CERT.br RFC2350

Version: 1.4
Date: January 12, 2024

1. Document Information

This document contains a description of CERT.br according to RFC 2350.

1.1 Date of Last Update

January 12, 2024

1.2 Distribution List for Notifications

There is no distribution list for notifications of new versions of this document.

1.3 Locations Where This Document May Be Found

The current version of this document can be found at
https://cert.br/about/rfc2350/

For validation purposes, a GPG signed ASCII version of this document is located at
https://cert.br/about/rfc2350/rfc2350-certbr.txt

The key used for signing is the CERT.br key as listed under 2.8.

2. Contact Information

2.1 Name of the Team

Name in English: CERT.br - Computer Emergency Response Team Brazil
Name in Portuguese: CERT.br - Centro de Estudos, Resposta e Tratamento de Incidentes de Segurança no Brasil

2.2 Address

CERT.br/NIC.br
Av. das Nações Unidas, 11541, Cj 71/72
04578-000 - São Paulo, SP - Brazil

2.3 Time zone

CERT.br is located in São Paulo, Brazil, UTC-0300. Brazil no longer observes daylight saving time.

2.4 Telephone number

Not applicable. CERT.br does not accept incident reports via telephone.

2.5 Facsimile number

Not applicable.

2.6 Other telecommunication

iNOC-DBA: 22548*800

2.7 Electronic mail address

Incident reports should be sent to cert@cert.br.

2.8 Public keys and encryption information

CERT.br PGP Key has annual validity and the year's key is generated in January.

The Key information can be found at: https://cert.br/contact/
CERT.br PGP Key can be found at: https://cert.br/pgp/CERTbr.asc

2.9 Team members

No public information is provided about CERT.br members.

2.10 Other information

For additional information about how to contact CERT.br, see:
https://cert.br/contact/

CERT.br is a FIRST member, details at:
https://www.first.org/members/teams/cert-br

CERT.br is a TF-CSIRT member, Accredited by Trusted Introducer, details at:
https://www.trusted-introducer.org/directory/teams/certbr.html

2.11 Points of customer contact

To contact CERT.br regarding security incidents related to Brazilian networks send an email to .

CERT.br operates from Monday through Friday, from 09:00h to 18:00h, UTC-0300.

3. Charter

3.1 Mission statement

To increase the level of security and incident handling capacity of the networks connected to the Internet in Brazil.

3.2 Constituency

CERT.br provides incident analysis and coordination for any network that uses Internet Resources allocated by NIC.br, namely IP addresses or Autonomous Systems allocated to Brazil, and domains under the ccTLD .br.

CERT.br will always try to coordinate with more specific Brazilian CSIRTs and Security Teams. If none is available, it will do its best to locate the party responsible for the Autonomous System.

Educational material is provided for the general public at these addresses:
https://cartilha.cert.br/
https://internetsegura.br/

3.3 Sponsorship and/or affiliation

CERT.br is a NIC.br service to Brazil. It was created in 1997 by initiative of the Brazilian Internet Steering Committee (CGI.br). CGI.br is a multi-stakeholder organization, coordinated by the Government, that coordinates all Internet related activities in Brazil.

Funding is solely provided by NIC.br (https://nic.br/).

The activities performed by CERT.br are in accordance with the CGI.br attributions, as defined in the Presidential Decree 4829[1], from 2003:

I - to establish strategic directives related to the use and development of the Internet in Brazil;
IV - to promote studies and recommend procedures, rules and technical and operational standards for the security of the network and services in the Internet, as well as for its growth and adequate use by the society;
VI - to be represented at national and international forums related to the Internet;

These activities are also in accordance with the NIC.br objectives, according to its Statute[2]:

IV - to address the security and emergency requisites of the Brazilian Internet, in articulation and cooperation with other entities;
VII - to promote and collaborate in the organization of courses, symposiums, seminars, conferences and congresses, with the objective of contributing to the development and improvement of teaching opportunities in its areas of expertise.

