LiU IRT CSIRT Profile

1. Document information

This document contains a description of LiU IRT according to RFC 2350.

1.1 Date of last update

March 6, 2024.

1.2 Distribution list for notifications

None.

1.3 Locations where this document may be found

The current version of this document may be found at the following locations:

https://liu.se/en/article/rfc2350

2. Contact information

2.1 Name of the team

Full name: Linköping University Incident Response Team
Short name: LiU IRT

2.2 Address

LiU IRT
Digitaliseringsavdelningen
Linköping University
SE-58183 Linköping
SWEDEN

2.3 Time zone

Europe/Stockholm (GMT+1; GMT+2 during daylight savings time).

2.4 Telephone number

During hours of operation: +46 13 281744.
Off-hours: an emergency telephone number can be provided upon request, at the team's discretion.

2.5 Facsimile number

None.

2.6 Other telecommunication

None.

2.7 Electronic mail address

infosec@liu.se (handled in request tracking system available to core team members).

The request tracking system is available only to core IRT team members. Email outside the request tracking system is stored on the university's email server (and hence cannot be considered fully secure).

2.8 Public keys and encryption information

LiU IRT supports the use of PGP encrypted and signed e-mail.

LiU IRT employs a simple key hierarchy. Individual team members may use personal keys in day-to-day operations. Each individual team member's key is signed with the current operations key. An operations key is created every year, typically in November/December, with an expiration date of January 31st approximately 14 months after key creation. The operations key is signed with LiU IRT's master key-signing key.

Current team keys are listed on https://liu.se/en/article/it-security and are available from hks://pgp.mit.edu/.

Email from the ticketing system may be signed with the current operations key. Email from individual members may be signed with the member's individual key. LiU IRT accepts email encrypted with the current operations key.

2.9 Team members

Management, liaison and supervision are provided by David Byers, head of IT infrastructure, Linköping University. 

2.10 Other information

LiU IRT compiles with the CSIRT Code of Practice.

LiU IRT supports the use of the Information Sharing Traffic Light Protocol (abbreviated ISTLP or TLP; versions currently sponsored by FIRST and TF-CSIRT).

LiU IRT employs the SIM3 - Security Incident Management Maturity Model for self-assessment.

2.11 Points of customer contact

The preferred method for contacting LiU IRT is through electronic mail to infosec@liu.se. This will create a ticket in our request tracking system.

If use of email is inadvisable, call +46 13 281744 during operating hours. An off-hours emergency telephone number can be provided upon request, at the team's discretion.

Operating hours are typically 9-17, Monday through Friday, holidays excluded.

3. Charter

3.1 Mission statement

IRT handles operational IT security for Linköping University. This includes discovery and investigation of IT security incidents, incident prevention, incident response and resolution, and information to and cooperation with the constituency. The main value provided by LiU IRT is to enable users at Linköping University to perform their daily work in a secure computing environment.

3.2 Constituency

The constituency of LiU IRT is Linköping University, its employees and students. LiU IRT services to individual users does not include issues that the regular IT support organization is able to handle. LiU IRT also provides limited services to organizations closely affiliated with the university (e.g. student organizations).

Requests from outside the team's constituency are handled at the team's discretion.

LiU IRT is associated with AS2843 and the following prefixes:

• 130.236.0.0/16
• 192.36.54.0/24
• 192.36.93.0/24
• 192.36.94.0/24
• 192.36.129.0/24
• 192.36.130.0/24
• 192.36.131.0/24
• 192.36.167.0/24
• 192.12.235.0/24
• 193.10.86.0/24
• 2001:6b0:17::/48
• 2001:6b0:4c::/48
• 2001:6b0:6f::/48

3.3 Sponsorship and/or affiliation

LiU IRT is part of the IT division at Linköping University. LiU IRT is recognized by Sunet CERT, whose constituency includes all organizations connected to Sunet, the Swedish University Network.

3.4 Authority

LiU IRT operates under authority delegated by the vice-chancellor of Linköping University, and may act independently of its organizational home. LiU IRT aims to work cooperatively with representatives of its constituency. However, when the situation warrants it, LiU IRT will exercise direct authority as necessary, up to and including forcible disconnection of users, systems and networks.

4. Policies

4.1 Types of incidents and level of support

LiU IRT handles or assists in handling any information security incident involving its constituency. The level of support and response time depends on the type and severity of the incident.

LiU IRT aims to resolve or respond to all issues within 8 working hours in at least 95% of all cases and within 16 working hours in at least 99% of all cases.

4.2 Co-operation, interaction and disclosure of information

LiU IRT routinely cooperates and/or interacts with CERT-SE, Sunet CERT, other individual CSIRT teams, and Linköping University security, legal, registrar, and IT operations staff.

LiU IRT participates in national and international CSIRT networks, is a member of FIRST, and is certified by Trusted Introducer.

