CERT-Radboudumc Service Description
Below, you will find the CERT-Radboudumc Service Description, which states,
among other things, the services that CERT-Radboudumc provides.
General information
Author/Source: Remco Landegge
Distribution: World
Version: 1.1
TLP: White
Date: December 6th, 2023
1. Document Information
1.1. Date of Last Update
This is version 1.1 of December 6th, 2023.
1.2. Distribution List for Notifications
Only Radboudumc DSCs (Domain Security Contacts) are actively notified of updates to this document. Please address any specific questions or remarks to the CERT-Radboudumc mail address.
1.3. Locations where this Document May Be Found
The current version of this profile is always available at:
https://www.radboudumc.nl/security/rfc-2350
2. Contact Information
2.1. Name of the Team
CERT-Radboudumc: the Computer Emergency Response Team for the Radboud University Medical Center, Nijmegen, The Netherlands.
2.2. Address
Visiting address:
Radboudumc
F.C. Donderslaan 2 (route 237)
6525 GJ Nijmegen
Postal address:
Radboudumc
Attn Informatie Management, CERT-Radboudumc (237)
P.O. Box 9101
6500 HB Nijmegen
The Netherlands
2.3. Time Zone
GMT+1 (GMT+2 with DST, according to EC rules)
2.4. Telephone Number
Servicedesk ICT +31 (0)24 3615071 (24/7)
2.5. Facsimile Number
Not available.
2.6. Other Telecommunication
Not available.
2.7. Electronic Mail Address
servicedeskict@radboudumc.nl
2.8. Public Keys and Encryption Information
Currently not available. Please contact us if you think this is necessary and we will initiate a secure mail conversation with you using Zorgmail.
2.9. Team Members
CERT-Radboudumc team members are drawn from the ranks of Radboudumc professionals.
2.10. Other Information
Our upstream CERTs:
- Z-CERT: Z-CERT is a Computer Emergency Response Team (CERT), developed specifically for institutions in the healthcare sector. More information: https://www.z-cert.nl/
- SURF-CERT: the SURF Computer Emergency Response Team. SURF is the collaborative organisation for IT in Dutch education and research. More information: https://www.surf.nl/en/surfcert-247-support-in-case-of-security-incidents
2.11. Points of Customer Contact
Normal cases:
Use the CERT-Radboudumc mail address (section 2.7).
Business hours response only: 09:00-17:00 local time on Monday-Friday, with the exception of the public holidays in The Netherlands.
EMERGENCY cases:
Use the CERT-Radboudumc phone number (section 2.4), with the mail address as back-up for all details (putting EMERGENCY in the subject line is recommended). The CERT-Radboudumc phone number is available at all times.
3. Charter
3.1. Mission Statement
CERT-Radboudumc’s mission is to coordinate the resolution of (medical) IT security incidents related to the Radboud University Medical Center, and to help prevent such incidents from occurring.
For the world, CERT-Radboudumc is the Radboud University Medical Center interface with regard to (medical) IT security incident response. All (medical) IT security incidents (including abuse) related to Radboud University Medical Center can be reported to CERT-Radboudumc.
3.2. Constituency
Radboud University Medical Center, with all its patients, employees and students.
3.3. Sponsorship and/or Affiliation
CERT-Radboudumc is part of the Radboudumc department Informatie Management. It maintains affiliations with various CSIRTs throughout the Netherlands and is a member of the SURFnet Community of Incident Response Teams (SCIRT).
3.4. Authority
CERT-Radboudumc coordinates security incidents on behalf of Radboud University Medical Center and has no authority reaching further than that. CERT-Radboudumc is however expected to make operational recommendations in the course of its work. The implementation of such recommendations is not a responsibility of CERT-Radboudumc however, but solely of those to whom the recommendations were made. CERT-Radboudumc has the authority to block addresses or networks.
4. Policies
4.1. Types of Incidents and Level of Support
All incidents are considered normal priority unless they are labeled EMERGENCY. CERT-Radboudumc itself is the authority that can set and reset the EMERGENCY label. An incident can be reported to CERT-Radboudumc as EMERGENCY, but it is up to CERT-Radboudumc to decide whether or not to uphold that status.
The CERT-Radboudumc is authorized to address all types of computer security incidents which occur, or threaten to occur, at Radboud University Medical Center.
The level of support given by CERT-Radboudumc will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and the CERT-Radboudumc's resources at the time, though in all cases some response will be made within one working day. Resources will be assigned according to the following priorities, listed in decreasing order:
- Threats to the physical safety of human beings.
