1. Document Information

1.1 Date of Last Update

Version 1.4, updated on 2021-06-14.

1.2 Distribution Channel for Notifications

Update notifications are sent to
- our announce mailing list nb-cert@lists.netzbegruenung.de
- our homepage https://cert.netzbegruenung.de/
- channel #netzbegruenung-cert-info on https://chatbegruenung.de

1.3 Locations where this Document May Be Found

This document is published at https://cert.netzbegruenung.de/nb-cert-rfc2350.txt

2. Contact Information

2.1 Name of the Team

NB-CERT: Netzbegruenung Computer Emergency Response Team.

2.2 Address

NETZBEGRUENUNG - Verein fuer gruene Netzkultur e.V.
c/o Nico Ach
Heilig-Kreuz-Straße 16
86609 Donauwoerth

2.3 Time Zone

Central European Time (GMT+01:00) and Central European Summer Time (GMT+02:00).

2.4 Telephone Number

+49 30 62938124

2.5 Facsimile Number

None available.

2.6 Other Telecommunication

For members of BUENDNIS 90 / DIE GRUENEN and NETZBEGRUENUNG we respond to messages in the #netzbegruenung-cert-info channel on https://chatbegruenung.de. Announcements are made on the mailing list nb-cert@lists.netzbegruenung.de.

2.7 Electronic Mail Address

We respond to e-mails to mail@cert.netzbegruenung.de.

2.8 Public Keys and Encryption Information

Download our public key from PGP key servers or from https://cert.netzbegruenung.de/nb-cert.asc.

The fingerprint is 4022 D320 172C 69F6 349E 7BAD 9286 C3DC 747C 6E90

2.9 Team Members

The NB-CERT is publicly represented by the chair of NETZBEGRUENUNG. Single team members may choose to be publicly named on the NB-CERT web site.

2.10 Other Information

Information about NB-CERT is available on https://blog.netzbegruenung.de/cert/.

2.11 Points of Customer Contact

Please contact us via e-mail to mail@cert.netzbegruenung.de or via https://chatbegruenung.de in the #netzbegruenung-cert-info channel. If you have an urgent request, please put "URGENT" into the subject line.

3. Charter

3.1 Mission Statement

The purpose of the NB-CERT is, first, to assist BUENDNIS 90 / DIE GRUENEN and NETZBEGRUENUNG in responding to computer security incidents when they occur, and second, to assist members of the BUENDNIS 90 / DIE GRUENEN and NETZBEGRUENUNG community in implementing proactive measures to reduce the risks of such incidents.

3.2 Constituency

NB-CERT's constituency is BUENDNIS 90 / DIE GRUENEN and NETZBEGRUENUNG. This means, primarily, that NB-CERT supports IT systems owned by both groups and persons holding office for and in both groups.

3.3 Sponsorship and/or Affiliation

NB-CERT is sponsored by NETZBEGRUENUNG – Verein für gruene Netzkultur e.V.

3.4 Authority

NB-CERT has no official mandate for oversight or incident management for BUENDNIS 90 / DIE GRUENEN. The involvement of NB-CERT is purely optional for members of BUENDNIS 90 / DIE GRUENEN.

NB-CERT is part of NETZBEGRUENUNG and participates as a partner in the associations' activities.

The NB-CERT takes action when asked to do so by affected organizations or persons. If this is not the case, NB-CERT only forwards information to the correct recipients while protecting confidential information.

4. Policies

4.1 Types of Incidents and Level of Support

The level of support given by NB-CERT will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and the NB-CERT's resources at the time, though in all cases some response will be made within one working day. Resources will be assigned according to the following priorities, listed in decreasing order:

- Root or system-level attacks on any Management Information System, or any part of the backbone network infrastructure.
- Root or system-level attacks on any large public service machine, either multi-user or dedicated-purpose.
- Compromise of restricted confidential service accounts or software installations, in particular those used for MIS applications containing confidential data, or those used for system administration.
- Denial of service attacks on any of the above three items.
- Any of the above at other sites, originating from BUENDNIS 90 / DIE GRUENEN or NETZBEGRUENUNG IT infrastructure.
- Compromise or leak of any confidential or personal information concerning or originating from BUENDNIS 90 / DIE GRUENEN or NETZBEGRUENUNG IT infrastructure.
- Large-scale attacks of any kind, e.g. sniffing attacks, "social engineering" attacks, phishing, password cracking attacks.
- Compromise of individual user accounts on multi-user systems.
- Compromise of desktop systems.

4.2 Co-operation, Interaction and Disclosure of Information

The NB-CERT acknowledges its indebtedness to, and declares its intention to contribute to, the spirit of cooperation that created the Internet. Therefore, while appropriate measures will be taken to protect the identity of members of our constituency and members of neighbouring sites where necessary, the NB-CERT will otherwise share information freely when this will assist others in resolving or preventing security incidents.

