Prosegur CERT

  • 1. About this document

1.1 Date of Last Update

This is version 1.0, published 2015/09/17.

1.2 Distribution List for Notifications

Notifications of updates are submitted to our constituency using established communication channels.

1.3 Locations where this Document May Be Found

The current version of this document is available from the PROSEGUR CERT Web site:

http://www.prosegur.es/web/groups/repositorio/documents/repositorio/prwebc035187.txt

1.4 Authenticating this Document

This document has been signed with the PROSEGUR CERT's PGP keys. The signatures are also on our Web site, under:

http://www.prosegur.es/web/groups/repositorio/documents/repositorio/prwebc035020.asc

http://www.prosegur.es/web/groups/repositorio/documents/repositorio/prwebc035019.asc

 
  • 2. Contact Information

2.1 Name of the Team

PROSEGUR CERT

2.2 Address

PROSEGUR CERT
Calle Pajaritos 24, 
28007 
Madrid

2.3 Time Zone

Central European Time - CET (GMT+0100 and GMT+0200 from April to October)

2.4 Telephone Number

+34 91 589 83 80 (CET)
Available during normal working hours.

2.5 Facsimile Number

+34 91 589 83 80 (CET) (this is *not* a secure fax)

2.6 Other Telecommunication

None available.

2.7 Electronic Mail Address

soc.cert@prosegur.com
This is the address for contacting PROSEGUR CERT.

soc.certgroup@prosegur.com
This is the address for reporting a computer security incident.

2.8 Public Keys and Other Encryption Information

The PROSEGUR CERT has the following PGP keys:

For information about the PROSEGUR CERT
soc.cert@prosegur.com
Key ID: 0x6EF18432
Fingerprint: 5B44 485C C344 A83F 7C9B F5A6 E028 C7A6 6EF1 8432

For Incident Response
soc.certgroup@prosegur.com
Key ID: 0xC7403B2A
Fingerprint: B1DC FB9E 5FF0 1324 BF08 DC36 4195 0D39 C740 3B2A

2.9 Team Members

The Incident Response Chair is Jorge Alcaín Pro.

Fernando Romero Horcajada
fernando.romero-horcajada@prosegur.com
Key ID: 0xDA51B7C
Fingerprint: 9898 8275 E284 A003 4546 14B0 6ABE A4E5 0DA5 1B7C

2.10 Other Information

General information about the PROSEGUR CERT, as well as links to various recommended security resources can be found at

http://www.prosegur.com/corp/Servicios/ciberseguridad/CERT/index.htm

2.11 Points of Customer Contact

The preferred method for reporting a computer security incident is by email to the PROSEGUR CERT incident mailbox, soc.certgroup@prosegur.com.

2.12 Operating hours

The Incident Response Team is available 0800-1900 (CET), Monday to Friday, following the Spanish working calendar.
24x7x365 coverage is under development.

 
  • 3. Charter

3.1 Mission Statement

PROSEGUR launched a new business line focused on cybersecurity management, including cyberattack prevention, detection and response.

3.2 Constituency

The PROSEGUR CERT offering currently comprises Logical Security (managed security, monitoring and correlation, vulnerability management, source code security and ethical hacking), Digital Surveillance (content monitoring of open web sources) and Cyberintelligence (content monitoring of non-listed Internet sources, Internet security audits, ad hoc investigations).

3.3 Sponsorship and/or Affiliation

PROSEGUR CERT is sponsored by PROSEGUR.

3.4 Authority

PROSEGUR CERT provides services for PROSEGUR and companies.

 
  • 4. Policies

4.1 Types of Incidents and Level of Support

Resources will be assigned according to the following priorities:

  • Threats to the physical safety of human beings.
  • Root or system-level attacks on any Management Information System or any part of the backbone network infrastructure.
  • Root or system-level attacks on any large public service machine, either multi-user or dedicated-purpose.
  • Compromise of restricted confidential service accounts or software installations, in particular those used for MIS applications containing confidential data, or those used for system administration.
  • Denial of service attacks on any of the above three items.
  • Any of the above at other sites, originating from the Constituency of the PROSEGUR CERT.
  • Large-scale attacks of any kind, e.g. sniffing attacks, IRC "social engineering" attacks, password cracking attacks.
  • Threats, harassment, and other criminal offenses involving individual user accounts.
  • Compromise of individual user accounts on multi-user systems.
  • Compromise of desktop systems.
  • Forgery and misrepresentation, and other security-related violations of local rules and regulations, e.g. netnews and e-mail forgery, unauthorized use of IRC bots.
  • Denial of service on individual user accounts, e.g. mailbombing.

