CSIRT Description for AlgoCERT
-----------------------------

1. About this document

1.1 Date of last update

    This document was first published on May 17th, 2016. No updates
    have been made so far.

1.2 Distribution list for notifications

    None available.

1.3 Locations where this document may be found

    This document can be found at
    https://www.algosecure.fr/cert/rfc2350-en.txt

    A French version can be found at
    https://www.algosecure.fr/cert/rfc2350-fr.txt

1.4 Authenticating this document

    Both the English and French versions of this document have been
    signed with the AlgoCERT's PGP key. The signatures are available
    on our Web site, under:

    https://www.algosecure.fr/cert/rfc2350-en.sig
    https://www.algosecure.fr/cert/rfc2350-fr.sig

2. Contact Information

2.1 Name of the team

    AlgoCERT: the AlgoSecure Computer Emergency Response Team.

2.2 Address

    AlgoSecure
    57 Boulevard Vivier Merle
    69003 Lyon
    FRANCE

2.3 Time Zone

    Europe/Paris (UTC +1, and UTC +2 from April to October)

2.4 Telephone Number

    +33 4 26 78 24 86

2.5 Facsimile number

    None available.

2.6 Other telecommunication

    None available.

2.7 Electronic mail address

    You can write to us directly at firstname.lastname@example.org.

2.8 Public keys and other encryption information

    The AlgoCERT has a PGP key, whose ID is 0x801E05B0 and whose
    fingerprint is
    FA89 A8BF ABB9 66BF FC42 CE24 7F35 4DCB 801E 05B0.
    The key and its signatures can be found at the usual large public
    keyservers.

2.9 Team members

    The team consists of five security experts.

2.10 Other information

    Operating hours are 09:00-12:00 and 14:00-17:00 CET, Monday to
    Friday.

2.11 Points of customer contact

    The preferred method of communication is the web form available
    at: https://www.algosecure.fr/cert/

    Please use this form first, so that we have the basic information
    needed to properly start working on your emergency.

    AlgoCERT can also be reached by email and by telephone during
    regular office hours.

3. Charter

3.1 Mission Statement

    AlgoCERT is a private computer emergency response team for the
    private sector, communes and non-governmental entities. It is
    operated by AlgoSecure, a team of experts in computer security,
    system and network administration based in Lyon, France.
    AlgoSecure combines performance and humanism to help organizations
    improve the security level of their information systems as well as
    the security awareness of their employees.

    Its missions are to:
    - support companies when they experience computer security
      incidents
    - gather intelligence from incidents
    - help organizations assess and improve their security level
    - inform its clients when vulnerabilities related to their
      products are released
    - provide resources to train users in computer security
    - exchange information and cooperate with other CSIRTs/CERTs

3.2 Constituency

    The constituency of AlgoCERT consists of public and private
    organizations.

3.3 Sponsorship and/or affiliation

    AlgoCERT is operated by AlgoSecure, a French company specialized
    in computer security based in Lyon, France.

3.4 Authority

    AlgoCERT does not function under any authority.

4. Policies

4.1 Types of Incidents and Level of Support

    AlgoCERT can address all types of computer security incidents
    which occur in its constituency networks, except for DDoS attacks.

    The level of support provided will depend on the severity of the
    incident, the human and technical resources of AlgoSecure
    available at the time, and the information provided when declaring
    an incident.

    Note that no direct support will be given to end users; they are
    expected to contact their system administrator, network
    administrator, or department head for assistance. AlgoCERT will
    support the latter.

    AlgoCERT cannot train system or network administrators on the fly,
    and it cannot perform system maintenance on their behalf. In most
    cases, AlgoCERT will provide pointers to the information needed to
    implement appropriate measures.

    The AlgoCERT is committed to keeping its paid customers informed
    of potential vulnerabilities, and where possible, will inform this
    community of such vulnerabilities before they are actively
    exploited.

4.2 Co-operation, Interaction and Disclosure of Information

    AlgoCERT is willing to share technical data with other CSIRTs as
    well as with affected parties' administrators. However, this
    information sharing will not disclose any personal or sensitive
    information.

    Sensitive information that will not be shared may include: name of
    the company that reported incidents, contact information of the
    person who declared the incident, public IP addresses of the
    affected systems, etc.

    Exchanges of sensitive information will be made in a secure manner
    using PGP, encrypted volumes, and/or any other secure means of
    communication.

4.3 Communication and Authentication

    You can contact us by phone or unencrypted email to discuss
    non-sensitive issues.

    If you wish to send us sensitive information, data should be
    encrypted using our aforementioned PGP key. Data can also be
    stored in an encrypted volume or a password-protected ZIP file.
    Passwords can be transmitted by encrypted emails (using our PGP
    key) or by phone.

5. Services

    AlgoCERT provides proactive services in order to anticipate and
    prevent security incidents from happening. It also provides
    reactive services where we will assist system and network
    administrators in dealing with security incidents that occur
    within the information system of their company.

5.1 Incident Response

    The incident response process will follow these phases:
    - triage: we will collect any evidence of the incident and check
      whether it is really a security incident that we can act on
    - study: we will investigate the incident (source, causes,
      timeline...) and look for solutions
    - resolution: we will help system/network administrators and/or
      developers remove the vulnerability or threat and try to recover
      potentially lost data
    - evaluation: we will write a report about the circumstances of
      the incident and what we did to help recover from it, and
      finally assess the service we provided to our customers in order
      to further improve it.

5.2 Proactive Activities

    In order to prevent incidents from happening, or at least reduce
    the probability of them happening, we can audit your information
    system in order to detect vulnerabilities and try to exploit them.
    We can then explain to you what risks you are facing within your
    company and help you reduce them.

    We can deploy a monitoring service within your infrastructure in
    order to detect any abnormalities within your information system.
    We can also integrate security equipment such as firewalls, SIEM,
    IPS and IDS within your information system to anticipate and
    mitigate security incidents.

    AlgoCERT also offers a warning service about recently published
    vulnerabilities specific to the products that you use within your
    information system, so that you can be aware of vulnerabilities,
    the potential public exploits and patches.

    Finally, we provide training services to better educate your users
    about computer security. We can either go to your facilities and
    speak directly with the users, or send you documents that we have
    made (such as slideshows, tutorials about products, posters, etc.)
    that you can then edit and present yourself to your users.

    Detailed descriptions of the aforementioned services can be found
    on our website.

6. Incident Reporting Forms

    When declaring an incident, we kindly ask you to use the form
    available at https://www.algosecure.fr/cert/

    Feel free to include a lot of information regarding the incident.
    That way, we can properly start researching and investigating the
    incident.

    You can also contact us using the contact information detailed in
    section 2 of this document.

7. Disclaimers

    While every precaution will be taken in the preparation of
    information, notifications and alerts, AlgoCERT assumes no
    responsibility for errors or omissions, or for damages resulting
    from the use of the information contained within.