-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Version: 1.3 Date: Thu 25 Jan 2024 Author: Thomas Pribitzer 1. Document information This document contains a description of CERT.at according to RFC 2350. It provides basic information about the CERT, the ways it can be contacted, describes its responsibilities and the services offered. 1.1 Date of last update 2024-01-25 1.2 Distribution list for notifications There is no distribution list for notifications as of 2021/11. 1.3 Locations where this document may be found The current version of this document can always be found at https://cert.at/de/ueber-uns/rfc2350/ . For validation purposes, a GPG signed ASCII version of this document is located at https://cert.at/media/files/about/rfc2350/files/rfc2350.txt . The key used for signing is the CERT.at key as listed under 2.8. 2. Contact information 2.1 Name of the team CERT.at Computer Emergency Response Team Austria 2.2 Address CERT.at Karlsplatz 1/2/9 1010 Vienna Austria 2.3 Time zone We are located in the central European time zone (CET) which is GMT+0100 (+0200 during day-light saving time). 2.4 Telephone number +43 1 5056416 78 2.5 Facsimile number +43 1 5056416 79 (deprecated, please use only if everything else has failed) 2.6 Other telecommunication Members of the team are active in various online forums of the international CSIRT community. 2.7 Electronic mail address Please send incident reports to . Non-incident related mail should be addressed to . 2.8 Public keys and encryption information CERT.at uses a master signing key to sign all keys used for operational purposes. This trust anchor is: pub rsa4096 2019-02-25 [SC] [expires: 2034-02-21] 8555 0D8D 5236 BBF1 6A49 0DEB D57E 00EA 0070 9A3D uid CERT.at master key sub rsa4096 2019-02-25 [E] [expires: 2034-02-21] and can be found on most key-servers. Please DO NOT use this key for communications with us. All official communication by CERT.at will be signed by the current team key, which is as of January 2024: pub rsa4096/3FF5B6D133BDFD57 2024-01-24 [SC] [expires: 2029-01-22] 64142AF14EC667830ADC64AB3FF5B6D133BDFD57 uid CERT.at (Incidents) uid CERT.at (General Communications) sub rsa4096/6AC1052761C75D8D 2024-01-24 [E] [expires: 2029-01-22] Encrypted communications with CERT.at should use this - and only this - operational key. All keys (including the keys of individual team members) can be found at https://cert.at/media/files/about/rfc2350/files/pgpkeys.asc . (Additional download options (individual keys, revocations) are linked from the html-version of this document.) Since the team key and the master signing key expire regularly, CERT.at will always sign younger master signing keys with the older master signing keys as well. The current master signing key always signs the team key. See also the key transition documents at https://cert.at/media/files/about/rfc2350/files/key-transition-2014.txt and https://cert.at/media/files/about/rfc2350/files/key-transition-2019.txt . 2.9 Team members The team leader of CERT.at is Wolfgang Rosenkranz. Other team members are listed in the "About Us" / Team page on our webpage. Management, liaison and supervision are provided by Robert Schischka, General Manager of CERT.at GmbH. 2.10 Other information Since March 2019, CERT.at is the accredited national CSIRT according to the Austrian implementation of the EU NIS Directive. More information on the Austrian NIS law can be found at https://www.nis.gv.at/ (in German). 2.11 Points of contact The preferred method for contacting CERT.at is via e-mail. For incident reports and related issues please use . This will create a ticket in our tracking system and alert the human on duty. For general inquiries please send e-mail to . If it is not possible (or advisable due to security reasons) to use e-mail, you can reach us via telephone at +43 1 5056416 78. In order for reports to fall under the procedures of the NIS law, they should be submitted via https://nis.cert.at/ (for other reports, please use e-mail). CERT.at's hours of operation are generally restricted to local regular business hours: Mon-Fri (except public holidays and Dec 24th/31st), 8 a.m. - 6 p.m. CET/CEST. Mandatory NIS reports by an authenticated OES/DSP can trigger a 24x7 response by CERT.at. 3. Charter 3.1 Mission statement The purpose of CERT.at is to coordinate security efforts and incident response for IT-security problems on a national level in Austria. CERT.at fulfills the role of the national CSIRT within the NIS framework. 3.2 Constituency The constituency of CERT.at is basically the whole country of Austria. CERT.at will first try to coordinate with IT-security teams and more specific CERTs in Austria. Note that usually no direct support will be given to end users; they are expected to contact their ISP, system administrator, network administrator, or department head for assistance. CERT.at will support the latter. Pro-active and educational material are provided for the general public. 3.3 Sponsorship and/or affiliation CERT.at is an initiative of nic.at, the Austrian domain registry, and the Austrian Federal Chancellery. It is operated by CERT.at GmbH, a subsidiary of nic.at GmbH. 3.4 Authority The main purpose of CERT.at in incident handling is the coordination of incident response. As such, we can only advise our constituency and have no authority to demand certain actions. We have indirect authority over AS30971 and AS1921. Although CERT.at is a subsidiary of nic.at, CERT.at has no take-down rights for malicious domains within the .at ccTLD. 4. Policies 4.1 Types of incidents and level of support CERT.at is authorised to address all types of computer security incidents which occur, or threaten to occur, in our constituency (see 3.2) and which require cross-organisational coordination. The level of support given by CERT.at will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and our resources at the time. Special attention will be given to issues affecting critical infrastructure and designated operators of essential services / digital service providers (in the NIS context). CERT.at is committed to keeping its constituency informed of potential vulnerabilities, and, where possible, will inform this community of such vulnerabilities before they are actively exploited. Overall, the primary role of CERT.at during incidents is information exchange and coordination, and not on-site incident response. 