CSIRT Description for WWU-CERT

1. About this Document

This document contains a description of WWU-CERT according to RFC 2350. It provides information about the CERT, how to contact the team, and describes its responsibilities and the services offered by WWU-CERT.

1.1 Date of Last Update

This is version 1.0, published 2019/02/21.

1.2 Distribution List for Notifications

Notifications of updates are submitted to the moderated mailing list of information security officers at University of Münster (WWU) iv-sicherheit@uni-muenster.de. Subscription requests for this list should be sent to the list server at iv-sicherheit-request@uni-muenster.de with the subject of the message only consisting of the word "subscribe". There is also a website for list management at https://listserv.uni-muenster.de/mailman/listinfo/iv-sicherheit.

1.3 Locations Where this Document May Be Found

The current version of this CSIRT description document is available from the WWU-CERT website; its URL is

Additionally a German version is available at:

Please make sure you are using the latest version.

1.4 Authenticating this Document

Both the English and German versions of this document have been signed with the WWU-CERT's PGP key. The key's fingerprint can be found on the WWU-CERT website. The public key can be downloaded from the usual key servers, for example the SURFnet public key server (https://pgp.surfnet.nl). See section 2.8 for more information.

The signatures are on our website, found under:

2. Contact Information

2.1 Name of the Team

WWU-CERT: Computer Emergency Response Team of Westfälische Wilhelms-University (WWU) Münster.

2.2 Address

WWU-CERT
Westfälische Wilhelms-University, Centre for Information Processing (ZIV)
Röntgenstr. 7-13
48149 Münster
Germany

2.3 Time Zone

Europe/Berlin (GMT+0100, and GMT+0200 from April to October)

2.4 Telephone Number

+49 251 83 31600 (ask for WWU-CERT)

2.5 Facsimile Number

+49 251 83 31552 (this is not a secure fax)

2.6 Other Telecommunication

None available.

2.7 Electronic Mail Address

cert@uni-muenster.de - This is a mail alias that relays mail to the humans on duty for the WWU-CERT.

2.8 Public Keys and Other Encryption Information

The WWU-CERT has a PGP key, whose KeyID is 0xC01D356E and whose fingerprint is

  • DAFE C355 08F3 CB67 2DF7 C3C2 76E4 1181 C01D 356E.

The key and its signatures can be found at the usual large public keyservers, e.g. https://pgp.surfnet.nl.

This key still has relatively few signatures; efforts are underway to increase the number of links to this key in the PGP "web of trust". In the meantime, since most fellow universities in Germany have at least one staff member who knows the WWU-CERT coordinator Thorsten Küfer, he has signed the WWU-CERT key, and will be happy to confirm its fingerprint and that of his own key to those people who know him, by telephone or in person.

The WWU-CERT has an X.509 key, whose KeyID is 0x1CC0EF0BDB7C522BDE365E47 and whose fingerprint is

  • F1D9 74CB 7594 B343 58F0 0C10 0EB8 5049 B6CB AAD6.

The key and its signatures can be found at the DFN-PKI keyserver.

2.9 Team Members

Thorsten Küfer of Computing Services is the WWU-CERT coordinator.

Backup coordinators and other team members, along with their areas of expertise and contact information, are listed on the WWU-CERT website, at

Management, liaison and supervision are provided by Dr. Raimund Vogl, CIO, Director of Centre for Information Processing (ZIV).

2.10 Other Information

General information about the WWU-CERT, as well as links to various recommended security resources, can be found at

2.11 Points of Customer Contact

The preferred method for contacting the WWU-CERT is via e-mail at cert@uni-muenster.de; e-mail sent to this address will "biff" the responsible human, or be automatically forwarded to the appropriate backup person. If you require urgent assistance, put "urgent" in your subject line.

If it is not possible (or not advisable for security reasons) to use e-mail, the WWU-CERT can be reached by telephone during regular office hours. Telephone messages are checked less often than e-mail.

The WWU-CERT's hours of operation are generally restricted to regular business hours (07:00-17:00, Monday to Friday except holidays).

If possible, when submitting your report, use the form mentioned in section 6.

3. Charter

3.1 Mission Statement

The purpose of the WWU-CERT is, first, to assist members of the University of Münster (WWU) community in implementing proactive measures to reduce the risks of computer security incidents, and second, to assist the University of Münster (WWU) community in responding to such incidents when they occur.

