Next: Education and Training
Up: esCERT-UPC: The Spanish Cert
Previous: Contacting esCERT-UPC and Technical Provisions
Index: Contents Page


Operational Activities and Policies

We have three classes of information: internal, confidential internal, and external. esCERT-UPC members use a secure communication channel when the nature of the information requires it. For this purpose, esCERT-UPC has two public key pairs: one for signing (the sign key) and another for contact (the contact key). In addition, every member has his own key pair.

Internal information is written in Catalan, but public information is also produced in English and/or Spanish, since esCERT-UPC serves the Spanish Internet community.

Public Keys. Each member has his own key pair and the other members' public keys. esCERT-UPC also has its own key pairs, but only esCERT-UPC kernel members can use them. These keys are used through PGP mail and are published through the Spanish PGP key server, managed by UPC.

Incident Numbers and Database. When new incidents are reported, they are logged into an incident database. The incident form reported by the involved site is stored in the database and marked as confidential information. Also, a unique identification number and an alias are assigned to the incident. The format of the unique number is YYYYMMDDNN, where YYYY stands for the year, MM for the month number, DD for the day number and NN for the incident number of the day.
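As an added example (not esCERT-UPC's own code), a small Python registry that assigns identifiers in the YYYYMMDDNN format above and validates existing ones. The in-memory counter, the assumption that NN starts at 01, and the refusal to assign a 100th number on one day are mine; the text does not say how the real database handles these cases.

```python
"""Incident identifiers of the form YYYYMMDDNN (year, month, day, daily sequence)."""
from datetime import date, datetime
from typing import Dict, Tuple


class IncidentRegistry:
    """Assigns YYYYMMDDNN identifiers; NN is a per-day counter (assumed 01..99)."""

    def __init__(self) -> None:
        # Constructed in-memory state; the real incident database is not modelled.
        self._per_day: Dict[str, int] = {}

    def next_id(self, year: int, month: int, day: int) -> str:
        """Return the next free identifier for the given calendar day."""
        prefix = date(year, month, day).strftime("%Y%m%d")  # rejects impossible dates
        seq = self._per_day.get(prefix, 0) + 1
        if seq > 99:
            # Assumption: two digits cannot hold a 100th incident; refuse rather than wrap.
            raise ValueError(f"more than 99 incidents on {prefix}; NN cannot exceed 99")
        self._per_day[prefix] = seq
        return f"{prefix}{seq:02d}"


def parse_incident_id(incident_id: str) -> Tuple[date, int]:
    """Split a YYYYMMDDNN identifier into (date, daily sequence number).

    Rejects wrong length, non-digit characters, impossible calendar dates and NN == 00.
    """
    if len(incident_id) != 10 or not incident_id.isdigit():
        raise ValueError(f"malformed incident id: {incident_id!r}")
    day = datetime.strptime(incident_id[:8], "%Y%m%d").date()  # raises on e.g. 20010230
    seq = int(incident_id[8:])
    if seq == 0:
        raise ValueError("daily sequence number must start at 01")
    return day, seq


def is_valid_incident_id(incident_id: str) -> bool:
    """True if the identifier parses as a well-formed YYYYMMDDNN value."""
    try:
        parse_incident_id(incident_id)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    registry = IncidentRegistry()
    print(registry.next_id(2001, 2, 2), registry.next_id(2001, 2, 2))  # 2001020201 2001020202
    print(parse_incident_id("2001020201"))
```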

The information in the database is used to generate statistics such as the number of incidents (open and closed), the number of help-desk calls, the number of queries received, the number of phone calls received, the number of electronic mails processed, the average time to solve the problems, the breakdown of incidents by severity, and others to be proposed.

Confidential Internal Information. This information is available only to esCERT-UPC kernel members. It mainly consists of incident information, points of contact and vulnerability information.

Internal Information. This information is available to esCERT-UPC members (kernel and specialized members). It is mainly a vulnerabilities database, contact information and internal security bulletins. Authorized members can use this information through an HTTPS interface.

External Information. It comprises public information. Everyone with a web browser and an FTP client has access to it, i.e. the information is intended to reach the whole Spanish-speaking community, and not only our explicit constituency.

Incident Handling. As a CERT, we contribute to and co-ordinate the resolution of security incidents where Spanish organizations are involved, also giving recommendations to the system managers of the attacked Spanish computers to avoid further similar problems, and reporting the incident (with the required confidentiality and non-disclosure) to organizations potentially able to become victims of the same kind of attack.

There are many kinds of incidents, but all of them share a common general handling procedure. esCERT-UPC has no authority over the sites involved in an incident; its task is only to help the involved site(s) solve the incident. When an incident is received, the following steps are followed:

  • Ask for the incident report through a secure channel.
  • Mark this information as confidential, and open the new incident.
  • Gather all the information available about the incident (history, vulnerabilities, reference books and so on).
  • Establish a strategic reaction plan for the attacked site.
  • If necessary, alert other sites, other IRTs, or law enforcement agencies.
  • Follow up the implementation of the plan and improve it if necessary.
  • Close the incident once the adequate security level has been re-established at the attacked site.
  • If a new threat is found, report it to the Internet society through the appropriate channels.

Asking for an incident reporting form.

The incident reporting form helps to gather incident information. The reporting form asks for the following information:

  • Names of host(s) compromised at the involved site.
  • Information about the architecture and OS (operating system and revision) of the compromised host(s) of the site.
  • Patches applied, before or after the incident.
  • Account name(s) compromised.
  • Other host(s)/site(s) involved in the incident.
  • Other involved site(s) contacted, and their contact information.
  • Permission to give contact information (i.e., name, e-mail address, and phone number) to other involved sites if it were necessary.
  • Law enforcement representatives contacted.
  • Appropriate log extracts.
  • Which kind of assistance is expected from esCERT-UPC.





Last update: February 2, 2001
Copyright © 2000-2005 Departament d'Arquitectura de Computadors