Information security is about protecting the availability, integrity and confidentiality of information. It is not limited to data stored in IT systems; all valuable information, regardless of the way it is recorded or stored, needs to be safeguarded. Such data includes not only privacy-sensitive information but also research data and copyrighted materials.
Below the following subjects will be elaborated in more detail: CERT (Computer Incident Response Team), network policy en Responsible disclosure.
The aim of the Wageningen University & Research Computer Emergency Response Team (WUR-CERT) is to safeguard the IT facilities at WUR. WUR-CERT is responsible for preventing and solving any computer and network security incidents facing WUR. WUR-CERT provides the following services:
- Coordinating security incidents: organising and running a reporting centre for security incidents, coordinating and monitoring an adequate response to such incidents, including escalation to the line management or Executive Board.
- Providing information about preventing incidents and current threats. This includes passing on warnings from other CERTs, informing the management of the University in the event of national or large-scale malware attacks and enacting necessary measures at WUR.
- Making recommendations on Wageningen University & Research IT security aspects and security policy. WUR-CERT is authorised to give solicited and unsolicited advice to help resolve or reduce WUR-specific security problems.
There is a further explanation of the tasks and responsibilities of the WUR-CERT, in the appendix below.
CERT team as of July 2017
Only publicly available members are listed (in alphabetical order by last name) in the table below, all others can be reached via firstname.lastname@example.org
- Andre ten Böhmer (netwerk specialist)
- Freek Bolte (incident manager)
- Remon Klein Tank (security specialist)
- Ramon Kroese (desktop specialist)
- Erik Molenaar (network specialist)
- Sander van den Steen van Ommeren (application specialist)
- Raoul Vernède (security officer)
- Edwin op de Woert (web application specialist)
- Martijn Sueters (service desk employee)
For the world
In case of a security incident the preferred method for contacting the WUR-CERT is via e-mail at email@example.com
All other non-critical questions and remarks should be sent to the Servicedesk at firstname.lastname@example.org
WUR Students and employees
Students and employees of Wageningen University & Research should by default report security incidents to the Servicedesk FB-IT (email@example.com). They will relay the message to the WUR-CERT team or a specialist. In case of confidential information or incidents with high priority WUR-CERT can be contacted by telephone through the FB-IT Servicedesk (dial 0317-488888 and ask for WUR-CERT). Outside of working hours high priority issues can be sent directly to firstname.lastname@example.org
Encrypting and signing
Confidential information can be encrypted using the WUR-CERT PGP key. The key can also be used to verify the digital signature of WUR-CERT. Based on our email address email@example.com the key can be downloaded from well-known public key servers, specifically pgp.surfnet.nl. The WUR-CERT PGP key has the fingerprint fingerprint 8F96 1657 5D17 82ED 79D9 073C FEA1 776D 6E45 DBCF. It is important to check before downloading from a public key server that the fingerprint match with each other.
When reporting an incident, it is very important to provide as much information as possible, such as: date/time/place of the incident, if the incident has occurred several times and, if so, how often, IP numbers/systems involved (victim as well as suspected cause), related URLs, any (error) notifications, and (a printout of) log files.
Hours of operation
The WUR-CERT's hours of operation are generally restricted to regular business hours (08:30-17:00 from Monday to Friday except public holidays in the Netherlands). Outside the business hours, the mailbox will be checked on best-effort principle with reasonable intervals.
The WUR-CERT operates in timezone CET/CEST (UTC+01:00, and UTC+02:00 from April to October).
At the Wageningen University & Research, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.
Please do the following:
- E-mail your findings to firstname.lastname@example.org. Encrypt your findings using our PGP key to prevent this critical information from falling into the wrong hands. The key can be downloaded from well-known public key servers, specifically pgp.surfnet.nl. The WUR-CERT PGP key fingerprint can be found under contact information (above).
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data,
- Do not reveal the problem to others until it has been resolved,
- Do not use social engineering, distributed denial of service, spam, applications of third parties or attacks our physical security, and
- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible.
What we promise:
- We will respond to your report within 5 business days with our evaluation of the report and an expected resolution date,
- If you have followed the instructions above, we will not take any legal action against you in regard to the report,
- We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission,
- We will keep you informed of the progress towards resolving the problem,
- In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).
We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.
This Responsibel disclosure is based on an example written by Floor Terra.