The WWU-CERT is responsible for resolving computer security incidents related to systems or user accounts at University of Münster (WWU).

The main goal is to protect the reputation of the University of Münster (WWU) from negligent or illegal usage of the university's IP addresses or resources. This includes but is not limited to the following tasks:

  1. Contact for all computer security related questions.
  2. Help as quickly and efficiently as possible in response to security incidents (such as hacker attacks, critical vulnerabilities, computer viruses and worms, spamming etc.).
  3. Blocking of computers or accounts in acute incidents.
  4. Preparation of information and conduct of examinations, as far as this serves for prevention or for the verification of leads.
  5. Review of and, if necessary, response to copyright infringement.
  6. Processing of public prosecutorial and police inquiries.
  7. Operation and monitoring of Intrusion Detection and Intrusion Prevention Systems (IDS / IPS).
  8. Acceptance and documentation of all security-related incidents, which must also be reported to external bodies (such as the DFN-CERT).
  9. Cooperation with the CERT of the German Research Network (DFN-CERT) as well as national and international interest groups and all those responsible for computer security at the University of Münster (WWU).
  10. Cooperation in the design of security-relevant regulations.

3.2 Constituency

The WWU-CERT's constituency is the University of Münster (WWU) community, as defined in the scope of the University of Münster (WWU) "Policy on Information Security". This policy is available at

However, please note that, notwithstanding the above, WWU-CERT services will be provided for on-site systems only.

WWU-CERT provides services for the following public IP address spaces:

  • 128.176.0.0/17
  • 128.176.128.0/17
  • 185.151.152.0/22
  • 193.175.4.0/24
  • 193.175.250.0/24
  • 212.201.112.0/22
  • 212.201.144.0/21
  • 2001:638:500::0/48
  • 2001:4cf0::0/29

3.3 Sponsorship and Affiliation

The WWU-CERT was incorporated on 2000/01/14 and is sponsored by the Centre for Information Processing (ZIV) of University of Münster (WWU) (https://www.uni-muenster.de/ZIV/en). It maintains affiliations with DFN German Research Network (https://www.dfn.de), CERT-Verbund (https://www.cert-verbund.de) and various University CSIRTs throughout Germany on an as-needed basis.

The office of the WWU-CERT is established at the Centre for Information Processing (ZIV).

3.4 Authority

The WWU-CERT operates under the auspices of, and with authority delegated by, the Centre for Information Processing (ZIV) of University of Münster (WWU). For further information on the mandate and authority of the Centre for Information Processing (ZIV), please refer to the university's "Policy on Information Security", available at

The WWU-CERT expects to work cooperatively with system administrators and users at University of Münster (WWU), and, insofar as possible, to avoid authoritarian relationships. However, should circumstances warrant it, the WWU-CERT will appeal to Centre for Information Processing (ZIV) to exert its authority, direct or indirect, as necessary.

Members of the University of Münster (WWU) community who wish to appeal the actions of the WWU-CERT should contact the Director of Centre for Information Processing (ZIV). If this recourse is not satisfactory, the matter may be referred to the Chief Information Officer (CIO) (in the case of perceived problems with existing policy), or to the IT commission of University of Münster (WWU) (in the case of perceived errors in the application of existing policy).

4. Policies

4.1 Types of Incidents and Level of Support

The WWU-CERT is authorized to address all types of computer security incidents which occur, or threaten to occur, at University of Münster (WWU).

The level of support given by WWU-CERT will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and the WWU-CERT's resources at the time, though in all cases some response will be made within two working days. Resources will be assigned according to the following priorities, listed in decreasing order:

  • Threats to the physical safety of human beings.
  • Root or system-level attacks on any Management Information System, or any part of the backbone network infrastructure.
  • Root or system-level attacks on any large public service machine, either multi-user or dedicated-purpose.
  • Compromise of restricted confidential service accounts or software installations, in particular those used for MIS (management information system) applications containing confidential data, or those used for system administration.
  • Denial of service attacks on any of the above three items.
  • Any of the above, originating from University of Münster (WWU) and concerning foreign systems.
  • Large-scale attacks of any kind, e.g. sniffing attacks, social engineering attacks, password cracking attacks.
  • Threats, harassment, and other criminal offenses involving individual user accounts.
  • Compromise of individual user accounts on multi-user systems.
  • Compromise of desktop systems.
  • Forgery and misrepresentation, and other security-related violations of local rules and regulations, e.g. copyright infringements, netnews and e-mail forgery, unauthorized use of IRC bots.
  • Denial of service on individual user accounts, e.g. mailbombing.

