The JANET security contact
What's this all about?
JANET CSIRT has specific needs to communicate with
JANET organisations in both directions.
While the arrangements for contacting JANET CSIRT
are straightforward,
it may not be obvious to JANET organisations what is expected of
them and how we maintain and use the details they supply.
This note is primarily intended for managers of network services
and Directors of Information Services within JANET organisations.
It will also be of interest to those whose details are recorded
for JANET CSIRT purposes,
and possibly to people wishing to join
JANET CSIRT e-mail lists.
The JANET security contact
JANET requires all connected organisations
to provide security contact details:
- name;
- e-mail address;
- telephone.
JANET CSIRT expects the security contact for a JANET organisation
to be a person with time, competence, authority and management support
to reliably ensure that the organisation takes prompt and effective action
in response to requests and information from JANET CSIRT:
- specific requests about the organisation's network;
- broadcast requests for action to be taken by all
  JANET organisations;
- broadcast advisory notes which may or may not be relevant
  to the organisation,
  so that an initial task is to see that someone in the
  organisation decides.
We also expect you to keep up to date the contact details
you supply to us.
See
Maintenance of contact information
later in this note.
It is not essential that the security contact is the person who
will implement any technical changes necessary;
only that they are able to get such changes made when
JANET CSIRT asks them to.
E-mail
JANET CSIRT will normally communicate with the
security contact by e-mail,
and JANET CSIRT expects you to read messages and act on them
within a few hours.
For requests specific to your organisation,
we value an acknowledgment and an indication that the matter
is in hand.
We recognise that in some cases it will take a little longer
to complete any action necessary.
Mail messages which JANET CSIRT sends
will have a ticket number, inserted automatically
both in the Subject: and in the body of the message.
Ticket references are of the form
JANET_CSIRT#nnnnnn,
including a six-digit serial number.
In the message Subject: the ticket reference is enclosed
in square brackets:
[JANET_CSIRT#nnnnnn].
Please include the ticket number
in the Subject: of your acknowledgment
and of further correspondence about the same issue.
With most e-mail programs
the "Reply" action
will insert the ticket reference in the message Subject:
automatically.
If your organisation also uses a partly automated ticketing
system you may want JANET CSIRT to include your
own ticket reference, which we are normally able to do.
Please try to ensure that your system does not send
automated acknowledgments or updates
that take no account of our ticket number or the rest of the
Subject: of our messages.
We do not need you to include in your reply the whole of our
report or question to you.
Selective quoting is best if you can do it.
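One way a local ticketing system can honour this when it sends automated acknowledgments, as an added example that is not part of the original note or JANET CSIRT's own tooling. The sample message, the local reference HELPDESK#0042 and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string, policy

# Ticket reference as described above: "JANET_CSIRT#" plus exactly six digits.
TICKET_RE = re.compile(r"JANET_CSIRT#\d{6}(?!\d)")

# Constructed sample: a report whose Subject lost the ticket reference in transit
# (for example, rewritten by a local gateway) but whose body still carries it.
SAMPLE = """\
From: JANET CSIRT <irt@csirt.ja.net>
To: csirt-contact@example.org
Subject: Re: Re: Suspected compromised host

Ticket JANET_CSIRT#123456: please investigate the host described below.
"""

def parse(raw):
    # policy.default unfolds long Subject: lines and decodes RFC 2047 words.
    return message_from_string(raw, policy=policy.default)

def csirt_ticket(msg):
    """Return the ticket reference from the Subject:, else from the body, else None."""
    m = TICKET_RE.search(str(msg.get("Subject", "")))
    if m is None:
        body = msg.get_body(preferencelist=("plain",))
        m = TICKET_RE.search(body.get_content()) if body is not None else None
    return m.group(0) if m else None

def ack_subject(msg, local_ref):
    """Subject: for an automated acknowledgment that keeps the rest of the original
    Subject:, the bracketed CSIRT ticket reference, and adds the local reference."""
    subject = " ".join(str(msg.get("Subject", "")).split())
    core = re.sub(r"(?i)^(re:\s*)+", "", subject)   # collapse stacked "Re:" prefixes
    ticket = csirt_ticket(msg)
    if ticket and f"[{ticket}]" not in core:
        core = f"[{ticket}] {core}"                 # restore the bracketed form
    return f"Re: {core} [{local_ref}]"

if __name__ == "__main__":
    # "HELPDESK#0042" is a hypothetical local ticket reference.
    print(ack_subject(parse(SAMPLE), "HELPDESK#0042"))
```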
Role addresses
The e-mail address for the security contact
may be that of an existing
role such as support or helpdesk,
or of a new role created specially for the purpose such as
csirt-contact.
In either case the benefits are that usually role accounts are
available to more than one person and are likely to be read more
promptly,
and that when staff move any changes to e-mail forwarding are
purely local so that JANET CSIRT can use the role address
without alteration.
A possible disadvantage is that where people share a role it is
possible for each of them to believe that another one is dealing
with a request from JANET CSIRT whereas actually nobody is,
but suitable working practices are not hard to devise and document.
Local fan-out lists
Another approach also acceptable to JANET CSIRT
and with advantages similar to those of using a role account
is to operate a small local mailing list.
The list receives mail sent to some address such as
csirt-contacts
and delivers a copy to
a number of people on the basis that at any time at least one
of them will be able to deal with it promptly.
Some organisations think it appropriate for the IT Manager
or some similar person to be included in the list, so that
they are aware of security news and particular events affecting
their organisation and can direct staff effort to suit.
The danger of diluting responsibility arises in the same way
as it does for a shared role account.
E-mail filters
Most organizations and many individuals apply some filtering
to incoming e-mail messages,
to more easily survive the flood of UBE, viruses and other abuse
in the current hostile environment.
One filtering or rejection technique is to examine message contents
for patterns thought to indicate abuse
and to be absent from wanted messages.
Unfortunately, filtering software and rules can wrongly classify
the reports that JANET CSIRT may need to send you:
- Sometimes we send copies or partial copies
  of e-mail abuse
  (typically UBE, Unsolicited Bulk E-mail
  or spam)
  about which we want you to take some action.
  The presence of the copy material in our message
  can trigger the same response as if it was sent in actual abuse.
- We often cryptographically sign our reports using OpenPGP,
  and occasionally encrypt the contents.
  Some content filters are not able to distinguish between
  the encrypted parts of the resulting messages
  and an unidentified virus,
  and may reject them.
There are three kinds of ways you may be able to configure
your filtering software or service to let our reports through
without loss or delay:
- You can give us a role contact address to which
  filtering is not applied.
  You should probably already be doing this for the
  postmaster address required by RFC 2821 and related RFCs,
  and you might extend it to the security or abuse
  addresses described in RFC 2142
  and let us use one of those;
  or you can set up a special role address for this purpose only.
  - RFC 2821, Simple Mail Transfer Protocol
  - RFC 2142, Mailbox Names for Common Services, Roles and Functions
- You can whitelist our originating e-mail address
  irt@csirt.ja.net.
  This exposes you to abuse from any bulk mailer, virus or worm
  that falsely uses our address, as does happen from time to time.
  Normal care and good practice will
  still protect you from actual damage,
  so that this solution is not unworkable.
- You can whitelist the IP addresses of our mail servers:
    212.219.244.220 mail1.norse.ukerna.ac.uk
    193.60.199.98 mail2.norse.ukerna.ac.uk
  This is effective as the addresses are stable
  and the servers well-managed.
Note that you MUST NOT send delivery failure notifications
for anything your filters decide not to deliver;
you have to assume that the originator address of a message
which is UBE or contains a virus is forged.
We will never know you didn't get our report.
Telephone
JANET CSIRT will use the telephone number for:
- urgent contact in case of an emergency where it is important
  to get the cooperation of the JANET organisation
  very quickly;
- escalation where we have had no substantive response to
  e-mail requests or the e-mail contact address
  appears not to work;
- detailed technical discussion in specific situations where we feel
  it will be more effective than e-mail.
Just as for e-mail details,
it is not essential that a technician or network manager
routinely answers the contact number given.
It is more important that it is an attended number and that anyone
likely to answer it will understand who we need to speak to
and is able to put us in touch promptly.
A number in an office shared by several network staff who are
unlikely to be away from the office all at the same time
may well be suitable;
a helpdesk number where staff are trained to recognise calls
from JANET CSIRT
and to route them to the right people within the organisation
is another possibility available in some organisations.
The office number of a technician or network manager
who spends much of her time in other parts of the site,
or the organisation's PABX operator or receptionist,
do not usually work well for this purpose.
Direct Dial-In numbers are preferred;
but a switchboard number and extension are acceptable.
Our experience is that a switchboard number and name only
are not always effective in a larger organization.
Named person
Despite the advantages of role contacts,
it is often helpful to have the name of one or more
of the real people involved.
One workable form of data is the name of a person
and their personal extension, Direct Dial or mobile phone number,
along with an e-mail address
which is expanded to deliver to several people.
Multiple contacts
JANET CSIRT is happy to have more than one person,
e-mail address and phone number recorded,
with a practical limit of three or four.
Normally we will send e-mail messages to all the addresses
we have.
Mailing lists
JANET CSIRT maintains two e-mail lists,
UK-Security-announce
and
UK-Security.
Both are operated by JISCmail using LISTSERV technology.
JANET CSIRT is the list "owner"
(in LISTSERV terminology),
and the
-request addresses for the lists
each forward messages to us for action.
Neither list is strictly secret or private,
but circulation is limited.
We ask you not to make the contents publicly available;
you might copy them to an internal Web site,
but not to your external one.
JANET CSIRT will add addresses at an organisation
to either list or to both lists
if the security contact there approves of the addition.
To join either or both of the lists, send your request to
UK-Security-announce-request@jiscmail.ac.uk or
UK-Security-request@jiscmail.ac.uk
as appropriate, and it will be forwarded to
JANET CSIRT for consideration.
If you know who the security contact is for your organisation
you should instead ask them to write to us,
as it will eliminate the stage of asking for their approval.
Compulsory; UK-Security-announce
JANET CSIRT uses the
UK-Security-announce
list to distribute material which is intended for all JANET organisations,
either because it is important for all and requires action,
or because it is relevant to many organisations and
only the organisations themselves will know who they are.
All e-mail addresses supplied as security contact information
are added to this list.
Only JANET CSIRT is authorised to send messages to the list;
the addresses on it must be valid for delivery of mail
but (at least for this purpose)
they need not be configured so that mail can be sent from them.
Optional; UK-Security
The
UK-Security
list is available for discussion;
list members can send messages from their addresses as they
appear in the list for expansion and delivery to all the
members.
Note that this does not work if the e-mail address from which
your mail appears to be sent is different from the one entered
in the list, even though that may be your preferred address for
delivery.
Your organisation's mail should be configured so that your sent
mail matches your delivery address;
but if it does not and you want to use the discussion facility,
you must ensure that it is your sending address that appears
in the list.
In practice JANET CSIRT sends most announcements to both the
UK-Security list
and the UK-Security-announce list,
which together make a virtual list UK-Security-all.
JISCmail has a "Superlist" feature
which ensures that an address on both lists
then only receives one copy of a message sent.
Multiple copies of messages
JISCmail has, of course, no automatic way to suppress duplicate copies
of a message sent to one or both lists if they are to different addresses.
For instance,
- you may ask us to use in UK-Security-announce
  a role address which is a local list,
  while some or all of the people it expands to
  are on UK-Security with their personal addresses;
- or you may choose to have two or more addresses in UK-Security
  so that you can use either of them to post to the list.
The NOMAIL feature of JISCmail
allows you to suppress list messages to any of your addresses.
From the JISCmail front page
set a password for your address using the link
Register Password
and then use the link
Subscriber's Corner.
Please do not over-use this facility.
In particular make sure that at least one address
remains set to have messages sent
and will deliver them so that someone reads them and takes action.
Out-of-office replies
You must ensure that you do not send automatic replies to list
messages, for a combination of reasons.
On occasions when JANET CSIRT
is trying to disseminate information,
to be informed that you are out of the office is not satisfactory.
In discussion use, there is no justification for troubling
JANET CSIRT (as list owners)
or contributors to the list
with such responses,
let alone passing an out-of-office response back
to the address of the list itself and so to all list members.
You may be able to filter list messages so that they are delivered
to a folder in your absence
(and for that matter even when you are in the office)
and you can read or dispose of them in your own time;
otherwise for the discussion list UK-Security
you will have to suspend your list subscription for the time you are away.
JANET CSIRT will not do that for you;
you can use the NOMAIL feature of JISCmail
(see Multiple copies of messages).
For the announcement list you may still apply some filtering
but you will need to make your own arrangements,
perhaps with one or more colleagues,
for someone to read and respond to any messages needing action.
Genuine error messages may arise if your organisation's mail service
is experiencing difficulty;
these will always be delivered to JANET CSIRT
and may convey useful information,
and there is no need to try to suppress them.
Such error reports come from your organisation's mail server
and not from your own desktop mail program.
For the information of anyone wishing to process or filter list
messages automatically, lines such as these from the message
header should be a positive identification.
For a message sent to both the UK-Security
and the UK-Security-announce lists:
    Sender: General security announcement from JANET CSIRT
     <UK-SECURITY-ALL@JISCMAIL.AC.UK>
    To: UK-SECURITY-ALL@JISCMAIL.AC.UK
    Precedence: list
For a message sent to the UK-Security-announce list alone:
    Sender: JANET CSIRT special announcements
     <UK-SECURITY-ANNOUNCE@JISCMAIL.AC.UK>
    To: UK-SECURITY-ANNOUNCE@JISCMAIL.AC.UK
    Precedence: list
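A filter along these lines, as an added example rather than anything supplied by JANET CSIRT or JISCmail: it identifies the two list streams from the header lines above and decides whether an automatic reply (such as an out-of-office message) may be sent. The sample message and function names are constructed for illustration, and treating Precedence: bulk and junk like list is an assumption beyond the headers shown.

```python
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# List addresses from the header samples above, lower-cased for comparison.
LISTS = {
    "uk-security-all@jiscmail.ac.uk": "UK-Security-all",
    "uk-security-announce@jiscmail.ac.uk": "UK-Security-announce",
}
# "list" is the value shown above; "bulk" and "junk" are other conventional
# Precedence: values, added here as an assumption.
NO_REPLY_PRECEDENCE = {"list", "bulk", "junk"}

# Constructed sample using the header lines quoted above (folded Sender: included).
ANNOUNCE = """\
From: JANET CSIRT <irt@csirt.ja.net>
Sender: JANET CSIRT special announcements
 <UK-SECURITY-ANNOUNCE@JISCMAIL.AC.UK>
To: UK-SECURITY-ANNOUNCE@JISCMAIL.AC.UK
Precedence: list
Subject: Constructed announcement

Body text.
"""

def classify(raw):
    """Return (list_name_or_None, may_auto_reply) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)  # unfolds headers
    sender = parseaddr(str(msg.get("Sender", "")))[1].lower()
    to = {addr.lower() for _, addr in getaddresses([str(msg.get("To", ""))])}
    precedence = str(msg.get("Precedence", "")).strip().lower()
    # Positive identification needs all three header lines to agree.
    is_list = sender in LISTS and sender in to and precedence == "list"
    # Be stricter for auto-replies: any one list indicator silences them.
    may_auto_reply = sender not in LISTS and precedence not in NO_REPLY_PRECEDENCE
    return (LISTS[sender] if is_list else None), may_auto_reply

if __name__ == "__main__":
    print(classify(ANNOUNCE))   # file under the list's folder, send no auto-reply
```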
Maintenance of contact information
The database of contact details is held by the
JANET Service Desk.
To update your details or to check what is at present recorded,
please contact them by e-mail
(service@ja.net)
or telephone
(0870 850 2212).
Other contacts
JSD also have other contact information for your organisation
in relation to your connection to JANET
and to any billing, management or policy questions which arise.
JANET CSIRT has sight of some of this information
and will use it if other routes fail.
Personal data
JANET's Privacy Policy
In addition to the provisions of that policy,
JANET CSIRT will normally not reveal the identity
of security or other contacts at JANET organisations to people
from other JANET organisations or elsewhere without obtaining
their permission.
However, JANET CSIRT's purpose
is to respond to security incidents and concerns,
and when urgent action is required we may consider it expedient
to pass contact details directly to other parties
involved in the incident.
In such cases we will point out that the personal data
is only to be used to resolve the immediate matter in hand.
Note also that in many cases the same personal data
is published by someone else
(perhaps in the organisation's Web pages or one or more
whois databases).
Neither JANET nor JANET CSIRT
accept any responsibility for use of information obtained in such
ways.
Contacting JANET CSIRT
It is helpful to tell us the name of your organisation
as well as your own short-term contact details
(which we recognise may not always be those already known to us).
If you are responding to something we have sent you
it will always have a JANET CSIRT ticket reference
and it is important that you are able to tell us what it is.
The team member answering your e-mail message or telephone call
may not have been previously involved with the particular thread of
correspondence.
Out of hours
At most times outside usual office hours in the UK,
you can call our published telephone number (above)
and if the matter is urgent,
an answering service will call out one or more duty team members;
but we do not monitor incoming e-mail.
JANET CSIRT is aware that many JANET organisations
do not make staff available to respond to network security
incidents outside their ordinary business hours.