RFC2350

1. Introduction

1.1.        Overview

This document is composed of several sections describing how the National centre for computer incident response (MKD-CIRT) works. Each section gives guidelines and procedures that allow a constituent to report a security incident properly.

1.2.        Purpose

This document contains a description of MKD-CIRT according to RFC 2350. It provides information about the computer security incident response team (CSIRT), explains how to contact the team, and describes its responsibilities and the services offered by MKD-CIRT.

1.3.        Scope

This policy covers the MKD-CIRT constituency.

1.4.        Reference

  • rfc2350 template
  • Incident reporting guidelines for constituents

1.5.        Definition and abbreviation

Abbreviation   Description
PGP            Pretty Good Privacy
CERT           Computer Emergency Response Team
CSIRT          Computer Security Incident Response Team

2.     Document information

2.1.        Date of last update

This is version 1.0, published on 14.03.2016.

This version is valid until superseded by a later version.

2.2.        Distribution List for Notifications

Changes to this document are not distributed by a mailing list, RSS or any other mechanism. Please address any specific questions or remarks to the MKD-CIRT e-mail address (see section 3.7).

2.3.        Locations where this document may be found

The current version of this document is always available on the MKD-CIRT website at https://www.mkd-cirt.mk.

2.4.        Authenticating this document

This document has been signed with the PGP key of MKD-CIRT.

The signature is available on the MKD-CIRT website https://www.mkd-cirt.mk.

3.     Contact information

3.1.        Name of the team

National centre for computer incident response of Republic of Macedonia.

Short name: MKD-CIRT.

3.2.        Address

Agency for electronic communications

National centre for computer incident response

Kay Dimitar Vlahov 21

1000 Skopje

Republic of Macedonia

3.3.        Time zone

CET / CEST

Central European Time / Central European Summer Time

3.4.        Telephone number

Hotline: +389 2 3091 232 (it does not fully cover the hours outside business hours; the principle of best effort applies)

3.5.        Facsimile number

+389 2 3224 611 (this is not a secure fax)

3.6.        Other telecommunication

Internet Website: https://www.mkd-cirt.mk.

3.7.        Email address

info@mkd-cirt.mk: this e-mail address is used for exchanging general information. Incidents should not be reported to this address (see below).

soc@mkd-cirt.mk: this e-mail address is used for reporting an incident to the Support and Operation Center team of MKD-CIRT.

3.8.        Public Keys and Encryption Information

The e-mail addresses used by MKD-CIRT (info@mkd-cirt.mk and soc@mkd-cirt.mk) share the same PGP key, as documented below:

  • Key Id: 0x333C00DB
  • Key Type: RSA-4096
  • Key Fingerprint: 0FB9 3DA3 E008 FA8B FC6A 9C71 0741 17A1 333C 00DB

The public key and its signatures can be found on the usual large public key servers as well as on the MKD-CIRT public website (https://www.mkd-cirt.mk).

This key signs all communication from MKD-CIRT. It is also the key to use for any confidential communication with MKD-CIRT (incident reports, alerts).
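As an added illustration, not part of this document or of MKD-CIRT's own tooling, the following script shows how a constituent can check a key downloaded from a key server against the fingerprint published above: the full 40-hex-digit fingerprint must match, and a matching short key ID (the last 32 bits) on its own is not proof of identity. The sample inputs are constructed.

```python
import re

# Published MKD-CIRT key data, copied from section 3.8 of this document.
PUBLISHED_FINGERPRINT = "0FB9 3DA3 E008 FA8B FC6A 9C71 0741 17A1 333C 00DB"
PUBLISHED_KEY_ID = "0x333C00DB"


def normalize_fingerprint(fpr: str) -> str:
    """Drop spaces/colons and upper-case, then require exactly 40 hex digits
    (a 160-bit OpenPGP v4 fingerprint, which is what section 3.8 publishes)."""
    cleaned = re.sub(r"[\s:]", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a 40-hex-digit v4 fingerprint: {fpr!r}")
    return cleaned


def short_key_id(fpr: str) -> str:
    """The 32-bit 'short' key ID is the last 8 hex digits of a v4 fingerprint."""
    return "0x" + normalize_fingerprint(fpr)[-8:]


def verify_received_key(received_fpr: str) -> dict:
    """Check a fingerprint read from a downloaded key against the published one.

    'trusted' is True only when the full fingerprint matches: the short key ID
    is just 32 bits, so a different key can share it, and matching it alone is
    not a proof of identity."""
    expected = normalize_fingerprint(PUBLISHED_FINGERPRINT)
    try:
        got = normalize_fingerprint(received_fpr)
    except ValueError:
        return {"fingerprint_ok": False, "key_id_ok": False, "trusted": False}
    fingerprint_ok = got == expected
    key_id_ok = got[-8:] == PUBLISHED_KEY_ID[2:].upper()
    return {"fingerprint_ok": fingerprint_ok, "key_id_ok": key_id_ok,
            "trusted": fingerprint_ok}


if __name__ == "__main__":
    # Constructed sample inputs (not from the page): the genuine fingerprint as
    # gpg prints it, a look-alike that only shares the short key ID, and junk.
    samples = {
        "genuine": "0fb9 3da3 e008 fa8b fc6a 9c71 0741 17a1 333c 00db",
        "lookalike": "1111 2222 3333 4444 5555 6666 7777 8888 333C 00DB",
        "junk": "333C00DB",
    }
    for name, fpr in samples.items():
        print(name, verify_received_key(fpr))
```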

3.9.        Team members

The MKD-CIRT team is operated by dedicated IT security experts from the Agency for electronic communications. The full list of MKD-CIRT team members is not publicly available. Team members will identify themselves to the reporting party with their full name in any official communication regarding an incident.

3.10.      Other information

General information about MKD-CIRT, as well as links to various recommended security resources, can be found on the MKD-CIRT public website (https://www.mkd-cirt.mk).

3.11.      Points of Customer Contact

Days/hours of operation are from 08:30 to 16:30 CET from Monday to Friday except during Republic of Macedonia’s public holidays.

All incident reports should be sent to soc@mkd-cirt.mk. This e-mail address is preferred for reporting urgent, sensitive, critical or classified information, information security events and incidents.

In general, the use of phone and fax for reporting incidents should be avoided as much as possible.

MKD-CIRT encourages its constituents to use secure e-mail (for instance PGP) when exchanging any sensitive information.

4.     Charter

4.1.        Mission statement

The National Centre for Computer Incident Response has the following mission:

  • coordinate and help/assist the authorities and public sector institutions in the implementation of proactive services for reducing the risk of computer security incidents, as well as in dealing with incidents when they occur,
  • conduct activities for educating and raising awareness among the citizens on the negative effects of cyberthreats and cybercrime, and
  • provide timely advice for all its constituents.

MKD-CIRT is mandated:

  • to cover classified and non-classified infrastructures,
  • to react and to coordinate in case of incidents,
  • to prevent and detect major incidents, and
  • to improve coordination of governmental actors within the frame of the management and response to incidents.

4.2.        Constituency

The constituency of MKD-CIRT consists of:

  • all ministries, administrations and services of the Republic of Macedonia government,
  • critical infrastructure operators in the Republic of Macedonia, and
  • large organizations in the banking, transport, communications, health, energy and other strategic sectors in the Republic of Macedonia.

A detailed list and more information about the constituency of MKD-CIRT can be found on the website https://www.mkd-cirt.mk.

4.3.        Sponsorship and/or Affiliation

MKD-CIRT is sponsored by the following entities in the Republic of Macedonia:

  • Agency for electronic communications,
  • Ministry of information society and administration.

MKD-CIRT maintains affiliations with the CERT / CSIRT community by attending international and European meetings such as those of FIRST, TF-CSIRT and other international organizations.

4.4.        Authority

Pursuant to Article 26a, paragraphs 2 and 3, of the Law on Electronic Communications (Official Gazette number 39/2014, 188/2014, 44/2015 and 193/2015), the National Centre for Computer Incident Response is established as a separate organizational unit within the Agency for Electronic Communications in the Republic of Macedonia.

The main objectives and tasks of the National Centre for Computer Incident Response are as follows:

  • Play a key role in coordinating the handling of incidents among the stakeholders at a national level.
  • Respond to computer incidents by providing the necessary services to its constituent/user, allowing it to efficiently deal with the incidents.
  • Continuously monitor the risks, receive information about computer threats and incidents (automatically or via third parties) and continuously have at its disposal the indicators of incoming or outgoing malicious traffic in the country.
  • Act as the official national point of contact and exchange of information (incidents, vulnerability reports, etc.) within the country and abroad with the National/Governmental CIRTs of the countries in the region and beyond.
  • Timely inform and notify its constituents. Provide its constituents with security advice and early-warning information, and act as a focal point for issues related to cybersecurity.
  • Fully cooperate and exchange information with the state institutions in charge of law enforcement, particularly those in the field of cybercrime, and adequately address the legal issues that may arise during an incident.
  • Continuously exchange information, know-how and experience with the constituents, establish best security practices/guidelines and publish them accordingly, as well as continuously provide education and training for the constituents and for the employees of the Centre.
  • Provide assistance when establishing internal centres for computer incident response of large organizations that manage key/critical information infrastructures (public and private) in the Republic of Macedonia.
  • Continuously raise the awareness among the citizens on the negative effects of cyberthreats and cybercrime.

MKD-CIRT expects to work cooperatively with system administrators from its Constituency.

Members of MKD-CIRT community who wish to appeal the actions of MKD-CIRT should contact the Managing Director of MKD-CIRT.

All members of the MKD-CIRT team have the necessary security clearances. As a consequence, they have wide possibilities of interacting with systems, services and system administrators from the constituency of MKD-CIRT.

MKD-CIRT operates within the confines imposed by Republic of Macedonia’s legislation.

5.     Policies

5.1.        Types of incidents and level of support

The level of support given by MKD-CIRT varies depending on the type and severity of the incident, vulnerability or issue as determined by MKD-CIRT staff, the type of asset, the part of the constituent affected, and MKD-CIRT’s resources at the time.

Information security incidents at constituents registered with MKD-CIRT will always take priority over incidents at unregistered constituents.

MKD-CIRT may act upon request of one of its constituents or may act if one of its constituents is involved in an information security incident.

Information security incidents are prioritized according to their apparent severity and extent. Note that no direct support will be given to end users; they are expected to contact their system administrator, network administrator, or department head for assistance. MKD-CIRT will give full support to the system administrator, network administrator, or department head. Only limited support can be given to end users by MKD-CIRT.

While MKD-CIRT understands that there exists great variation in the level of system administrator expertise, and while MKD-CIRT will endeavor to present information and assistance at a level appropriate to each person, MKD-CIRT cannot train system administrators on the fly, and it cannot perform system maintenance on their behalf. In most cases, MKD-CIRT will provide pointers to the information needed to implement appropriate measures.

5.2.        Co-operation, Interaction and Disclosure of information

While there are legal and ethical restrictions on the flow of information from MKD-CIRT, it acknowledges its indebtedness to, and declares its intention to contribute to, the spirit of cooperation that created the internet. Therefore, while appropriate measures will be taken to protect the identity of members of our constituency and members of neighboring sites where necessary, MKD-CIRT will otherwise share information freely when this will assist in resolving or preventing security incidents.

MKD-CIRT highly regards the importance of operational cooperation and information-sharing between computer security incident response teams (CSIRTs), and also with other organizations which may contribute towards or make use of their services.

MKD-CIRT protects sensitive information in accordance with relevant regulations and policies within Republic of Macedonia. In particular, MKD-CIRT respects the sensitivity markings allocated by originators of information communicated to MKD-CIRT (“originator control”).

MKD-CIRT appends Traffic Light Protocol information when sharing information with teams that support it, and will honor such information if present.

The Information Disclosure Policy applicable to MKD-CIRT can be found at https://www.mkd-cirt.mk.

5.3.        Communication and Authentication

The preferred method of communication is via e-mail. If it is not possible (or not advisable for security reasons) to use electronic communication (e-mail / web form), MKD-CIRT can be reached by telephone during hours of operation. Outside these hours a hotline phone is available, but it does not fully cover the hours outside business hours; the principle of best effort applies.

In view of the types of information that MKD-CIRT deals with, telephones may be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of unclassified / low-sensitivity data.

Where it is necessary to establish trust, for example before relying on information given to MKD-CIRT, or before disclosing confidential information, the identity and bona fides of the other party will be ascertained to a reasonable degree of trust. Within the constituency, and with known neighbor sites, referrals from known trusted people will suffice to identify someone.

Communication security (encryption and authentication) is achieved by various means: PGP or other agreed means, depending on the sensitivity level and context.

If it is necessary to send highly sensitive data by e-mail, encryption (for instance PGP) will be used. Network file transfers will be considered similar to e-mail for these purposes: sensitive data should be encrypted for transmission. In such situations, all sensitive communication to MKD-CIRT should be encrypted to the team's PGP key.

All e-mail or data communication related to an incident originating from MKD-CIRT is digitally signed using the PGP key mentioned above, or MKD-CIRT agents' own signature keys.

Use of encryption / digital signature is encouraged when reporting information to MKD-CIRT, especially when sending sensitive information.

When submitting a report, (1) indicate the urgency along with the report, (2) state your need for feedback, and (3) use where possible the form provided in section 7.

6.     Services

MKD-CIRT is authorized to handle and to address all types of information security incidents, involving both classified and un-classified information, which occur, or threaten to occur, in the constituents’ networks, systems and services that fall into its mandate.

MKD-CIRT supports members of its constituency with a set of reactive and proactive services in the field of information / IT security.

MKD-CIRT will gradually roll out its services, starting with Incident Handling.

6.1.        Incident Response

MKD-CIRT coordinates all activities related to incident response within its constituency. We provide support, help, and advice with respect to the following aspects of incident management:

Service and description:

  1. Notifications and alerts: Disclose the details of current threats and steps that can be undertaken to protect against these threats. This includes notification or warning of newfound information on cyberthreats and vulnerabilities to the constituents with a recommended course of action and guidance on how to protect the system. The notifications may be preventive, warning, advisory, and guiding.
  2. Remote incident response: Provide technical assistance to address security incidents when they occur, in order to mitigate the damage and recover from the incident. Advice and technical assistance is usually provided by telephone or e-mail.
  3. On-site incident response: Provide on-site technical assistance and advice to address security incidents when they occur, in order to mitigate the damage and recover from the incident. This service is usually related to or implemented for critical-level incidents.
  4. Vulnerability response: Assess the adequate measures necessary to respond to newly discovered vulnerabilities; assess their seriousness and impact, decide whether to issue warnings thereof or verify or further investigate their weight/impact. Overall, this approach applies to information on vulnerabilities that are publicly known.
  5. Basic awareness, education and training: Implement small-scale programmes for raising public awareness. Conduct basic training on computer incident response and main cybersecurity best practices.

7.     Incident reporting forms

Reporting an incident can be done in one of two manners:

  • Anonymous manner: reporting an incident using the online form (https://www.mkd-cirt.mk). All incidents reported by this means are reported anonymously. Incidents submitted through this form are encrypted prior to transmission.
  • General manner: reporting an incident using the incident reporting form, following the “Incident reporting guidelines for constituents” available on https://www.mkd-cirt.mk, by e-mail to the following address: soc@mkd-cirt.mk.