Description of the CSIRT for CERT PKP Informatyka
=================================================

1. Document Information

This document contains a description of CERT PKP Informatyka in accordance with RFC 2350. It provides basic information about CERT PKP Informatyka, its channels of communication, and its roles and responsibilities.

1.1 Date of Last Update

Version 1.4, 6 April 2022

1.2 Distribution List for Notifications

There is no distribution list for notifications.

1.3 Locations where this Document May Be Found

The current version of this document is available on the CERT PKP Informatyka website:
https://www.pkp-informatyka.pl/rfc2350_EN.txt
Make sure you are using the latest version.

1.4 Authenticating this Document

This document has not yet been signed with the CERT PKP Informatyka PGP key.

2. Contact Information

2.1 Name of the Team

CERT PKP Informatyka
Short name: CERT IT-PKP

2.2 Address

PKP Informatyka Sp. z o.o.
Al. Jerozolimskie 142A
02-305 Warsaw
Poland

2.3 Time Zone

CET (UTC+1); CEST (UTC+2) during summer time, which runs from the last Sunday in March to the last Sunday in October.

2.4 Telephone Number

+48 22 392 45 67

2.5 Facsimile Number

None available.

2.6 Other Telecommunication

None available.

2.7 Electronic Mail Address

The contact address is an e-mail alias read by the person on duty at CERT PKP Informatyka.

2.8 Public Keys and Other Encryption Information

PGP key used by CERT PKP Informatyka:
Key ID:      0571E461
Fingerprint: 36CC 41CF 0ED3 A965 000A 65AF D359 0427 0571 E461

The public key can be found on the CERT PKP Informatyka website:
https://www.pkp-informatyka.pl/cert_pgp.asc

2.9 Other Information

General information about CERT PKP Informatyka can be found at:
https://www.pkp-informatyka.pl/cyberbezpieczenstwo/cert.html

2.10 Customer Contact

The preferred method of contact is e-mail (section 2.7). To ensure integrity and confidentiality, we recommend using our cryptographic keys (section 2.8).

If transmission of information by e-mail is not possible or is not advisable for security reasons, CERT PKP Informatyka may be contacted on the telephone number given in section 2.4.

Working hours of the CERT PKP Informatyka department are Monday to Friday, 8 AM to 4 PM, except public holidays and 25 November. In case of emergency, call the SOC department, which operates 24 hours a day, 7 days a week, on the telephone number in section 2.4.

3. Charter

3.1 Mission Statement

The mission of the CERT PKP Informatyka team is to identify, analyze and mitigate threats directed at the group of users and customers served by PKP Informatyka. Advisory and educational services for the same group are also provided.

3.2 Constituency

The constituency of CERT PKP Informatyka is all users and services of PKP Informatyka, including all systems connected to the networks AS41464 and AS196830.

3.3 Sponsorship and/or Affiliation

CERT PKP Informatyka is financially maintained by PKP Informatyka Sp. z o.o.

3.4 Authority

CERT PKP Informatyka operates under the auspices of, and with authority delegated by, the management of PKP Informatyka. The operational parts of that role are fulfilled by CERT PKP Informatyka, specifically:
- monitoring of cyber security threats,
- incident response,
- information sharing.

4. Policies

4.1 Types of Incidents and Level of Support

CERT PKP Informatyka is authorized to address all types of computer security incidents which occur, or threaten to occur, in its constituency. The level of support provided by CERT PKP Informatyka will vary depending on the type or severity of the incident or problem. The size of the affected user community and the availability of resources at any given time are also taken into account. Incidents will be prioritized according to their extent and severity.

4.2 Co-operation, Interaction and Disclosure of Information

CERT PKP Informatyka exchanges all necessary information with other SOCs and CSIRTs, with other entities included in the Polish national cyber security system, and with the administrators of affected parties. All incident handling information is handled confidentially. Information that is sensitive or may be harmful is processed only in a secure environment and is encrypted. When reporting an incident that includes sensitive information, we recommend that you use encryption (section 2.8) or contact CERT PKP Informatyka directly (sections 2.4 and 2.7) to establish another secure communication channel. CERT PKP Informatyka shares no personal information with cooperating entities unless specifically authorized to do so.

4.3 Communication and Authentication

In view of the types of information that CERT PKP Informatyka deals with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP will be used. Network file transfers will be considered similar to e-mail for these purposes: sensitive data should be encrypted for transmission.

To verify the authenticity of received information or its source, or to authenticate the person making contact, the available verification methods will be used, such as WHOIS lookups, community directories (e.g. Trusted Introducer, FIRST), calling back, meeting in person, or e-mail with digital signatures (especially PGP).

5. Services

5.1 Incident Response

CERT PKP Informatyka will respond to incidents by providing a wide range of services to its constituency, at the level of support described in section 4.1.

5.2 Incident Triage

- Testing the reliability of incident information.
- Classifying events as either a security incident or a false alarm.
- Determining the extent and severity of the incident, including the potential impact on the constituency.

5.3 Incident Coordination

- Incident categorization and prioritization.
- Determining the initial cause of the incident (the vulnerability exploited).
- Collaborating with other entities, including external CSIRTs/SOCs, that may be involved in mitigating the incident.
- Composing announcements to users, if applicable.
- Producing and communicating recommendations for improved security safeguards to system administrators.
- Facilitating contact with appropriate law enforcement officials, if necessary.

5.4 Incident Handling

The extent of support provided will depend on the type and severity of the incident, based on an assessment of whether the activities are appropriate for the cost and risk involved. For selected cases, technical support will be provided, including malware analysis, forensic analysis, threat hunting and evidence collection.

5.5 Proactive Services

- Cyber security communications in the form of reports and informational brochures for users and external customers.
- Observing current security threats.
- Detecting breaches in monitored infrastructure and systems.
- Monitoring and analyzing cyber security threat data and known indicators of compromise from various information sources.

5.6 Reactive Services

- Alerts and messages.
- Incident handling.
- Vulnerability handling.
- Artifact handling (malware reverse engineering).

6. Incident Reporting Forms

No local forms have yet been developed for reporting incidents to CERT PKP Informatyka. We strongly encourage anyone reporting an incident to do so by e-mail (section 2.10).

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, CERT PKP Informatyka assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.
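Before encrypting a report to the key in section 2.8, or accepting a PGP-signed message as authentic (section 4.3), check that the key downloaded from https://www.pkp-informatyka.pl/cert_pgp.asc really carries the published fingerprint. Because this document is not itself PGP-signed (section 1.4), the fingerprint in section 2.8 is the value to compare against, ideally confirmed over a second channel such as the telephone number in section 2.4. The Python script below is an added example, not part of the RFC 2350 document and not CERT PKP Informatyka's own tooling: it decodes an ASCII-armored OpenPGP public key (RFC 4880), checks the armor CRC24, computes the version-4 fingerprint of the primary key (SHA-1 over 0x99, the two-octet packet length and the public-key packet body) and compares it with the published fingerprint and short key ID. The sample key it builds is a constructed dummy packet for exercising the parser, not the CERT key; the file name cert_pgp.asc in the usage line is an assumption.

```python
# Added example: verify a downloaded OpenPGP public key against a published fingerprint (section 2.8).
# Not part of the RFC 2350 document or of CERT PKP Informatyka's own tooling.
import base64
import hashlib
import sys

PUBLISHED_KEY_ID = "0571E461"                                     # from section 2.8 of the document above
PUBLISHED_FINGERPRINT = "36CC 41CF 0ED3 A965 000A 65AF D359 0427 0571 E461"

def normalize_fingerprint(fp: str) -> str:
    """Drop spaces and colons and upper-case, so 'ab cd' and 'AB:CD' compare equal."""
    return fp.replace(" ", "").replace(":", "").upper()

def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880 section 6.1): catches transport damage, not tampering."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored: str) -> bytes:
    """Decode an ASCII-armored block (RFC 4880 section 6.2) and check its CRC24 trailer if present."""
    lines = [ln.strip() for ln in armored.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                        # armor headers ("Version: ...") end at the first blank line
        body = body[body.index("") + 1:]
    crc_lines = [ln for ln in body if ln.startswith("=")]
    data = base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))
    if crc_lines and crc24(data) != int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big"):
        raise ValueError("armor CRC24 mismatch: the file is corrupted or was edited")
    return data

def packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header at offset {i}")
        if ctb & 0x40:                    # new format: 11tttttt, then a 1-, 2- or 5-octet length
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:                             # old format: 10ttttll, then a 1-, 2- or 4-octet length
            tag, lentype = (ctb >> 2) & 0x0F, ctb & 0x03
            if lentype == 3:
                raise ValueError("indeterminate packet length is not supported")
            n = 1 << lentype
            length, hdr = int.from_bytes(data[i + 1:i + 1 + n], "big"), 1 + n
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length

def v4_fingerprint(pubkey_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-octet body length and the key packet body."""
    if pubkey_body[0] != 4:
        raise ValueError("only version 4 keys are supported")
    return hashlib.sha1(b"\x99" + len(pubkey_body).to_bytes(2, "big") + pubkey_body).hexdigest().upper()

def primary_fingerprint(armored: str) -> str:
    """Fingerprint of the primary key: the first public-key packet (tag 6; subkeys are tag 14)."""
    for tag, body in packets(dearmor(armored)):
        if tag == 6:
            return v4_fingerprint(body)
    raise ValueError("no public-key packet found")

def key_matches(armored: str, expected_fingerprint: str, expected_key_id: str = "") -> bool:
    """True only if the full fingerprint matches; a 32-bit key ID alone is too short to trust."""
    fp = primary_fingerprint(armored)
    ok = fp == normalize_fingerprint(expected_fingerprint)
    if expected_key_id:
        ok = ok and fp.endswith(normalize_fingerprint(expected_key_id))
    return ok

def constructed_sample_key() -> str:
    """CONSTRUCTED dummy v4 RSA key, armored like a gpg export; not a real key, not the CERT key."""
    mpi = lambda b: int.from_bytes(b, "big").bit_length().to_bytes(2, "big") + b
    body = b"\x04" + (1649203200).to_bytes(4, "big") + b"\x01" + mpi(bytes(range(1, 65))) + mpi(b"\x01\x00\x01")
    packet = b"\x99" + len(body).to_bytes(2, "big") + body        # old-format header, tag 6
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""] + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"])

if __name__ == "__main__":                # usage (file name is an assumption): python3 verify_cert_key.py cert_pgp.asc
    armored = open(sys.argv[1], encoding="ascii").read()
    ok = key_matches(armored, PUBLISHED_FINGERPRINT, PUBLISHED_KEY_ID)
    print(primary_fingerprint(armored), "MATCH" if ok else "MISMATCH: do not use this key")
    sys.exit(0 if ok else 1)
```

The same fingerprint can be cross-checked with gpg --show-keys --fingerprint cert_pgp.asc. Two caveats a practitioner should keep in mind: the armor CRC24 only detects accidental corruption and is no substitute for comparing the full fingerprint, and the short key ID 0571E461 is only the last 32 bits of the fingerprint, so a match on the key ID alone proves nothing.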