9283 8B4A 87FE DC6E C327 EF05 70A8 B78D 1623 3FB5

About Us > RFC 2350

1 Document Information

This is a description of the SANReN Proactive CSIRT as per RFC 2350. It provides basic information about the CSIRT, services offered and contact information. The CSIRT is an academic sector, coordinating CSIRT providing services to research and education institutions of South Africa.

Due to the dual-organisational makeup of the South African National Research and Education Network (NREN), the CSIRT operates as a distributed team focusing on Reactive (TENET) and Proactive (SANReN) services respectively. This document is for the proactive side of the team.

For reactive services (e.g. incident response) please contact the Tertiary Education and Research Network of South Africa (TENET) directly at:
+27 21 7637 one-four-seven (24×7) or
“noc{a}tenet.ac.za”

1.1 Date of Last Update

v1.1, 2016/12/01.

1.2 Distribution List for Notifications

Updates are distributed via the CSIRT website and announcements mailing list. Subscription requests can be sent to “csirt-news+subscribe{a}sanren.ac.za”. Reply to the email sent in response.

1.3 Locations where this Document May Be Found

The latest version of this document is available here (signed).

1.4 Authenticity of this Document

The text version of this document is signed with the team’s PGP key (see 2.8).

2 Contact Information

2.1 Name of the team

“SANReN CSIRT”: the South African National Research Network proactive Computer Security Incident Response Team.

2.2 Address

SANReN CSIRT
CSIR Meraka Institute
Building 43
2 Meiring Naudé Road, Brummeria, Pretoria, 0184
South Africa

2.3 Time Zone

SAST (UTC+0200)

2.4 Telephone Numbers

+27 12 8414 triple-one – Roderick Mooi (business hours only)
+27 12 8414 one-four-eight – Schalk Peach (business hours only)

2.5 Facsimile Number

Not advised. Please call/email upfront if required.

2.6 Other Telecommunication methods

Not available.

2.7 Electronic Mail Address

“csirt{a}sanren.ac.za”; relays to all SANReN CSIRT members. Use our PGP key to encrypt sensitive information.

2.8 Public Keys and Encryption Information

The CSIRT team PGP key can be found on the usual public key servers (link here).

“csirt{a}sanren.ac.za”
KeyID: 0×16233FB5
Fingerprint: 9283 8B4A 87FE DC6E C327 EF05 70A8 B78D 1623 3FB5

Individual team member’s keys are available on request.

2.9 Team Members

Manager: Roderick Mooi
Senior Analyst: Schalk Peach

2.10 Other Information

See our website.

2.11 Points of Customer Contact

The preferred method for contacting the CSIRT is via e-mail “csirt{a}sanren.ac.za”. Note that requests for reactive (e.g. incident response) services should instead be sent to TENET “noc{a}tenet.ac.za”. Please place your institution’s name in the subject line.

The team is typically available from 09:00-16:00 Monday to Friday except for public holidays and 25 December to 1 January. We do not provide a 24×7 service.

If it is not possible (or advisable for security reasons) to use e-mail, the proactive CSIRT can be reached by telephone (see 2.4 for numbers) during regular office hours (minimally 9am to 4pm SAST). Voice messages are reviewed.

3 Charter

3.1 Mission Statement

The mission of the SANReN CSIRT is to provide proactive IT security services to the sites and users of the SANReN network; with the goal of minimising the occurrence of incidents and equipping the constituency to better safeguard against malicious activity.

Note that this is intended to complement the TENET (reactive) CSIRT’s mission.

3.2 Constituency

The constituency are the beneficiaries of the SANReN network including customers of TENET defined as the “campuses of South African education and research institutions and associated support institutions in the public sector that connect to the network”.

More formally, the constituency can be defined as

  1. .ac.za domain registrants and/or
  2. users of systems and IP addresses in AS 2018 (TENET’s autonomous system)

as clarified by the TENET connection policy.