General policy

LiU IRT will always comply with Swedish law with respect to releasing information. In particular, LiU IRT is bound by the Public Access to Information and Secrecy Act of 2009. which grants the public extensive access to most information stored at, received by, or created by any government body (which includes Linköping University). There are a number of exceptions to the right of public access, some of which can apply to information held by LiU IRT. All LiU employees are also protected by Swedish law concerning freedom of expression and freedom of the press.

LiU IRT will always, to the best of its ability and in compliance with local law and university regulations, honor the Information Sharing Traffic Light Protocol or other classification of information it receives.

Observations from within the constituency that indicate potential and confirmed incidents outside the constituency will be reported directly to an appropriate CSIRT and at our discretion also to Sunet CERT and CERT-SE. Information concerning vulnerabilities will be shared with vendors, partner CSIRTs, or other parties in accordance with LiU IRT's vulnerability disclosure policy.

Regardless of any specific policy or entitlement stating otherwise, LiU IRT may withhold information if releasing the information would be likely to compromise an ongoing investigation or the handing of an incident.

LiU IRT has implemented logical, physical, and administrative controls to assure the confidentiality of any information stored in LiU IRT's systems, and the integrity of said systems.

Classification of information

LiU IRT classifies information according to Linköping University's information classification scheme. Information relating to incidents, weaknesses, and vulnerabilities are given a classification that reflects a very high level of confidentiality.

How information is shared with specific recipients

Because of their responsibility and consequent expectations on confidentiality the top management of Linköping University (e.g. the vice chancellor and university director) and the CIO of Linköping University are entitled to receive most information held by LiU IRT should they request it.

LiU IRT disseminates information within the constituency in a way that complies with both the ISTLP and internal regulations.

With the exception of information shared with other CSIRTs and information about vulnerabilities shared with vendors, LiU IRT is restrictive in disseminating information outside the constituency. Requests for information are generally forwarded to the university registrar, data protection officer, legal, CIO, or press offices.

Law enforcement will receive due cooperation from LiU IRT, similar to how another CSIRT would be treated. Furthermore, LiU IRT will comply with any lawful order compelling information that would not otherwise be released. 

4.3 Communication and authentication

For most operational purposes, LiU IRT considers telephones to be a sufficiently secure channel. When this is not the case, encrypted email communication can be established with individual team members. Contact details and team keys are listed at https://liu.se/en/article/it-security

When it is necessary to authenticate a communicating party, LiU IRT will use various methods, including irt objects in whois, team directories at FIRST and Trusted Introducer, referrals from trusted individuals or organizations, and so forth.

5. Services

5.1 Incident response

LiU IRT receives incident reports from external parties. Incidents involving organizations within the constituency that have IT security capability are forwarded to those organizations but monitored by LiU IRT.

5.1.1 Incident triage

All incidents reported to LiU IRT that are classified by type and urgency and upon request, LiU IRT will assist members of its constituency with incident triage.

5.1.2 Incident coordination

LiU IRT coordinates incident response in certain cases where the incident is not handled directly by LiU IRT.

• LiU IRT typically coordinates all serious incidents until they have been contained. Coordination is then passed to those responsible for the affected systems, and LiU IRT reverts to monitoring and advising.
• Incidents that involve disparate parts of the university organization are typically coordinated by LiU IRT.
• Incidents that involve law enforcement are typically coordinated by LiU IRT.

5.1.3 Incident resolution

LiU IRT provides the following services. The availability of a service is governed by the severity of an incident, as well as the availability of the team.

• Advice on the process of incident resolution.
• Technical assistance in eradication of the cause of a compromise.
• Technical assistance in recovery of a system to pre-compromise state.
• Forensic analysis of (potentially) compromised systems.

In addition, LiU IRT may perform or direct incident resolution if the affected member of the constituency is unable to do so.

5.2 Proactive activities

LiU IRT engages in the following proactive activities:

• Network intrusion detection and monitoring to discover security issues.
• Regular vulnerability scanning of the university network.
• Searching for indications of compromise.
• Advice and recommendations on information security issues to members of the constituency.
• Forwarding of information on critical vulnerabilities or other developments related to information security.
• Information security training on request from the constituency.

6. Incident reporting forms

No incident reporting forms are used.

7. Disclaimers

None.

8. Changelog

• March 6 2024: updated 3.2

• September 11, 2023: updated 2.2.

• January 14, 2022: updated 2.8, 4.2.

• August 19, 2021: updated 4.1, 4.2. and 5.1.

• March 24 2021: updated an email address; minor updates.

• September 1, 2020: updated constituency and minor details.

• May 25, 2020: updated contact information.
• October 10, 2018: general updates.
• October 23, 2017: update document title, LiU IRT CSIRT Profile.
• February 27, 2017: removed mention of parent csirt from general policy; conform to new styles; minor updates.
• December 8, 2016: minor updates; added searching for indications of compromise.
• October 6, 2016: added 2001:6b0:4c::/48 to network list.
• November 24, 2015: minor updates.
• November 25, 2014: minor updates.
• August 30, 2013: update e-mail address, correct typos.
• July 11, 2013: update concerning incident coordination. 
• May 22, 2013: update broken links, make changelog prettier.
• September 6, 2012: conform to university style guide.