Types of incidents other than those mentioned above will be prioritized according to their apparent severity and extent.

Incident response distinguishes between on-site systems and off-site systems:

  • Intranet: As soon as the WWU-CERT receives an indication of an incident regarding employee computers, it attempts to contact the technically responsible person by telephone in order to coordinate the necessary measures with that person and, if necessary, the shutdown of the computer. If no person in charge can be reached, the computer is disconnected on the network side and the technically responsible person as well as the responsible IT support unit (IVV) are notified by e-mail with information about the incident and the measures to be taken.
  • Remote access: In case of incidents in the remote access area (VPN, Wi-Fi, etc.), any existing connection is disconnected directly and a dial-in block is set. The user account as such is not limited in its usability by this block. An e-mail will also be sent with exact information about the nature of the incident and the measures to be taken for unblocking the remote access.

Note that no direct support will be given to end users; they are expected to contact the responsible system administrator of their IVV (see https://www.uni-muenster.de/de/en/zentraledienstleister/ivven.html), central network administration (NOC, https://www.uni-muenster.de/ZIV/Technik/Netz/NOC.html), the central user help desk (ZIV) (see https://www.uni-muenster.de/ZIV/en/Hilfe/Ansprechpartner.html) or the department head for assistance. The WWU-CERT will support the latter people.

While the WWU-CERT understands that there exists great variation in the level of system administrator expertise at University of Münster (WWU), and while the WWU-CERT will endeavor to present information and assistance at a level appropriate to each person, the WWU-CERT cannot train system administrators on the fly, and it cannot perform system maintenance on their behalf. In most cases, the WWU-CERT will provide pointers to the information needed to implement appropriate measures. System administrators should contact the IT security officer (IV-SB) of the department (see https://www.uni-muenster.de/IV-Sicherheit/intern/sicherheitsbeauftragte.html).

The WWU-CERT is committed to keeping the University of Münster (WWU) IT security officers (IV-SB) and system administration community informed of potential vulnerabilities, and where possible, will inform this community via the mailing list iv-sicherheit@uni-muenster.de of such vulnerabilities before they are actively exploited.

4.2 Co-operation, Interaction and Disclosure of Information

While there are legal and ethical restrictions on the flow of information from WWU-CERT, some of which are also outlined in the "Usage Regulations of the Centre for Information Processing and the IP Provider Units of University of Münster (WWU)" (https://www.uni-muenster.de/imperia/md/content/ziv/pdf/ziv_benutzungsordnung_en.pdf), and all of which will be respected, the WWU-CERT acknowledges its indebtedness to, and declares its intention to contribute to, the spirit of cooperation that created the Internet. Therefore, while appropriate measures will be taken to protect the identity of members of our constituency and other involved people where necessary, the WWU-CERT will otherwise share information freely when this will assist others in resolving or preventing security incidents. In particular, the Traffic Light Protocol (TLP) is used to protect information during the exchange (see section 4.3).

In the paragraphs below, "affected parties" refers to the legitimate owners, operators, and users of the relevant computing facilities. It does not refer to unauthorized users, including otherwise authorized users making unauthorized use of a facility; such intruders may have no expectation of confidentiality from the WWU-CERT. They may or may not have legal rights to confidentiality; such rights will of course be respected where they exist.

Information being considered for release will be classified as follows:

  • Private user information is information about particular users, or in some cases, particular applications, which must be considered confidential for legal, contractual, and/or ethical reasons.

    Private user information will not be released in identifiable form outside the WWU-CERT, except as provided for below. If the identity of the user is disguised, then the information can be released freely (for example to show a sample .cshrc file as modified by an intruder, or to demonstrate a particular social engineering attack).

  • Intruder information is similar to private user information, but concerns intruders.

    While intruder information, and in particular identifying information, will not be released to the public (unless it becomes a matter of public record, for example because criminal charges have been laid), it will be exchanged freely with IT security officers (IV-SB), system administrators and CSIRTs tracking an incident.

  • Private site information is technical information about particular systems or sites.

    Such information will not be released without the permission of the site in question, except as provided for below.

  • Vulnerability information is technical information about vulnerabilities or attacks, including fixes and workarounds.

    Vulnerability information will be released freely, though every effort will be made to inform the relevant vendor before the general public is informed.

