CERT - official description

Below, you will find the document giving the official description of our CERT services according to the recommendations of The Internet Engineering Task Force and Trusted Introducer, which is supported by the European CERT community.

Document Information

Date of Last Update

Version 2.0: March 2018

Distribution List for Notifications

Notifications of updates are published on the official Belnet website http://www.belnet.be/cert

Locations where this Document May Be Found

The current version of this document is available on the Belnet website http://www.belnet.be/cert

Contact Information

Name of the Team

Belnet Security Team

Address

Belnet
Boulevard Simon Bolivar 30 Simon Bolivarlaan
1000 Brussel
Belgium

Time Zone

Central European Time (GMT+0100 in winter time, GMT+0200 during summer time).

Telephone Number

+32 2 790 33 33

Email

cert@belnet.be

PGP Keys

Purpose: This key is to be used for any confidential communication with the Belnet Security Team: communicating vulnerabilities, incidents, …
Name: Belnet CERT <cert@belnet.be>
Key ID: 0x76D6596526E65126
Fingerprint: E008 4D28 7D02 F67A C438 3A77 76D6 5965 26E6 5126
Length: 4.096
Expires: 2021-03-28

Points of Contact

Preferred method is by email. Otherwise, by telephone during office hours (09:00 to 17:00), from Monday to Friday, except Belgian public holidays.

Charter

Mission Statement

Our mission is to secure the Belnet Network and infrastructure, and to assist Belnet customers by providing information and advice about incidents.

Constituency

Our constituency is Belnet's staff and systems and, in an informational role, Belnet's customers.

Sponsoring organization

The Belnet Security Team is operated by Belnet.

Authority

The Belnet Security Team is responsible for handling incidents concerning Belnet.

Belnet customers are not obliged to act upon information provided by the Belnet Security Team, unless it relates to violations of Belnet's Acceptable Use policy.

Policies

Types of Incidents and Level of Support

The Belnet Security Team is authorized to address all types of computer security incidents which occur in Belnet's infrastructure. For customers, the Security Team's actions are limited to giving information and advice. The Belnet Security Team may act upon request of one of its constituents or may act if one of its constituents is involved in a computer security incident.

The highest priority will be given to incidents that threaten the availability of Belnet's network.

Co-operation, Interaction and Disclosure of Information

While there are legal and ethical restrictions on the flow of information from The Belnet Security Team, it acknowledges its indebtedness to, and declares its intention to contribute to, the spirit of cooperation that created the internet. Therefore, while appropriate measures will be taken to protect the identity of members of our constituency and members of neighbouring sites where necessary, The Belnet Security Team will otherwise share information freely when this will assist in resolving or preventing security incidents.

In the paragraphs below, "affected parties" refers to the legitimate owners, operators, and users of the relevant computing facilities. It does not refer to unauthorised users, including otherwise authorised users making unauthorised use of a facility; such intruders may have no expectation of confidentiality from The Belnet Security Team. They may or may not have legal rights to confidentiality; such rights will of course be respected where they exist. The Belnet Security Team may release information to any third party or to governing authorities whenever there is a legal obligation to do so. However, The Belnet Security Team may in some cases delay this action until such a circumstance has been established irrevocably, e.g. by court order. The Belnet Security Team will in such cases always notify the affected persons or organisations.

Classified information, as defined by the Law of December 11th, 1998 on Information Classification and Security Clearances, will be treated according to the Law. Personal information, as defined by the Law of December 8th, 1992 on Protection of privacy with regard to handling of personal data, will also be treated according to the Law.

In general, specific information regarding particular incidents will only be shared with those who need to know it in order to handle the incident. The Belnet Security Team might share such specific information with closed groups that deal with large-scale incidents, where anonymising information would not be practical or would be counterproductive with regard to the handling of the incident. Other sites and CSIRTs, when they are partners in the investigation of a computer security incident, will be trusted with restricted information. This will only happen when the bona fides of these sites or CSIRTs can be verified. In its contact with other CSIRTs, The Belnet Security Team will see to it that the information which is made available to others will be signed (so as to provide for non-repudiation) and, whenever deemed necessary, encrypted.

Law enforcement officers will receive full cooperation, as permitted by law, from The Belnet Security Team, including any information they require to pursue an investigation, notwithstanding the earlier statements made about confidentiality.

