1395 5E65 0C7A 5CEF 0373 F6E2 8982 15F5 6081 EBEB
This is a description of the SANReN Proactive CSIRT as per RFC 2350. It provides basic information about the CSIRT, services offered and contact information.
The CSIRT is an academic sector, coordinating CSIRT providing services to research and education institutions of South Africa.
Due to the dual-organisational makeup of the South African National Research and Education Network (NREN), the CSIRT operates as a distributed team focusing on Reactive (TENET) and Proactive (SANReN) services respectively. This document is for the proactive side of the team.
For reactive services (e.g. incident response) please contact the Tertiary Education and Research Network of South Africa (TENET) directly at:
+27 21 7637 one-four-seven (24x7) or csirt {at} tenet.ac.za
v1.5, 2023/09/22
Updates are distributed via the CSIRT website and announcements mailing list. Subscription requests can be sent to "csirt-news+subscribe@sanren.ac.za".
The latest version of this document is available here (signed).
The text version of this document is signed with the team's PGP key (see 2.8).
"SANReN CSIRT": the South African National Research Network proactive Computer Security Incident Response Team.
SANReN CSIRT
CSIR
Building 43
2 Meiring Naudé Road, Brummeria, Pretoria, 0184
Pretoria, South Africa
SAST (UTC+0200)
+27 12 8427 six-five-eight - Heloise Meyer (business hours only)
Not advised. Please call/email upfront if required.
Not available.
"csirt{at}sanren.ac.za"; relays to all SANReN CSIRT members. Use our PGP key to encrypt sensitive information.
The CSIRT team PGP key can be found on the usual public key servers (link here).
"csirt{at}sanren.ac.za" PGP Key
KeyID: 0xE2C491CED20D800F
Fingerprint: 8E0A 2756 1B3E 2B99 4246 C1AA 04A1 B821 AA99 CA2C
Individual team member's keys are available on request.
Operations Manager: Heloise Meyer
Senior Cyber Security Analyst: Kgwadi Matenche
Senior Cyber Security Analyst: Sicelo Ncekana
Cyber Security Analyst: Maajied Moos
See our website
The preferred method for contacting the CSIRT is via e-mail "csirt{at}sanren.ac.za". Note that requests for reactive (e.g. incident response) services should instead be sent to TENET "csirt{at}tenet.ac.za". Please place your institution's name in the subject line.
The team is typically available from 09:00-16:00 Monday to Friday except for public holidays and 25 December to 1 January. We do not provide a 24x7 service.
If it is not possible (or advisable for security reasons) to use e-mail, the proactive CSIRT can be reached by telephone (see 2.4 for numbers) during regular office hours (minimally 9am to 4pm SAST). Voice messages are reviewed.
The mission of the SANReN CSIRT is to provide proactive IT security services to the sites and users of the SANReN network; with the goal of minimising the occurrence of incidents and equipping the constituency to better safeguard against malicious activity.
Note that this is intended to complement the TENET (reactive) CSIRT's mission.
The constituency are the beneficiaries of the SANReN network including customers of TENET defined as the "campuses of South African education and research institutions and associated support institutions in the public sector that connect to the network".
More formally, the constituency can be defined as
.ac.za domain registrants and/or
users of systems and IP addresses in AS 2018 (TENET's autonomous system)
as clarified by the TENET connection policy.
The SANReN CSIRT is primarily funded via the Department of Science and Innovation (DSI) South Africa as part of the SANReN project. The SANReN team (including the CSIRT) is hosted by the Council for Scientific and Industrial Research (CSIR) Meraka Institute. The CSIRT is closely affiliated with the Tertiary Education and Research Network of South Africa (TENET) who operate the SANReN network and also provide the reactive CSIRT services. For further relationship detail please see the SANReN website.
Some services (e.g. vulnerability assessments) are charged for on a cost recovery basis.
The primary objective of the SANReN CSIRT is to proactively mitigate IT security-related issues affecting the SANReN network and constituency as described in the Services section. This is achieved in an advisory role. Accordingly, the team has limited/indirect authority over the constituency.
The TENET AUP defines acceptable use of the SANReN network and infringements could result in intervention by TENET.
The SANReN CSIRT does not directly handle incidents. The constituency is however welcome to contact the team for IT security related advice at any time (including during an incident). Response will be on a best effort basis depending on the current load and availability of team members.
For incident response services please contact TENET: "csirt{at}tenet.ac.za".
The SANReN CSIRT follows the principle of responsible disclosure within the bounds of policy and legislation. The information security traffic light protocol is used to classify information handled by the CSIRT as follows:
TLP:RED - Not for disclosure, restricted to participants only (most sensitive).
TLP:AMBER - Limited disclosure, restricted to participants' organisations on a need-to-know basis (sensitive). Note that TLP:AMBER+STRICT restricts sharing to the organization only.
TLP:GREEN - Limited disclosure, restricted to the community and related organisations (less sensitive).
TLP:CLEAR - Unrestricted disclosure, public (not sensitive).
For the SANReN CSIRT: participants = the CSIRT team member(s) involved in the exchange only, organisations = SANReN + TENET, and community = constituency.
A constituent may request that information be handled at a preferred level otherwise the CSIRT will classify at a level it deems appropriate. Where practicable, the CSIRT will seek authorisation from a constituent before sharing sensitive information, which will also be anonymised if it does not affect the value/use of the information (e.g. redaction of site identifiable information).
In view of the types of information that the SANReN CSIRT will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP should be used. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be encrypted for transmission. Please contact the CSIRT prior to sending sensitive information if assistance is required (for example in setting up PGP or an alternative secure mechanism).
For reactive services (e.g. incident response and support), please contact TENET “csirt{at}tenet.ac.za”. The SANReN CSIRT offers the following services as per our website. These services are only available to the constituency (exceptions on agreement).
The SANReN CSIRT offers a vulnerability scanning service to constituents. This is a process to identify, classify, report on and provide remediation advice on the security weaknesses of specific IT infrastructure. The service helps institutions identify and remedy vulnerabilities to prevent an attack/compromise. Both external and internal scans can be performed.
The SANReN CSIRT provides an "announcements" service to highlight recent cybersecurity news including alerts/warnings (e.g. intrusions, threats), advisories (e.g. vulnerabilities, bulletins), articles (e.g. interesting news) and any other security-related information (e.g. team updates) that may be of interest to the constituency.
Mechanisms for disseminating these announcements include the CSIRT website, mailing lists and RSS feeds (accessible from the website under specific services). The mailing lists are only available to constituency representatives.
The SANReN CSIRT provides an "resources" service that offers a collection of cyber security incident response playbooks providing a consistent approach to follow when remediating a cybersecurity incident.
Not applicable. Please contact "csirt{at}tenet.ac.za" for incident support.
This information is accurate at publication date.
While every precaution will be taken in the preparation of the website, information, notifications and alerts, the SANReN CSIRT (and sponsors/affiliates) assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained therein including this document.
The key signed version can be found here.
Contact Us: |
CSIRT: |
|
Heloise: |
|
Kgwadi: |
|
Sicelo: |
|
Maajied: |