CSIRT Description for UZCERT
============================

1. About this document

1.1 Date of Last Update

This is version 1.0, published in January 2023.

1.2 Distribution List for Notifications

Currently UZCERT does not use any distribution lists to notify about changes in this document.

1.3 Locations where this Document May Be Found

The current version of this CSIRT description document is available from the UZCERT WWW site; its URL is
https://uzcert.uz/upload/files/rfc2350.txt
Please make sure you are using the latest version.

1.4 Authenticating this document

This document has been signed with the UZCERT PGP key. The signatures are also on our Web site, under:
http://www.uzcert.uz/about

2. Contact Information

2.1 Name of the Team

UZCERT

2.2 Address

UZCERT
Cybersecurity Center
St. Taras Shevchenko, 20
Tashkent
Uzbekistan

2.3 Time Zone

Uzbekistan Time (UZT), UTC/GMT +05:00

2.4 Telephone Number

+998 55 502 10 10

2.5 Facsimile Number

+998 55 502 10 10

2.6 Other Telecommunication

None available.

2.7 Electronic Mail Address

This is a mail alias that serves the human(s) on duty for UZCERT.

2.8 Public keys and Other Encryption Information

UZCERT has a PGP key whose KeyID is 5F48E7CD144EFB00 and whose fingerprint is
24F9 7763 1B7E 4A9F D515 EB74 5F48 E7CD 144E FB00
The key and its signatures can be found at the usual large public keyservers.

2.9 Other Information

General information about UZCERT, as well as links to various recommended security resources, can be found at
https://uzcert.uz/
UZCERT uses the following Facebook page to publish news about current activities:
https://www.facebook.com/csec.uz/

2.10 Points of Customer Contact

The preferred method for contacting UZCERT is via e-mail at ; e-mail sent to this address will be handled by the responsible human. We encourage our customers to use PGP encryption when sending any sensitive information to UZCERT.
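Before encrypting a report to the key named in section 2.8 or trusting the signature on this document (section 1.4), a sender should pin the full 160-bit fingerprint rather than the 64-bit KeyID: the KeyID is just the trailing 16 hex digits of the fingerprint, and keys can be generated to share it. The following Python is an added example, not part of the UZCERT document or any UZCERT tooling. It normalizes the published fingerprint, derives the KeyID from it, parses the primary-key fingerprint out of `gpg --with-colons --fingerprint` output, and refuses a look-alike key that only matches on KeyID. The sample gpg output and the look-alike fingerprint are constructed for the demonstration.

```python
"""Fingerprint-pinning check for a CSIRT's published OpenPGP key.

Added example; not part of the UZCERT RFC 2350 document. The constants below
are copied from section 2.8; SAMPLE_GPG_OUTPUT is constructed test data.
"""
import re
from typing import Optional

# Values as published in section 2.8 of the document.
PUBLISHED_FINGERPRINT = "24F9 7763 1B7E 4A9F D515 EB74 5F48 E7CD 144E FB00"
PUBLISHED_KEYID = "5F48E7CD144EFB00"


def normalize_fingerprint(fpr: str) -> str:
    """Strip spaces, colons and an optional 0x prefix; require a 40-hex v4 fingerprint."""
    cleaned = re.sub(r"[\s:]", "", fpr).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a 40-hex OpenPGP v4 fingerprint: {fpr!r}")
    return cleaned


def long_keyid(fpr: str) -> str:
    """The 64-bit 'long' KeyID is the last 16 hex digits of a v4 fingerprint."""
    return normalize_fingerprint(fpr)[-16:]


def published_values_consistent() -> bool:
    """Sanity check: the KeyID printed in section 2.8 must derive from the fingerprint."""
    return long_keyid(PUBLISHED_FINGERPRINT) == PUBLISHED_KEYID


def key_matches_published(observed: str) -> bool:
    """Accept a key only on a full-fingerprint match.

    A bare KeyID (8 or 16 hex digits) is rejected: it is not a 40-hex fingerprint,
    and matching on it would accept any key crafted to share the same KeyID.
    """
    try:
        return normalize_fingerprint(observed) == normalize_fingerprint(PUBLISHED_FINGERPRINT)
    except ValueError:
        return False


def primary_fingerprint(colon_output: str) -> Optional[str]:
    """Return the primary key's fingerprint from `gpg --with-colons --fingerprint` output.

    In gpg's colon format the fingerprint is field 10 of an 'fpr' record; the first
    'fpr' record after a 'pub' record belongs to the primary key, later ones to subkeys.
    """
    expecting_primary = False
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expecting_primary = True
        elif fields[0] == "fpr" and expecting_primary and len(fields) > 9:
            return fields[9]
    return None


# Constructed sample of `gpg --with-colons --fingerprint` output for the published key;
# the subkey, dates and user ID are made up for the example.
SAMPLE_GPG_OUTPUT = """\
pub:-:4096:1:5F48E7CD144EFB00:1600000000:::-:::scESC::::::23::0:
fpr:::::::::24F977631B7E4A9FD515EB745F48E7CD144EFB00:
uid:-::::1600000000::0000000000000000000000000000000000000000::UZCERT <example@example.invalid>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1600000000::::::e::::::23:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:
"""

# Constructed look-alike: same long KeyID as the published key, different fingerprint.
LOOKALIKE_FINGERPRINT = "F" * 24 + PUBLISHED_KEYID


if __name__ == "__main__":
    print("published KeyID consistent with fingerprint:", published_values_consistent())
    fpr = primary_fingerprint(SAMPLE_GPG_OUTPUT)
    print("primary fingerprint from gpg output:", fpr)
    print("matches published key:", key_matches_published(fpr or ""))
    print("look-alike shares KeyID:", long_keyid(LOOKALIKE_FINGERPRINT) == PUBLISHED_KEYID)
    print("look-alike accepted:", key_matches_published(LOOKALIKE_FINGERPRINT))
```

In practice, feed `primary_fingerprint()` the real output of `gpg --with-colons --fingerprint 0x5F48E7CD144EFB00` after fetching the key from a keyserver, and only encrypt or accept a signature when `key_matches_published()` returns True.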
If it is not possible (or not advisable for security reasons) to use e-mail, UZCERT can be reached by telephone around the clock. If possible, when submitting your report, use the form mentioned in section 6.

[Internal] UZCERT provides security researchers with its direct contact information, and internal organizations can contact UZCERT by phone, e-mail or another communication channel.
[External] UZCERT publishes its contact information on the Internet at https://www.csec.uz, together with its e-mail addresses.

3. Charter

3.1 Mission Statement

UZCERT's responsibilities are the following:
- centralized collection and analysis, and accumulation, of data on current threats to information and cyber security, and development of recommendations and proposals for the prevention of cyber-attacks against information systems and resources of government agencies and organizations;
- ensuring the protection of objects of informatization, including objects of critical information infrastructure, from potential information and cyber security threats and vulnerabilities;
- determination of the formats of interaction in the incident response process;
- coordination of the activities of other organizations in responding to information and cyber security incidents;
- cooperation with foreign CERT services and teams, and with government and non-government organizations, in the field of information and cyber security.

3.2 Constituency

Type of constituency:
- State and economic management bodies, local government bodies;
- Legal entities and individuals;
- Law enforcement agencies;
- Objects of critical information infrastructure (CI).

Description of constituency: users, owners and administrators of information systems and resources.

3.3 Sponsorship and/or Affiliation

UZCERT is financially maintained by the Fund for the Development of Information and Communication Technologies of the Republic of Uzbekistan.
3.4 Authority

The Act of 14 September 2019 "On Additional Measures to Improve the System of Control Over the Implementation of Information Technologies and Communications and the Organization of Their Protection" assigns a national role to the "Cybersecurity Center", within which UZCERT was organized. The parts of that role that specifically address operational aspects are:
- development and implementation of a set of information security measures in the national segment of the Internet;
- monitoring the state of information security in the national segment of the Internet;
- identification of incidents in the national segment of the Internet;
- response (prevention, investigation, elimination) to information and cyber security incidents in the national segment of the Internet;
- accumulation of information on identified information and cyber security incidents and the results of response to them;
- notification of users about detected incidents in the national segment of the Internet;
- study and application of the experience of foreign countries in monitoring and responding to information security incidents;
- processing of applications from individuals and legal entities regarding information and cyber security incidents in the national segment of the Internet;
- provision of advisory assistance to government agencies, operators, providers of data transmission networks, individuals and legal entities on the processing of information and cyber security incidents;
- interaction and cooperation with foreign CERT services on monitoring and response to information and cyber security incidents;
- development and implementation of appropriate systems for monitoring the state of information and cyber security in the national segment of the Internet;
- interaction with government agencies, law enforcement agencies, operators, providers and users of the national segment of the Internet in processing information security incidents;
- collection and analysis of information on the latest developments in the field of information security;
- participation in the development of proposals for the improvement of regulatory legal acts on ensuring information security of the national segment of the Internet;
- participation in the development of departmental and interdepartmental orders, and orders of the Center for Information Security;
- monitoring compliance with information security requirements in the work of the departments that form part of UZCERT;
- making proposals for the definition and revision of the material and technical base, software and hardware needed for the departments that form part of UZCERT to fulfil their functions and tasks;
- monitoring the safety of documents and information carriers of the Department that contain information to which access is restricted by law;
- record keeping and storage of documents.

4. Policies

4.1 Types of Incidents and Level of Support

Computer Security Events and Incidents Definition

UZCERT uses the internal documentation of SUE "Cybersecurity Center" to identify security incidents affecting the information systems and resources of SUE "Cybersecurity Center" and the services of UZCERT and SUE "Cybersecurity Center".
Incident handling policy

UZCERT receives notifications (mailings, publications, its own searches and discoveries) about vulnerabilities, responds to vulnerabilities, coordinates the actions of its clients and provides relevant information in accordance with the tasks and functions assigned to the State Unitary Enterprise "Cybersecurity Center" in general and to UZCERT in particular. The Methodology for the identification, collection and consolidation of digital evidence during computer-aided research and investigation of cybersecurity incidents is used as the internal document for incident handling.

4.2 Co-operation, Interaction and Disclosure of Information

The UZCERT information classification policy is based on the information security policy of the State Unitary Enterprise "Cybersecurity Center". This policy defines how to classify information received from external and internal parties. Information is divided into the following categories:
(a) Publicly available information
(b) Confidential information

UZCERT is a structural subdivision of the State Unitary Enterprise "Cybersecurity Center"; in its activities it observes and is guided by the requirements of the Information Security Policy adopted by the State Unitary Enterprise "Cybersecurity Center", and processes all information received from the parties it interacts with in accordance with that policy.

Information protection

All information processed by UZCERT is protected in accordance with the requirements of the Information Security Policy of the State Unitary Enterprise "Cyber Security Center".

Record Retention

All information handled by UZCERT is securely stored; the policy for storing information is based on the information security policy of the State Unitary Enterprise "Cyber Security Center". UZCERT conforms to the policies set by the State Unitary Enterprise "Cyber Security Center".
Record Destruction

All information handled by UZCERT is securely deleted; the policy for deleting information is based on the information security policy of the State Unitary Enterprise "Cyber Security Center". UZCERT conforms to the policies set by the State Unitary Enterprise "Cyber Security Center".

Information dissemination

All information handled by UZCERT is strictly controlled; the policy for distributing information is based on the information security policy of the State Unitary Enterprise "Cyber Security Center". UZCERT conforms to the policies set by the State Unitary Enterprise "Cyber Security Center".

Access to information

All information handled by UZCERT is strictly controlled; the policy for accessing information is based on the information security policy of the State Unitary Enterprise "Cyber Security Center". UZCERT conforms to the policies set by the State Unitary Enterprise "Cyber Security Center".

4.3 Communication and Authentication

Usage of Secure Communications

UZCERT can use secure communications as follows:
[Inside] using dedicated internal tools;
[Outside] using PGP encryption and signatures.

5. Services

5.1 Incident Response

Incident Handling Process. The basic process for handling vulnerabilities and incidents is as follows:
- Receiving
- Identification
- Analysis
- React / Response
- Detection / Disclosure
- Closing (including review)

5.1.1 Who records and tracks information about the incident?
Information about the incident is recorded in logs, kept in electronic form and on paper, by the duty specialists of the Monitoring Department: the time and date the incident or event was recorded, the name of the information system or resource subjected to unauthorized interference, the name of the organization that owns the information system or resource, technical parameters (for instance: hosting, web server OS, name and version of the CMS), type of incident, URL links to malicious content or screenshots of unauthorized interference in the operation of an information system or resource, and other data necessary for further identification and filtering of data about the incident. The information is then followed up by specialists from the incident response and investigation departments, who interact with the owners and administrators of compromised information systems and resources as part of the response measures and eliminate the causes and consequences of information security incidents. Information about incidents is summarized on a weekly, monthly, quarterly and annual basis, including for the purpose of publishing incident statistics on the websites of the State Unitary Enterprise "Cybersecurity Center" and UZCERT (www.csec.uz, www.uzcert.uz).

5.1.2 Is there any audit trail of actions taken, or how the incident has been updated?

Yes. All information is recorded in the electronic document management system, in the incident registration and tracking system (application), and in e-mail archives.

5.1.3 Are there any escalation procedures and a corresponding process to raise the incident's priority?

Yes; the department manager is responsible for this, and a specific escalation policy applies.
5.2 Proactive Services

UZCERT coordinates and maintains the following services to the extent its resources allow:
- A network security information sharing platform ("Early Warning system"), available on request to all network administrators within UZCERT's constituency.
- Information services through the following channels:
  = websites: https://csec.uz/ and https://uzcert.uz/
  = Facebook page: https://facebook.com/csec.uz
  = Telegram: https://t.me/cyber_csec_uz and https://t.me/uzcert

UZCERT organizes an annual CTF for students of higher educational institutions within its constituency.

6. Incident Reporting Forms

UZCERT has created a local form for reporting incidents to the team. We strongly encourage anyone reporting an incident to fill it out, although this is never required. The current version of the form is available at the top of the website:
https://csec.uz/

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, UZCERT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.