Description for eduGAIN CSIRT

REMARK: This needs to be synced with https://edugain.org/edugain-security/

in particular the

  • Constituency
  • Incident response procedure is a link to an AARC deliverable, which has a somewhat generic IRP for distributed infrastructures

About this document

This is version 0.1, draft 2021/07/14

Distribution List for Notifications

Notifications of updates are submitted to the eduGAIN Steering Group mailing list edugain-sg@lists.geant.org. The eduGAIN Steering Group mailing list is composed of all the delegates and deputies of the eduGAIN participants; the subscription is managed by the eduGAIN Service. The mailing list is not moderated.

Locations where this Document May Be Found

The current version of this CSIRT description document is available from the eduGAIN CSIRT WWW site; its URL is https://edugain.org/edugain-security/

Please make sure you are using the latest version.

Authenticating this Document

This document has been signed with the eduGAIN CSIRT's PGP key. The signatures are also on our Web site, under: https://edugain.org/edugain-security/

Contact Information

Name of the Team

eduGAIN CSIRT: The eduGAIN Computer Security Incident Response Team.

Address

eduGAIN CSIRT

Hoekenrode 3 
6th floor

1102 BR Amsterdam
The Netherlands

Time Zone

Europe/Amsterdam (GMT+0100, and GMT+0200 from April to October)

Telephone Number

+44 1223 733033

Facsimile Number

Blank

Other Telecommunication/Instant messaging

Not applicable 

Electronic Mail Address

abuse@edugain.org. This address can be used to report all security incidents which relate to the eduGAIN participants. This is a mail alias that relays mail to the human(s) on duty for the eduGAIN CSIRT.

Public Keys and Other Encryption Information

The eduGAIN CSIRT has a PGP key, whose KeyID is CE43BCB8 and whose fingerprint is

F9FF B82B 9700 72D1 F753 25CF 5E3C 31D7 CE43 BCB8.

The key and its signatures can be found at the usual large public keyservers.

Team Members

The eduGAIN CSIRT team is coordinated by the eduGAIN CSIRT security officer and is composed of security officers and experts from the constituent participants. The current team consists of the following persons:

  • Sven Gabriel, NIKHEF (Team Member)
  • Daniel Kouril, CESNET (Team Member)
  • Davide Vaghetti, GARR (Security Officer)
  • Romain Wartel, CERN (Team Member)

Other Information

General information about eduGAIN security is in https://edugain.org/edugain-security/

The eduGAIN CSIRT's hours of operation are generally restricted to regular business hours (09:00-17:00 CET/CEST, Monday to Friday, except holidays).

The eduGAIN CSIRT may also provide support outside business hours on a best effort basis.

Charter

Mission Statement

The eduGAIN CSIRT provides a central contact and support point for security incidents, and it will work in close collaboration with Federation Operators to coordinate the investigation and resolution of suspected security incidents at the inter-federation level.

Constituency

eduGAIN consists of Federations whose primary target is to provide authentication and authorisation services to the research and education sectors. The eduGAIN Service provides an infrastructure for establishing trusted communications between Entities, such as Identity and Service Providers, in different Federations.

Please refer to the eduGAIN Constitution for further details: https://technical.edugain.org/doc/eduGAIN-Constitution-v3ter-web.pdf

For an up-to-date list of the current eduGAIN Participants you can refer to: https://technical.edugain.org/status

Sponsorship and/or Affiliation

eduGAIN CSIRT is part of the eduGAIN Service which is co-funded by the European Commission through the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 731122 (GN4-2).

Authority

eduGAIN CSIRT is authorized by the eduGAIN Steering Group to coordinate incident response at the inter-federation level.

Policies

The eduGAIN policy framework consists of:

Types of Incidents and Level of Support

eduGAIN CSIRT aims to respond to incident reports within 4 office hours.

Co-operation, Interaction and Disclosure of Information

The eduGAIN CSIRT closely collaborates with the Federations’ operators, security officers and the National Research and Education Network CSIRTs and CERTs to ensure that all the parties affected by a security incident at the inter-federation level are alerted in a timely manner and supported in the investigation, limitation and remediation process.

The roles and interactions of the different entities relevant to incident response within eduGAIN are described in the Security Incident Response Handbook Feedback

<the link needs to be updated to point to the official version of the handbook>

eduGAIN CSIRT reports to the eduGAIN Steering Group (eSG).

Communication and Authentication

ALL incoming information is handled confidentially by eduGAIN CSIRT, regardless of its priority.

eduGAIN CSIRT supports the Information Sharing Traffic Light Protocol (ISTLP – see https://www.trusted-introducer.org/ISTLPv11.pdf) - information that comes in with the tags WHITE, GREEN, AMBER or RED will be handled appropriately.

eduGAIN CSIRT will use the information you provide to help solve security incidents affecting eduGAIN. This means that by default the information will be distributed further to the appropriate parties, but only on a need-to-know basis, and preferably anonymized.

Services

Incident Response

eduGAIN CSIRT's major IT security incident management function is incident coordination across eduGAIN federations.

Incident Triage

eduGAIN CSIRT will support the eduGAIN participants in investigating whether an incident has indeed occurred and, if so, in determining the extent of the incident. This ranges from a single entity registered in one or more federations to multiple affected entities from different federations.

Incident Response Coordination

eduGAIN's participants are Research and Education Federations, in which different organizations operate SPs and IdPs. Usually the mandate and scope of the SPs' and IdPs' security teams are limited to the home organization. The same holds for the federations participating in eduGAIN. eduGAIN CSIRT will organize the security incident communications across affected participants and coordinate the response activities to allow for efficient containment and subsequent resolution of security incidents.

Incident Resolution

The incident resolution is ultimately the task of the organizations responsible for the end entities in eduGAIN (SPs and IdPs). If possible and on request, eduGAIN CSIRT will support the end entities in coordination with the Federations.

Proactive Activities

The eduGAIN CSIRT will maintain the security communication channels with all the eduGAIN participants. To do so, the eduGAIN CSIRT will from time to time organize communication challenges to assess the reliability and responsiveness of the communication infrastructure.

The eduGAIN CSIRT will occasionally share information about prominent security threats and vulnerabilities that may affect the eduGAIN community.

Incident Reporting Forms

Incident Report templates can be found in: https://aarc-project.eu/wp-content/uploads/2017/02/DNA3.2-Security-Incident-Response-Procedure-v1.0.pdf

< THE TEMPLATES SHOULD BE EXTRACTED/EDITED FROM THE PDF AND PUT ON THE WEBSITE (WITH A REFERENCE TO THE ORIGINAL DOC) >

Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, eduGAIN CSIRT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.




