CSIRTs and CERTs
3. Legislative framework of CSIRT/CERT
3.2. Poland
CERT Polska is the Computer Emergency Response Team which operates within the structures of Naukowa i Akademicka Sieć Komputerowa (Scientific and Academic Computer Network or NASK) – a research institute which conducts scientific activity, operates the national .pl domain registry and provides advanced IT network services. CERT Polska is the first Polish computer emergency response team. Active since 1996 in the environment of response teams, it has become a recognised and experienced entity in the field of computer security. Since its launch, the core of the team's activity has been handling security incidents and cooperation with similar units worldwide. It also conducts extensive R&D into security topics.
In 1997, CERT Polska became a member of the international forum of response teams – FIRST, and since 2000 it has been a member of the working group of European response teams – TERENA TF-CSIRT and its associated organisation Trusted Introducer. In 2005, on the initiative of CERT Polska, a forum of Polish abuse teams was created - Abuse FORUM, while in 2010 CERT Polska joined the Anti-Phishing Working Group, an association of companies and institutions which actively fight on-line crime.
The main tasks of CERT Polska include:
o registration and handling of network security incidents for Poland and the “.pl” domain name space;
o providing watch & warning services to Internet users in Poland;
o active response in case of direct threats to users;
o cooperation with other CERT teams in Poland and worldwide;
o participation in national and international projects related to IT security;
o research activity in relation to methods of detecting security incidents, analysis of malware, systems for exchanging information on threats;
o development of proprietary tools for detection, monitoring, analysis, and correlation of threats;
o regular publication of CERT Polska Report on security of Polish on-line resources;
o information/education activities aimed at increasing awareness of IT security;
o performing independent analyses and testing solutions related to IT security.
Below is the full description of CERT Polska in accordance with RFC 2350 "Expectations for Computer Security Incident Response":
CSIRT Description for CERT Polska
=================================
1. About this document
1.1 Date of Last Update
This is version 2.0, published on 04 March 2019.
1.2 Distribution List for Notifications
Currently CERT Polska does not use any distribution lists
to notify about changes in this document.
1.3 Locations where this Document May Be Found
The current version of this CSIRT description document is
available from the CERT Polska WWW site; its URL is
https://www.cert.pl/wp-content/uploads/2017/12/rfc2350.txt
Please make sure you are using the latest version.
1.4 Authenticating this document
This document has been signed with the CERT Polska PGP
key. The signatures are also on our Web site, under:
2. Contact Information
2.1 Name of the Team
CERT Polska
2.2 Address
CERT Polska
NASK
ul. Kolska 12
01-045 Warszawa
Poland
2.3 Time Zone
Central European Time (GMT+0100, GMT+0200 from April
to October)
2.4 Telephone Number
+48 22 3808 274
2.5 Facsimile Number
+48 22 3808 399 (note: this is *not* a secure fax)
2.6 Other Telecommunication
None available.
2.7 Electronic Mail Address
<cert@cert.pl> This is a mail alias that serves
the human(s) on duty for CERT Polska.
2.8 Public keys and Other Encryption Information
CERT Polska has a PGP key, whose KeyID is 969C0EB8 and
whose fingerprint is
DC34 CB6E CD73 C0B1 DC8C 8AE7 FD58 C59E 969C 0EB8
The key and its signatures can be found at the usual large
public keyservers.
2.9 Other Information
General information about CERT Polska, as well as links
to various recommended security resources, can be found
CERT Polska uses the following Facebook page to publish
news about current activities http://www.facebook.com/CERT.Polska
CERT Polska posts short messages on current events to
the following twitter accounts
http://www.twitter.com/cert_polska
http://www.twitter.com/cert_polska_en
2.10 Points of Customer Contact
The preferred method for contacting CERT Polska is via
e-mail at <cert@cert.pl>; e-mail sent to this address
will be handled by the responsible human. We encourage our
customers to use PGP encryption when sending any
sensitive information to CERT Polska.
If it is not possible (or not advisable for security
reasons) to use e-mail, CERT Polska can be reached by
telephone during regular office hours. Outside these hours
incoming phone calls are transmitted to an answering
machine. All recorded messages are checked ASAP.
CERT Polska operates 24 hours a day, every day of the year.
If possible, when submitting your report, use the form
mentioned in section 6.
3. Charter
3.1 Mission Statement
The mission of CERT Polska is to identify, analyse and
mitigate threats targeting Polish internet users. As an
essential part of the national cyber security system, CERT
Polska contributes to ensuring cyber security at the
national level.
3.2 Constituency
The constituency of CERT Polska is defined in Article 26 (1) of
the Act of 5 July 2018 on the national cyber security system.
All legal entities and natural persons in Poland, with the
exception of:
- entities subordinate to or supervised by the Minister of
National Defence, including entities whose ICT systems or ICT
networks are covered by a single list of facilities,
installations, devices and services included in the critical
infrastructure referred to in Article 5b, paragraph 7,
subparagraph 1 of the Act of 26 April 2007 on crisis
management,
- companies of significant importance in terms of economy and
defence, for whom the authority organising and supervising
their performance of tasks for the defence of the state is
the Minister of National Defence,
- public finance sector entities referred to in Article 9,
items 1, 8 and 9 of the Act of 27 August 2009 on public
finance, with the exception of: research institutes, Office of
Technical Supervision, Polish Air Navigation Services Agency,
Polish Centre for Accreditation, National Fund for
Environmental Protection and Water Management and regional
funds for environmental protection and water management,
- National Bank of Poland,
- National Development Bank,
- entities other than those listed in items 1 to 4 and paragraph 5, whose
ICT systems or ICT networks are covered by a single list of
facilities, installations, devices and services included in
the critical infrastructure referred to in Article 5b,
paragraph 7, subparagraph 1 of the Act of 26 April 2007 on
crisis management.
Note that ANY incident regarding any host, network, legal
entity or natural person in Poland MAY be reported to CERT
Polska. Reports of incidents beyond CERT Polska's constituency
will be forwarded without undue delay to the relevant CSIRT,
according to Article 26 (8) of the Act of 5 July 2018 on the
national cybersecurity system.
3.3 Sponsorship and/or Affiliation
CERT Polska is financially maintained by the National Research
Institute NASK, of which it is formally a part.
NASK receives a specified-user subsidy from the part of the
state budget assigned to the minister competent for
digitalisation to fund the operations of CERT Polska.
3.4 Authority
The Act of 5 July 2018 on the national cyber security system
defines competencies and authority of "CSIRT NASK" - a role
assigned to NASK in the national cyber security system.
Parts of that role, specifically addressing operational
aspects such as:
- monitoring of cyber security threats at the national level,
- incident response,
- information sharing,
- participation in CSIRTs Network
are fulfilled by CERT Polska.
4. Policies
4.1 Types of Incidents and Level of Support
CERT Polska is authorized to address all types of
computer security incidents which occur, or threaten to
occur, in its constituency.
The level of support given by CERT Polska will vary
depending on the type and severity of the incident or
issue, the type of constituent, the size of the user
community affected, and the availability of CERT Polska's
resources at the time, though in all cases some response
will be made within two working days.
Incidents will be prioritized according to their
apparent severity and extent.
Critical, significant and substantial incidents, as well as
incidents in a public entity (as defined in Article 2 of the
Act of 5 July on the national cyber security system) are
coordinated by respective CSIRTs - including CERT Polska,
according to their constituency.
Incident handling is the responsibility of individual entities.
However, under Article 26 of the Act of 5 July on the national
cyber security system, in reasonable cases, at the request of
operator of essential services, digital service providers, or
public entities, CERT Polska may provide support in incident
handling.
4.2 Co-operation, Interaction and Disclosure of Information
CERT Polska exchanges all necessary information with
other CSIRTs, other entities included in the Polish national
cyber security system, as well as with affected parties'
administrators. No personal or overhead data are
exchanged unless explicitly authorized.
All sensitive data (such as personal data, system
configurations, known vulnerabilities with their locations)
are encrypted if they must be transmitted over an unsecured
environment, as stated below.
4.3 Communication and Authentication
In view of the types of information that CERT Polska
deals with, telephones will be considered sufficiently
secure to be used even unencrypted. Unencrypted e-mail
will not be considered particularly secure, but will be
sufficient for the transmission of low-sensitivity data.
If it is necessary to send highly sensitive data by e-mail,
PGP will be used. Network file transfers will be considered
to be similar to e-mail for these purposes: sensitive data
should be encrypted for transmission.
Where it is necessary to establish trust, for example
before relying on information given to CERT Polska, or
before disclosing confidential information, the identity
and bona fides of the other party will be ascertained to
a reasonable level of trust. Within NASK, and with known
neighbor sites, referrals from known trusted people will
suffice to identify someone. Otherwise, appropriate
methods will be used, such as a search of FIRST members,
the use of WHOIS and other Internet registration
information, etc., along with telephone call-back or e-mail
mail-back to ensure that the party is not an impostor.
Incoming e-mail whose data must be trusted will be checked
with the originator personally, or by means of digital
signatures (PGP in particular is supported).
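An added check, not part of the RFC 2350 document or of CERT Polska's own tooling, that ties sections 2.8 and 4.3 together: before trusting a PGP-signed message, compare the full fingerprint of the key you retrieved against the one published in section 2.8, not merely the 32-bit KeyID, which is nothing more than the fingerprint's last 8 hex digits. The gpg output below is a constructed sample; only the fingerprint, KeyID and contact address come from the document.

```python
import re

# Values published in section 2.8 of CERT Polska's RFC 2350 document.
PUBLISHED_KEYID = "969C0EB8"
PUBLISHED_FINGERPRINT = "DC34 CB6E CD73 C0B1 DC8C 8AE7 FD58 C59E 969C 0EB8"

_HEX40 = re.compile(r"^[0-9A-F]{40}$")
# A fingerprint line as `gpg --fingerprint` prints it: ten groups of four hex digits.
_FP_LINE = re.compile(r"^\s*((?:[0-9A-Fa-f]{4}\s+){9}[0-9A-Fa-f]{4})\s*$", re.M)

def normalize_fingerprint(text: str) -> str:
    """Strip spacing/case; reject anything that is not a 40-hex-digit OpenPGP v4 fingerprint."""
    fp = re.sub(r"\s+", "", text).upper()
    if not _HEX40.match(fp):
        raise ValueError(f"not a 40-digit OpenPGP v4 fingerprint: {text!r}")
    return fp

def short_keyid(fingerprint: str) -> str:
    """The 32-bit 'short' KeyID is just the last 8 hex digits of the fingerprint."""
    return normalize_fingerprint(fingerprint)[-8:]

def fingerprints_from_gpg_output(output: str) -> list:
    """Extract every fingerprint line from gpg --fingerprint style text."""
    return [normalize_fingerprint(m) for m in _FP_LINE.findall(output)]

def check_against_rfc2350(output: str) -> dict:
    """Report whether the retrieved key matches the published KeyID and, separately, the full fingerprint."""
    published = normalize_fingerprint(PUBLISHED_FINGERPRINT)
    found = fingerprints_from_gpg_output(output)
    return {
        "keyid_matches": any(short_keyid(fp) == PUBLISHED_KEYID for fp in found),
        "fingerprint_matches": published in found,  # the comparison that actually counts
    }

# Constructed sample shaped like `gpg --fingerprint` output; algorithm and date are
# placeholders, only the fingerprint and address come from the document.
SAMPLE_GOOD = """\
pub   rsa4096 2000-01-01 [SC]
      DC34 CB6E CD73 C0B1 DC8C  8AE7 FD58 C59E 969C 0EB8
uid           [ unknown] CERT Polska <cert@cert.pl>
"""
# Constructed look-alike: same short KeyID (last 8 digits), entirely different key.
SAMPLE_LOOKALIKE = SAMPLE_GOOD.replace(
    "DC34 CB6E CD73 C0B1 DC8C  8AE7 FD58 C59E", "0123 4567 89AB CDEF 0123  4567 89AB CDEF")
```

The look-alike passes the KeyID test and fails the fingerprint test, which is why the document publishes the full fingerprint and why a verifier should compare against it.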
5. Services
5.1 Incident Response
CERT Polska will provide incident response capabilities in
the following areas:
5.1.1 Incident Triage
- Investigating whether indeed an incident occurred.
- Determining the extent of the incident.
5.1.2 Incident Coordination
- Determining the initial cause of the incident
(vulnerability exploited)
- Facilitating contact with other sites which may be
involved.
- Facilitating contact with appropriate law enforcement
officials, if necessary.
- Making reports to other CSIRTs
- Composing announcements to users, if applicable
5.1.3 Incident handling
In some cases, limited support may be provided in technical
incident handling, including malware and forensic analysis,
threat hunting, evidence collection.
The extent of this support will depend on the type and severity
of the incident, and the type of the affected entity.
5.2 Proactive Services
CERT Polska coordinates and maintains the following services
to the extent possible depending on its resources:
- Network security information sharing platform ("n6")
available to all network administrators:
- Information services through the following channels:
= website: https://www.cert.pl/
= Facebook website: https://facebook.com/CERT.Polska
= twitter: https://twitter.com/CERT_Polska (PL) and
https://twitter.com/CERT_Polska_en (EN)
- Training and educational services
CERT Polska organizes an annual SECURE conference covering
current important security issues which is open for all
interested parties.
CERT Polska contributes to NASK's activities in the area
of awareness raising and education on cyber security.
5.3 Research and Development
CERT Polska provides tools and facilities to monitor and
analyze threats.
https://github.com/CERT-Polska
https://www.cert.pl/en/projekty/
6. Incident Reporting Forms
CERT Polska has created a local form designated for
reporting incidents to the team. We strongly encourage
anyone reporting an incident to fill it out, although
this is never required. The current version of the form
is available from:
7. Disclaimers
While every precaution will be taken in the preparation of
information, notifications and alerts, CERT Polska assumes
no responsibility for errors or omissions, or for damages
resulting from the use of the information contained within.