RFC-2350

The following profile of Bayern-CERT has been composed according to RFC-2350.

1 Document Information

1.1 Date of Last Update

This version was published on 2022-08-02.

1.2 Distribution List for Notifications

None.

1.3 Locations where this Document may be found

The current version of this document can be found at:
https://www.lsi.bayern.de/mam/aktuelles/rfc2350_bayern-cert.txt

1.4 Document Authenticity

This document can be retrieved from our webserver using TLS/SSL.

2 Contact Information

2.1 Name

Bayern-CERT

2.2 Mailing Address

Landesamt fuer Sicherheit in der Informationstechnik (LSI)
Kesslerstrasse 1
90489 Nuernberg
GERMANY

2.3 Time Zone

CET/CEST, Central European Time/Central European Summer Time, UTC+0100/UTC+0200

2.4 Telephone Number

+49 911 21549 999

2.5 Facsimile Number

On special request only

2.6 Other Telecommunication

None.

2.7 Electronic Mail Address

cert@bayern.de

2.8 Public Keys and Encryption

Bayern-CERT's current PGP key is available under
https://www.lsi.bayern.de/mam/lsi/cert.txt

2.9 Team Members

No information is provided in public.

2.10 Operating Hours

Monday to Thursday 7:30-17h
Friday 7:30-15h
Exceptions will be December 24th, 31st and national holidays

2.11 Other Information

see: https://www.lsi.bayern.de

Bayern-CERT is a member of
- TF-CSIRT, see: https://www.trusted-introducer.org/directory/teams/bayern-cert-de.html
- Verwaltungs-CERT-Verbund (VCV)
- CERT-Verbund, see: https://www.cert-verbund.de/

3 Charter

3.1 Mission Statement

Bayern-CERT's mission is to protect and defend the Bavarian state IT infrastructure against threats and attacks that would breach the confidentiality, integrity or availability of information or IT assets. Furthermore, it is the central point of contact to coordinate and investigate security incidents within its constituency.

3.2 Constituency

Bayern-CERT's services are primarily available to the federal authorities of Bavaria and authorized participants connected to the Bavarian Government Network (BYBN).
Bayern-CERT is responsible in particular for the following domains and IP ranges:

*.bayern.de
195.200.70.0/23
193.34.207.0/24
212.144.246.32/27

3.3 Sponsoring Organization / Affiliation

State Office for Information Security (LSI)

3.4 Authority

Bayern-CERT's mandate is based on the Bavarian Digital-Law (BayDiG).
See: https://www.gesetze-bayern.de/Content/Document/BayDiG

To fulfil its mission, Bayern-CERT is authorised to monitor the BYBN network and its connections to the internet in order to detect attacks, breaches and other threats to information security. In case of an indication/alert the monitored data is processed as needed according to data protection regulations. For further investigations the constituency and affected parties will be informed or warned thereof.

4 Policies

4.1 Types of Incidents and Level of Support

The Bayern-CERT is authorised to address all types of computer security incidents which occur, or threaten to occur, within its constituency.

The level of support given by Bayern-CERT will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and the Bayern-CERT's resources at the time.

Typically the first response will be made within one working day, otherwise we will respond the following day.

4.2 Co-operation, Interaction and Disclosure of Information

Generally, incident-related information such as names and technical details is not published without agreement of the named parties. Bayern-CERT will never pass information to third parties unless Bayern-CERT is required to by law.

Under the condition of acceptance through affected parties or authorized by law, Bayern-CERT aims to share Tactics, Techniques and Procedures (TTPs) for the purpose of prevention and reaction to specific incidents. Therefore such information might be passed to entities such as:

- LSI's own technical experts and the Bavarian IT Situation Centre.
- Affected parties in our constituency.
- Affected ISPs/hosting providers in Germany.
- German law enforcement agencies (if required by law or on request by information source).
- CERT/CSIRT cooperation groups as named in 2.11

All information is passed depending on its classification and the need-to-know principle. Only the specifically relevant and anonymised extracts are passed on to external parties.

4.3 Communication and Authentication

The preferred method of communication is E-Mail.

Bayern-CERT respects the Traffic Light Protocol (TLP) as defined by the FIRST Standards Definitions, see: https://www.first.org/tlp/.

All sensitive communication to Bayern-CERT should be encrypted with our public PGP or S/MIME key. For the exchange of larger amounts of sensitive information a secured platform is in place.

5 Services

5.1 Incident Response

Bayern-CERT coordinates all activities related to incident response within its constituency. We provide support, help and advice with respect to the following aspects of incident management:

5.1.1 Incident Triage

- Investigating whether indeed an incident occurred.
- Determining the extent of the incident.

5.1.2 Incident Coordination

- Determining the initial cause of the incident (vulnerability exploited).
- Facilitating contact with other sites which may be involved.
- Making reports to other CSIRTs.

5.1.3 Incident Resolution

- Providing support and advice in removing the cause of a security incident and its effects.
- Collecting evidence where criminal prosecution is contemplated.
- Tracking the progress of the measures taken by the involved parties.

5.2 Proactive Activities

- Warning and Information Services (WID).
- Threat intelligence analysis and sharing.

Different sections of LSI offer additional services such as security auditing and consulting etc. More information on LSI's services is available under https://www.lsi.bayern.de/

6 Incident Reporting Forms

There are no special forms required to report an incident.
For our constituency a basic form to report an incident is available through the intranet.

7 Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, Bayern-CERT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.