HEAnet CERT

What is HEAnet CERT?

HEAnet utilises the services of JA.net CSIRT to provide a single, trusted point of contact for our clients to deal with computer security incidents and their prevention. The aims of the service are to reduce the probability of successful attack, to reduce the direct costs of security to organisations and to lower the risk of consequential damage.

Contact: HEAnet-CERT
Email: cert@heanet.ie
PGP Key: cert-key.txt

Additional Links

JANET-CERT: http://www.ja.net/services/csirt/index.html

Incident Reporting Guidelines

In general, we ask that reporting clients contact HEAnet-CERT at cert@heanet.ie. Normally, when an incident is initially reported to us, it will be assigned a HEAnet CERT incident reference number. Where we have assigned a number to an incident, we would appreciate you including our incident number in the subject line of any further correspondence relating to the incident.

When Should I Report an Incident?

Preferably you should report an incident as soon as it is discovered, as information that assists in tracking down an attacker tends to fade quickly with time (log files roll over, etc.). Nonetheless, even if the incident is somewhat dated we encourage you to report it in case other sites may have been involved and are unaware.

Why Should I Report an Incident?

There are several reasons to report an incident to HEAnet CERT. These include:

  • We can provide technical assistance as to what you should do in the case of an incident.
  • We may be able to correlate activities at your site with activities at other sites.
  • Your data will help us collect, analyse and report statistics on incidents.
  • We will let other sites know that they may have been the source, intermediary or target of an attack, as they are often unaware.
  • It is part of being a responsible 'netizen', and supporting the Internet community.

Who Should I Report an Incident To?

To determine whom you should report an incident to, you should consult your own security policies and procedures. In cases where procedures do not explicitly identify who you should report incidents to, you should consult with your management. Some typical incident reporting contacts include:

  • Your local network administrator or IT security officer.
  • Your organisation’s Computing Services Department or Incident Response Team (IRT) and secondly HEAnet CERT.
  • Other sites involved in the incident. This can be done directly by you, or via HEAnet CERT. If you choose to contact other sites yourself, we would appreciate being included as 'Cc:' on the messages.

Incident Reporting: Required Information

The incident response assistance that you request from HEAnet CERT depends on the level of incident response expertise available at your site. Some typical assistance request scenarios include:

  • No additional assistance required (we are reporting the incident as part of our responsibilities as good 'netizens').
  • We do not know how to go about contacting the other sites involved and need assistance co-ordinating the resolution of this incident.
  • We have advised everyone else involved, but now how do we recover from this?
  • Help, we have been compromised and have no idea what to do!

The basic information needed when reporting an incident is summarised below:

  • Information on how to contact you. We ask that you provide telephone and fax numbers in addition to e-mail.
  • A summary of the hosts involved in the incident.
  • Your time zone and the accuracy of your clock. This information is important in trying to co-ordinate incident response among sites that may be located all over the world.
  • A sufficiently detailed description of the activity you are reporting. It should be noted that the other sites you are reporting incidents to may have more or less experience with computer security, so please be clear in reporting the activity.
  • Time-stamped extracts from system logs showing the suspicious activity.
  • Any restrictions on information disclosure.
