1. Document information
This document contains a description of LiU IRT according to RFC 2350.
1.1 Date of last update
October 11, 2018
1.2 Distribution list for notifications
1.3 Locations where this document may be found
The current version of this document may be found at the following locations:
2. Contact information
2.1 Name of the team
Full name: Linköping University Incident Response Team
Short name: LiU IRT
2.3 Time zone
Europe/Stockholm (GMT+1; GMT+2 during daylight savings time).
2.4 Telephone number
During hours of operation: +46 13 281744.
Off-hours: an emergency telephone number can be provided upon request, at the team's discretion.
2.5 Facsimile number
2.6 Other telecommunication
2.7 Electronic mail address
email@example.com (handled in request tracking system available to core team members).
The request tracking system is available only to core IRT team members. Email outside the request tracking system is stored on the university's email server (and hence cannot be considered fully secure).
2.8 Public keys and encryption information
LiU IRT supports the use of PGP encrypted and signed e-mail.
LiU IRT employs a simple key hierarchy. Individual team members may use personal keys in day-to-day operations. Each individual team member's key is signed with the current operations key. An operations key is created every year, typically in November/December, with an expiration date of January 31st approximately 14 months after key creation. The operations key is signed with LiU IRT's master key-signing key.
Current team keys are listed on https://liu.se/en/article/it-security and are available from hks://pool.sks-keyservers.net/.
Email from the ticketing system may be signed with the current operations key. Email from individual members may be signed with the member's individual key. LiU IRT accepts email encrypted with the current operations key.
2.9 Team members
Management, liaison and supervision are provided by David Byers, head of IT infrastructure, Linköping University.
All team members, including contact information are presented at https://liu.se/en/article/it-security.
2.10 Other information
LiU IRT compiles with the CSIRT Code of Practice.
LiU IRT supports the use of the Information Sharing Traffic Light Protocol (abbreviated ISTLP or TLP; versions currently sponsored by FIRST and TF-CSIRT).
LiU IRT employs the SIM3 - Security Incident Management Maturity Model for self-assessment.
2.11 Points of customer contact
The preferred method for contacting LiU IRT is through electronic mail to firstname.lastname@example.org. This will create a ticket in our request tracking system.
If use of email is inadvisable, call +46 13 281744 during operating hours. An off-hours emergency telephone number can be provided upon request, at the team's discretion.
Operating hours are typically 9-17, Monday through Friday, holidays excluded.
3.1 Mission statement
IRT handles operational IT security for Linköping University. This includes discovery and investigation of IT security incidents, incident prevention, incident response and resolution, and information to and cooperation with the constituency. The main value provided by LiU IRT is to enable users at Linköping University to perform their daily work in a secure computing environment.
The constituency of LiU IRT is Linköping University, its employees and students. LiU IRT services to individual users are limited to issues that the regular IT support organization is unable to handle. LiU IRT also provides limited services to organizations closely affiliated with the university (e.g. student organizations).
Requests from outside the team's constituency are handled at the team's discretion.
LiU IRT is associated with AS2843 and the following prefixes:
3.3 Sponsorship and/or affiliation
LiU IRT is part of LiU-IT, the central IT operations group for Linköping University. LiU IRT is recognized by Sunet CERT, whose constituency includes all organizations connected to Sunet, the Swedish University Network.
LiU IRT operates under authority delegated by the vice-chancellor of Linköping University, and may act independently of its organizational home. LiU IRT aims to work cooperatively with representatives of its constituency. However, when the situation warrants it, LiU IRT will exercise direct authority as necessary, up to and including forcible disconnection of users, systems and networks.
4.1 Types of incidents and level of support
LiU IRT handles or assists in handling any information security incident involving its constituency. The level of support depends on the type and severity of the incident and the workload of the team. Incidents designated EMERGENCY by the team are handled as soon as they are received by a team member.
Current service levels:
- EMERGENCY: response within 4 working hours; resolution or mitigation typically within one working day.
- NORMAL: response within 16 working hours.
Priority is given to incidents that involve loss of confidentiality, integrity, or availability of critical systems, incidents that can potentially lead to such compromise, and incidents generated by the constituency.
Upon receipt of information concerning vulnerabilities or information disclosure, LiU IRT strives to evaluate the potential impact of such vulnerabilities, inform affected members of its constituency, and where appropriate take direct action to mitigate such consequences.
4.2 Co-operation, interaction and disclosure of information
LiU IRT routinely cooperates and/or interacts with:
- Sunet CERT and other individual incident response teams.
- Linköping University IT operations staff.
- Linköping University registrar, legal team and physical security team.
