The Janet security contact


In order to investigate security reports and disseminate information within the education and research community, each Janet-connected organisation must provide Jisc CSIRT with security contacts. The requirements and expectations of security contacts are outlined here.

The security contact

Jisc CSIRT expects the security contact for a Janet organisation to be a person with time, competence, authority and management support to reliably ensure that the organisation takes prompt and effective action in response to requests and information from Jisc CSIRT. We also expect you to ensure that your organisation, users, visitors and customers adhere to the Janet Acceptable Use Policy and Security Policy (https://ji.sc/policies).

The size and structure of organisations vary hugely and we do not expect our security contact to have direct control over all aspects of their organisation or third parties, but we do expect you to handle these organisational issues and provide a local point of coordination.

We also expect you to notify us when the details of your security contact change. We cannot tell if you have had staffing or organisational changes. See Maintenance of Contact Information later in this note.

As a minimum, each Connected Organisation must provide the following information:

  • Name, role, email address
  • Distribution group, fan out or team email address
  • Emergency phone number

Security Contacts have roles in both the prevention and resolution of security incidents. Security Contacts must disseminate Jisc's warnings of general risks and precautions to appropriate people within the organisation(s) for which they are responsible, and ensure that appropriate preventive measures are taken promptly. Security Contacts must ensure that any particular security breach or risk that has been reported to them by Jisc as affecting an organisation for which they are responsible is investigated and resolved promptly, and must inform Jisc that this has been done.

Security Contacts should notify Jisc of any serious cyber security incidents even where no assistance is required as an incident may be part of a wider campaign and any information that can be provided may help other Janet-connected organisations. Security Contacts are also encouraged to share information about cyber security incidents with peers via the Cyber community group (https://www.jisc.ac.uk/get-involved/cyber-security-community-group).

Email

Jisc CSIRT will normally communicate with the security contact by email, and Jisc CSIRT expects you to read messages and act on them within a few hours.

For almost every email sent to you, you can presume that we require at least an acknowledgment unless it has been explicitly stated otherwise. We will not have any great knowledge of your organisation, working practices and network, and it is difficult for us to tell the difference between emails which are not acted on, and emails which are not acknowledged. We recognise that in some cases it will take a little longer to complete any action necessary, and that you will need to triage and prioritise tasks.

If your organisation uses an automated ticketing system you may want Jisc CSIRT to include your own ticket reference along with our own, which we are normally able to do. Please try to ensure that your system does not send automated acknowledgments or updates that take no account of our ticket number or the rest of the Subject: of our messages.

We do not need you to include in your reply the whole of our report or question to you. Selective quoting is recommended.

Role addresses

The email address for the security contact may be that of an existing role such as support or helpdesk, or of a role created specially for the purpose such as csirt-contact. The benefits are that usually role accounts are available to more than one person and are likely to be read more promptly, and that when staff move any changes to email forwarding are purely local so that Jisc CSIRT can use the role address without alteration. A possible disadvantage is that where people share a role it is possible for each of them to believe that another one is dealing with a request from Jisc CSIRT whereas actually nobody is. Suitable working practices, or ticketing systems, are not hard to devise, implement and document.

Local fan-out lists

Another approach also acceptable to Jisc CSIRT and with advantages similar to those of using a role account is to operate a small local mailing list. The list receives mail sent to some address such as csirt-contacts and delivers a copy to a number of people on the basis that at any time at least one of them will be able to deal with it promptly. Some organisations think it appropriate for the IT Manager or some similar person to be included in the list, so that they are aware of security news and particular events affecting their organisation and can direct staff effort to suit. The danger of diluting responsibility arises in the same way as it does for a shared role account.

Email filters

Most organisations and many individuals apply some filtering to incoming email messages, to more easily survive the flood of Unsolicited Bulk Email (UBE), viruses and other abuse in the current hostile environment. One filtering or rejection technique is to examine message contents for patterns thought to indicate abuse and to be absent from wanted messages.

Unfortunately, filtering software and rules can wrongly classify the reports that Jisc CSIRT may need to send you:

  • Sometimes we send copies or partial copies of email abuse (typically UBE or spam) about which we want you to take some action. The presence of the copy material in our message can trigger the same response as if it was sent in actual abuse.
  • We may cryptographically sign our reports or encrypt the contents. Some content filters are not able to distinguish between the encrypted parts of the resulting messages and an unidentified virus, and may reject them.

There are three kinds of ways you may be able to configure your filtering software or service to let our reports through without loss or delay:

  1. You can give us a role contact address to which filtering is not applied.
    You should probably already be doing this for the postmaster address required by RFC 2821 and related RFCs, and you might extend it to the security or abuse addresses described in RFC 2142 and let us use one of those; or you can set up a special role address for this purpose only.
    • RFC 2821 Simple Mail Transfer Protocol
    • RFC 2142 Mailbox Names for Common Services, Roles and Functions
  2. You can allow-list our originating email address irt@jisc.ac.uk.
    This exposes you to abuse from any bulk mailer, virus or worm that falsely uses our address, as does happen from time to time. Normal care and good practice will still protect you from actual damage, so this solution is not unworkable.

Telephone

Jisc CSIRT will telephone for:

  • urgent contact in case of an emergency where it is important to get the cooperation of the Janet-connected organisation very quickly;
  • escalation where we have had no substantive response to email requests or the email contact address appears not to work;
  • detailed technical discussion in specific situations where we feel it will be more effective than email.

Just as for email details, it is not essential that a technician or network manager routinely answers the contact number given. It is more important that it is an attended number and that anyone likely to answer it will understand who we need to speak to and is able to put us in touch promptly. A number in an office shared by several network staff who are unlikely to be away from the office all at the same time may well be suitable; a helpdesk number where staff are trained to recognise calls from Jisc CSIRT and to route them to the right people within the organisation is another possibility available in some organisations.