3.3 Sponsorship and/or Affiliation

The SANReN CSIRT is primarily funded via the Department of Science and Technology (DST) South Africa as part of the SANReN project. The SANReN team (including the CSIRT) is hosted by the Council for Scientific and Industrial Research (CSIR) Meraka Institute. The CSIRT is closely affiliated with the Tertiary Education and Research Network of South Africa (TENET) who operate the SANReN network and also provide the reactive CSIRT services. For further relationship detail please see the SANReN website.

Some services (e.g. vulnerability assessments) are charged for on a cost recovery basis.

3.4 Authority

The primary objective of the SANReN CSIRT is to proactively mitigate IT security-related issues affecting the SANReN network and constituency as described in the Services section. This is achieved in an advisory role. Accordingly, the team has limited/indirect authority over the constituency.

The TENET AUP defines acceptable use of the SANReN network and infringements could result in intervention by TENET.

4 Policies

4.1 Types of Incidents and Level of Support

The SANReN CSIRT does not directly handle incidents. The constituency is however welcome to contact the team for IT security related advice at any time (including during an incident). Response will be on a best effort basis depending on the current load and availability of team members.

For incident response services please contact the TENET NOC “noc{a}tenet.ac.za”.

4.2 Co-operation, Interaction and Disclosure of Information

The SANReN CSIRT follows the principle of responsible disclosure within the bounds of policy and legislation. The information security traffic light protocol is used to classify information handled by the CSIRT as follows:

  • TLP:RED – Not for disclosure, restricted to participants only (most sensitive)
  • TLP:AMBER – Limited disclosure, restricted to participants’ organisations on a need-to-know basis (sensitive)
  • TLP:GREEN – Limited disclosure, restricted to the community and related organisations (less sensitive)
  • TLP:WHITE – Unrestricted disclosure, public (not sensitive)
    For the SANReN CSIRT: participants = the CSIRT team member(s) involved in the exchange only, organisations = SANReN + TENET, and community = constituency.

A constituent may request that information be handled at a preferred level otherwise the CSIRT will classify at a level it deems appropriate. Where practicable, the CSIRT will seek authorisation from a constituent before sharing sensitive information, which will also be anonymised if it does not affect the value/use of the information (e.g. redaction of site identifiable information).

4.3 Communication and Authentication

In view of the types of information that the SANReN CSIRT will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP should be used. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be encrypted for transmission. Please contact the CSIRT prior to sending sensitive information if assistance is required (for example in setting up PGP or an alternative secure mechanism).

5 Services

For reactive services (e.g. incident response and support), please contact TENET “noc{a}tenet.ac.za”. The SANReN CSIRT offers the following services as per our website. These services are only available to the constituency (exceptions on agreement).

5.1 Vulnerability Assessments

The SANReN CSIRT offers a vulnerability scanning service to constituents. This is a process to identify, classify, report on and provide remediation advice on the security weaknesses of specific IT infrastructure. The service helps institutions identify and remedy vulnerabilities to prevent an attack/compromise. Both external and internal scans can be performed.

5.2 Announcements

The SANReN CSIRT provides an “announcements” service to highlight recent cybersecurity news including alerts/warnings (e.g. intrusions, threats), advisories (e.g. vulnerabilities, bulletins), articles (e.g. interesting news) and any other security-related information (e.g. team updates) that may be of interest to the constituency.

Mechanisms for disseminating these announcements include the CSIRT website, mailing lists and RSS feeds (accessible from the website under specific services). The mailing lists are only available to constituency representatives.

6 Incident Reporting Forms

Not applicable. Please contact “noc{a}tenet.ac.za” for incident support.

7 Disclaimers

This information is accurate at publication date.

While every precaution will be taken in the preparation of the website, information, notifications and alerts, the SANReN CSIRT (and sponsors/affiliates) assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained therein including this document.

The signed version can be found here.