3. Legislative framework of CSIRT/CERT

3.2. Poland

CERT Polska is a Computer Emergency Response Team that operates within the structures of Naukowa i Akademicka Sieć Komputerowa (Scientific and Academic Computer Network, or NASK), a research institute which conducts scientific activity, operates the national .pl domain registry and provides advanced IT network services. CERT Polska is the first Polish computer emergency response team. Active in the response-team community since 1996, it has become a recognised and experienced entity in the field of computer security. Since its launch, the core of the team's activity has been handling security incidents and cooperating with similar units worldwide. It also conducts extensive R&D on security topics.

In 1997, CERT Polska became a member of FIRST, the international forum of response teams, and since 2000 it has been a member of TERENA TF-CSIRT, the working group of European response teams, and of the associated organisation Trusted Introducer. In 2005, on the initiative of CERT Polska, a forum of Polish abuse teams, Abuse FORUM, was created, and in 2010 CERT Polska joined the Anti-Phishing Working Group, an association of companies and institutions which actively fight on-line crime.

The main tasks of CERT Polska include:

o   registration and handling of network security incidents for Poland and the “.pl” domain name space;

o   providing watch & warning services to Internet users in Poland;

o   active response in case of direct threats to users;

o   cooperation with other CERT teams in Poland and worldwide;

o   participation in national and international projects related to IT security;

o   research activity in relation to methods of detecting security incidents, analysis of malware, systems for exchanging information on threats;

o   development of proprietary tools for detection, monitoring, analysis, and correlation of threats;

o   regular publication of CERT Polska Report on security of Polish on-line resources;

o   information/education activities aimed at increasing the awareness in relation to IT security;

o   performing independent analyses and testing solutions related to IT security.

 

Below is the full description of CERT Polska in accordance with RFC 2350 "Expectations for Computer Security Incident Response":

CSIRT Description for CERT Polska
=================================

1. About this document

 

            1.1 Date of Last Update

                        This is version 2.0, published on 04 March 2019.

 

            1.2 Distribution List for Notifications

                        Currently CERT Polska does not use any distribution lists

                        to notify about changes in this document.

 

            1.3 Locations where this Document May Be Found

                        The current version of this CSIRT description document is

                        available from the CERT Polska WWW site; its URL is

                        https://www.cert.pl/wp-content/uploads/2017/12/rfc2350.txt

                        Please make sure you are using the latest version.

 

            1.4 Authenticating this document

                        This document has been signed with the CERT Polska PGP

                        key. The signatures are also on our Web site, under:

                        http://www.cert.pl/o-nas

 

2. Contact Information

            2.1 Name of the Team

                        CERT Polska

 

            2.2 Address

                        CERT Polska

                        NASK

                        ul. Kolska 12

                        01-045 Warszawa

                        Poland

 

            2.3 Time Zone

                        Central European Time (GMT+0100, GMT+0200 from April

                        to October)

 

            2.4 Telephone Number

                        +48 22 3808 274

 

            2.5 Facsimile Number

                        +48 22 3808 399 (note: this is *not* a secure fax)

 

            2.6 Other Telecommunication

                        None available.

 

            2.7 Electronic Mail Address

                        <cert@cert.pl> This is a mail alias that serves

                        the human(s) on duty for CERT Polska.

 

            2.8 Public keys and Other Encryption Information

                        CERT Polska has a PGP key, whose KeyID is 969C0EB8 and

                        whose fingerprint is

                        DC34 CB6E CD73 C0B1 DC8C 8AE7 FD58 C59E 969C 0EB8

                        The key and its signatures can be found at the usual large

                        public keyservers.

 

            2.9 Other Information

                        General information about CERT Polska, as well as links

                        to various recommended security resources, can be found

                        at http://www.cert.pl/

 

                        CERT Polska uses the following Facebook page to publish

                        news about current activities http://www.facebook.com/CERT.Polska

 

                        CERT Polska posts short messages on current events to

                        the following twitter accounts

                        http://www.twitter.com/cert_polska

                        http://www.twitter.com/cert_polska_en

 

            2.10 Points of Customer Contact

 

                        The preferred method for contacting CERT Polska is via

                        e-mail at <cert@cert.pl>; e-mail sent to this address

                        will be handled by the responsible human. We encourage our

                        customers to use PGP encryption when sending any

                        sensitive information to CERT Polska.

                       

                        If it is not possible (or not advisable for security

                        reasons) to use e-mail, CERT Polska can be reached by

                        telephone during regular office hours. Off these hours

                        incoming phone calls are transmitted to an answering

                        machine. All messages recorded are checked ASAP.

 

                        CERT Polska operates 24 hours a day, every day of the year.

 

                        If possible, when submitting your report, use the form

                        mentioned in section 6.

 

3. Charter

 

            3.1 Mission Statement

                        The mission of CERT Polska is to identify, analyse and

                        mitigate threats targeting Polish internet users. As an

                        essential part of the national cyber security system, CERT

                        Polska contributes to ensuring cyber security at the

                        national level.

 

            3.2 Constituency

                        Constituency of CERT Polska is defined in Article 26 (1) of

                        the Act of 5 July 2018 on the national cyber security system.

                       

                        All legal entities and natural persons in Poland, with the

                        exceptions of:

                       

                        - entities subordinate to or supervised by the Minister of

                        National Defence, including entities whose ICT systems or ICT

                        networks are covered by a single list of facilities,

                        installations, devices and services included in the critical

                        infrastructure referred to in Article 5b, paragraph 7,

                        subparagraph 1 of the Act of 26 April 2007 on crisis

                        management,

                        - companies of significant importance in terms of economy and

                        defence, for whom the authority organising and supervising

                        their performance of tasks for the defence of the state is

                        the Minister of National Defence,

                        - public finance sector entities referred to in Article 9,

                        items 1, 8 and 9 of the Act of 27 August 2009 on public

                        finance, with the exception of: research institutes, Office of

                        Technical Supervision, Polish Air Navigation Services Agency,

                        Polish Centre for Accreditation, National Fund for

                        Environmental Protection and Water Management and regional

                        funds for environmental protection and water management,

                        - National Bank of Poland,

                        - National Development Bank,

                        - entities than listed in items 1 to 4 and paragraph 5, whose

                        ICT systems or ICT networks are covered by a single list of

                        facilities, installations, devices and services included in

                        the critical infrastructure referred to in Article 5b,

                        paragraph 7, subparagraph 1 of the Act of 26 April 2007 on

                        crisis management.

                       

                        Note that ANY incident regarding any host, network, legal

                        entity or natural person in Poland MAY be reported to CERT

                        Polska. Reports of incidents beyond CERT Polska's constituency

                        will be forwarded without undue delay to the relevant CSIRT,

                        according to Article 26 (8) of the Act of 5 July 2018 on the

                        national cybersecurity system.

 

            3.3 Sponsorship and/or Affiliation

                        CERT Polska is financially maintained by the National Research

                        Institute NASK which it is formally a part of.

                       

                        NASK receives a specified-user subsidy from the part of the

                        state budget assigned to the minister competent for

                        digitalisation to fund operations of CERT Polska.

 

            3.4 Authority

                        The Act of 5 July 2018 on the national cyber security system

                        defines competencies and authority of "CSIRT NASK" - a role

                        assigned to NASK in the national cyber security system.

                       

                        Parts of that role, specifically addressing operational

                        aspects such as:

                        - monitoring of cyber security threats at the national level,

                        - incident response,

                        - information sharing,

                        - participation in CSIRTs Network

                        are fulfilled by CERT Polska.

 

4. Policies

 

            4.1 Types of Incidents and Level of Support

                        CERT Polska is authorized to address all types of

                        computer security incidents which occur, or threaten to

                        occur, in its constituency.

 

                        The level of support given by CERT Polska will vary

                        depending on the type and severity of the incident or

                        issue, the type of constituent, the size of the user

                        community affected, and the availability of CERT Polska's

                        resources at the time, though in all cases some response

                        will be made within two working days.

 

                        Incidents will be prioritized according to their

                        apparent severity and extent.

                       

                        Critical, significant and substantial incidents, as well as

                        incidents in a public entity (as defined in Article 2 of the

                        Act of 5 July on the national cyber security system) are

                        coordinated by respective CSIRTs - including CERT Polska,

                        according to their constituency.

                       

                        Incident handling is the responsibility of individual entities.

                       

                        However, under Article 26 of the Act of 5 July on the national

                        cyber security system, in reasonable cases, at the request of

                        operator of essential services, digital service providers, or

                        public entities, CERT Polska may provide support in incident

                        handling.

 

            4.2 Co-operation, Interaction and Disclosure of Information

                        CERT Polska exchanges all necessary information with

                        other CSIRTs, other entities included in the Polish national

                        cyber security system, as well as with affected parties'

                        administrators. No personal nor overhead data are

                        exchanged unless explicitly authorized.

 

                        All sensitive data (such as personal data, system

                        configurations, known vulnerabilities with their locations)

                        are encrypted if they must be transmitted over unsecured

                        environment as stated below.

 

            4.3 Communication and Authentication

                        In view of the types of information that CERT Polska

                        deals with, telephones will be considered sufficiently

                        secure to be used even unencrypted. Unencrypted e-mail

                        will not be considered particularly secure, but will be

                        sufficient for the transmission of low-sensitivity data.

                        If it is necessary to send highly sensitive data by e-mail,

                        PGP will be used. Network file transfers will be considered

                        to be similar to e-mail for these purposes: sensitive data

                        should be encrypted for transmission.

 

                        Where it is necessary to establish trust, for example

                        before relying on information given to CERT Polska, or

                        before disclosing confidential information, the identity

                        and bona fide of the other party will be ascertained to

                        a reasonable level of trust. Within NASK, and with known

                        neighbor sites, referrals from known trusted people will

                        suffice to identify someone. Otherwise, appropriate

                        methods will be used, such as a search of FIRST members,

                        the use of WHOIS and other Internet registration

                        information, etc, along with telephone call-back or e-mail

                        mail-back to ensure that the party is not an impostor.

                        Incoming e-mail whose data must be trusted will be checked

                        with the originator personally, or by means of digital

                        signatures (PGP in particular is supported).

 

5. Services

 

            5.1 Incident Response

                        CERT Polska will provide incident response capabilities in

                        the following areas:

                       

            5.1.1 Incident Triage

                            - Investigating whether indeed an incident occurred.

                            - Determining the extent of the incident.

 

            5.1.2 Incident Coordination

                            - Determining the initial cause of the incident

                                   (vulnerability exploited)

                            - Facilitating contact with other sites which may be

                              involved.

                            - Facilitating contact with appropriate law enforcement

                              officials, if necessary.

                            - Making reports to other CSIRTs

                            - Composing announcements to users, if applicable

                                  

            5.1.3 Incident handling

                        In some cases, limited support may be provided in technical

                        incident handling, including malware and forensic analysis,

                        threat hunting, evidence collection.

                       

                        The extent of this support will depend on the type and severity

                        of the incident, and the type of the affected entity.

 

            5.2 Proactive Services

                        CERT Polska coordinates and maintains the following services

                        to the extent possible depending on its resources:

 

                        - Network security information sharing platform ("n6")

                        available to all network administrators:

                                   https://n6.cert.pl/

                        - Information services through the following channels:

                                   = website: https://www.cert.pl/

                                   = Facebook website: https://facebook.com/CERT.Polska

                                   = twitter: https://twitter.com/CERT_Polska (PL) and

                                     https://twitter.com/CERT_Polska_en (EN)

                        - Training and educational services

 

                        CERT Polska organizes an annual SECURE conference covering

                        current important security issues which is open for all

                        interested parties.

                       

                        CERT Polska contributes to NASK's activities in the area

                        of awareness raising and education on cyber security.

                       

            5.3 Research and Development

                        CERT Polska provides tools and facilities to monitor and

                        analyze threats.

                                   https://github.com/CERT-Polska

                                   https://www.cert.pl/en/projekty/

 

6. Incident Reporting Forms

 

                        CERT Polska had created a local form designated for

                        reporting incidents to the team. We strongly encourage

                        anyone reporting an incident to fill it out, although

                        this is never required. The current version of the form

                        is available from:

                                   https://incydent.cert.pl/

 

7. Disclaimers

 

                        While every precaution will be taken in the preparation of

                        information, notifications and alerts, CERT Polska assumes

                        no responsibility for errors or omissions, or for damages

                        resulting from the use of the information contained within.
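
Sections 1.4, 2.8 and 4.3 of the description above rest on PGP signatures and publish both a short KeyID and a full fingerprint. The following is an added example, not part of the CERT Polska document and not CERT Polska's code: it pins a signature check to the full fingerprint by parsing GnuPG's machine-readable status lines, and shows why the 32-bit KeyID alone is not enough. The status lines, user ID, timestamps and the look-alike fingerprint are constructed sample data, and the verification command in the docstring is an assumption about how the signed file would be checked.

```python
import re

# Fingerprint and short KeyID exactly as published in section 2.8 above.
PINNED_FPR = "DC34 CB6E CD73 C0B1 DC8C 8AE7 FD58 C59E 969C 0EB8"
SHORT_KEYID = "969C0EB8"

# GnuPG status keywords that must never accompany an accepted signature.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def normalize(fpr):
    """Drop spaces and colons, upper-case, and require 40 hex digits."""
    cleaned = re.sub(r"[\s:]", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("not a 40-hex-digit fingerprint: %r" % fpr)
    return cleaned


def short_id(fpr):
    """Short KeyID = last 32 bits of the fingerprint; too weak to pin on."""
    return normalize(fpr)[-8:]


def signer_is_pinned(status_text, pinned=PINNED_FPR):
    """True only if gpg reported VALIDSIG for the pinned full fingerprint.

    status_text is the machine-readable output of, for example,
    `gpg --status-fd 1 --verify <file>` (file name is a placeholder).
    """
    want, accepted = normalize(pinned), False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FATAL:
            return False  # any bad, expired or revoked signature fails closed
        if keyword == "VALIDSIG" and args:
            # args[0]: fingerprint of the signing (sub)key;
            # args[-1]: primary key fingerprint when gpg emits it.
            if want in (args[0].upper(), args[-1].upper()):
                accepted = True
    return accepted


# Constructed status output (not captured from a real verification run).
GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG FD58C59E969C0EB8 Example Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG DC34CB6ECD73C0B1DC8C8AE7FD58C59E969C0EB8 2019-03-04 "
    "1551700000 0 4 0 1 8 01 DC34CB6ECD73C0B1DC8C8AE7FD58C59E969C0EB8\n"
)
# Constructed fingerprint of a different key that shares the short KeyID.
LOOKALIKE_FPR = "0123456789ABCDEF0123456789ABCDEF969C0EB8"
LOOKALIKE = GOOD.replace(normalize(PINNED_FPR), LOOKALIKE_FPR)
TAMPERED = "[GNUPG:] BADSIG FD58C59E969C0EB8 Example Signer <signer@example.org>\n"
```

The fingerprint used for pinning should itself be obtained over a channel independent of the keyserver, such as the telephone call-back described in section 4.3.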