References (in Portuguese):
1. https://cgi.br/pagina/decretos/108
2. https://nic.br/estatuto-nic-br/

3.4 Authority

CERT.br has no authority over its constituency; all activities are based on collaborative relationships with other entities.

4. Policies

4.1 Types of incidents and level of support

CERT.br is a National CSIRT of Last Resort and provides a focal point for incident notification in the country, providing the coordination and necessary support for organizations involved in incidents, including:

- Support in the analysis of compromised systems and in their recovery process;
- Establish collaborative relationships with other entities, such as other CSIRTs, universities, Internet service and access providers and telecommunication companies;
- Maintain public statistics of incidents handled and spam complaints received.

CERT.br is also committed to keeping its constituency informed of new trends and threats.
In this respect CERT.br maintains both a national and an international network of sensors that provide data used to increase the capacity of incident detection, event correlation and trend analysis in the country.

4.2 Co-operation, interaction and disclosure of information

CERT.br treats all information as confidential by default, but will use the information shared to help solve security incidents. Information might be forwarded to other teams/organizations on a need-to-know basis. Information will be anonymised whenever it is feasible.

CERT.br adheres to the Information Sharing Traffic Light Protocol according to the FIRST Standard Definitions and Usage Guidance: https://www.first.org/tlp/. Information that is labelled with the tags WHITE, GREEN, AMBER, or RED will be handled appropriately.

4.3 Communication and authentication

For normal communication not containing sensitive information CERT.br uses conventional methods like unencrypted e-mail. Please refer to sections 2.7 and 2.8.

For sensitive information, the use of PGP encryption is strongly encouraged.

If it is necessary to authenticate a person before communicating, this can be done either through existing communities (e.g. FIRST, TI) or by other methods like call-back, mail-back or even a face-to-face meeting if necessary.

5. Services

5.1 Incident response

CERT.br will provide assistance to other teams in handling the technical and organizational aspects of incidents.

5.1.1. Incident triage

CERT.br will help to validate the incident, as well as to assess it and prioritise it.

5.1.2. Incident coordination

CERT.br encourages all teams to directly contact the most specific CSIRT or security team possible, and to keep CERT.br in copy on the communication.

CERT.br will then:

* Determine if all involved organizations were contacted and if any additional contact needs to be made;
* Facilitate contact with other parties which can help resolve the incident;
* If any help is needed, it will contact the involved organizations to help them to take the appropriate steps.

The most valuable service we can provide is to act as an information hub, which knows where to send the right incident reports in order to help and facilitate the resolution of security incidents.

Due to staffing levels we cannot guarantee we can reply to all incident reports received. If the report was already sent to the best possible contacts, CERT.br will record the incident for statistical purposes, but it might not send any reply.

If you haven't received any feedback to a report and need any action by CERT.br staff, please contact us again, clearly stating the type of help needed.

Auto-generated reports and data-feeds will be handled as automatically as possible.

5.1.3. Incident resolution

As CERT.br is a coordinating team, we do not have any authority to enforce requests for takedowns, shutdowns or any other specific action.

To the best of our ability we will:

* Advise local security teams and system administrators on appropriate actions;
* Identify any new type of incident that could require the dissemination of best practices for prevention of future incidents;
* Collect and publicly disclose statistics on incidents and trends, as a way to create situational awareness in our constituency.

5.2 Proactive activities

CERT.br has several activities which aim to help our constituency to prevent as well as better handle computer security incidents:

* Raise security awareness in its constituency;
* Provide formal training in incident management;
* Observe current trends in technology;
* Aggregate, validate and redistribute data-feeds;
* Transfer relevant knowledge to the constituency, through best practices documents, presentations and training;
* Provide fora for community building and information exchange within the constituency;
* Collect contact information of local security teams.

6. Incident reporting forms

There are no forms available. Please refer to section 2.7.

7. Disclaimers

While every precaution is taken in the preparation of information and notifications, CERT.br assumes no responsibility for errors or omissions, or for damages resulting from the use of the information provided.