Service Definition Document

Below, you will find the document giving the official description of our CERT services according to the recommendations of The Internet Engineering Task Force and Trusted Introducer, which is supported by the European CERT community.

Document Information

Date of Last Update

Version 1.01: December 2010

Distribution List for Notifications

Notifications of updates are published on the official CERT.be web site https://www.cert.be/.

Locations where this Document May Be Found

The current version of this document is available on the CERT.be web site https://www.cert.be/

Contact Information

Name of the Team

CERT.be: Belgian National Computer Emergency Response Team

Address

CERT.be
Hertogsstraat 4
1000 Brussel
Belgium

Time Zone

Central European Time (GMT+0100 in winter time, GMT+0200 during summer time).

Telephone Number

+32 2 501 05 60

Email

cert [at] cert [dot] be

PGP Keys

cert [at] cert [dot] be
Purpose: This key will sign any communication from CERT.be. It is also to be used for any confidential communication with CERT.be: communicating vulnerabilities, incidents, …
Key ID: 0x52982D62
Key Type: RSA-4096
Key Fingerprint: 59FC 9F8A 4EE8 8BCF 6558 597E 2AFB E221 5298 2D62

Points of Contact

Preferred method is by email. If not email, telephone during office hours (08:00 to 18:00), from Monday to Friday, except Belgian public holidays.

Charter

Mission Statement

CERT.be’s mission is to help Belgian key resources and critical information providers protect their IT infrastructure, by

  • Providing information about incidents,
  • Giving support in handling incidents,
  • Coordinating the response to large-scale incidents, and
  • Helping them to develop CSIRT activities.

Constituency

CERT.be’s constituency is providers of key resources and critical infrastructures:

  • Banks or bank sector CSIRT
  • ISPs or ISP sector CSIRT
  • Energy providers or energy sector CSIRT
  • Transport providers or transport sector CSIRT
  • Any institution or company identified as CIP
  • Federal, Regional and Community Public bodies or public sector CSIRT

Sponsoring organization

CERT.be is operated by Belnet, according to the financial budget attributed by Fedict. In agreement with Art 113 of the Telecom Law, actions are coordinated with the Belgian Telecom Regulator, BIPT.

Authority

Constituents have to take CERT.be’s advice into consideration, even though the decision whether or not to implement certain measures remains theirs. The constituents have to report incidents of a certain scale to CERT.be (a virus outbreak in their infrastructure, for example), and also have to provide contact information with regard to security incidents.

Policies

Types of Incidents and Level of Support

CERT.be is authorized to address all types of computer security incidents which occur in its constituency. CERT.be may act upon request of one of its constituents or may act if one of its constituents is involved in a computer security incident.

The highest priority will be given to incidents that may threaten Belgian Critical Infrastructure providers, that may threaten Belgium’s access to the internet, or that involve financial fraud.

Co-operation, Interaction and Disclosure of Information

While there are legal and ethical restrictions on the flow of information from CERT.be, it acknowledges its indebtedness to, and declares its intention to contribute to, the spirit of cooperation that created the internet. Therefore, while appropriate measures will be taken to protect the identity of members of our constituency and members of neighbouring sites where necessary, CERT.be will otherwise share information freely when this will assist in resolving or preventing security incidents.

In the paragraphs below, "affected parties" refers to the legitimate owners, operators, and users of the relevant computing facilities. It does not refer to unauthorised users, including otherwise authorised users making unauthorised use of a facility; such intruders may have no expectation of confidentiality from CERT.be. They may or may not have legal rights to confidentiality; such rights will of course be respected where they exist. CERT.be may release information to any third party or to governing authorities whenever there is a legal obligation to do so. However, CERT.be may in some cases delay this action until such a circumstance has been established irrevocably, e.g. by court order. CERT.be will in such cases always notify the affected persons or organisations.

Classified information, as defined by the Law of December 11th, 1998 on Information Classification and Security Clearances, will be treated according to the Law. Personal information, as defined by the Law of December 8th, 1992 on Protection of privacy with regard to handling of personal data, will also be treated according to the Law.

In general, specific information regarding particular incidents will only be shared with those who need to know it in order to handle the incident. CERT.be might share such specific information with closed groups that deal with large-scale incidents, where anonymising information would be impractical or counterproductive with regard to the handling of the incident. Other sites and CSIRTs, when they are partners in the investigation of a computer security incident, will be trusted with restricted information. This will only happen when these sites’ or CSIRTs’ bona fides can be verified. In its contact with other CSIRTs, CERT.be will see to it that the information which is made available to others will be signed (so as to provide for non-repudiation) and, whenever deemed necessary, encrypted. See also 1.18 for more details.

Information about known software vulnerabilities will be shared with the general public, including the press, in the form of advisories, when a patch or workaround is available. Information about vulnerabilities that are not yet publicly known will only be shared with those who need to know about it in order to solve it or protect their users.

Law enforcement officers will receive full cooperation, as permitted by law, from CERT.be, including any information they require to pursue an investigation, notwithstanding the earlier statements made about confidentiality.

Communication and Authentication

In view of the types of information that CERT.be will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP will be used. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be encrypted before transmission.

Where it is necessary to establish trust, for example before relying on information given to CERT.be, or before disclosing confidential information, the identity and bona fides of the other party will be ascertained to a reasonable degree of trust. Within the constituency, and with known neighbour sites, referrals from known trusted people will suffice to identify someone. Otherwise, appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, etc., along with telephone call-back or e-mail mail-back to ensure that the party is not an impostor. Incoming e-mail whose data must be trusted will be checked with the originator personally, or by means of digital signatures (PGP in particular is supported).
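The policy above relies on checking a correspondent's PGP key against a fingerprint published out of band. As an added example (not CERT.be's own code), the Python below uses the key data from the PGP Keys section of this document to show why the full fingerprint, and not only the 32-bit key ID, must be compared; the key listing and the look-alike fingerprint are constructed sample inputs.

```python
import hmac
import re
from typing import List

# Published key material, copied from the PGP Keys section of this document.
PUBLISHED_FINGERPRINT = "59FC 9F8A 4EE8 8BCF 6558 597E 2AFB E221 5298 2D62"
PUBLISHED_KEY_ID = "0x52982D62"

# Constructed sample of a key listing as a correspondent might paste it into a mail.
RECEIVED_KEY_LISTING = """\
pub   rsa4096 2010-01-01 [SC]
      59FC 9F8A 4EE8 8BCF 6558  597E 2AFB E221 5298 2D62
uid           CERT.be <cert@cert.be>
"""

# Constructed fingerprint that shares only the last 8 hex digits with the real key.
LOOKALIKE_FINGERPRINT = "0000 0000 0000 0000 0000 0000 0000 0000 5298 2D62"


def normalize_fingerprint(fpr: str) -> str:
    """Drop spaces and colons and upper-case, so output from different tools compares equal."""
    cleaned = re.sub(r"[\s:]", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a 160-bit PGP v4 fingerprint: {fpr!r}")
    return cleaned


def key_id_matches_fingerprint(key_id: str, fpr: str) -> bool:
    """A 'short' key ID is only the last 8 hex digits of the fingerprint, so this is a weak check."""
    kid = key_id.upper().removeprefix("0X")
    return kid == normalize_fingerprint(fpr)[-8:]


def fingerprints_in_listing(text: str) -> List[str]:
    """Return every 40-hex-digit fingerprint found in a key listing, whatever its spacing."""
    return [normalize_fingerprint(m.group(0))
            for m in re.finditer(r"(?:[0-9A-Fa-f]{4}\s*){10}", text)]


def is_published_cert_be_key(fpr: str) -> bool:
    """Constant-time comparison of the full fingerprint against the published value."""
    return hmac.compare_digest(normalize_fingerprint(fpr),
                               normalize_fingerprint(PUBLISHED_FINGERPRINT))


if __name__ == "__main__":
    received = fingerprints_in_listing(RECEIVED_KEY_LISTING)[0]
    print("received key is the published CERT.be key:", is_published_cert_be_key(received))
    print("look-alike passes key-ID check:", key_id_matches_fingerprint(PUBLISHED_KEY_ID, LOOKALIKE_FINGERPRINT))
    print("look-alike passes fingerprint check:", is_published_cert_be_key(LOOKALIKE_FINGERPRINT))
```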

CERT.be will append Traffic Light Protocol information when sharing information with teams that support it, and will honour such information if present.

Services

Reactive Services

These services are offered in reaction to an occurring incident, whether it is detected by CERT.be staff, other CSIRTs, or a constituent's staff. They focus on short-term issues.

Alerts and Warnings

CERT.be collects information about ongoing security incidents (ongoing attacks, new vulnerabilities, …), either automatically (collected from CERT.be’s sensor systems, honeypots, darknets and other such systems) or through information provided by third parties like other CSIRTs. It publishes alerts about these ongoing incidents on the secure www.cert.be site, sends cryptographically protected email to a CERT.be-operated mailing list, and publishes RSS feeds. The alerts include CERT.be’s assessment of the threat, as well as advice for further action (patches to apply, software to avoid, ports to block at the firewall level, …).
Ongoing attacks include virus outbreaks, denial of service attacks on Belgian infrastructure, … With regard to viruses, CERT.be will not routinely analyze every new virus.

Alerts and Warnings are in French and Dutch for the summary part, and contain the original advisory (if any) for authoritative reference.

Incident Handling

Incident Analysis

After a large incident, involving several actors, CERT.be analyses the systemic causes of the incident (lack of process, vulnerable systems, lack of resiliency, …). This analysis is based on information collected during the incident and if necessary on interviews with the actors. The result of this analysis is an independent report, with guidelines and possible improvements for the future. The report is communicated to the relevant parties.

Incident Response Coordination

CERT.be acts as a crisis management centre for large-scale incidents involving one or more of its constituents. CERT.be will register as National CSIRT with the CERT/CC, TF-CSIRT, FIRST and if possible with EGC (the European Governmental CSIRT group), since these groups are the most likely sources of advance information about big incidents.

CERT.be handles incident reports that come from its constituency or third parties (like other CSIRTs), and finds the most appropriate correspondents to coordinate efforts in dealing with the incident.

Incident Response Support

CERT.be offers phone or mail support to its constituents, in order to help them deal with incidents. Support can take the form of advice, pointers to web sites or vendor patches, … The secure www.cert.be web site also provides best practices to handle certain common incidents, such as Denial of Service attacks.

Proactive Services

These services aim to prevent incidents from happening and reduce their impact when they occur. They focus on medium- to long-term issues.

Announcements

Through the secure www.cert.be web site, mailing lists and RSS feeds, CERT.be issues advisories about existing vulnerabilities and ways to address them.
The web site conveys all advisories, and the multiple RSS feeds allow those who are only interested in certain technologies, software or operating systems to filter out the other advisories. The home page of www.cert.be displays current advisories, and gives access to an archive page.

Technology Watch

This service is absolutely necessary to allow the CERT.be team members to stay current in their field. Technology Watch is in some way the default task of any CSIRT member whenever they are not dealing with incidents. Technology Watch is the activity that allows CERT.be to provide Alerts and Warnings as well as Announcements in a timely and relevant manner. Technology Watch includes following specialized web sites, magazines, conference proceedings,

Security-Related Information Dissemination

CERT.be produces documents such as Best Practices, Guidelines to set up a CSIRT, Technical Reports, … New reports and best practices are published as frequently as the security situation requires it, but it is expected that a new document should be published every two months (report on specific subjects or new Best Practices documents). The documents are accessible from the secure www.cert.be web site.

Security Quality Management Services

These services leverage CERT.be's expertise and focus on long-term issues.

Education / Training

CERT.be organizes training sessions for its constituents, whose goal is to provide information on how to develop CSIRT activities. This training is based on the TRANSITS training, developed by TF-CSIRT members.

Awareness Building

CERT.be identifies what information its constituents most need in order to conform better with security Best Practices and security policies. It makes sample policies available on a section of the secure www.cert.be web site.

Incident Reporting Forms

As far as possible, please use the following Incident Reporting Form. An electronic version of the document can be found on Belnet CERT's web site.

CERT.be Incident Reporting Form

The following form has been developed to ease gathering incident information. If you believe you have been involved in an incident, please complete - as much as possible - the following form, and send it to cert [at] cert [dot] be.

This information will be treated confidentially, as per our Information Disclosure Policy.

This form is an adaptation of CERT/CC's incident reporting form, version 5.2.

Your contact and organizational information
1. name......................:
2. organisation name.........:
3. are you a Belnet customer.: 
3.a if no:
    sector type (such as banking, education, energy or
    public safety)...........:
4. email address.............:
5. telephone number..........:
6. other (fax, ...)..........:

Affected Machine(s) 
(duplicate for each host)
7. hostname and IP...........:
8. timezone..................:
9. purpose or function of the host (please be as specific
    as possible).............:

Source(s) of the Attack
(duplicate for each host)
10. hostname or IP...........:
11. timezone.................:
12. been in contact?.........:

Description of the incident (duplicate in case of multiple incidents)
13. dates....................:
14. methods of intrusion.....:
...............................................................
...............................................................
...............................................................
15. Tools involved...........:
...............................................................
...............................................................
...............................................................
16. Software versions........:
...............................................................
17. Intruder tool output
...............................................................
...............................................................
...............................................................
...............................................................
...............................................................
...............................................................
18. Vulnerabilities exploited
...............................................................
...............................................................
...............................................................
19. Other relevant information
...............................................................
...............................................................
...............................................................
...............................................................
...............................................................
...............................................................
...............................................................

Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, CERT.be assumes no responsibility for errors, omissions, or for damages resulting from the use of the information contained within.