- Root or system-level attacks on any Information System, or any part of the backbone network infrastructure.
- Root or system-level attacks on any large public service machine, either multi-user or dedicated-purpose.
- Compromise of restricted confidential service accounts or software installations, in particular those used for applications containing confidential data, or those used for system administration.
- Denial of service attacks on any of the above three items.
- Any of the above at other sites, originating from Radboud University Medical Center.
- Large-scale attacks of any kind, e.g. sniffing attacks, IRC "social engineering" attacks, password cracking attacks.
- Threats, harassment, and other criminal offenses involving individual user accounts.
- Compromise of individual user accounts on multi-user systems.
- Compromise of desktop systems.
- Forgery and misrepresentation, and other security-related violations of local rules and regulations, e.g. Netnews and e-mail forgery, unauthorized use of IRC bots.
- Denial of service on individual user accounts, e.g. mailbombing.
Types of incidents other than those mentioned above will be prioritized according to their apparent severity and extent.
Note that no direct support will be given to end users; they are expected to contact their system administrator, network administrator, or department head for assistance. The CERT-Radboudumc will support the latter people.
While the CERT-Radboudumc understands that there exists great variation in the level of system administrator expertise at Radboud University Medical Center, and while the CERT-Radboudumc will endeavor to present information and assistance at a level appropriate to each person, the CERT-Radboudumc cannot train system administrators on the fly, and it cannot perform system maintenance on their behalf.
In most cases, the CERT-Radboudumc will provide pointers to the information needed to implement appropriate measures.
The CERT-Radboudumc is committed to keeping the Radboud University Medical Center system administration community informed of potential vulnerabilities, and where possible, will inform this community of such vulnerabilities before they are actively exploited.
4.2. Co-operation, Interaction and Disclosure of Information
ALL incoming information is handled confidentially by CERT-Radboudumc, regardless of its priority.
Information that is evidently very sensitive in nature is only communicated in an encrypted fashion. When reporting an incident of very sensitive nature, please state so explicitly (e.g. by using the label VERY SENSITIVE in the subject field of e-mail) and use encryption as well.
CERT-Radboudumc will use the information you provide to help solve security incidents, as all CSIRTs do or should do. This means explicitly that the information will be distributed further only on a need-to-know basis, and in an anonymized fashion.
If you object to this default behaviour of CERT-Radboudumc, please make explicit what CERT-Radboudumc can do with the information you provide. CERT-Radboudumc will adhere to your policy, but will also point out to you if that means that CERT-Radboudumc cannot act on the information provided.
CERT-Radboudumc does not report incidents to law enforcement unless Dutch law requires it, as in the case of first-degree crime. Likewise, CERT-Radboudumc cooperates with law enforcement only in the course of an official investigation (i.e. when a court order is present), or when a CERT-Radboudumc constituent requests that CERT-Radboudumc cooperate in an investigation. In the latter case, when a court order is absent, CERT-Radboudumc may only provide information on a need-to-know basis.
In the paragraphs below, "affected parties" refers to the legitimate owners, operators, and users of the relevant computing facilities. It does not refer to unauthorized users, including otherwise authorized users making unauthorized use of a facility; such intruders may have no expectation of confidentiality from the CERT-Radboudumc. They may or may not have legal rights to confidentiality; such rights will of course be respected where they exist.
Information being considered for release will be classified as follows:
- Private user information is information about particular users, or in some cases, particular applications, which must be considered confidential for legal, contractual, and/or ethical reasons.
Private user information will not be released in identifiable form outside the CERT-Radboudumc, except as provided for below. If the identity of the user is disguised, then the information can be released freely (for example to show a sample .cshrc file as modified by an intruder, or to demonstrate a particular social engineering attack).
- Intruder information is similar to private user information, but concerns intruders.
While intruder information, and in particular identifying information, will not be released to the public (unless it becomes a matter of public record, for example because criminal charges have been laid), it will be exchanged freely with system administrators and CSIRTs tracking an incident.
- Private site information is technical information about particular systems or sites.
It will not be released without the permission of the site in question, except as provided for below.
- Vulnerability information is technical information about vulnerabilities or attacks, including fixes and workarounds.
Vulnerability information will be released freely, though every effort will be made to inform the relevant vendor before the general public is informed.
- Embarrassing information includes the statement that an incident has occurred, and information about its extent or severity. Embarrassing information may concern a site or a particular user or group of users.
