RFC 2350

1. About this document
This document describes the incident response coordination service of Centro Nacional de Cibersegurança (CNCS), the Portuguese National Cybersecurity Center, in accordance with RFC 2350.

1.1 Date of Last Update
This is version 1.7 published 2020/04/06.

1.2 Distribution List for Notifications
There is no existing distribution channel for notifications of updates.

1.3 Locations where this Document May Be Found
The Portuguese version of this document is available at https://www.cncs.gov.pt/certpt/rfc-2350/
The English version of this document is available at https://www.cncs.gov.pt/en/certpt_en/rfc-2350/

1.4 Authenticating this Document
This document is signed with the CERT.PT PGP key.

2. Contact Information

2.1 Name of the Team
CERT.PT

2.2 Address
CNCS - Centro Nacional de Cibersegurança
Rua da Junqueira, 69
1300-342 Lisboa
Portugal

2.3 Time Zone
Portugal/WEST (GMT+0, GMT+1 in Summer Time)

2.4 Telephone Number
+351 210 497 399 (regular response hours - 09h00 - 18h00)
+351 910 599 284 (emergency contact, outside regular response hours)

2.5 Facsimile Number
+351 210 497 398

2.6 Other Telecommunication
Nonexistent.

2.7 Electronic Mail Address
Email address for incident reporting:
cert@cert.pt
Email address for other business related to CERT.PT's services:
info@cert.pt

2.8 Public Keys and Other Encryption Information
PGP Key ID: 0xA0F7ACFB
PGP Fingerprint: B83E AA3C F80B 25C8 7C65 184E 3AC9 DECE A0F7 ACFB
The key is available at: https://www.cncs.gov.pt/en/certpt_en/pgp-certcertpt/

2.9 Team Members
Manager: Rogério Raposo
Members: Duarte Sousa, Eduardo Barros, Gonçalo Silva, Ivo Vacas, João Meira, Nuno Marques, Ricardo Campos.

2.10 Other Information
General information about CERT.PT can be found at https://www.cncs.gov.pt/.

2.11 Points of Customer Contact
CERT.PT can be contacted by the means specified in sections 2.2 and 2.4 to 2.7.

3. Charter

3.1 Mission Statement
To contribute to a free, trusted and secure Portuguese cyberspace through the continued improvement of national cybersecurity and international cooperation.

3.2 Constituency
CERT.PT coordinates incident response concerning State entities, operators of Critical Infrastructures, operators of Essential Services, Digital Service Providers and, in general, all Portuguese cyberspace of interest, including any device belonging to a network or address space attributed to a telecommunications operator, institution, collective or singular person with its base or physical location in Portuguese territory.

3.3 Sponsorship and/or Affiliation
CERT.PT is a service integrated into CNCS.

3.4 Authority
CERT.PT is a service from CNCS, whose competence as a national cybersecurity authority is defined in the Decree-Law 3/2012, of January 16th, in its latest version, and in the Law 46/2018, of August 13th. By that same Law, CERT.PT is the National Computer Security Incident Response Team (National CSIRT).

4. Policies

4.1 Types of Incidents and Level of Support
CERT.PT handles every type of cybersecurity incident, namely, those that result in a security violation of the following types:
a) Malicious Code
b) Availability
c) Information Gathering
d) Intrusion Attempt
e) Intrusion
f) Information Content Security
g) Fraud
h) Abusive Content
i) Vulnerable

The level of support offered by CERT.PT depends on the type, severity and scope of the ongoing incident and available resources. In regular circumstances CERT.PT tries to give an initial answer within one business day.
Under regular conditions, the level of support offered by CERT.PT also varies with the type of constituency entity affected: all services described in section 5 are ensured to State entities, operators of Critical Infrastructures, operators of Essential Services and Digital Service Providers. To the remaining entities and individuals of its constituency, CERT.PT ensures the Incident Response Coordination and Security Alerts services.
In cases of significant severity and scope, or large-scale incidents, priority will be given to security incidents affecting State entities, operators of Critical Infrastructures, operators of Essential Services and Digital Service Providers.

4.2 Co-operation, Interaction and Disclosure of Information
The privacy and data protection policies of CERT.PT ensure that sensitive data is only shared with third parties on a need-to-know basis and with the prior authorization of the owner of that information.

4.3 Communication and Authentication
From the communication means made available by CERT.PT, telephone and clear text email are considered safe for non-sensitive information. For sensitive information transmission, the use of PGP encryption is required.
CERT.PT recognises and adopts TLP (Traffic Light Protocol) for sharing and dissemination of information.

5. Services

5.1 Incident Response Coordination
To the whole Constituency.
Whenever requested, CNCS, through the CERT.PT service, coordinates incident response between the involved parties. This coordination typically involves the victims and ISPs or other CSIRTs when necessary. The coordination includes:
1) triage of incident reports and their technical and forensic analysis;
2) articulation with involved national and international entities;
3) production of mitigation and/or resolution recommendations.

Incident response coordination can be initiated by CNCS, such as in the case of a large-scale incident, or be requested through the provided channels.

5.2 On-Site Support
For State entities, operators of Critical Infrastructures, operators of Essential Services and Digital Service Providers.
On-Site Support is a service where CNCS's specialized personnel offer support on the premises of the requestor and aid with incident analysis and response. Depending on the requirements of the incident, this support can include, among others:
1) forensic analysis of the machine or hardware;
2) traffic analysis;
3) malware analysis;
4) articulation with other national or international CSIRTs;
5) production of recommendations;
6) support on the application of mitigation or resolution measures.

CNCS does not perform any of the aforementioned measures. This responsibility lies entirely with the participating entities.

5.3 CSIRT Capability Building
For State entities, operators of Critical Infrastructures, operators of Essential Services and Digital Service Providers.
Aims to improve national incident response capabilities by creating new CSIRTs or developing the capabilities of already established CSIRTs. To achieve this, CNCS promotes and provides activities that foster CSIRT capability building in the national territory, namely:
1) Training sessions for both technical and decision-level personnel that integrate a CSIRT;
2) Coordination of national exercises and promotion of Portuguese participation in international cybersecurity exercises;
3) Definition of a baseline of technical, operational and human capabilities of a CSIRT;
4) Definition of good practices for cybersecurity incident management;
5) Consultancy for the creation of new CSIRTs.

5.4 Security Alerts
To the whole Constituency.
Alerts interested parties, including the general public, to new cybersecurity risks, providing the information necessary to mitigate them or protect against them. To that effect, CNCS has two activities:
1) In articulation with other national authorities, it issues a single national security level;
2) It creates and disseminates security alerts to interested parties.

6. Disclaimers
Although all precautions are taken in the preparation of information presented both in the Internet portal, and in the mailing lists, CERT.PT does not take any responsibility for errors, omissions, or damage resulting from the use of this information.
CNCS is not a Law Enforcement entity, thus any Incident notification to CNCS does not replace the lawful communication of Security Incidents to any competent law enforcement authority whenever those Security Incidents are considered a crime that depends on the victim’s complaint for proper prosecution.