Communication and Authentication

In view of the types of information that The Belnet Security Team will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP will be used. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be encrypted before transmission.

Where it is necessary to establish trust, for example before relying on information given to The Belnet Security Team, or before disclosing confidential information, the identity and bona fides of the other party will be ascertained to a reasonable degree of trust. Within the constituency, and with known neighbour sites, referrals from known trusted people will suffice to identify someone. Otherwise, appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, etc., along with telephone call-back or e-mail mail-back to ensure that the party is not an impostor. Incoming e-mail whose data must be trusted will be checked with the originator personally, or by means of digital signatures (PGP in particular is supported).

The Belnet Security Team will append Traffic Light Protocol information when sharing information with teams that support it, and will honour such information if present.

Services

Reactive Services

These services are offered in reaction to an occurring incident, be it detected by The Belnet Security Team staff, other CSIRTs, or a constituency's staff. They focus on short-term issues.

Incident Analysis

After a large incident concerning Belnet's infrastructure, The Belnet Security Team analyses the systemic causes of the incident (lack of process, vulnerable systems, lack of resiliency, …). This analysis is based on information collected during the incident and if necessary on interviews with the actors. The result of this analysis is an independent report, with guidelines and possible improvements for the future. The report is communicated to the relevant parties.

Incident Response Coordination

The Belnet Security Team can act as a relay between our constituents and the National CERT. Our team can also contact members of groups/organisations that we are part of for additional information about an ongoing incident or threat (while respecting each group's distribution restrictions).

The Belnet Security Team handles incident reports that come from its constituency or third parties (like other CSIRTs), and finds the most appropriate correspondents to coordinate efforts in dealing with the incident.

Incident Response Support

The Belnet Security Team will actively participate in the resolution of incidents within Belnet's infrastructure. Additionally, our team can provide support on tickets opened through the Belnet Service Desk by Belnet Customers.

Proactive Services

These services aim to prevent incidents from happening and reduce their impact when they occur. They focus on medium- to long-term issues.

Monitoring

The Belnet Security Team monitors Belnet's systems and network for vulnerabilities, irregularities, indicators of compromise... Our team will act to resolve these issues before they are exploited, or contact the relevant people to do so.

Additionally, our team collects information about vulnerabilities from third-party sources. We may contact those affected if deemed necessary.

Security Quality Management Services

The Belnet Security Team works to ensure that Belnet services are designed, built, and operated with security in mind. Our team also provides information to ensure policies and procedures are developed in accordance with security best practices.

Incident Reporting Forms

If possible, please use the following Incident Reporting Form.

The Belnet Security Team Incident Reporting Form

The following form has been developed to ease gathering incident information. If you believe you have been involved in an incident, please complete - as much as possible - the following form, and send it to cert@belnet.be. If you are unable to send email, please fax it to +32 2 790 33 34.

This information will be treated confidentially, as per our Information Disclosure Policy.

This form is an adaptation of CERT/CC's incident reporting form, version 5.2.

Your contact and organizational information

1.   Name: _________________________

2.   Organisation name: _________________________

3.   Are you a Belnet Customer: _________________________

4.   Email address: _________________________

5.   Telephone number: _________________________

6.   Other (fax, ...): _________________________

Affected Machines:

(Duplicated for each host) 

7.   Hostname and IP: _________________________

8.   Timezone: _________________________

9.   Purpose or function of the host (please be as specific as possible):

__________________________________________________

__________________________________________________

__________________________________________________

10. Hostname or IP: _________________________

11. Timezone: _________________________

12. Been in contact?: _________________________

Description of the incident (duplicate in case of multiple incidents)

13. Dates: _________________________

14. Methods of intrusion:

__________________________________________________

__________________________________________________

__________________________________________________

15. Tools involved: 

__________________________________________________

__________________________________________________

__________________________________________________

16. Software versions:

__________________________________________________

17. Intruder tool output:

__________________________________________________

__________________________________________________

__________________________________________________

__________________________________________________

18. Vulnerabilities exploited:

__________________________________________________

__________________________________________________

__________________________________________________

19. Other relevant information:

__________________________________________________

__________________________________________________

__________________________________________________

__________________________________________________

__________________________________________________

__________________________________________________

Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, The Belnet Security Team assumes no responsibility for errors, omissions, or for damages resulting from the use of the information contained within.

Copyright © 2020 Belnet.