- Researchers and educators at Linköping University.
LiU IRT aims to participate in one SUSEC meeting per year, and at least three other IT security networking activities per year. LiU IRT is a member of FIRST and TF CSIRT.
LiU IRT will always comply with Swedish law with respect to releasing information. In particular, LiU IRT is bound by the Public Access to Information and Secrecy Act of 2009. which grants the public extensive access to most information stored at, received by, or created by any government body (which includes Linköping University). There are a number of exceptions to the right of public access, some of which can apply to LiU IRT. All LiU employees are also protected by Swedish law concerning freedom of expression and freedom of the press.
LiU IRT will always, to the best of its ability and in compliance with local law and university regulations, honor the Information Sharing Traffic Light Protocol or other classification of information it receives.
Observations from within the constituency that indicate potential and confirmed incidents outside the constituency will be reported directly to the appropriate CSIRT, its parent CSIRT, and to Sunet CERT and CERT-SE at our discretion. LiU IRT will act on reports of incidents from outside the constituency, and where appropriate give feedback to parties reporting incidents or vulnerabilities. LiU IRT will pass information about vulnerabilities to vendors, partner CSIRTs, or other parties in accordance with LiU IRTs vulnerability disclosure policy. Apart from what is explicitly stated, the source of information does not affect how LiU IRT handles it.
Regardless of any specific policy or entitlement stating otherwise, LiU IRT may withhold information if releasing the information would be likely to compromise an ongoing investigation or the handing of an incident.
LiU IRT has implemented logical and physical controls to assure the confidentiality of any information stored in LiU IRT's systems, and the integrity of said systems.
Classification of information
LiU IRT recognizes the following classes of information:
Private information is personally identifiable information about specific users and systems that must be considered confidential for legal, contractual or ethical reasons.
Anonymized private information is private information that has been rendered personally unidentifiable.
Intruder information is information, including personally identifiable information, concerning threat agents, such as (potential) attackers and intruders. Intruder information will not be released to the public except as required by law, but may be shared freely with, and as directed by, university management, registrar and legal department. Intruder information may also be freely shared with IT operations within the constituency and with those CSIRTs and other security-related groups that LiU IRT cooperates with.
Site information is technical information about systems within the constituency. Site information that does not threaten the security or reliability of such systems or sites, or is already publicly available, may be shared freely. Other site information will not be shared except as described below.
Vulnerability information is technical information about vulnerabilities or attacks. Information about previously unknown vulnerabilities is subject to LiU IRT's vulnerability disclosure policy. Other vulnerability information will be shared freely.
Incident information is the information that an incident has occurred and information about its extent or severity. Incident information will be shared only with those who need to know for operational or security reasons, unless permission for wider dissemination has been given by the site or users affected. Anonymized incident information may be shared freely.
Contact information is information concerning how to reach system administrators and CSIRTs. Contact information will be released freely, except where the contact person or entity has requested that this be not the case, or where LiU IRT has reason to believe that the dissemination of this information would not be appreciated.
How information is shared with specific recipients
Because of their responsibility and consequent expectations on confidentiality the senior management of Linköping University (vice chancellor, prorector, university director and deputy university director) are entitled to receive any information they request. LiU IRT will attempt to limit the amount of information released to ISTLP GREEN information, and information generated by LiU IRT.
The CIO of Linköping University is ultimately responsible for information security at Linköping University. Because of this responsibility and the consequent expectations on confidentiality, the CIO is entitled to receive any information they deem necessary to fulfil their obligation to the constituency.
Requests for information from other entities within Linköping University (with exceptions for system administrators and users within the constituency) will be directed to the CIO's office together with a recommendation concerning how to respond. In general, LiU IRT will not object to releasing anonymized private information, incident and intruder information concerning past incidents, site information concerning Linköping University, as well as any information that can be released to the general public. LiU IRT will also make every effort possible to comply with ISTLP classifications in such cases. LiU IRT is also required to comply with explicit instructions from the CIO, university director, vice-chancellor and board of directors.
System administrators within the constituency are entitled to receive any private information, intruder information, site information, vulnerability information and incident information that is required in order to enable them to assist with an investigation or secure their systems provided such information has not been received by LiU IRT with ISTLP classification that prohibits this.
Users within the constituency are entitled to information that pertains to the security of their personal computer accounts, even if this means revealing intruder or incident information, provided such information was not received by LiU IRT with ISTLP classification that prohibits this. Users within the constituency are entitled to be notified if their account is believed to have been compromised.
The general public is entitled to no information from LiU IRT. Any requests for information that is not publicly available may be forwarded to the CIO's office or the university registrar.
