CSIRT SPECIFICATION FOR NATIONAL CERT – CERT.hr

1. Introduction

This document contains information about the operation and constituency of National CERT / CERT.hr and a description of the services it offers. The document complies with the requirements of RFC 2350 (https://www.ietf.org/rfc/rfc2350.txt), which outlines the requirements and expectations of the Internet community for the best practices of CSIRTs in their operations.

1.1 Date of last update

This is version 5.3 published in December 2022.

1.2 Distribution list for notifications

Currently, National CERT / CERT.hr has not established a mailing list to notify of updates to this document. Major update information is available on our website: https://www.cert.hr.

1.3 Locations where this document may be found

The current version of this document is available from the National CERT / CERT.hr website at the following link:
https://www.cert.hr/wp-content/uploads/2022/12/CERT_hr_RFC2350_ENG_v5.3.txt

1.4 Identification

1. Document title: CSIRT SPECIFICATION FOR NATIONAL CERT – CERT.hr
2. Version: 5.3
3. Document date: 12.12.2022.
4. Expiration: This document is valid until further notice.

This document has been signed with the National CERT's PGP key.

The public PGP key of National CERT / CERT.hr is available at:
https://www.cert.hr/wp-content/uploads/2019/02/ncert_asc.zip

The digitally signed document is available at:
https://www.cert.hr/wp-content/uploads/2022/12/CERT_hr_RFC2350_v5.3_signed.zip

2. Contact information

2.1 Name of the team

National CERT / CERT.hr - National Computer Emergency Response Team

2.2 Address

Croatian Academic and Research Network - CARNET
Department for National CERT
Josipa Marohnića 5
10000 Zagreb
Croatia

2.3 Time zone

CET – Central European Time: UTC+0100 (Start: last Sunday in October at 02:00; End: last Sunday in March at 02:00)
CEST – Central European Summer Time: UTC+0200 (Start: last Sunday in March at 03:00; End: last Sunday in October at 03:00)

2.4 Telephone number

+385-1-6661-650

2.5 Facsimile number

+385-1-6661-767 (not to be used for secure information)

2.6 Other telecommunication

None available.

2.7 Electronic mail address

ncert[at]cert.hr – for general inquiries
incident[at]cert.hr – for incident reporting; use of telephone and facsimile for reporting incidents should be avoided as much as possible
zks-incident[at]cert.hr – for the submission of reports about significant incidents from key service operators and digital service providers

2.8 Public PGP key and other encryption information

National CERT has a PGP key.

Primary User ID: Croatian National CERT
Key ID: 0xFCA254BB
Expiration: Never
Fingerprint: E54B B60A C4D1 45E7 0FF4 CC5B E35C DB85 FCA2 54BB

The PGP key with a signature is available at National CERT's / CERT.hr's website (https://www.cert.hr/en/contact/) and at most of the popular key exchange servers.

2.9 Team members

The assistant of the principal for National CERT, Nataša Glavor, holds the position of the leader of National CERT / CERT.hr within Croatian Academic and Research Network – CARNET. There are two teams working within the National CERT / CERT.hr: Incident handling service and Services and infrastructure security team.

2.10 Other information

General information about the National CERT, as well as links to various recommended security resources, can be found at: https://www.cert.hr. Most of the information is available only in Croatian.
Facebook page: https://www.facebook.com/CERT.hr/
Twitter profile: https://twitter.com/hrcert

2.11 Points of customer contact

The preferred method for reporting an incident is via e-mail to incident@cert.hr. The procedure for reporting an incident is described at: https://www.cert.hr/en/report_incident/. Received reports about an incident will be handled by National CERT's team. National CERT recommends encryption of confidential information with its PGP key when reporting an incident.

If sending an e-mail is not possible (or not advisable due to security circumstances), incidents can also be reported via telephone during regular office hours.

Reports about incidents according to the Cybernetic Security Act on key service providers and digital service providers can be submitted to zks-incident[at]cert.hr. The instructions can be found at the link in chapter 6 of this document.

National CERT's operating hours are generally restricted to regular business hours (09:00-16:00 Monday to Friday).

3. Charter

3.1 Mission statement

The purpose of the National CERT is, firstly, to assist users of the Internet in Croatia by implementing proactive activities in order to reduce the risks of computer security incidents, and secondly, to coordinate responding to such incidents when they occur.

3.2 Constituency

National CERT's constituency is the whole Croatian top level domain (.hr) and all IP ranges in Croatia, excluding the Government bodies.

National CERT / CERT.hr coordinates significant incidents according to the Cybernetic Security Act on key services providers and digital service providers for the following sectors: banking, financing market infrastructure, digital infrastructure, business services for government bodies and digital service providers.

National CERT is also the CERT of Croatian Academic and Research Network – CARNET.
3.3 Sponsorship and/or affiliation

National CERT is financed by the Ministry of Science and Education via Croatian Academic and Research Network – CARNET. National CERT is a department within CARNET. Croatian Academic and Research Network - CARNET is engaged in the development, construction and maintenance of the ICT infrastructure connecting Croatian academic and scientific research institutions into a private network.

National CERT is a member of the following organizations:
• FIRST (Forum of Incident Response Teams) - https://www.first.org/members/teams/cert-hr
• TF-CSIRT (Task Force on Cyber Security Incident Response Teams) - https://www.trusted-introducer.org/directory/teams/certhr.html
• EU CSIRT's Network

3.4 Authority

National CERT was established in accordance with the Information Security Act of the Republic of Croatia and according to the Act CERT is a national body for prevention and protection from computer threats to the security of public information systems in the Republic of Croatia.

