CSIRT Description for GMV CERT
------------------------------

1. Document Information

1.1 Date of Last Update

This version was published on February 20th, 2020.

1.2 Distribution List for Notifications

Currently GMV-CERT does not use any distribution lists to notify about changes in this document. Notifications of updates are submitted to our constituency using established communication channels.

1.3 Locations where this Document May Be Found

The current version of this document is available from the GMV-CERT Web site:
https://cert.gmv.com/portal_gmv-cert/doc/rfc2350.txt

1.4 Authenticating this Document

This document has been signed with the GMV CERT's PGP keys. The signatures are also on GMV CERT Web site (https://cert.gmv.com).

2. Contact Information

2.1 Name of the Team

"GMV-CERT": GMV Computer Security Incident Response Team.

2.2 Address

GMV CERT
Isaac Newton 11
P.T.M. Tres Cantos, 28760 Madrid
Spain

2.3 Time Zone

Central European Time - CET (GMT+0100, and GMT+0200 from April to October)

2.4 Telephone Number

+34 902 46 46 01 / +34 91 807 76 72
Available 24x7

2.5 Facsimile Number

+34 91 807 21 99 (this is *not* a secure fax)

2.6 Other Telecommunication

Videoconference options available.

2.7 Electronic Mail Address

This is the mail to contact GMV-CERT representatives for general purposes. Do not use for incident reporting.

This is the mail to report a computer security incident.

2.8 Public Keys and Encryption Information

GMV-CERT has the following PGP keys:

CERT representatives contact (do NOT use for incident reporting)
Key ID: 0x6EF7672A
Fingerprint: CE79 3A9A E91D 1ADC 9659 E0FD 250B 68D1 6EF7 672A

Incident reporting to GMV CERT
Key ID: 0x350850F0
Fingerprint: 8D63 C7CB 3DD7 1079 BFAE 122A 8419 D69A 3508 50F0

The keys and their signatures can be found on the usual large public key servers and on the GMV CERT Web site (https://cert.gmv.com).

2.9 Team Members

GMV CERT manager is Oscar Riaño.

Oscar Riaño
Key ID: 0x1BC64F62
Fingerprint: A515 CE96 A051 E7F5 9AB5 662B 6B0B 977A 1BC6 4F62

GMV CERT deputy manager is Jairo Montero.
Key ID: 0x786ABCB7
Fingerprint: 43E5 F954 88F5 18C3 542F BA24 877C EE09 786A BCB7

2.10 Other Information

General information about GMV CERT can be found at GMV CERT Web site (https://cert.gmv.com).

2.11 Points of Customer Contact

For reporting a computer security incident, the preferred method is by email at GMV CERT incident mailbox (). If possible, when submitting your report, use the template mentioned in section 6.

If it is not possible (or not advisable for security reasons) to use e-mail, GMV CERT can be reached by telephone 24x7.

2.12 Operating Hours

GMV CERT is available 24x7, subject to contract provisions established with GMV CERT constituency.

3. Charter

3.1 Mission Statement

GMV-CERT is a commercial Computer Security Incident Response Team (CSIRT) that provides a portfolio of security services (section 5) to its established customer base.

GMV CERT's mission is to provide capabilities for its customers to deal with computer security incidents, helping to prevent them and to improve their security level.

3.2 Constituency

GMV CERT constituency is GMV CERT's customer base.

3.3 Sponsorship and/or Affiliation

GMV-CERT is part of GMV (https://www.gmv.com).

GMV is a privately owned technological business group with an international presence. Founded in 1984, GMV offers its solutions, services and products in very diverse sectors: Aeronautics, Banking and Finances, Space, Defense, Health, Security, Transportation, Telecommunications, and Information Technology for Public Administration and large corporations.

GMV-CERT intends to establish and maintain affiliations with other CSIRTs around the world on an as-needed basis.

3.4 Authority

As a commercial CSIRT, GMV-CERT operates under the contractual agreements established with its customer base.

4. Policies

4.1 Types of Incidents and Level of Support

As a commercial CSIRT, GMV-CERT is prepared to address all types of computer security incidents which occur within its constituency, as specified by the contractual agreements.

GMV-CERT may act upon requests of one of its constituents or may act if one of its constituents is involved in a computer security incident.

The level of support given by GMV-CERT is determined by the contractual agreements established between GMV-CERT and its constituency.

4.2 Co-operation, Interaction and Disclosure of Information

GMV-CERT will cooperate with other organizations in the field of computer security. This cooperation also includes and often requires the exchange of information regarding security incidents and vulnerabilities. Nevertheless, GMV-CERT will protect the privacy of its constituency and therefore (under normal circumstances) pass on information in an anonymized way only.

