1. Information about this document

This document describes the computer security incident response service of the University of Lisbon according to RFC 2350.

1.1 Last updated

2022/04/04 (yyyy/mm/dd)

1.2 Distribution list for notifications

There is no distribution channel to notify changes to this document. Updates to this document will be available at the location specified in section 1.3.

1.3 Access to this document

The updated version of this document is available at
https://www.ulisboa.pt/sites/ulisboa.pt/files/basicpage/docs/rfc2350-en.txt

The Portuguese language version is available at
https://www.ulisboa.pt/sites/ulisboa.pt/files/basicpage/docs/rfc2350-pt.txt

1.4 Authenticity of this document

Both the Portuguese and English versions of this document have been signed with the CSIRT-ULisboa's PGP key. The signatures are also on our website, under:
https://www.ulisboa.pt/sites/ulisboa.pt/files/basicpage/docs/rfc2350-pt.txt.asc
https://www.ulisboa.pt/sites/ulisboa.pt/files/basicpage/docs/rfc2350-en.txt.asc

2. Contact information

2.1 Name of the team

CSIRT-ULisboa

2.2 Address

Reitoria da Universidade de Lisboa
Alameda da Universidade
1649-004 Lisbon
Portugal

2.3 Time zone

Portugal/WEST (GMT+0, GMT+1 in daylight saving time)

2.4 Telephone number

+351 217 967 624

2.5 Facsimile number

+351 210 113 402

2.6 Other telecommunication

None.
2.7 Electronic mail address

Electronic mail address to notify about computer security information incidents: csirt@ulisboa.pt
Electronic mail address for IT support: suporte@ulisboa.pt
Electronic mail address for other issues: reitoria@ulisboa.pt

2.8 Public keys and encryption information

PGP Key ID: 0xFFFDBB19
PGP Fingerprint: EF91 E037 C74F 5F55 F64F 5308 9DD6 9BDD E74C 9D07

The key is available at
https://www.ulisboa.pt/sites/ulisboa.pt/files/basicpage/docs/pgp-csirt.asc

2.9 Team members

Members: André Jesus

More information about CSIRT-ULisboa can be found at https://www.ulisboa.pt/info/csirt/

2.10 Other information

2.11 User contact means

The preferred method for contacting CSIRT-ULisboa is via e-mail as described in section 2.7, using the template shown in section 6.

3. Charter

3.1 Mission statement

The purpose of CSIRT-ULisboa is to allow the University of Lisbon to coordinate security efforts and incident response for IT-security problems at the University of Lisbon.

3.2 Constituency

CSIRT-ULisboa coordinates responses to cybersecurity incidents that involve any entity within the University of Lisbon, including devices belonging to a network or address allocated exclusively to the University of Lisbon.

3.3 Affiliation

CSIRT-ULisboa is a service of the University of Lisbon. CSIRT-ULisboa keeps a close coordination with RCTS CERT (https://www.fccn.pt/seguranca/rcts-cert/).

3.4 Authority

CSIRT-ULisboa's authority is defined by the Rector of the University of Lisbon. CSIRT-ULisboa hopes to collaborate with the various IT departments across the university. If no answer is received within an acceptable time, and if the incident requires it, connectivity may be restricted or blocked.

4. Policies

4.1 Incident types and support level

CSIRT-ULisboa handles all types of cybersecurity incidents, categorized in the following types:

a) Malicious code
b) Availability
c) Information Collection
d) Intrusion Attempt
e) Intrusion
f) Information security
g) Fraud
h) Abusive Content
i) Vulnerable
j) Other

The level of support given by CSIRT-ULisboa varies depending on the type, severity and scope of ongoing incidents and the resources available for its treatment. CSIRT-ULisboa is not a helpdesk team; end users shall contact their corresponding IT team.

4.2 Cooperation, interaction and privacy policy

CSIRT-ULisboa's privacy and data protection policy establishes that sensitive information can be sent to third parties only and exclusively on a real-need basis, with the exception of judicial entities. Information that is not confidential will be used for statistical purposes, which can be disclosed to other entities.

4.3 Communication and authentication

For normal communication not containing sensitive information, phone and non-encrypted e-mail are considered sufficient. To transmit sensitive information, PGP usage is mandatory.

5. Services

5.1 Coordination of security incidents

CSIRT-ULisboa will coordinate a response to a security incident between the interested/affected parties. This coordination will typically involve the asset owner or the team responsible for the involved network segment. Incident handling can start on CSIRT-ULisboa's own initiative, for example for a large-scale incident, or can be started by other designated means. Auto-generated reports and data feeds will be handled as automatically as possible. This incident coordination includes:

5.1.1 Incident triage

1) Determining whether an incident is authentic, if possible;
2) Determining the involved entities;
3) Assessing and prioritizing the incident.
5.1.2 Incident coordination

1) Contact the involved entities to investigate the incident and take the appropriate steps;
2) Facilitate contact with other parties which can help resolve the incident;
3) Send a response to other CSIRTs or the original requester.

CSIRT-ULisboa works as an information hub which knows where to send the right incident reports in order to help and facilitate the resolution of IT security incidents.

5.1.3 Incident resolution

CSIRT-ULisboa follows up on the progress of the concerned local security teams. If an incident is not solved in a timely manner, CSIRT-ULisboa can, where necessary, initiate the process to restrict connectivity and/or analyze the involved assets. CSIRT-ULisboa will also collect statistics about incidents.

5.2 Proactive activities

CSIRT-ULisboa coordinates and maintains the following services:

1) Risk analysis;
2) Security audits;
3) Dissemination of alerts;
4) Configuration and maintenance of security tools;
5) Intrusion detection analysis;
6) Dissemination of information related to security;
7) Internal vulnerability checking.

CSIRT-ULisboa does not carry out the abovementioned mitigation or resolution measures. This responsibility lies with each person responsible for the affected asset.

6. Incident reporting forms

When submitting a security incident, it is necessary to indicate clearly:

1) IP address and port for the source and destination (4 items);
2) The accurate date, time and time zone or, if that is not possible, the time interval;
3) Packet headers;
4) Incident category according to section 4.1.

7. Disclaimer

While every precaution will be taken in the preparation of information, on the internet portal or other means of communication, CSIRT-ULisboa assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.

Incident notification to CSIRT-ULisboa does not substitute notification to judicial authorities or other legal institutions when the incident also constitutes an illegal act whose criminal procedure depends on an official complaint or private accusation.