IUCC logo



FIRST member since 1995














Incident Handling and Response Guide


February 2006











This Guide uses as its basis the CERN LCG/EGEE Incident Handling and Response Guide with local modifications for the IUCC environment.

1           Purpose

The purpose behind the development of this document is to reduce the incidence, severity, and exposure of IUCC to cyber security incidents. An incident is any real or suspected event that poses a real or potential threat to the integrity of services, resources, infrastructure, or identities in the IUCC network.

2           Policies

2.1               Reporting of security incidents

All IUCC and university members should report all security incidents to the IUCC CERT NOC team even if the incident is handled locally. A security incident that affects one campus one day, might very affect another campus on another day.

2.2               Handling of Sensitive Data

2.2.1           Incident information

Detailed and specific incident information should be shared with the IUCC CERT NOC team by all IUCC universities. The IUCC CERT NOC team commits to using appropriate safeguards to protect sensitive or privacy-related information included in the incident information even after they are no longer actively working on the incident.

Some details of the incident, MIGHT BE shared by the IUCC CERT NOC team with other NREN CERT teams or Internet security managers in order to contain the incident.

Nothing in these policies is meant to restrict the flow of information from a university to any other organization to which the university is required to report incidents.

Public disclosure of information regarding security events SHOULD be handled through the specific university Public Relations Department and SHOULD NOT contain more than summary information except for incident details related to specifics at the site. In the event of a security incident that involves two or more universities or involving the general IUCC infrastructure, then the IUCC MAY issue a press release via its Public Relations Department, once again only containing summary information about the incident. Preservation of supporting data and evidence collection

All supporting data for an incident SHOULD be treated consistent with the specific universitys rules for maintaining and storing such materials. In the event of an incident involving multiple universities, then the collection and coordination of evidence between sites is expected to be handled by the IUCC CERT NOC team.

3           Organizational Structure

3.1               Security Contacts

All IUCC university members MUST provide security contact information. Whenever possible, the information supplied SHOULD include detailed contact information for specific individuals involved with networking security on campus. Universities that consider security to be an around-the-clock effort should specify the times that their contacts can be notified. This information will be kept secret via the page https://cert.iucc.ac.il/internal-contact-info (accessible via a user and password or via a valid IUCC certificate). These individuals will be placed on the cert@cert.ac.il email list as a body of technical experts to provide advice and to report incidents.

3.2               IUCC CERT NOC

The IUCC CERT NOC members (nocplus@noc.ilan.net.il) will be responsible to track incidents, coordinate response processes, maintain the flow of information regarding incident status, and coordinate with all external organizations that need to be involved. In addition, the IUCC CERT NOC members are responsible to monitor various Internet security lists (site defacements, abusing IUCC IPs, etc.) and to forward the relevant incident information to the cert@cert.ac.il list. This will involve a 10% increase in IUCC CERT NOC payments.

3.3               Webmaster

The IUCC CERT webmaster maintains the IUCC CERT email list (cert@cert.ac.il), and the archived mailing list server. More importantly, the webmaster also updates the informational pages located on the https://cert.iucc.ac.il site. Information for the public and private pages is expected to be provided by the IUCC CERT NOC members, the individual university security contacts and by the IUCC CERT Coordinator. This will be a .2 FTE position (35hr/month).

3.4               Technical Coordinator

The IUCC CERT Coordinator will be responsible to coordinate all the activities of the IUCC CERT NOC and the IUCC CERT Webmaster maintain contact with other external CERT organizations and to arrange meetings and workshops for all group members. This will be a .1 FTE position (20hr/month).

3.5               Researcher and Grid Coordinator

The IUCC Grid Coordinator will be responsible for risk assessments, Grid related issues and maintain the contact with external organization (contact with other CERT organizations will be mainly done by the technical coordinator and backup by the Grid coordinator). This will be a 10hr/month position.


4           Supporting Resources

Public security contact information for the IUCC CERT is maintained at the site https://cert.iucc.ac.il/contact.

        Incident reporting will be done through the list cert@cert.ac.il as well as through the site page https://cert.iucc.ac.il/report-abuse which will cause an email to be sent to cert@cert.ac.il

        Discussion of incidents will be done through the same list

Similarly the email address of abuse@univ-name.ac.il should be used by each of the eight university members.

5           Process

The processes for incident handling and response are:

1.      Discovery and reporting

2.      Initial analysis and classification

3.      Containment

4.      Notification and escalation

5.      Analysis and response

6.      Post-incident analysis

5.1               Discovery and Reporting

Incidents will be discovered through a variety of means including users, system administrators, networking peers, monitoring of resources, and through monitoring of various Internet security lists.

When an incident is discovered that relates to IUCC or an IUCC university, it MUST be reported to the local institution incident handling process AND the discovering/reporting party MUST ensure that the incident is reported to the IUCC CERT NOC. The discovering or reporting party can report the incident to all involved via one email to cert@cert.ac.il.

5.2               Initial analysis and classification

During the day, the on-call IUCC CERT NOC member will receive the cert@cert.ac.il email abuse report and will need to make an initial analysis of the incident to determine whether this requires the immediate intervention of the specific university security personnel or whether a general notification can be sent which will be read at some later point. During nighttime and weekends, the university liasons and the external customer representatives who have authorization to contact the IUCC NOC Level-1 support as operated by Barak, will open security incidents via the same mechanism. The IUCC CERT NOC will explore other methods for receiving security alert notifications (such as via SMS).

5.3               Containment

When an attack occurs the most important aspect is to contain the attack. The IUCC CERT NOC would be responsible to take all necessary actions to contain the attack and inform the affected parties of what actions they have taken.

Sites SHOULD inform the IUCC CERT NOC of actions they take affecting the incident.

5.4               Notification and escalation

A procedure needs to be devised for escalation of security events. The IUCC CERT NOC might encounter incidents that will require an escalation on a 24x7 basis. This escalation procedure is still to be determined.

5.5               Analysis and Response

5.5.1           Resource tracking

Since the total cost of the incident is often important for legal action, sites should bear in mind during incident response that the incident response costs SHOULD be documented, including:


        containment actions taken

        what was determined

        what steps taken to respond/recover

        what was the extent of damage

        person-hours required in response

5.5.2           Evidence collection

The IUCC CERT NOC will be responsible to collect evidence in a fashion that would be admissable in an Israeli court of law. The IUCC CERT NOC would have to undergo training in this area since this is an unknown area for the IUCC CERT NOC.

5.6               Post-Incident Analysis

At the end of an incident, the IUCC CERT NOC SHOULD schedule a conference call to review the lessons learned and gather feedback from the specific universities involved). A close-out written report MUST be completed by the IUCC CERT NOC within 1 month following the incident.


6           Relevant and related standards and practices

RFC 2350 - Expectations for Computer Security Incident Response


RFC 2196 - Site Security Handbook


RFC 3227 Guidelines for Evidence Collection and Archiving


LCG Security Group, Agreement on Incident Response



CERT/CC - Handbook for Computer Security Incident Response Teams



CERT/CC - Incident Reporting Guidelines



CERT/CC - Creating a Computer Security Incident Response Team:

A Process for Getting Started



CERT/CC - State of the Practice of Computer Security Incident Response Teams (CSIRTs)