RFC 2350

Description of Government Incident Response Team (GovCERT-Hungary)

About this document:
Latest update:

This is version 1.1, published on February 16, 2016.

Update notifications:
Notifications of updates to this document are published on GovCERT-Hungary's website, www.cert-hungary.hu.

Contact Information:
Name of the Team:

GovCERT-Hungary: Government Incident Response Team of Hungary.

Address:
GovCERT-Hungary is located at:
Munkácsy Mihály street 22.
Budapest, Hungary

GovCERT-Hungary's mailing address is:
Special Service for National Security

GovCERT-Hungary
P.O. Box 710/37.
Budapest 62,
H-1399

Time Zone:
UTC+0100 in winter (CET) and UTC+0200 in summer (CEST).

Telephone Number:
+36-1-336-4840
+36-1-336-4833 (night duty)

Facsimile Number:
+36-1-269-1706; +36-1-336-4886 (this is *not* a secure fax)

Other Telecommunication:
None available.

Electronic Mail Address:
cert [at] govcert [dot] hu (incident report)
info [at] govcert [dot] hu

Public Keys and Other Encryption Information:
The GovCERT-Hungary team has a PGP key; its KeyID is 0x1D16DFE7 and its fingerprint is 601B 71A8 338D 5181 58A9 6788 D4E6 00D9 1D16 DFE7. This key can be found on GovCERT-Hungary's website under the PGP menu.

Other Information:
General information about GovCERT-Hungary can be found on its website at http://www.cert-hungary.hu/ in Hungarian and English.

Points of Customer Contact:
The preferred method for contacting GovCERT-Hungary is via e-mail. To contact our team, and for general inquiries, use the info [at] govcert [dot] hu e-mail address. Computer security incidents should be reported to cert [at] govcert [dot] hu. We kindly ask members of the media to direct their questions toward our public relations department at info [at] govcert [dot] hu during regular business hours (Monday-Thursday 8:00-16:30, Friday 8:00-14:00). GovCERT-Hungary provides a 24/7 service with a night duty, so incidents can be reported outside business hours as well.

Charter
Mission Statement
Our Mission:

GovCERT-Hungary's goal is to assist the development of the Hungarian information society, by making the use of computers and the Internet safer.

Our Vision:
GovCERT-Hungary builds on strong national and international cooperation to develop a knowledge base which could be used in this new field of security: the protection of e-services is supervised by a professional team capable of providing quick intervention and effective assistance.
Our goal is to make the Internet secure, to develop a world-class security and information base, and to become a publicly accessible forum for Internet and computer security.

Constituency:
GovCERT-Hungary provides services for the entire Hungarian government administration and the municipalities. The security of computer systems, in particular the government backbone system owned by the government and critical infrastructures, receives special attention from our organization.

Sponsorship and/or Affiliation:
The Government Incident Response Team (GovCERT-Hungary) operates within the organization of the Special Service for National Security, under the direction and control of the Minister of Interior. GovCERT-Hungary is the Hungarian government's network and information security center. Its task is to provide network and information security support to the entire Hungarian government administration and the local municipalities. The center has a vital role in Hungary's critical information infrastructure protection. GovCERT-Hungary also acts as a knowledge base for IT professionals and the Hungarian public.

Authority:
The GovCERT-Hungary expects to work cooperatively with system administrators within its constituency, and, insofar as possible, to avoid authoritarian relationships. However, if necessary and requested by a constituent, GovCERT-Hungary may assist in initiating legal proceedings.

Policies:
Types of Incidents and Level of Support:
GovCERT-Hungary is authorized to address all types of computer security incidents which occur, or threaten to occur, in Hungary.

The level of support given by GovCERT-Hungary will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and GovCERT-Hungary's resources at the time, though in all cases some response will be made within one working day. Computer security incidents at organizations registered at GovCERT-Hungary will always receive priority over incidents at unregistered organizations. Resources will be assigned according to the following priorities, listed in decreasing order:

Computer security incidents at registered organizations.

  • Root or system-level attacks on any Management Information System, or any part of the backbone network infrastructure.

  • Root or system-level attacks on any large public service machine, either multi-user or dedicated-purpose.

  • Compromise of restricted confidential service accounts or software installations, in particular those used for MIS applications containing confidential data, or those used for system administration.

  • Denial of service attacks on any of the above three items.

  • Any of the above at other sites, originating from Hungarian Internet service provider's sites.

  • Large-scale attacks of any kind, e.g. sniffing attacks, IRC "social engineering" attacks, password cracking attacks.

  • Threats, harassment, and other criminal offenses involving individual user accounts.

  • Compromise of individual user accounts on multi-user systems.

  • Compromise of desktop systems.

  • Forgery and misrepresentation, and other security-related violations of local rules and regulations, e.g. netnews and e-mail forgery, unauthorized use of IRC bots.