  • Embarrassing information includes the statement that an incident has occurred, and information about its extent or severity. Embarrassing information may concern a site or a particular user or group of users.

    Embarrassing information will not be released without the permission of the site or users in question, except as provided for below.

  • Statistical information is embarrassing information with the identifying information stripped off.

    Statistical information will be released at the discretion of the WWU-CERT.

  • Contact information explains how to reach system administrators and CSIRTs.

    Contact information will be released freely, except where the contact person or entity has requested that this not be the case, or where WWU-CERT has reason to believe that the dissemination of this information would not be appreciated.

Potential recipients of information from the WWU-CERT will be classified as follows:

  • Because of the nature of their responsibilities and consequent expectations of confidentiality, management members of University of Münster (WWU) are entitled to receive whatever information is necessary to facilitate the handling of computer security incidents which occur in their jurisdictions.

  • Members of the Office of Rights and Responsibilities are entitled to receive whatever information they request concerning a computer security incident or related matter which has been referred to them for resolution.

  • IT security officers (IV-SB) and system administrators at University of Münster (WWU) are, by virtue of their responsibilities, trusted with confidential information. However, unless such people are also members of WWU-CERT, they will be given only that confidential information which they must have in order to assist with an investigation, or in order to secure their own systems.

  • Users at University of Münster (WWU) are entitled to information which pertains to the security of their own user accounts, even if this means revealing "intruder information", or "embarrassing information" about another user. For example, if account aaaa has been hacked and the intruder attacks account bbbb, user bbbb is entitled to know that aaaa was hacked, and how the attack on the bbbb account was executed. User bbbb is also entitled, if she or he requests it, to information about account aaaa which might enable bbbb to investigate the attack. For example, if bbbb was attacked by someone remotely connected to aaaa, bbbb should be told the provenance of the connections to aaaa, even though this information would ordinarily be considered private to aaaa. Users at University of Münster (WWU) are entitled to be notified if their account is believed to have been compromised.

  • The University of Münster (WWU) community will receive no restricted information, except where the affected parties have given permission for the information to be disseminated. Statistical information may be made available to the community. There is no obligation on the part of the WWU-CERT to report incidents to the community, though it may choose to do so; in particular, it is likely that the WWU-CERT will inform all affected parties of the ways in which they were affected, or will encourage the affected site to do so.

  • The public at large will receive no restricted information. In fact, no particular effort will be made to communicate with the public at large, though the WWU-CERT recognizes that, for all intents and purposes, information made available to the University of Münster (WWU) community is in effect made available to the community at large, and will tailor the information in consequence.

  • The computer security community will be treated the same way the general public is treated. While members of WWU-CERT may participate in discussions within the computer security community, such as newsgroups, mailing lists, and conferences, they will treat such forums as though they were the public at large. While technical issues (including vulnerabilities) may be discussed to any level of detail, any examples taken from WWU-CERT experience will be disguised to avoid identifying the affected parties.

  • The press will also be considered as part of the general public. The WWU-CERT will not interact directly with the press concerning computer security incidents, except to point them toward information already released to the general public. If necessary, information will be provided to the University of Münster (WWU) Public Relations Department, and to the Customer Relations group of the Centre for Information Processing (ZIV). All incident-related queries will be referred to these two bodies. The above does not affect the ability of members of WWU-CERT to grant interviews on general computer security topics; in fact, they are encouraged to do so, as a public service to the community.

  • Other sites and CSIRTs, when they are partners in the investigation of a computer security incident, will in some cases be trusted with confidential information. This will happen only if the foreign site's bona fide can be verified, and the information transmitted will be limited to that which is likely to be helpful in resolving the incident. Such information sharing is most likely to happen in the case of sites well known to WWU-CERT (for example, CERTs or CSIRTs of other known universities).

    For the purposes of resolving a security incident, otherwise semi-private but relatively harmless user information such as the provenance of connections to user accounts will not be considered highly sensitive, and can be transmitted to a foreign site without excessive precautions. "Intruder information" will be transmitted freely to other system administrators and CSIRTs. "Embarrassing information" can be transmitted when there is reasonable assurance that it will remain confidential, and when it is necessary to resolve an incident.