Embarrassing information will not be released without the permission of the site or users in question, except as provided for below.
- Statistical information is embarrassing information with the identifying information stripped off.
Statistical information will be released at the discretion of the Informatie Management Department.
- Contact information explains how to reach system administrators and CSIRTs.
Contact information will be released freely, except where the contact person or entity has requested that this not be the case, or where CERT-Radboudumc has reason to believe that the dissemination of this information would not be appreciated.
Potential recipients of information from the CERT-Radboudumc will be classified as follows:
- Because of the nature of their responsibilities and consequent expectations of confidentiality, members of Radboud University Medical Center management are entitled to receive whatever information is necessary to facilitate the handling of computer security incidents which occur in their jurisdictions.
- Members of the Office of Audit & Risk are entitled to receive whatever information they request concerning a computer security incident or related matter which has been referred to them for resolution.
- System administrators at Radboud University Medical Center who are members of the department Informatie Management are also, by virtue of their responsibilities, trusted with confidential information. However, unless such people are also members of CERT-Radboudumc, they will be given only that confidential information which they must have in order to assist with an investigation, or in order to secure their own systems.
- Users at Radboud University Medical Center are entitled to information which pertains to the security of their own computer accounts, even if this means revealing "intruder information", or "embarrassing information" about another user. For example, if account aaaa is cracked and the intruder attacks account bbbb, user bbbb is entitled to know that aaaa was cracked, and how the attack on the bbbb account was executed. User bbbb is also entitled, if she or he requests it, to information about account aaaa which might enable bbbb to investigate the attack. For example, if bbbb was attacked by someone remotely connected to aaaa, bbbb should be told the provenance of the connections to aaaa, even though this information would ordinarily be considered private to aaaa. Users at Radboud University Medical Center are entitled to be notified if their account is believed to have been compromised.
- The Radboud University Medical Center community will receive no restricted information, except where the affected parties have given permission for the information to be disseminated. Statistical information may be made available to the general Radboud University Medical Center community. There is no obligation on the part of the CERT-Radboudumc to report incidents to the community, though it may choose to do so; in particular, it is likely that the CERT-Radboudumc will inform all affected parties of the ways in which they were affected, or will encourage the affected site to do so.
- The public at large will receive no restricted information. In fact, no particular effort will be made to communicate with the public at large, though the CERT-Radboudumc recognizes that, for all intents and purposes, information made available to the Radboud University Medical Center community is in effect made available to the community at large, and will tailor the information in consequence.
- The computer security community will be treated the same way the general public is treated. While members of CERT-Radboudumc may participate in discussions within the computer security community, such as newsgroups, mailing lists (including the full-disclosure list "bugtraq"), and conferences, they will treat such forums as though they were the public at large. While technical issues (including vulnerabilities) may be discussed to any level of detail, any examples taken from CERT-Radboudumc experience will be disguised to avoid identifying the affected parties.
- The press will also be considered as part of the general public. The CERT-Radboudumc will not interact directly with the press concerning computer security incidents, except to point them toward information already released to the general public. If necessary, information will be provided to the Radboud University Medical Center Communicatie department, and to the Servicedesk ICT of the Informatie Management department. All incident-related queries will be referred to these two bodies. The above does not affect the ability of members of CERT-Radboudumc to grant interviews on general computer security topics; in fact, they are encouraged to do so, as a public service to the community.
- Other sites and CSIRTs, when they are partners in the investigation of a computer security incident, will in some cases be trusted with confidential information. This will happen only if the foreign site's bona fides can be verified, and the information transmitted will be limited to that which is likely to be helpful in resolving the incident. Such information sharing is most likely to happen in the case of sites well known to CERT-Radboudumc (for example, several other Dutch University Medical Centers have informal but well-established working relationships with Radboud University Medical Center in such matters).
For the purposes of resolving a security incident, otherwise semi-private but relatively harmless user information such as the provenance of connections to user accounts will not be considered highly sensitive, and can be transmitted to a foreign site without excessive precautions. "Intruder information" will be transmitted freely to other system administrators and CSIRTs. "Embarrassing information" can be transmitted when there is reasonable assurance that it will remain confidential, and when it is necessary to resolve an incident.