According to the Ordinance on the Work of National CERT, the Department deals with incidents if one of the parties to the incident is in the Republic of Croatia (i.e. if it is in the .hr domain or in Croatian IP address space).

According to the Cybernetic Security Act on key services providers and digital service providers (NN 64/18) National CERT / CERT.hr is declared as an authorized CSIRT for all key service operators which are operating in banking, financing market infrastructure, digital infrastructure, business services for government bodies (scope of government bodies competent for science and education) and digital service providers.
According to the Ordinance on the organisation and management of the national top-level domain (NN 38/10) National CERT has the authority to request a temporary suspension of a .hr domain if the domain is hosting malicious content (Phishing URL, Malware URL) and if there is no timely reaction to requests for removal of the malicious content.

In its field of jurisdiction, National CERT has the right to give directives, guidelines, recommendations, advice and opinions.

4. Policies

4.1 Types of incidents and level of support

National CERT is authorized to handle all types of computer security incidents and threats that occur within its constituency.

Types of computer security incidents defined by National CERT are:
• Successfully compromised host
• Malicious website
• Attempt of unauthorized access
• Information Gathering
• Denial of Service
• Cryptojacking
• Unsolicited electronic messages, offensive content, harassment, misinformation
• Advanced persistent threat (APT)
• Fraud
• Other types of malicious attacks

National CERT engages with its resources in helping to resolve significant incidents that are defined according to the following priorities:
a) incidents that pose a threat to human lives
b) incidents that occur on the Internet infrastructure in Croatia
c) incidents of major importance
d) new types of malicious attacks
e) other incidents

National CERT is required to respond to a report within two working days (Monday-Friday).

4.2 Co-operation, interaction and disclosure of information

National CERT is in cooperation with:
• Office of the National Security Council (UVNS)
• Information Systems Security Bureau (ZSIS)
• Ministry of the Interior of the Republic of Croatia

National CERT modulates its activities within the area of computer security regulations in Croatia with the Office of the National Security Council (UVNS) and also cooperates with them regarding Euro-Atlantic integration matters.
National CERT is also in co-operation with the Information Systems Security Bureau (ZSIS) and the Ministry of the Interior of the Republic of Croatia.

Cooperation with foreign CERT teams is achieved through memberships in the Forum of Incident Response and Security Teams (FIRST) and in the TF-CSIRT working group.

4.3 Communication and authentication

For communication with CERT teams and other authorities responsible for information security, National CERT uses Internet, telephone, fax, electronic media and written form. Other forms of communication are available in specific situations.

When storing, publishing and sending data, it is ensured that data sources can be protected and verified using appropriate cryptographic and electronic signature methods.

Other authentication methods include verification through members of the FIRST organization, use of the WHOIS information service and data with the relevant registration authorities on the Internet, a confirmation phone call and a return e-mail.

All communication is subject to the Privacy Notice, which can be found at https://www.cert.hr/NCOoPInc.

5. Services

5.1 Incident response

National CERT gives support for the following technical and organizational aspects:

5.1.1 Incident triage

• determining whether the observed incident can be classified as a computer-security incident, i.e. whether it is a type of incident defined according to the National Taxonomy of Computer-Security Incidents
• security warnings are created on the basis of collected information, and distributed publicly or privately
• determining the extent of the incident

5.1.2 Incident coordination

Coordination of response to significant incidents involving at least one party from Croatia where, due to its scope and significance, several CERTs or other relevant bodies are involved.
5.1.3 Incident resolution

Reactive measures of incident resolution:
• Security warnings
• Coordination during resolution of major incidents

In addition, the National CERT collects statistics on incidents related to its area of activity and, where appropriate, reports to the public in order to encourage and facilitate protection against certain known types of attacks.

To assist and mediate in handling of computer-security incidents, a notification must be sent by e-mail to the National CERT address that complies with the parameters set out in Chapter 2.11. Help and support of National CERT is provided according to chapter 4.1.

5.2 Proactive measures

By taking proactive measures, National CERT acts before the occurrence of incidents or other events which pose a threat to the security of information systems, with the aim of preventing or mitigating possible damage. Information about proactive measures is publicly available.

Proactive measures are as follows:

Security warnings: Based on tracking of events and situations in the field of computer security, analysis of available data and by foreseeing trends, National CERT prepares and publishes security alerts to adequately prepare to prevent or mitigate damage.

Monitoring of computer security technologies: National CERT regularly monitors the field of computer security technologies and integrates the findings into disseminated information.

Dissemination of information in the field of computer security: National CERT collects, aggregates, produces and disseminates relevant information and documents, recommendations and instructions in the field of computer security.
Vulnerability assessment: National CERT offers a vulnerability assessment service separately (and technically separated) for:
• Croatian Academic and Research Network - CARNET
• institutions that are connected to the CARNET network via permanent connection
More information is available here: https://www.cert.hr/provjera_ranjivosti/

Raising awareness of the importance of computer security: through public action and promotional activities, National CERT works to educate the general public and raise awareness about the importance of computer security.

Computer security education and training: National CERT prepares and conducts educational campaigns for targeted groups of users through educational materials.

6. Incident reporting forms

Instructions and forms for reporting incidents according to the Cybernetic Security Act on key service providers and digital service providers are available at: https://www.cert.hr/zks-incident.

7. Disclaimer

While every precaution will be taken in the preparation of information, notifications and alerts, National CERT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.