  • Vendors will be considered as foreign CSIRTs for most intents and purposes. The WWU-CERT wishes to encourage vendors of all kinds of networking and computer equipment, software, and services to improve the security of their products. In aid of this, a vulnerability discovered in such a product will be reported to its vendor, along with all technical details needed to identify and fix the problem. Identifying details will not be given to the vendor without the permission of the affected parties.
  • Law enforcement officers will receive full cooperation from the WWU-CERT, including any information they require to pursue an investigation, in accordance with the "Usage Policy for Services of the University of Münster (WWU)". In these cases, the legal department of University of Münster (WWU) is involved.

4.3 Communication and Authentication

In view of the types of information that the WWU-CERT will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP or S/MIME encryption will be used. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be encrypted for transmission.

Where it is necessary to establish trust, for example before relying on information given to the WWU-CERT, or before disclosing confidential information, the identity and bona fide of the other party will be ascertained to a reasonable degree of trust. Within University of Münster (WWU), and with known CERTs or CSIRTs, referrals from known trusted people will suffice to identify someone. Otherwise, appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, along with telephone call-back or signed e-mail mail-back to ensure that the party is not an impostor. Incoming e-mail whose data must be trusted will be checked with the originator personally, or by means of digital signatures (PGP or S/MIME are supported).

All e-mail postings containing official statements on behalf of the team or team members should be signed using X.509 or PGP. All e-mail containing confidential information should be encrypted and signed using X.509 or PGP.

WWU-CERT supports the Traffic Light Protocol (TLP) (https://www.first.org/tlp/) for sharing of information.

4.4 Reaction Time

Our first response is usually made on the same working day; if not, we will respond on the following working day.

Our contact information, the business hours and emergency procedure can be found in chapter 2.

5. Services

5.1 Incident Response

The WWU-CERT supports IT security officers (IV-SB) and system administrators in dealing with technical and organizational aspects of incidents. In particular, it provides support or advice on the following basic steps of incident handling (as per DFN-CERT, https://www.dfn-cert.de/information/grundlegende-schritt-zur-unterfallsbearbeitung.html):

5.1.1 Preparation

In preparation, organizational units have to compile contact lists with contact persons and documentation on supervised systems, and ideally create emergency plans for different scenarios. More detailed information can be found in section 5.2.

5.1.2 Incident Discovery

The discovery of a security incident is the first step in its treatment. Often it is not easy to decide if an incident exists or not. To decide this, one should proceed systematically and be guided by incident checklists (see DFN-CERT).

5.1.3 Incident Analysis

The analysis deals with the clarification of the circumstances of the security incident as well as with the coordination of further proceedings with all involved parties. In addition to colleagues, this also includes supervisors, customers as well as administrators and users of the affected systems and applications. Other stakeholders may include their lawyer or investigative authorities (specifically, when legal action is required or reported), the press office, ISPs, manufacturers (e.g., for patches), and possibly other CSIRTs.

To clarify the extent of the incident, the following questions should be discussed:

  • When and where did the incident happen?
  • What exactly happened?
  • Who is involved and who is the attacker?
  • How was the attack executed? Which vulnerability has been exploited?
  • What damage has been done so far? What further damage can be expected?

5.1.4 Containment

Containment is about protecting the system from further damage from the incident and eliminating the vulnerability.

Often a final solution to the problem is not immediately possible. For example, patches are not allowed during service (Service Level Agreements) or you do not want to cancel running jobs / experiments. Nevertheless, it is important to prevent further damage (for example, through worms, Spam, DDoS attacks, etc.), especially for third parties. Sometimes containment is even the only option left because there is no "final" solution, e.g. during a DDoS attack.

Containment measures need to be considered very carefully so as not to cause more damage by those measures (for example by shutting down services) than the attacker would (potentially) cause. Some actions are taken only for a short time until system maintenance is possible.

5.1.5 Regain Control

Regaining control means in many cases: reinstalling. Unfortunately, this step is unavoidable, especially in the case of infestation by viruses / worms or in case of direct unauthorized system access. The containment described in the previous section has the disadvantage that the cause of the problem is not removed. The removal of backdoors or worms does not, for example, remove the weak point that made it possible to break into the system in the first place. Also, you can never be sure (especially with kernel rootkits) that all the remnants of the attacker have been removed from the system.

In addition to the actual reinstallation, the hardening of the system should not be forgotten. This includes not only the installation of all security patches, but also the secure configuration of the services. Software from third-party manufacturers and self-developed software must not be forgotten. Most importantly, all passwords should be changed, both locally and within the domain if the attacker had access to the password database (LDAP server, KDC, domain controller). If weak passwords were the possible cause, the password policy should be adjusted accordingly. Keys for signature or encryption, i.e. X.509, PGP and SSH keys, are also vulnerable. If they are not changed, the attacker could still have access to VPNs, e-mail, web applications, or GRID systems.