The press and media are considered part of the general public, and hence entitled to no information from LiU IRT. Unless otherwise directed by the CIO or senior university management, LiU IRT will not discuss the specifics of any incident, user, site, intruder, threat or vulnerability with the press. All queries will be directed to the CIO or press office. However, members of LiU IRT are welcome, even encouraged, to discuss general matters of computer security with the press, as a public service to the community.
The IT security community in general will be treated the same way the general public is treated. Mailing lists, conferences and other forums in which LiU IRT participates are considered public. While technical issues may be discussed at any level of detail, any examples taken from LiU IRT experience will be disguised to avoid identification of the affected parties.
Trusted CSIRTs are those with whom LiU IRT has or is able to establish a trust relationship, and where their handling of information is known beforehand. This includes Sunet CERT and CERT-SE, as well as several other CSIRTs. Private information, intruder information, site information, vulnerability information, incident information and contact information may be released to trusted CSIRTs, insofar as permitted by law and to the extent required for them to assist in an investigation or to fulfil their obligations to their constituency.
Other CSIRTs are entitled to receive the minimum intruder, site, vulnerability and incident information to the extent that is necessary in order to assist in an investigation or stop an attack.
Vendors are entitled to receive vulnerability information in accordance with LiU IRTs vulnerability disclosure policy. With respect to other kinds of information, vendors are treated the same as other CSIRTs.
Law enforcement will receive due cooperation from LiU IRT. For the purposes of information sharing, law enforcement will be considered a (non-trusted) CSIRT. Furthermore, LiU IRT will comply with any lawful order compelling information that would not otherwise be released.
Should the circumstances so warrant, LiU IRT may share less information with a specific recipient in than is indicated above.
4.3 Communication and authentication
For most operational purposes, LiU IRT considers telephones to be a sufficiently secure channel. When this is not the case, encrypted email communication can be established with individual team members. Contact details and team keys are listed at https://liu.se/en/article/it-security
When it is necessary to authenticate a communicating party, LiU IRT will use various methods, including irt objects in whois, team directories at FIRST and Trusted Introducer, referrals from trusted individuals or organizations, and so forth.
5.1 Incident response
LiU IRT receives incident reports from external parties. Incidents involving organizations within the constituency that have IT security capability are forwarded to those organizations.To ensure rapid response to emergencies, incidents that are designated EMERGENCY will be coordinated by, and may be handled entirely by, LiU IRT regardless of which parts of the constituency are involved.
5.1.1 Incident triage
All incidents reported to LiU IRT that are not resolved immediately are designated either NORMAL (the default) or EMERGENCY. All incidents are also categorized as copyright, virus, spam or other.
Upon request, LiU IRT will assist members of its constituency with incident triage.
5.1.2 Incident coordination
LiU IRT coordinates incident response in certain cases where the incident is not handled directly by LiU IRT.
- When the incident is designated EMERGENCY, LiU IRT will coordinate the response until the incident is no longer considered an emergency.
- When the incident involves multiple organizations within the constituency.
- When the incident involves shared resources (e.g. the wireless network).
- When the incident involves law enforcement.
5.1.3 Incident resolution
LiU IRT provides the following services. The availability of a service is governed by the severity and type of an incident, as well as the workload of the team.
- Advice on the process of incident resolution.
- Technical assistance in eradication of the cause of a compromise.
- Technical assistance in recovery of a system to pre-compromise state.
- Forensic analysis of (potentially) compromised systems.
In addition, LiU IRT may perform or direct incident resolution if the affected member of the constituency is unable to do so.
5.2 Proactive activities
LiU IRT engages in the following proactive activities:
- Network intrusion detection and monitoring to discover security issues.
- Regular vulnerability scanning of the university network.
- Searching for indications of compromise.
- Advice and recommendations on information security issues to members of the constituency.
- Forwarding of information on critical vulnerabilities or other developments related to information security.
- Information security training on request from the constituency.
6. Incident reporting forms
No incident reporting forms are used.
- September 6, 2012: conform to university style guide.
- May 22, 2013: update broken links, make changelog prettier.
- July 11, 2013: update concerning incident coordination.
- August 30, 2013: update e-mail address, correct typos.
- November 25, 2014: minor updates.
- November 24, 2015: minor updates.
- October 6, 2016: added 2001:6b0:4c::/48 to network list.
- December 8, 2016: minor updates; added searching for indications of compromise.
- February 27, 2017: removed mention of parent csirt from general policy; conform to new styles; minor updates.
- October 23, 2017: update document title, LiU IRT CSIRT Profile.
- October 10, 2018: general updates.