533/2006), defining the Ethical codex of OU research staff.

5. Services

5.1 Incident Response

CSIRT OU will handle the technical and organizational aspects of incidents. In particular, it will provide assistance, or advice, with respect to the following aspects of incident management:
- Provide advanced technical support to the Centre for Information Technology of the University of Ostrava.
- Coordinate responses to incident handling.
- Response to and analysis of malicious activities.

5.2 Incident Response Coordination

- Determine the organizations involved.
- Contact the organizations involved to investigate the incident and take the appropriate steps.
- Facilitate contact with other parties which can help resolve the incidents (for example, the ISP or other CERTs/CSIRTs etc.).

5.3 Incident Resolution

Technical help with:
- Removing the vulnerability.
- Securing the system from the effects of the incident.
- Collecting evidence in case a criminal prosecution is contemplated.

5.4 Proactive Activities

CSIRT OU proactively advises its constituency in regard to recent vulnerabilities and trends in cyber attacks:
- Announcements about existing vulnerabilities.
- Technical assistance with configuring, maintaining and securing the infrastructure.
- Information dissemination.
- Threats Monitoring in the field of ICT.

5.5 Alerts, Warnings, Announcements

CSIRT OU monitors various channels and communities to gain information about current events in the threat landscape that may affect ICT of the University of Ostrava and its users.
Based on the expected impact of such information and a group of potentially affected users, CSIRT OU issues immediate alerts via a suitable communication channel, or provides technical training courses for credential staff.

5.6 Education, Training, Awareness Building

CSIRT OU provides education and professional training for Centre for Information Technology of the University of Ostrava technicians, OU employees (for example during the labor risk training), and students (for example during the introduction to the studies, teaching specific subjects). In the case of a current cyber security threat, it issues recommendations, and, if necessary, provides training aimed specifically at the threat.

5.7 Research

In cooperation with the Department of Informatics and Computers, CSIRT OU conducts scientific research based on, for example, technical and statistical analysis of cyber security incidents, and it participates in publication of scientific papers. According to the cyber threat situation of the moment, it issues proactive, or preventive, recommendations and guidelines, or even announcements describing captured cybernetic threats within the OU and containing information explaining how to avoid them in the future.

5.8 International cooperation

CSIRT OU develops international cooperation primarily with other CSIRT teams within the Czech Republic and the EU. It participates in meetings on both the national level (for example the Czech and Slovak CSIRT community) and the international level (for example the TF-CSIRT group meeting).

5.9 Assistance with the legislative aspects related to cyber security

CSIRT OU provides analyses, advice, and suggestions related to the implementation of obligations resulting from the current and the newly introduced Czech and EU legislation, for example during the drafting and updating of the directives at the University level.

6. Incident Reporting Forms

The form and a detailed guide for reporting incidents are available at https://csirt.osu.cz.

An incident report should contain the following:
- Your contact and your organization's information: name and organization name, e-mail, optionally telephone number.
- IP address and the incident type (spam, scanning, DOS attack, etc.).
- A report about scanning must contain a part of a log showing the problem.
- A report about a malware message must contain a copy of the entire mail header from the e-mail message that is considered to be spam or malware.
- A report about phishing or pharming must contain the URL.
- Scanning results (if any): an extract from the log showing the problem.
- In case you wish to forward any emails to CSIRT OU, please make sure that all email headers, body and any attachments are included.

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, CSIRT OU assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.