This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[anti-abuse-wg] Adding a "Security Information" contact?

Previous message (by thread): [anti-abuse-wg] Adding a "Security Information" contact?
Next message (by thread): [anti-abuse-wg] Adding a "Security Information" contact?

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Carlos Friaças cfriacas at fccn.pt
Sat Jun 11 08:57:58 CEST 2022

Hi,
(CSIRT hat on)

I don't really agree with the vision where the taxonomy needs to be 
overloaded into object fields.

I always perceived the abuse-c field already as the security-c.
People interested in processing security/abuse issues will take messages 
received on the abuse-mailbox: seriously.

Moreover, there are also irt objects.

Regards,
Carlos



On Tue, 7 Jun 2022, Ángel González Berdasco via anti-abuse-wg wrote:

> El mar, 07-06-2022 a las 13:14 +0200, Gert Doering escribió:
>> Hi,
>>
>> On Tue, Jun 07, 2022 at 11:02:19AM +0000, Ángel González Berdasco via
>> anti-abuse-wg wrote:
>>> I don't think the problem would be to add a new attribute if
>> needed.
>>> The problem would be to *define* what should go there (and then get
>>> everyone downstream to use that new attribute)
>>
>> This...  so, what would you suggest?
>>
>> Gert Doering
>>         -- NetMaster
>> --
>
> I would use the Reference Security Incident Taxonomy (RSIT) as
> the classification source, which is the taxonomy used by (most of) the
> CSIRT community. See [1]
>
> So the PTY-MAXGROBECKER network could have:
>
> abuse-c: GROBECKER-ABUSE
>
> and the GROBECKER-ABUSE object:
> abuse-mailbox: general at abuse.grobecker.info
> abuse-mailbox-vulnerable: vulnerability-reports at abuse.grobecker.info
> abuse-mailbox-fraud: fraudabuses at abuse.grobecker.info
>
> where 'vulnerable', 'fraud', etc. are the machine readable tags defined
> in the RSIT for the values in the classification column.
>
> Thus, when CERT BUND wanted to report an unpatched Confluence, they
> would have an incident of type: "Vulnerable ? Vulnerable System", find
> that there is a 'abuse-mailbox-vulnerable' attribute and report it
> there.
>
> Whereas if it was a phishing landing page (incident of type Fraud ?
> Phishing), that would go to fraudabuses at abuse.grobecker.info (from
> 'abuse-mailbox-fraud')
>
> But if it was a host sending out spam, (incident classification Abusive
> Content	? Spam), having no "abuse-mailbox-abusive-content", it would
> fall back to abuse-mailbox and direct it to
> general at abuse.grobecker.info.
>
>
>
> Does something like this seem sensible to others?
>
>
> Best regards
>
>
>
> 1-
> https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force/blob/master/working_copy/humanv1.md
>
> -- 
> INCIBE-CERT - Spanish National CSIRT
> https://www.incibe-cert.es/
>
> PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys
>
> ====================================================================
>
> INCIBE-CERT is the Spanish National CSIRT designated for citizens,
> private law entities, other entities not included in the subjective
> scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen
> Jurídico del Sector Público", as well as digital service providers,
> operators of essential services and critical operators under the terms
> of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de
> las redes y sistemas de información" that transposes the Directive (EU)
> 2016/1148 of the European Parliament and of the Council of 6 July 2016
> concerning measures for a high common level of security of network and
> information systems across the Union.
>
> ====================================================================
>
> In compliance with the General Data Protection Regulation of the EU
> (Regulation EU 2016/679, of 27 April 2016) we inform you that your
> personal and corporate data (as well as those included in attached
> documents); and e-mail address, may be included in our records
> for the purpose derived from legal, contractual or pre-contractual
> obligations or in order to respond to your queries. You may exercise
> your rights of access, correction, cancellation, portability,
> limitationof processing and opposition under the terms established by
> current legislation and free of charge by sending an e-mail to
> dpd at incibe.es. The Data Controller is S.M.E. Instituto Nacional de
> Ciberseguridad de España, M.P., S.A. More information is available
> on our website: https://www.incibe.es/proteccion-datos-personales
> and https://www.incibe.es/registro-actividad.
>
> ====================================================================
>
> -- 
>
> To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://mailman.ripe.net/
>

Previous message (by thread): [anti-abuse-wg] Adding a "Security Information" contact?
Next message (by thread): [anti-abuse-wg] Adding a "Security Information" contact?

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ anti-abuse-wg Archives ]