In the paragraphs below, "affected parties" refers to the legitimate owners, operators, and users of the relevant computing facilities. It does not refer to unauthorized users, including otherwise authorized users making unauthorized use of a facility; such intruders may have no expectation of confidentiality from the NB-CERT. They may or may not have legal rights to confidentiality; such rights will of course be respected where they exist.

Information being considered for release will be classified as follows:

- Private user information is information about particular users, or in some cases, particular applications, which must be considered confidential for legal, contractual, and/or ethical reasons.
  Private user information will not be released in identifiable form outside the NB-CERT except as provided for below. If the identity of the user is disguised, then the information can be released freely (for example to show a sample configuration file as modified by an intruder, or to demonstrate a particular social engineering attack).
- Intruder information is similar to private user information, but concerns intruders. While intruder information, and in particular identifying information, will not be released to the public (unless it becomes a matter of public record, for example because criminal charges have been laid), it will be exchanged freely with system administrators and CSIRTs tracking an incident.
- Private site information is technical information about particular systems or sites. It will not be released without the permission of the site in question, except as provided for below.
- Vulnerability information is technical information about vulnerabilities or attacks, including fixes and workarounds. Vulnerability information will be released freely, though every effort will be made to inform the relevant vendor before the general public is informed.
- Embarrassing information includes the statement that an incident has occurred, and information about its extent or severity. Embarrassing information may concern a site or a particular user or group of users. Embarrassing information will not be released without the permission of the site or users in question.
- Statistical information is embarrassing information with the identifying information stripped off. Statistical information will be released at the discretion of the originating IT department.
- Contact information explains how to reach system administrators and CSIRTs. Contact information will be released as freely as possible in compliance with law.

Potential recipients of information from the NB-CERT will be classified as follows:

- Because of the nature of their responsibilities and consequent expectations of confidentiality, constituency management members are entitled to receive whatever information is necessary to facilitate the handling of computer security incidents which occur in their jurisdictions.
- Data Protection Officers are entitled to receive whatever information they request concerning a computer security incident or related matter in their jurisdictions.
- System administrators at NETZBEGRUENUNG and IT contractors for BUENDNIS 90 / DIE GRUENEN are, by virtue of their responsibilities, trusted with confidential information. However, unless such people are also members of NB-CERT, they will be given only that confidential information which they must have in order to assist with an investigation, or in order to secure their own systems.
- Users at BUENDNIS 90 / DIE GRUENEN and NETZBEGRUENUNG are entitled to information which pertains to the security of their own computer accounts, even if this means revealing "intruder information", or "embarrassing information" about another user. For example, if account aaaa is cracked and the intruder attacks account bbbb, user bbbb is entitled to know that aaaa was cracked, and how the attack on the bbbb account was executed. User bbbb is also entitled, if she or he requests it, to information about account aaaa which might enable bbbb to investigate the attack. For example, if bbbb was attacked by someone remotely connected to aaaa, bbbb should be told the provenance of the connections to aaaa, even though this information would ordinarily be considered private to aaaa. Users at BUENDNIS 90 / DIE GRUENEN and NETZBEGRUENUNG are entitled to be notified if their account is believed to have been compromised.
- The BUENDNIS 90 / DIE GRUENEN and NETZBEGRUENUNG community will receive no restricted information, except where the affected parties have given permission for the information to be disseminated. Statistical information may be made available to the general BUENDNIS 90 / DIE GRUENEN and NETZBEGRUENUNG community. There is no obligation on the part of the NB-CERT to report incidents to the community, though it may choose to do so; in particular, it is likely that the NB-CERT will inform all affected parties of the ways in which they were affected, or will encourage the affected site to do so.
- The public at large will receive no restricted information. In fact, no particular effort will be made to communicate with the public at large, though the NB-CERT recognizes that, for all intents and purposes, information made available to the BUENDNIS 90 / DIE GRUENEN and NETZBEGRUENUNG community is in effect made available to the community at large, and will tailor the information in consequence.
- The computer security community will be treated the same way the general public is treated. While members of NB-CERT may participate in discussions within the computer security community, such as newsgroups, mailing lists (including the full-disclosure list "bugtraq"), and conferences, they will treat such forums as though they were the public at large. While technical issues (including vulnerabilities) may be discussed to any level of detail, any examples taken from NB-CERT experience will be disguised to avoid identifying the affected parties.
- The press will also be considered as part of the general public. The NB-CERT will not interact directly with the press concerning computer security incidents, except to point them toward information already released to the general public. If necessary, information will be provided to the BUENDNIS 90 / DIE GRUENEN or NETZBEGRUENUNG Public Relations Department. All incident-related queries will be referred to these two bodies.
  The above does not affect the ability of members of NB-CERT to grant interviews on general computer security topics; in fact, they are encouraged to do so, as a public service to the community.
- Other sites and CSIRTs, when they are partners in the investigation of a computer security incident, will in some cases be trusted with confidential information. This will happen only if the foreign site's bona fide can be verified, and the information transmitted will be limited to that which is likely to be helpful in resolving the incident. Such information sharing is most likely to happen in the case of sites well known to NB-CERT.
  For the purposes of resolving a security incident, otherwise semi-private but relatively harmless user information such as the provenance of connections to user accounts will not be considered highly sensitive, and can be transmitted to a foreign site without excessive precautions. "Intruder information" will be transmitted freely to other system administrators and CSIRTs. "Embarrassing information" can be transmitted when there is reasonable assurance that it will remain confidential, and when it is necessary to resolve an incident.
- Vendors will be considered as foreign CSIRTs for most intents and purposes. The NB-CERT wishes to encourage vendors of all kinds of networking and computer equipment, software, and services to improve the security of their products. In aid of this, a vulnerability discovered in such a product will be reported to its vendor, along with all technical details needed to identify and fix the problem. Identifying details will not be given to the vendor without the permission of the affected parties.
- If required by law, law enforcement officers will receive full cooperation from the NB-CERT, including any information they require to pursue an investigation. If information is shared proactively, affected persons or organisations are asked for permission.

