Five frequently asked questions (and answers) about SURFcert
Who or what is SURFcert and how does it benefit your institution? Below are the most frequently asked questions and, of course, the corresponding answers.
Who or what is SURFcert?
SURFcert is the name of the cybersecurity incident response team for all SURF member institutions. We advise, alert on threats and coordinate incidents and vulnerabilities within the education and research sector. SURFcert's team consists of ten people, five of whom work at SURF and five at SURF member institutions. Our team is therefore formed not only for, but also by the members of SURF.
How does SURFcert help your institution?
We are there for you in case of crises or incidents. Is your institution under attack? Then you can call us 24/7 for immediate help and advice. We combat a DDoS attack immediately with our scrubbing centre in the SURF network, where we can filter out unwanted traffic. We also alert your institution to vulnerabilities we detect and share information and analysis on current threats. We also organise training on setting up and running good incident response.
As the coordinating Computer Emergency Response Team (CERT) for the whole sector, we maintain an overview of what is going on in the field of cybersecurity. We investigate whether, for example, indicators of compromise observed at one institution also occur at other institutions. We share these indicators with the institutions through MISP, making the cooperation as a whole stronger than the sum of its parts.
What is the relationship between SURFcert, the NCSC and Z-CERT?
The National Cyber Security Centre (NCSC) is the computer crisis team that focuses on central government and the vital sector, rather than education and research. For our sector, SURFcert has that coordinating role, which is why we have been designated by the minister as a sectoral CERT under the Wbni Act. SURFcert maintains close contact with the NCSC and other CERTs in the National Coverage System on behalf of SURF members. Naturally, we are also closely following the developments surrounding NIS2, although the exact impact within our sector is still unclear.
Because SURFcert is part of SURF, which also provides internet and other services to its members, we are in an exceptionally good position to help institutions. We can observe well what is going on where and act proactively.
SURFcert has developed a lot of knowledge about the specific landscape and threat picture in the education and research sector. We translate this knowledge into specific advice and actions for SURF members. We are in close contact with other CERTs, such as Z-CERT for the healthcare sector (including teaching hospitals), School-CERT for primary education and various CERTs from other sectors, both nationally and internationally through GÉANT and FIRST.
Who does SURFcert communicate with within my institution?
For notifications to your institution, we contact the Security Entry Point you have registered in SURFdashboard. This can be a counter such as the local CSIRT. If you do not have a Security Entry Point registered, or we need to reach someone in person, we will contact the Site Security Contact, a person within each institution who makes cybersecurity decisions. So it is vital that the contact details of these departments or individuals are up to date.
In addition to one-to-one contact, we share a lot of information in SURF institutions' community for operational security experts: SCIRT. Each institution can nominate members for this. Within SCIRT, institutions and SURFcert exchange experiences, analyses and indicators in confidence. In major incidents and crises, we also always inform SCIPR, the community of policy-related security professionals.
What is the difference between SURFcert and SURFsoc?
SURFcert is part of SURF's basic services and is available to all institutions free of charge. SURFsoc is an additional service you can purchase and offers advanced detection of incidents within your institution's network. If you purchase SURFsoc, you receive 24/7 notifications of detected security issues in the log sources you offer, which you then follow up yourself within your institution.
There are close links between SURFcert and SURFsoc. If SURFsoc detects a successful attack, SURFcert is also always called in to provide help and advice, and to determine whether the characteristics of the attack are also relevant to other institutions. SURFsoc uses indicators of compromise provided by SURFcert for detection.