4.2 Co-operation, interaction and disclosure of information CERT.at will cooperate with other organisations in the field of computer security. This cooperation also includes and often requires the exchange of vital information regarding security incidents and vulnerabilities. Nevertheless CERT.at will protect the privacy of reporters, partners and our constituents, and therefore (under normal circumstances) pass on information in an anonymised way only unless other contractual agreements or laws apply. CERT.at operates under the restrictions imposed by Austrian law. This involves careful handling of personal data as required by Austrian Data Protection law, but it is also possible that - according to Austrian law - CERT.at may be forced to disclose information due to a court order. The designation of CERT.at as the national CSIRT according to the NIS law provides a legal framework for cooperation and information sharing. CERT.at participates in the national "operational cooperation" (OpKoord) and acts as the default reporting point for incident reporting under the NIS framework. On one hand, the NIS law explicitly allows the sharing of personal data (to CERT.at and from CERT.at to affected parties) for the purpose of reacting to, or preventing incidents. On the other hand, the law defines what information from the NIS reporting needs be passed by CERT.at to the Ministry of the Interior. For details on the law and related secondary legislation see https://nis.gv.at/ . CERT.at treats all submitted information (except NIS reports, see above) as confidential per default, and will only forward it to concerned parties in order to resolve specific incidents when consent is implicit or expressly given. For example: incoming report "Malware on www.example.com/malware, please get it cleaned up". In this case, we would forward the information only to the concerned parties (domain-holder, hoster/ISP, appropriate CERTs) to help them quickly fix the problem. We will not forward information about incidents to government authorities or the press without explicit prior permission by the submitting party. CERT.at is an active participant in various collaboration mechanisms, e.g. the Austrian CERT Verbund (association of CERTs), the Austrian Trust Circle (ATC), the EU CSIRTs Network, the TF-CSIRT and FIRST. 4.3 Communication and authentication For normal communication not containing sensitive information CERT.at might use conventional methods like unencrypted e-mail. For secure communication PGP-encrypted e-mail or telephone will be used. If it is necessary to authenticate a person before communicating, this can be done either through existing webs of trust (e.g. FIRST, TI, CNW) or by other methods like call-back, mail-back or even face-to-face meeting if necessary. 5. Services 5.1 Incident response CERT.at will assist IT-security teams in handling the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management: 5.1.1. Incident triage * determining whether an incident is authentic * assessing and prioritizing the incident 5.1.2. Incident coordination * determining the involved organizations * contacting the involved organizations to investigate the incident and take the appropriate steps * facilitating contact to other parties which can help resolve the incident * sending reports to other CERTs We mainly see ourselves as information hub which knows where to send the right incident reports to in order to help and facilitate the clean-up of IT security incidents. 5.1.3. Incident resolution * advising local security teams on appropriate actions * following up on the progress of the concerned local security teams * asking for reports * reporting back CERT.at will also collect statistics about incidents within its constituency. 5.2 Proactive activities CERT.at tries to * raise security awareness in its constituency * collect contact information of local security teams * publish announcements concerning serious security threats * observe current trends in technology * distribute relevant knowledge to the constituency * provide forums for community building and information exchange within the constituency 5.3 Service levels CERT.at will always strive to react to incoming incident reports from humans within one business day. Due to current staffing levels this cannot be guaranteed, though. If you haven't received feedback to an incident report after two business days, we ask that you contact us again. Auto-generated reports and data-feeds will be handled as automatically as possible. 6. Incident reporting forms For reports within the NIS framework, use the portal at https://nis.cert.at/ There are no forms available for informal reports to CERT.at. 7. Disclaimers While every precaution will be taken in the preparation of information, notifications and alerts, CERT.at assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within. -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEZBQq8U7GZ4MK3GSrP/W20TO9/VcFAmWyX7UACgkQP/W20TO9 /VfGkg/+Pnz2uVeJoT9h+cizi6Gn4qxp4gZMmaZKX0PkycEJE/f7zAudEkm1M9Zg ZoHkpCiyBIFYFTPrtcF4CS5/nq4uK0tWzio+BV5YrTXR+ZAYUzEypEiI00bL/5U1 vvVdofLQbjFPbw8hqSfrVPNZibSqu1j/DQudyLRkxrRJ2Ll03BUmAvDnWt7Ss+9d pS+T+5l8pHUh5CFSKOO6/aaBv0llhzeAlzuxqd5ARYsHvgCyRTQVLjns0Os0xTRM zMskpRkdgNQzUrTK5dfdktU2O/NeD7DFgjaFrtIoUfdhO7orf7S7GWyoeZrenHgw RFhggY2L84VdZJ5QqH4JnAR682Yfk2dUja9tQb1pa/e/gyJKUZEA1LPeY1zWrgAn xpWQGMIevTMyZtG6J6fpBWyWBbEMa5aZgat7AfRojy2Hlgcm03cQqKxuhFB7aXIl BflX6kNDUFLZN0HNoNl1S8YTTfWv+GvZEPrvArHtfcXHhsThdbPD/W6FNSh1anCD zr8tSOLB+hKzSogaG0mhhXl2hcf7qjZ+15vttClBuVrpdjjwtDhQS1a30MSCV2lA go86IKMT517bdVpMJnjkrf530vBDp6oGButby2mRRbhrybjlJUNuPqIsMdiZYcpa DmddU1Dx6IewTrBE27AWzned8TL3HLbDQmGiEWrsQK2DpjZD+ls= =LlsA -----END PGP SIGNATURE-----