RFC-2350: CSIRT Description for SWITCH-CERT
-------------------------------------------

1. About this document

1.1 Date of Last Update

This is version 1.12, 2022-11-15.

1.2 Distribution List for Notifications

Members of the constituency are informed of changes through their closed channels.

1.3 Locations where this Document May Be Found

The current version of this CSIRT description document is available from the SWITCH website; its URL is

  http://www.switch.ch/security/SWITCH-CERT.txt

Please make sure you are using the latest version.

1.4 Authenticating this Document

This document has been signed with SWITCH-CERT's PGP key.

2. Contact Information

2.1 Name of the Team

"SWITCH-CERT": the SWITCH Computer Emergency Response Team.

2.2 Address

  SWITCH-CERT
  SWITCH
  P.O. Box
  CH-8021 Zurich
  Switzerland

2.3 Time Zone

Central European:
  Winter GMT+0100
  Summer GMT+0200

Change date:
  Winter -> Summer: 1 am UTC last Sunday of March
  Summer -> Winter: 1 am UTC last Sunday of October

2.4 Telephone Number

+41 44 268 15 40

2.5 Facsimile Number

+41 44 268 15 78 (this is *not* a secure fax)

2.6 Other Telecommunication

Video conferencing is available on request. Members of the constituency have access to closed, secure communication and collaboration platforms.

2.7 Electronic Mail Address

This address will reach our team mailbox which is monitored during working hours.

2.8 Public Keys and Other Encryption Information

SWITCH-CERT has a PGP key, whose KeyID is 7441E0AE5A7B015B and whose fingerprint is

  53CE 1FA9 2E0B 1D3D 6DCA 22B6 7441 E0AE 5A7B 015B.

The key and its signatures can be found at the public keyservers as well as on the Web site:

  http://www.switch.ch/security/contact/

2.9 Team Members

SWITCH-CERT is operated by dedicated staff. It can fall back to other employees of SWITCH for special needs.

2.10 Other Information

General public information about SWITCH-CERT is found on the Web site:

  http://www.switch.ch/security/

2.11 Points of Customer Contact

Normal contact is through e-mail using the address . In urgent cases and emergencies customers as well as other CERTs can use the phone numbers given above.

SWITCH-CERT follows standard Swiss office-hours on working days: 8:00 - 18:00

Outside of these hours as well as on weekends, public holidays in Zurich and the days between Dec. 23 and Jan. 3, services are offered on a best effort basis and are not guaranteed.

3. Charter

3.1 Mission Statement

SWITCH-CERT supports members of its constituency (see below) with reactive and proactive services in the field of IT security.

SWITCH-CERT provides support to third parties for problems originating in AS559 (the Swiss research and education network).

SWITCH-CERT supports the .ch and .li registries with reactive and proactive services in the field of IT security.

SWITCH-CERT provides best-effort services for incidents involving .ch and .li domains or with other links to Switzerland.

3.2 Constituency

SWITCH-CERT serves the following customers:

- All sites part of AS559, the Swiss research and education network.
- Selected organizations which have SLAs with SWITCH-CERT in the sectors Banks, Industry & Logistics, Energy.
- The .ch and .li ccTLD registry.
- The Swiss Grid Community, in particular the members of SWING.

3.3 Sponsorship and/or Affiliation

SWITCH-CERT is operated by SWITCH.

3.4 Authority

SWITCH-CERT coordinates security incidents for its constituency. It does not have any formal authority over constituency members. Rather, it is operating in an advisory capacity.

4. Policies

4.1 Types of Incidents and Level of Support

Incidents are prioritised according to their severity. Incidents directly affecting members of the constituency are treated with higher priority.

4.2 Co-operation, Interaction and Disclosure of Information

All requests to SWITCH-CERT are treated with due care.

SWITCH-CERT adheres to the traffic light protocol (TLP). See https://www.trusted-introducer.org/ISTLPv11.pdf for a description. Classified messages should be tagged in the subject as [TLP Color]. A similar stamp should be clearly visible in other documents, such as PDF files etc., sent to SWITCH-CERT. If contact is through phone or video conference, the TLP classifications should be stated prior to the delivery of the information.

It is recommended to encrypt sensitive information with the PGP key mentioned above. Unless required by law, SWITCH-CERT will never release information provided by third parties without their consent. Other encryption methods are available upon request.

4.3 Communication and Authentication

See 4.2. To ensure authenticity of information use PGP signatures.

5. Services

5.1 Incident Response

SWITCH-CERT will assist its customers in the following areas. SWITCH-CERT requires an official security contact from each member of its constituency, typically the site security team. In particular, it will provide assistance or advice with respect to the following aspects of incident management:

5.1.1 Incident Triage

- Investigating whether an incident indeed occurred.
- Determining whether the incident belongs to our constituency.
- Determining the extent of the incident.

5.1.2 Incident Coordination

- Analyzing available information.
- Contacting the organization affected.
- Facilitating contact with other sites which may be involved.
- Supporting the organization affected with intelligence and additional information related to the incident.
- Performing specialized tasks, such as forensic analysis, malware reverse engineering etc. if requested.

5.1.3 Incident Resolution

- Resolving incidents is primarily the customers' responsibility. SWITCH-CERT will provide support, where applicable.

5.2 Monitoring

- SWITCH-CERT monitors the AS559 backbone for malicious traffic.
- Where feasible SWITCH-CERT monitors attack infrastructure.

5.3 Proactive Activities

SWITCH-CERT provides the following proactive services:

- Information services
  - Closed mailing-lists.
  - Alerts for highly critical threats.
  - Awareness materials.
  - Proof of Concept demonstrations.
- Training services
  - SWITCH-CERT conducts trainings on current issues for members of its constituency.
- Meetings
  - SWITCH-CERT organizes periodic meetings for members of its constituency to facilitate information exchange and inform about latest trends.

6. Incident Reporting Forms

There are no forms available. The preferred way of reporting incidents is by email.

7. Disclaimer

While every precaution will be taken in the preparation of information, notifications and alerts, SWITCH-CERT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.

All information in this document is Copyright 2010-2020, SWITCH. This document may not be redistributed, in whole or in part, without the explicit, written permission of SWITCH. Please use the URL given under 1.3 for redistribution.