Unless explicitly authorized, the identity or vital information of victims of computer security incidents will not be divulged.

GMV-CERT operates under the restrictions imposed by Privacy Regulations in Data Privacy, namely "GDPR" or Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales. Therefore it is also possible that GMV CERT may be forced to disclose information due to a court order.

4.3 Communication and Authentication

Telephone and unencrypted e-mail are considered sufficient for the transmission of low-sensitivity data. If it is necessary to send high-sensitivity data by e-mail, PGP will be used. Network file transfers will be considered similar to e-mail for these purposes.

GMV CERT contact template can be found in section 6.

5. Services

5.1 Reactive Services

5.1.1 Monitoring

GMV-CERT will assist its constituency in health monitoring and security monitoring, detecting unwanted situations in the monitored constituency.

5.1.2 Incident Response / Security Incident Management

GMV-CERT will assist its constituency in handling the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management:

5.1.2.1 Incident Triage

- Investigating whether indeed an incident occurred.
- Determining the extent of the incident.

5.1.2.2 Incident Coordination

- Determining the initial cause of the incident.
- Facilitating contact with other sites which may be involved.
- Facilitating contact with appropriate security teams.
- Facilitating contact with Police Corps and law enforcement officials.
- Making reports to other CSIRTs.
- Composing announcements to users (members of the constituency), if applicable.

5.1.2.3 Incident Resolution

- Technical Assistance. This may include analysis of compromised systems.
- Recommendations on Eradication or Elimination of the cause of a security incident and its effects.
- Recovery. Aid in restoring affected systems and services to their status before the incident.
- Forensics and Post-Mortem investigations. This includes forensics, artifact and evidence handling.
- Vulnerability handling.
- Suggestions in securing the system from the effects of the incident.

GMV-CERT will collect statistics concerning incidents which occur within or involve its constituency and will notify the community as necessary to assist it in protecting against known attacks.

5.1.3 Help Desk

GMV-CERT provides a Help Desk to register customer requests and keep customers informed.

5.1.4 Operation and Administration of security devices

GMV-CERT can apply the measures defined and agreed in the incident resolution phase (containment and eradication measures).

5.1.5 Corrective Maintenance

GMV-CERT collaborates in preparing tests and gathering test evidence, deploying corrections and validating correct functioning.

5.1.6 Vulnerability Management

GMV-CERT manages the whole vulnerability lifecycle, detecting and communicating vulnerabilities and contributing to their correction.

5.2 Proactive Services

In addition to Incident Response, GMV CERT provides a portfolio of security services. Proactive services provide means to reduce the number of actual incidents by giving proper and suitable information concerning potential incidents to the constituency.

5.2.1 Support to Operation of Security Devices

GMV-CERT provides the customer with on-demand management reports covering the operation of security devices.

5.2.2 Proactive Maintenance

GMV-CERT maintains an accurate inventory and configuration management database supervising configurations, known errors, backups, and recovery tests, among others.

5.2.3 Security Audits and Assessments

GMV-CERT performs security audits to identify vulnerabilities.

5.2.4 Pen Testing and Ethical Hacking

GMV-CERT performs penetration tests to identify vulnerabilities.

5.2.5 Security Intelligence

GMV-CERT identifies IOCs to better protect the constituency through early identification of potential incidents.

6. Incident Reporting Forms

Check section 2.9 to choose the constituency of the incident you want to report. Use the following template and send it by email to the appropriate address. Please provide as much detail as possible and attach any relevant file (log, email, image...):

=================================================================
INCIDENT REPORT

Have you reported this incident to other individuals or organizations?:

- Type of incident detected (Phishing, Malware, DDoS, Unauthorized use/access...):

- When was this incident detected? (Provide datetime and timezone):

- Incident Details (Provide a short description of the incident):

Complete the following information about affected system and attacker host.

--- Affected System (Duplicate if needed) ---
Hostname:
Domain:
IP Address:
Port:
Operating System:
Primary purpose of the affected system (Workstation, Web/DNS/FTP/Application/Database server, Router, Firewall...):
--- End Affected System ---

--- Attacker Host (Duplicate if needed) ---
Hostname:
Domain:
IP Address:
Port:
Protocol:
--- End Attacker Host ---
=================================================================

This is the preferred way to report a computer security incident to GMV-CERT.

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, GMV-CERT assumes no responsibility for errors, omissions, or for damages resulting from the use of the information contained.