An out-of-hours number should also be provided, if available.

Named person

Despite the advantages of role contacts, it is also helpful to have the name of one or more of the real people involved. One workable form of data is the name of a person and their personal extension, Direct Dial or mobile phone number, along with an email address which is expanded to deliver to several people.

It is important that you have enough named contacts so that someone is available in the case of illness or holiday.

Multiple contacts

It is strongly recommended that organisations have at least two named persons, with email address and phone number recorded and, ideally, an out-of-hours number. Normally we will send email messages to all the addresses we have.

Mailing lists

Jisc CSIRT maintains two email lists, UK-Security-announce and UK-Security. Both are operated by JiscMail. Jisc CSIRT is the list “owner”, and the -request addresses for the lists each forward messages to us for action.

Neither list is strictly secret or private, but circulation is limited. We ask you not to make the contents publicly available; you might copy them to an internal Web site, but not to your external one.

Jisc CSIRT will add addresses at an organisation to either list or to both lists if the security contact there approves of the addition.

To join either or both of the lists, send your request to
UK-Security-announce-request@jiscmail.ac.uk or
UK-Security-request@jiscmail.ac.uk
as appropriate, and it will be forwarded to Jisc CSIRT for consideration. If you know who the security contact is for your organisation you should instead ask them to write to us, as it will eliminate the stage of asking for their approval.

Compulsory: UK-Security-announce

Jisc CSIRT uses the UK-Security-announce list to distribute material which is intended for all Janet-connected organisations, either because it is important for all and requires action, or because it is relevant to many organisations and only the organisations themselves will know who they are.

All email addresses supplied as security contact information are added to this list. Only Jisc CSIRT is authorised to send messages to the list; the addresses on it must be valid for delivery of mail but (at least for this purpose) they need not be configured so that mail can be sent from them.

Optional: UK-Security

The UK-Security list is available for discussion; list members can send messages from their addresses as they appear in the list for expansion and delivery to all the members. Note that this does not work if the e-mail address from which your mail appears to be sent is different from the one entered in the list, even though that may be your preferred address for delivery. Your organisation’s mail should be configured so that your sent mail matches your delivery address; but if it does not and you want to use the discussion facility, you must ensure that it is your sending address that appears in the list.

In practice Jisc CSIRT sends some announcements to both the UK-Security list and the UK-Security-announce list, which together make a virtual list UK-Security-all. JiscMail has a “Superlist” feature which ensures that an address on both lists then only receives one copy of a message sent.

Although some use is still made of the UK-Security list, in recent years most discussion has moved to the Jisc Cyber Community Group. To join this community see the information at https://www.jisc.ac.uk/get-involved/cyber-security-community-group

Multiple copies of messages

JiscMail has, of course, no automatic way to suppress duplicate copies of a message sent to one or both lists if they are to different addresses.
For instance,

  • you may ask us to use in UK-Security-announce a role address which is a local list, while some or all of the people it expands to are on UK-Security with their personal addresses;
  • or you may choose to have two or more addresses in UK-Security so that you can use either of them to post to the list.

The NOMAIL feature of JiscMail allows you to suppress list messages to any of your addresses. From the JiscMail front page set a password for your address using the link Register Password and then use the link Subscriber’s Corner.

Please do not over-use this facility. In particular make sure that at least one address remains set to have messages sent and will deliver them so that someone reads them and takes action.


Out-of-office replies

You must ensure that you do not send automatic replies to list messages, for a combination of reasons. On occasions when Jisc CSIRT is trying to disseminate information, to be informed that you are out of the office is not satisfactory. In discussion use, there is no justification for troubling Jisc CSIRT (as list owners) or contributors to the list with such responses, let alone passing an out-of-office response back to the address of the list itself and so to all list members.

You may be able to filter list messages so that they are delivered to a folder in your absence (and for that matter even when you are in the office) and you can read or dispose of them in your own time; otherwise for the discussion list UK-Security you will have to suspend your list subscription for the time you are away. Jisc CSIRT will not do that for you; you can use the NOMAIL feature of JiscMail (see Multiple copies of messages).

For the announcement list you may still apply some filtering but you will need to make your own arrangements, perhaps with one or more colleagues, for someone to read and respond to any messages needing action.

Genuine error messages may arise if your organisation’s mail service is experiencing difficulty; these will always be delivered to Jisc CSIRT and may convey useful information, and there is no need to try to suppress them. Such error reports come from your organisation’s mail server and not from your own desktop mail program.

Maintenance of contact information

Security Contact data must be reviewed and confirmed to Jisc on a quarterly basis. The database of contact details is held by the Jisc Service Desk (JSD). To confirm details, update your details or to check what is at present recorded, please contact them by email (service@jisc.ac.uk) or telephone (0300 300 2212).

Other contacts

JSD also have other contact information for your organisation in relation to your connection to Janet and to any billing, management or policy questions which arise. Jisc CSIRT has sight of some of this information and will use it if other routes fail.

Personal data

Jisc Privacy Notice

Jisc SOC Data Privacy Impact Assessment

In addition to the provisions of that policy, Jisc CSIRT will normally not reveal the identity of security or other contacts at Janet-connected organisations to people from other Janet-connected organisations or elsewhere without obtaining their permission. However, Jisc CSIRT’s purpose is to respond to security incidents and concerns, and when urgent action is required we may consider it expedient to pass contact details directly to other parties involved in the incident. In such cases we will point out that the personal data is only to be used to resolve the immediate matter in hand.

Note also that in many cases the same personal data is published by someone else (perhaps in the organisation’s Web pages or one or more whois databases). Neither Jisc nor Jisc CSIRT accept any responsibility for use of information obtained in such ways.