SUNet CERT
Constituency: Swedish universities, museums and research institutes with
direct SUNet connection.
Historical review
- Very small-scale CERT at KTHNOC (the SUNet NOC) for several years.
- Security cooperation between Swedish universities via SUSEC for about
10 years.
- DDoS attacks raised awareness.
- SUNet CERT since about Oct 2000.
- Member of FIRST and (since the Copenhagen meeting) TI level 2.
Two hats
SUNet CERT is located at Uppsala University and manned by the same personnel
as UU's IRT.
Organisation
- 4 persons, equal to about one full-time employee, but around 2.5
together with UU-IRT.
- Manned during office hours, but KTHNOC is manned 7*24 and can be called in
emergencies.
- abuse@sunet.se, security@sunet.se, cert@cert.sunet.se -> sunet-cert
UU-IRT
- Spam and incident handling for Uppsala University.
- IDS, scanning.
- Security alerts.
- Around 2000 cases/year.
- Started (on a smaller scale) around 1990.
Services
- Security alerts, on average about one per week (guess that's about as
much as people read). Directed to university security contacts, usually
with scanning scripts, Snort rules etc.
- Incident coordination.
- Statistics and trend analysis.
- Seminars etc. (incident handling, IDS systems etc.).
- But NOT incident handling in the sense of digging into logs & machines.
Statistics
- Around 1000 incidents handled/year. That is: complaints forwarded
and followed up etc.
- A medium-sized university generated about 1200 reports/year.
- A lot of reports are forwarded as they are about things outside SUNet,
probably because people send complaints to
abuse@(domain-in-RIPE's changed-record).
Tools used
We have been using Request Tracker (RT) and Jitterbug for incident handling but
are in the process of migrating to RT version 2.
Contact info