Types of incidents other than those mentioned above will be prioritized according to their apparent severity and extent.

In most cases, PROSEGUR CERT will provide pointers to the information needed to implement appropriate measures.

The PROSEGUR CERT is committed to keeping its constituency informed of potential vulnerabilities, and where possible, will inform this community of such vulnerabilities before they are actively exploited.

4.2 Co-operation, Interaction and Disclosure of Information

We will cooperate with other organizations in the field of computer security. This cooperation also includes and often requires the exchange of information regarding security incidents and vulnerabilities.

Nevertheless, the PROSEGUR CERT will protect the privacy of its constituency and therefore (under normal circumstances) pass on information in an anonymized way only. Unless explicitly authorized, the identity or vital information of victims of computer security incidents will not be divulged.

PROSEGUR CERT operates under the restrictions imposed by the law of the Spanish Data Protection Authority. Therefore, it is also possible that the PROSEGUR CERT may be forced to disclose information due to a court order.

4.3 Communication and Authentication

Telephone and unencrypted e-mail are considered sufficient for the transmission of low-sensitivity data. If it is necessary to send high sensitivity data by e-mail, PGP will be used. Network file transfers will be considered similar to e-mail for these purposes.

 
  • 5. Services

5.1 Reactive Services

5.1.1 Alerts and Warning

Monitoring and correlation of the systems and digital surveillance with early warning notifications.

5.1.2 Incident Handling

PROSEGUR CERT will assist its constituency in handling the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of the incident management:

  • Investigating whether indeed an incident occurred.
  • Determining the extent of the incident.

Incident Response Coordination:

  • Determining the initial cause of the incident (exploited vulnerability).
  • Facilitating contact with other sites which may be involved.
  • Facilitating contact with appropriate security teams.
  • Facilitating contact with Police Corps and law enforcement officials.
  • Making reports to other CSIRTs.
  • Composing announcements to users (members of the constituency), if applicable.

Incident Resolution:

  • Technical Assistance. This may include analysis of compromised systems.
  • Recommendations on Eradication or Elimination of the cause of a security incident (the vulnerability exploited) and its effects.
  • Recovery Aid in restoring affected systems and services to their prior status.
  • Forensics and Post-Mortem investigations.
  • Suggestions in securing the system from the effects of the incident.

The PROSEGUR CERT will collect statistics concerning incidents which occur within or involve its constituency and will notify the community as necessary to assist it in protecting against known attacks.

5.1.3 Vulnerability Handling

PROSEGUR CERT will assist its constituency in reacting to the discovery of new vulnerabilities. A database is maintained that collects information on vulnerabilities, automatically and manually, via network scans and by other means. Penetration testing teams are coordinated.

5.2 Proactive Activities

Proactive services provide means to reduce the number of actual incidents by giving proper and suitable information concerning potential incidents to the constituency. PROSEGUR CERT additional proactive services include:

5.2.1 Announcements

PROSEGUR CERT will provide its constituency with information about ongoing attacks, security vulnerabilities, alerts in the general sense, and short-term recommended course of action for dealing with the resulting problems.

5.2.2 Security Audits or Assessments

Auditing of network systems business.

5.2.3 Configuration and Maintenance of Security Tools, Applications, and Infrastructures

PROSEGUR CERT has a security information and event management (SIEM) tool. SIEM is a term for software products and services combining security information management (SIM) and security event management (SEM).

SIEM technology provides real-time analysis of security alerts generated by network hardware and applications.

5.2.4 Development of Security Tools

A repository of various tested security tools and security tools developed by PROSEGUR CERT will be supplied to the general public via web.

 
  • 6. Incident reporting

Incident reports can be sent by email to PROSEGUR CERT. Please provide as much detail as possible and attach any relevant files (log, email, image...).

 
  • 7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, the PROSEGUR CERT assumes no responsibility for errors, omissions, or for damages resulting from the use of the information contained.