4.3 Communication and Authentication

The preferred method of communication is via PGP encrypted e-mail.

NB-CERT considers the following communication methods secure for transmitting confidential information, in descending order of trustworthiness and priority:

- PGP or S/MIME encrypted e-mail
- Encrypted VOIP call, e.g. via Signal, Threema
- Encrypted messengers, e.g. Signal, Threema

The following communication channels should only be used for non-sensitive information:

- Chat
- Telephone
- Unencrypted (normal) e-mails
- SMS

4.4 Membership

Requirements for becoming a NB-CERT team member are:

- Membership in BUENDNIS 90 / DIE GRUENEN for more than 1 year.
- Membership in NETZBEGRUENUNG.
- Recommendation of the originating chapter (Kreisverband).
- Personal meeting with existing NB-CERT members.
- Expertise in at least one of NB-CERT's areas of activity.

5. Services

5.1 Incident Response

NB-CERT will assist system administrators and end users in handling the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management:

5.1.1. Incident Triage

- Investigating whether an incident indeed occurred.
- Determining the extent of the incident.

5.1.2. Incident Coordination

- Determining the initial cause of the incident (vulnerability exploited).
- Facilitating contact with and between administrators of affected systems.
- Facilitating contact with other sites which may be involved.
- Facilitating contact with BUENDNIS 90 / DIE GRUENEN and NETZBEGRUENUNG data protection officers and/or appropriate law enforcement officials, if necessary.
- Making reports to other CSIRTs.
- Composing announcements to users, if applicable.

5.1.3. Incident Resolution

- Supporting system administrators in securing the system from the effects of the incident.
- Facilitating the removal of leaked private information from publicly accessible sources.
- Evaluating whether certain actions are likely to reap results in proportion to their cost and risk, in particular those actions aimed at an eventual prosecution or disciplinary action: collection of evidence after the fact, observation of an incident in progress, setting traps for intruders, etc.
- Supporting system administrators in collecting evidence where criminal prosecution is contemplated.

In addition, NB-CERT will collect statistics concerning incidents which occur within or involve the BUENDNIS 90 / DIE GRUENEN and NETZBEGRUENUNG community, and will notify the community as necessary to assist it in protecting against known attacks.

To make use of NB-CERT's incident response services, please send e-mail as per section 2.11 above. Please remember that the amount of assistance available will vary according to the parameters described in section 4.1.

5.2 Proactive Activities

The NB-CERT coordinates and maintains the following services to the extent possible depending on its resources:

- Information services
  - Chat channels on https://chatbegruenung.de to inform security contacts of new information relevant to their computing environments.
  - Important announcements and advisories are sent to the mailing list nb-cert@lists.netzbegruenung.de.
  - These lists will be available only to BUENDNIS 90 / DIE GRUENEN and NETZBEGRUENUNG members.
- Training services
  - Members of the NB-CERT will give periodic seminars on computer security related topics; these seminars will be open to BUENDNIS 90 / DIE GRUENEN and NETZBEGRUENUNG members.
- Auditing services
  - Auditing is only done if free resources are available.
- Archiving services
  - Records of security incidents handled will be kept. While the records will remain confidential, periodic statistical reports will be made available to the BUENDNIS 90 / DIE GRUENEN and NETZBEGRUENUNG community.

Detailed descriptions of the above services, along with instructions for joining chat channels, downloading information, or participating in certain services, are available on the NB-CERT web site, as per section 2.10 above.

6. Incident Reporting Forms

No form is required for reporting incidents to NB-CERT.

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, NB-CERT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.