We are the Computer Security and Incident Response Team (CSIRT) for the Janet network. Part of Jisc's Security Operations Centre, our mission is to safeguard the current and future network security of Janet (steering the security policies for all Janet connections) and of our customers, creating a secure environment to conduct your online activities. Our primary function is to monitor and resolve any security incidents that occur on the Janet network, with specialists tracking a range of platforms, including Unix, Linux and Windows.

CSIRTs and the distribution of sensitive data

Tuesday, June 17, 2014 - 16:00

Andrew's recent post on the legal issues of cleaning up after botnet infections has prompted me to write something about how the way Janet CSIRT operates helps with these issues in our community.

During our investigation of incidents we frequently encounter logs and datasets that contain potentially sensitive information. These are frequently sourced from data breaches or malware infections - and more often than not from third-party systems outside of Janet. The data can contain personal data, payment card data or details of network traffic from Janet systems. On at least one occasion we've dealt with a breach of sensitive medical information.

Ideally, in these cases, the only information we are exposed to relates to Janet customers. Unfortunately, determining which data relates to our customers can be a difficult task. Do we filter based on IP addresses allocated via Janet? IP addresses routed through Janet? Data relating to ac.uk domains? What about ac.uk domains hosted off Janet? Inevitably we end up filtering data from larger datasets.

Using our internal customer records we can then further split the data according to the customer it relates to and then route it to the appropriate security contacts. The approach of having a central point of coordination such as a CSIRT ensures that data is not exposed to more people than is necessary, but that it is still effectively disseminated to help those affected by the incident.
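The filter-then-split step described above can be sketched as follows. This is an added example, not Janet CSIRT's own tooling: the customer table, the record fields (`ip`, `email`) and all sample values are constructed, using documentation address ranges and example domains. It applies two of the criteria the post raises (allocated prefixes, then customer domains, which also catches a customer domain hosted off-network) and counts out-of-scope records without retaining them.

```python
import ipaddress
from collections import defaultdict

# Constructed customer records (assumption): documentation prefixes and
# example domains stand in for a CSIRT's real internal customer database.
CUSTOMERS = {
    "uni-a": {"prefixes": ["192.0.2.0/25"], "domains": ["uni-a.example.ac.uk"]},
    "college-b": {"prefixes": ["198.51.100.0/24", "2001:db8:b::/48"],
                  "domains": ["college-b.example.ac.uk"]},
}

# Constructed sample of a third-party dataset (not real data).
SAMPLE = [
    {"ip": "192.0.2.10", "email": "a@mail.example.com"},             # customer prefix
    {"ip": "203.0.113.5", "email": "b@college-b.example.ac.uk"},     # domain hosted off-network
    {"ip": "203.0.113.9", "email": "c@notcollege-b.example.ac.uk"},  # look-alike suffix
    {"ip": "192.0.2.200", "email": "d@example.org"},                 # outside the /25
    {"ip": "not-an-ip", "email": "e@dept.uni-a.example.ac.uk"},      # malformed IP field
]

def match_customer(record, nets, doms):
    """Return (customer, reason), or (None, None) if the record is out of scope."""
    try:
        addr = ipaddress.ip_address(record.get("ip", ""))
    except ValueError:
        addr = None  # malformed or missing: fall through to the domain check
    for net, name in nets:
        if addr is not None and addr.version == net.version and addr in net:
            return name, "ip"
    host = record.get("email", "").rpartition("@")[2].lower().rstrip(".")
    for dom, name in doms:
        # Match the domain or a subdomain of it, never a bare string suffix.
        if host == dom or host.endswith("." + dom):
            return name, "domain"
    return None, None

def split_by_customer(records, customers=CUSTOMERS):
    """Bucket in-scope records per customer; count, but do not retain, the rest."""
    nets = sorted(((ipaddress.ip_network(p), n) for n, c in customers.items()
                   for p in c["prefixes"]), key=lambda x: x[0].prefixlen, reverse=True)
    doms = [(d.lower(), n) for n, c in customers.items() for d in c["domains"]]
    buckets, dropped = defaultdict(list), 0
    for rec in records:
        name, reason = match_customer(rec, nets, doms)
        if name is None:
            dropped += 1
            continue
        buckets[name].append({**rec, "matched_on": reason})
    return dict(buckets), dropped
```

Each bucket can then be sent only to that customer's security contacts, and the `matched_on` field records which criterion brought a record into scope.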