GovCertUK assists Government departments and organisations in the recovery
from a computer security incident. We gather data from all available sources
to monitor the general threat level. For these reasons the early reporting
of incidents and attempted attacks is highly recommended.
To assist in the identification and categorisation of an event, please
read GovCertUK's Incident Response Guidelines (pdf) for further
information and guidance.
Reporting Process
Incidents should be reported by the Departmental Security Officer, or
equivalent (or an individual authorised by the DSO). In the first instance,
contact should be made by telephone (+44 (0)1242 709311) where an initial
assessment will be made. This should be followed up by completing the
incident response template (doc) and
emailing it to:
Unclassified: incidents@govcertuk.gov.uk
Restricted: incidents@govcertuk.gsi.gov.uk
During office hours (0830 - 1700) enquiries or incidents will be handled
by GovCertUK staff. Outside office hours, at weekends, and on public holidays
a duty officer will monitor correspondence and respond to telephone calls,
supported by on-call GovCertUK staff.
As much supporting information as possible should be supplied with an
incident response template, such as log files, internal/external IP addresses,
affected operating systems, software patching policy etc.
Malware samples
If advised by GovCertUK to submit a malware sample, follow this process:
- All samples should be renamed to <original file name>.<original file extension>.txt
- All samples should then be zipped and password protected using a
password of 'infected'
- It is recommended to PGP encrypt the message (and attachments)
with the GovCertUK Public Key, available here
- The email subject line should read 'MALWARE SAMPLE'
- Send the message to samples@govcertuk.gov.uk