  • Denial of service on individual user accounts, e.g. mail bombing.

Types of incidents other than those mentioned above will be prioritized according to their apparent severity and extent.

Note that no direct support will be given to end users; they are expected to contact their system administrator, network administrator, or department head for assistance. GovCERT-Hungary will support the latter people. End-users are advised to make use of information about network security published on GovCERT-Hungary's web pages.

While GovCERT-Hungary understands that there exists great variation in the level of system administrator expertise, and while GovCERT-Hungary will endeavor to present information and assistance at a level appropriate to each person, GovCERT-Hungary cannot train system administrators on the fly, and it cannot perform system maintenance on their behalf. In most cases, GovCERT-Hungary will provide pointers to the information needed to implement appropriate measures.

Co-operation, Interaction and Disclosure of Information
While there are legal and ethical restrictions on the flow of information from GovCERT-Hungary, GovCERT-Hungary acknowledges its indebtedness to, and declares its intention to contribute to, the spirit of cooperation that created the Internet. Therefore, while appropriate measures will be taken to protect the identity of members of our constituency and members of neighboring sites where necessary, GovCERT-Hungary will otherwise share information freely when this will assist others in resolving or preventing security incidents.

In the paragraphs below, "affected parties" refers to the legitimate owners, operators, and users of the relevant computing facilities. It does not refer to unauthorized users, including otherwise authorized users making unauthorized use of a facility; such intruders may have no expectation of confidentiality from GovCERT-Hungary. They may or may not have legal rights to confidentiality; such rights will of course be respected where they exist.

Information being considered for release will be classified as follows:

  • Private user information is information about particular users, or in some cases, particular applications, which must be considered confidential for legal, contractual, and/or ethical reasons. Private user information will not be released in identifiable form outside GovCERT-Hungary, except as provided for below. If the identity of the user is disguised, then the information can be released freely (for example to show a sample .cshrc file as modified by an intruder, or to demonstrate a particular social engineering attack).

  • Intruder information is similar to private user information, but concerns intruders. While intruder information, and in particular identifying information, will not be released to the public (unless it becomes a matter of public record, for example because criminal charges have been laid), it will be exchanged freely with system administrators and CSIRTs tracking an incident.

  • Private site information is technical information about particular systems or sites. It will not be released without the permission of the site in question, except as provided for below.

  • Vulnerability information is technical information about vulnerabilities or attacks, including fixes and workarounds if they are available. Vulnerability information will be released freely, though every effort will be made to inform the relevant vendor before the general public is informed.

  • Embarrassing information includes the statement that an incident has occurred, and information about its extent or severity. Embarrassing information may concern a site or a particular user or group of users. Embarrassing information will not be released without the permission of the site or users in question, except as provided for below.

  • Statistical information is embarrassing information with the identifying information stripped off. Statistical information will be released and used in publications and other educational papers.

  • Contact information explains how to reach system administrators and CSIRTs. Contact information will be released freely, except where the contact person or entity has requested that this not be the case, or where GovCERT-Hungary has reason to believe that the dissemination of this information would not be appreciated.

Potential recipients of information from GovCERT-Hungary will be classified as follows:

  • Registered members of GovCERT-Hungary are entitled to information which pertains to the security of their own computer systems, even if this means revealing "intruder information", or "embarrassing information" about another system. For example, if account aaaa is cracked and the intruder attacks account bbbb, user bbbb is entitled to know that aaaa was cracked, and how the attack on the bbbb account was executed. User bbbb is also entitled, if she or he requests it, to information about account aaaa which might enable bbbb to investigate the attack. For example, if bbbb was attacked by someone remotely connected to aaaa, bbbb should be told the provenance of the connections to aaaa, even though this information would ordinarily be considered private to aaaa. Registered members of GovCERT-Hungary are entitled to be notified if their computer systems are believed to have been compromised.

  • Unregistered constituents of GovCERT-Hungary will receive no restricted information, except where the affected parties have given permission for the information to be disseminated. Statistical information may be made available to the constituents of GovCERT-Hungary. There is no obligation on the part of GovCERT-Hungary to report incidents to the community, though it may choose to do so; in particular, it is likely that GovCERT-Hungary will inform all affected parties of the ways in which they were affected, or will encourage the affected site to do so.

  • The public at large will receive no restricted information. GovCERT-Hungary communicates with the public mainly through its website www.cert-hungary.hu. Members of the public may find vulnerability, statistical, and contact information, other public data, and news on GovCERT-Hungary's website. Any concerns about, or objections to information published on GovCERT-Hungary's website should be addressed to the GovCERT-Hungary team at info [at] govcert [dot] hu.

  • The computer security community will be treated the same way the general public is treated. While members of GovCERT-Hungary may participate in discussions within the computer security community, such as newsgroups, mailing lists (including the full-disclosure list "Bugtraq"), and conferences, they will treat such forums as though they were the public at large. While technical issues (including vulnerabilities) may be discussed to any level of detail, any examples taken from GovCERT-Hungary experience will be disguised to avoid identifying the affected parties.