- Vendors will be considered as foreign CSIRTs for most intents and purposes. The CERT-Radboudumc wishes to encourage vendors of all kinds of networking and computer equipment, software, and services to improve the security of their products. In aid of this, a vulnerability discovered in such a product will be reported to its vendor, along with all technical details needed to identify and fix the problem. Identifying details will not be given to the vendor without the permission of the affected parties.
- Law enforcement officers will receive full cooperation from the CERT-Radboudumc, including any information they require to pursue an investigation, in accordance with Radboud University Medical Center policies.
4.3. Communication and Authentication
In view of the types of information that the CERT-Radboudumc will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, it will be encrypted (PGP); note that CERT-Radboudumc does not currently publish a public key, so an encrypted channel is arranged on request as described in section 2.8. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be encrypted for transmission.
Where it is necessary to establish trust, for example before relying on information given to the CERT-Radboudumc, or before disclosing confidential information, the identity and bona fides of the other party will be ascertained to a reasonable degree of trust. Within Radboud University Medical Center, and with known neighbor sites, referrals from known trusted people will suffice to identify someone. Otherwise, appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, etc., along with telephone call-back or e-mail mail-back to ensure that the party is not an impostor. Incoming e-mail whose data must be trusted will be checked with the originator personally, or by means of digital signatures.
5. Services
5.1. Incident Response
CERT-Radboudumc will assist system administrators in handling the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management:
5.1.1. Incident Triage
- Investigating whether indeed an incident occurred.
- Determining the extent of the incident.
5.1.2. Incident Coordination
- Determining the initial cause of the incident (vulnerability exploited).
- Facilitating contact with other sites which may be involved.
- Facilitating contact with Radboud University Medical Center Security and/or appropriate law enforcement officials, if necessary.
- Making reports to other CSIRTs.
- Composing announcements to users, if applicable.
5.1.3. Incident Resolution
- Removing the vulnerability.
- Securing the system from the effects of the incident.
- Evaluating whether certain actions are likely to reap results in proportion to their cost and risk, in particular those actions aimed at an eventual prosecution or disciplinary action: collection of evidence after the fact, observation of an incident in progress, setting traps for intruders, etc.
- Collecting evidence where criminal prosecution, or Radboud University Medical Center disciplinary action, is contemplated.
In addition, CERT-Radboudumc will collect statistics concerning incidents which occur within or involve the Radboud University Medical Center community, and will notify the community as necessary to assist it in protecting against known attacks.
To make use of CERT-Radboudumc’s incident response services, please send e-mail as per section 2.11 above. Please remember that the amount of assistance available will vary according to the parameters described in section 4.1.
5.2. Proactive Activities
The CERT-Radboudumc coordinates and maintains the following services to the extent possible depending on its resources:
- Information services
- List of departmental security contacts, administrative and technical. These lists will be available to the general public, via commonly-available channels such as the World Wide Web and/or the Domain Name Service.
- Mailing lists to inform security contacts of new information relevant to their computing environments. These lists will be available only to Radboud University Medical Center system administrators.
- Repository of vendor-provided and other security-related patches for various operating systems. This repository will be available to the general public wherever license restrictions allow it, and will be provided via commonly-available channels such as the World Wide Web and/or ftp.
- Repository of security tools and documentation for use by sysadmins. Where possible, precompiled ready-to-install versions will be supplied. These will be supplied to the general public via www or ftp as above.
- "Clipping" service for various existing resources, such as major mailing lists and newsgroups. The resulting clippings will be made available either on the restricted mailing list or on the web site, depending on their sensitivity and urgency.
- Training services
- Members of the CERT-Radboudumc will give periodic seminars on computer security related topics; these seminars will be open to Radboud University Medical Center system administrators.
- Auditing services
- Security level assignments; machines and subnetworks at Radboud University Medical Center will be audited and assigned a security level. This security level information will be available to the Radboud University Medical Center community, to facilitate the setting of appropriate access privileges. However, details of the security analyses will be confidential, and available only to the concerned parties.
- Archiving services
- Central logging service for machines capable of remote logging. Incoming log entries will be watched by an automated log analysis program, and events or trends indicative of a potential security problem will be reported to the affected system administrators.
- Records of security incidents handled will be kept. While the records will remain confidential, periodic statistical reports will be made available to the Radboud University Medical Center community.
6. Incident Reporting Forms
No local forms for reporting incidents to CERT-Radboudumc have been developed yet. Incidents can be reported by any of the methods mentioned in the previous sections.
7. Disclaimers
While every precaution will be taken in the preparation of information, notifications and alerts, CERT-Radboudumc assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.