5.1.6 Follow-Up

When emergency plans are applied, everything rarely works as planned. Therefore, after the incident, the participants should gather for a follow-up of the incident and discuss:

  • What (which measures) worked?
  • What did not work?
  • What could have been better?
  • Which (sub)plans have to be changed?
  • Which parts of the documentation are incomplete? Which possible incident types were forgotten?

The results of the follow-up are updated emergency plans and documentation, so that hopefully you are better prepared next time.

In addition, the WWU-CERT collects statistics on security incidents occurring within or involving the University of Münster (WWU). The members of the University of Münster (WWU) are notified when the circumstances of the security incident require it.

To request the support of the WWU-CERT when handling a security incident, the contact can be established by e-mail as described in Section 2.11. It should be noted that the level of support may vary (see section 4.1).

5.2 Proactive Activities

The WWU-CERT coordinates and maintains in cooperation with the ZIV the following services to the extent possible depending on its resources:

  • Information services

    • List of departmental IT security contacts, administrative and technical. These lists can be found on our websites: https://www.uni-muenster.de/IV-Sicherheit/intern/sicherheitsbeauftragte.html
    • Mailing lists to inform security contacts of new information relevant to their computing environments. These lists will be available only to University of Münster (WWU) IT security officers (IV-SB) and system administrators.
    • Repository of vendor-provided and other security-related patches for various operating systems. This repository will be available to the general public wherever license restrictions allow it, and will be provided via commonly-available channels such as the World Wide Web and/or ftp.
    • Repository of security tools and documentation for use by sysadmins. Where possible, precompiled ready-to-install versions will be supplied. These will be supplied to the general public via www or ftp as above.
    • "Clipping" service for various existing resources, such as major mailing lists and newsgroups. The resulting clippings will be made available either on the restricted mailing list or on the web site, depending on their sensitivity and urgency.
    • Provision of a malware analysis service for suspicious files to the University of Münster (WWU) community through the following URL: https://www.uni-muenster.de/ZIV.CERT/vt/.
  • Training services

    • Members of the WWU-CERT will give periodic seminars on computer security related topics; these seminars will be open to University of Münster (WWU) IT security officers (IV-SB) and system administrators.
  • Auditing services

    • Regularly performed vulnerability scans on exposed systems. Provision of a vulnerability scan on request to University of Münster (WWU) system administrators, which can be found at: https://www.uni-muenster.de/ZIV.CERT/scan/.
    • Security level assignments in cooperation with the IT security management team; machines and subnetworks at University of Münster (WWU) will be audited and assigned a security level. This security level information will be available to the University of Münster (WWU) community, to facilitate the setting of appropriate access privileges. However, details of the security analyses will be confidential, and available only to the concerned parties.
  • Archiving services

    • Central logging service for machines capable of Unix-style remote logging. Incoming log entries will be watched by an automated log analysis program, and events or trends indicative of a potential security problem will be reported to the affected system administrators.
    • Records of security incidents handled will be kept. While the records will remain confidential, periodic statistical reports will be made available to the University of Münster (WWU) community.

5.3 Reactive Activities

This includes the monitoring of central security systems (e.g. Intrusion Prevention System (IPS), antivirus system) as well as assistance with the forensic analysis of security incidents.

Detailed descriptions of the above services, along with instructions for their usage, are available on the WWU-CERT website, as per section 2.10 above.

6. Incident Reporting Forms

There are no local forms developed yet for reporting incidents to WWU-CERT.

Incident reports should contain the following information:

  • Incident date and time (including time zone)
  • Source IPs, ports, and protocols
  • Destination IPs, ports, and protocols

Preferably, the report includes a log file in a common format, e.g. Syslog or Common Event Format (CEF).

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, WWU-CERT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.

This document is provided 'as is' without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Use of this document is at the user's sole risk. All users expressly agree to this condition of use.

If you notice any mistakes within this document please send a message to WWU-CERT by e-mail. We will try to resolve such issues as soon as possible.

8. Copyright

Copyright (C) The Internet Society (1998). All Rights Reserved.
Copyright (C) DFN-CERT Services GmbH. All Rights Reserved.
Copyright (C) University of Münster (2019). All Rights Reserved.