Description for eduGAIN-CSIRT
This needs to be synced with https://edugain.org/edugain-security/
in particular the
- Constituency
- Incident response procedure is a link to an AARC deliverable which has a rather generic IRP for distributed infrastructures
About this document
This is version 0.1, draft 2021/07/14
Distribution List for Notifications
Notifications of updates are submitted to the eduGAIN Steering Group mailing list edugain-sg@lists.geant.org. The eduGAIN Steering Group mailing list is composed of all the delegates and deputies of the eduGAIN participants; the subscription is managed by the eduGAIN Service. The mailing list is not moderated.
Locations where this Document May Be Found
The current version of this CSIRT description document is available from the eduGAIN-CSIRT WWW site; its URL is https://edugain.org/edugain-security/
Please make sure you are using the latest version.
Authenticating this Document
This document has been signed with the eduGAIN-CSIRT's PGP key. The signatures are also on our Web site, under: https://edugain.org/edugain-security/
Contact Information
Name of the Team
eduGAIN-CSIRT: The eduGAIN Computer Security Incident Response Team.
Address
eduGAIN-CSIRT
PROBABLY THE GEANT
POSTAL ADDRESS
Time Zone
Europe/Amsterdam (GMT+0100, and GMT+0200 from April to October)
Telephone Number
+31 12345679 (SOME GEANT OFFICE NUMBER, where the operator at least knows what to do when contacted on security issues related to eduGAIN)
Facsimile Number
+31 12345679 (SOME GEANT OFFICE FAX NUMBER, where the operator at least knows what to do when contacted on security issues related to eduGAIN)
Other Telecommunication/Instant messaging
OTHER METHODS MONITORED BY THE eduGAIN CSIRT (keybase? slackchannel?)
Electronic Mail Address
abuse@edugain.org This address can be used to report all security incidents which relate to the eduGAIN participants. This is a mail alias that relays mail to the human(s) on duty for the eduGAIN-CSIRT.
Public Keys and Other Encryption Information
The eduGAIN-CSIRT has a PGP key, whose KeyID is CE43BCB8 and whose fingerprint is
F9FF B82B 9700 72D1 F753 25CF 5E3C 31D7 CE43 BCB8.
The key and its signatures can be found at the usual large public keyservers.
Team Members
eduGAIN-CSIRT is coordinated by the eduGAIN-CSIRT security officer. Other team members along with their contact information are listed at the eduGAIN-CSIRT web page: https://edugain.org/edugain-security/ <team member section needs to be added/maintained. I'm fine with having my name there>
Other Information
General information about eduGAIN security is in https://edugain.org/edugain-security/
The eduGAIN-CSIRT's hours of operation are generally restricted to regular business hours (09:00-17:00 CET/CEST, Monday to Friday, except holidays). <ADD A STATEMENT ABOUT "BEST EFFORT" OUTSIDE BUSINESS HOURS ?>
Charter
Mission Statement
The eduGAIN-CSIRT provides security incident coordination for eduGAIN on the federation level and ensures that the security incident resolution process does not stall. Details are laid out in the eduGAIN-CSIRT's Terms of Reference, available at <HERE A LINK TO THE TOR>
Constituency
eduGAIN consists of identity federations, whose members are the federation participants, an association of organisations that exchange information as appropriate about their users and resources to enable collaborations and transactions. With regard to security incident response the identity and service providers (IdP and SP) registered in a federation.
The eduGAIN constituency consists of the eduGAIN participants, see https://technical.edugain.org/status
Sponsorship and/or Affiliation
eduGAIN-CSIRT is part of eduGAIN.org.
Authority
eduGAIN-CSIRT is authorized by the eduGAIN Steering Group to coordinate incident response at the inter-federation level.
Policies
The eduGAIN policy framework is in:
https://technical.edugain.org/doc/eduGAIN-Declaration-v2bis-web.pdf
The constitution of the eduGAIN service is in https://technical.edugain.org/doc/eduGAIN-Constitution-v3ter-web.pdf
Types of Incidents and Level of Support
eduGAIN-CSIRT aims to respond to incident reports within 4 office hours.
Co-operation, Interaction and Disclosure of Information
The eduGAIN Security Team closely collaborates with the Identity Federations’ security operators and the National Research and Education Network CSIRTs and CERTs in eduGAIN to ensure that all security incidents are investigated as fully as possible.
The roles and interactions of the different entities relevant to incident response within eduGAIN are described in the Security Incident Response Handbook Feedback
eduGAIN-CSIRT reports to the eduGAIN Steering Group (eSG).
Communication and Authentication
ALL incoming information is handled confidentially by eduGAIN-CSIRT, regardless of its priority.
eduGAIN-CSIRT supports the Information Sharing Traffic Light Protocol (ISTLP – see https://www.trusted-introducer.org/ISTLPv11.pdf) - information that comes in with the tags WHITE, GREEN, AMBER or RED will be handled appropriately.
eduGAIN-CSIRT will use the information you provide to help solve security incidents affecting eduGAIN. This means that by default the information will be distributed further to the appropriate parties, but only on a need-to-know basis, and preferably anonymized.
Services
Incident Response
eduGAIN-CSIRT's major IT security incident management function is incident coordination across eduGAIN federations.
Incident Triage
eduGAIN-CSIRT will support the eduGAIN participants in investigating whether an incident has indeed occurred and, if so, in determining the extent of the incident. This ranges from a single entity to multiple affected federations.
Incident Coordination
eduGAIN is a federation of identity federations, in which different organisations operate SPs and IdPs. Usually the mandate and scope of the SPs' and IdPs' security teams are limited to the home organisation. The same holds for the federations participating in eduGAIN. eduGAIN-CSIRT will organise the security incident communications across affected participants and coordinate the local response activities to allow for efficient containment and subsequent resolution of security incidents.
Incident Resolution
Incident resolution is ultimately the task of the organizations responsible for the end entities in eduGAIN (Service Providers (SP), Identity Providers (IdP)). If possible, eduGAIN-CSIRT will support the end entities, in coordination with the Federations, on request.
Proactive Activities
<THIS HAS A RISK OF GETTING TIME CONSUMING MORE THAN WE CAN SQUEEZE IN>
Incident Reporting Forms
Incident Report templates can be found in: https://aarc-project.eu/wp-content/uploads/2017/02/DNA3.2-Security-Incident-Response-Procedure-v1.0.pdf
< THE TEMPLATES SHOULD BE EXTRACTED/EDITED FROM THE PDF AND PUT ON THE WEBSITE (WITH A REFERENCE TO THE ORIGINAL DOC) >
Disclaimers
While every precaution will be taken in the preparation of information, notifications and alerts, eduGAIN-CSIRT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.