  • Other sites and CSIRTs, when they are partners in the investigation of a computer security incident, will in some cases be trusted with confidential information. This will happen only if the foreign site's bona fide can be verified, and the information transmitted will be limited to that which is likely to be helpful in resolving the incident. Such information sharing is most likely to happen in the case of sites registered at GovCERT-Hungary, unless they have objected to such information exchange at registration.

  • For the purposes of resolving a security incident, otherwise semi-private but relatively harmless user information such as the provenance of connections to user accounts will not be considered highly sensitive, and can be transmitted to a foreign site without excessive precautions. "Intruder information" will be transmitted freely to other system administrators and CSIRTs. "Embarrassing information" can be transmitted when there is reasonable assurance that it will remain confidential, and when it is necessary to resolve an incident.

  • Vendors will be considered as foreign CSIRTs for most intents and purposes. GovCERT-Hungary wishes to encourage vendors of all kinds of networking and computer equipment, software, and services to improve the security of their products. In aid of this, a vulnerability discovered in such a product will be reported to its vendor, along with all technical details needed to identify and fix the problem. Identifying details will not be given to the vendor without the permission of the affected parties.

  • Law enforcement officers will receive full cooperation from GovCERT-Hungary, including any information they require to pursue an investigation, in accordance with the law.

Communication and Authentication:
In view of the types of information that GovCERT-Hungary will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP encryption will be used. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be encrypted for transmission or encrypted channels should be used during the transfer.

Where it is necessary to establish trust, for example before relying on information given to GovCERT-Hungary, or before disclosing confidential information, the identity and bona fide of the other party will be ascertained to a reasonable degree of trust. Referrals from known trusted people will suffice to identify someone. Otherwise, appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, etc., along with telephone call-back or e-mail mail-back to ensure that the party is not an impostor. Incoming e-mail whose data must be trusted will be checked with the originator personally, or by means of digital signatures (in particular PGP is supported).

Services
Incident Response:
GovCERT-Hungary will assist system administrators in handling the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management:

Incident Triage:

  • Investigating whether indeed an incident occurred.

  • Determining the extent of the incident.

Incident Coordination:

  • Determining the initial cause of the incident (vulnerability exploited).

  • Facilitating contact with other sites which may be involved.

  • Facilitating contact with law enforcement, if necessary.

  • Making reports.

  • Composing announcements to users, if applicable.

Incident Resolution:

  • Analyzing and if possible removing the vulnerability.

  • Securing the system from the effects of the incident.

  • Collecting evidence where criminal prosecution, or community disciplinary action, is contemplated.

In addition, GovCERT-Hungary will collect statistics concerning incidents which occur within or involve its constituency, and will notify the community as necessary to assist it in protecting against known attacks.

To make use of GovCERT-Hungary's incident response services, please send e-mail as per section 2.11 above. Please remember that the amount of assistance available will vary according to the parameters described in section 4.1.

Proactive Services
Intrusion Detection Services
GovCERT-Hungary's intrusion detection service can keep a watchful eye on a client's system and give the client an early alert about successful virus or hacker attacks, so security issues can be handled before they become a serious problem.

Security Audits
GovCERT-Hungary offers security audits on information technology systems. We will provide valuable information in determining the risk related to any specific IT system or we can actually perform the risk assessment of a supported organization. Such an assessment can find the balance between maximizing security and minimizing costs, resulting in substantial savings. GovCERT-Hungary will help its clients get ready for the worst by providing business continuity and disaster recovery planning solutions, so when a problem disrupts normal business operations, they will be among the first ones to get back on their feet.

Development of Security Applications
GovCERT-Hungary can also be commissioned to install, configure, maintain or even develop security applications. Our experts can evaluate the security of software applications, hardware, or IT services to help supported organizations choose the best products available.

Malware Analysis
Malicious code can reduce work efficiency and system security, but only an expert can determine the threat that a piece of software or a document poses to an IT system. Any software, document or other suspicious code sent to GovCERT-Hungary will be analyzed by our experts to find malicious code.

Technology Watch
IT security tools are developing at a fast pace, keeping up with upcoming threats. GovCERT-Hungary can determine the need for a new security tool, and develop effective deployment methods for its clients.

Security Consultancy
GovCERT-Hungary, with the support of its external experts, can give advice on any security issue to its clients. The 70-30 rule is still effective, which means that most security threats come from inside the organization. GovCERT-Hungary can provide educational materials and hold training sessions for its constituents, so employees and managers become part of the security, instead of being a security risk.

Notification of Incident:
Computer security incidents should be reported to cert [at] govcert [dot] hu.

Disclaimers
While every precaution will be taken in the preparation of information, notifications and alerts, GovCERT-Hungary assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.