
ISO/IEC 27035/_1

(ISO/IEC 27035:2011, IDT)


35.040
05
IDT
: ,
, ,
,

, ,

" ".
1

"-

"
( " ")
2
_______________ ______
3 ISO/IEC 27035:2011, Information technology – Security techniques – Information security incident management, prepared by Subcommittee SC 27, IT security techniques, of Joint Technical Committee ISO/IEC JTC 1, Information technology, of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
(en).
,
, , ,
.
" "
.

The degree of correspondence is identical (IDT).
4


Contents
Introduction  IV
1  1
2  1
3  2
4  2
4.1  2
4.2  3
4.3  4
4.4  5
4.5  5
4.6  6
5  7
5.1  7
5.2  9
5.3  10
5.4  11
5.5 ISIRT  15
5.7  17
5.8  18
6  18
6.1  18
6.2  21
6.3  21
7  22
7.1  22
7.2 PoC  23
7.3 ISIRT  25
8  26
8.1  26
8.2  27
8.2.1  27
8.2.1.1  27
8.2.1.2  28
8.2.1.3  28
8.2.1.4  29
8.2.2  30
8.2.3  30
8.2.4  31
8.2.5  31
9  34
9.1  34
9.2  34
9.3  34
9.4  35
9.5  36
9.6  36
9.7  36
Annex A (informative) ISO/IEC 27001 and ISO/IEC 27035  37
Annex B (informative)  39
Annex C (informative)  42
Annex D (informative)  52
Annex (informative)  68


, .
, , ,
, , ,
.
- . ,
, .

. ,
,

:
,
;
,
, ()
(,
);
,
,
,
;
,

.

49. ,
.


, .







Information technology – Security techniques – Information security incident management
20--

1
:
a) ,
;
b) ;
c) , ;
d)
.

.
, , ,
.
,
.

2
.
,
( ).
ISO/IEC 27000, Information technology – Security techniques – Information security management systems – Overview and vocabulary.
. .

__________________________________________________________________________________________
,
1

ISO/IEC 27000-2012

3
, ISO/IEC 15408-1,
ISO/IEC 18045, :
3.1 (information
security incident response team) ISIRT: ,

.
ISIRT ,

, . (
) .
, ISIRT, :

CERT: ,
(ICT). ,
, CERT.
CSIRT:
, ,
. , ,
,
, , , ,
; ; .
3.2 (information security incident):
,

.
[ISO/IEC 27000:2009]
3.3 (information security event):
, ,
,
, .
[ISO/IEC 27000:2009]
3.4 (information security forensics):
,
.

4
4.1
,
,
, ,
.
,

.
,
, - , /
, ..
.
, ( )
, ,
, ,
, . 1
.
,
.

[Figure 1]

4.2
,
,

.

, .
,
, :
;
;
;
.
:
a) ,
,
;
b) ,
;
c)
,
;
d)
;
e) ,
.
,
,
.
, ,


.

.
, , ,
, , ISO/IEC 27001
( ISO/IEC 27002). ,
.

ISO/IEC 27001 B ISO/IEC 27002 , A.
4.3
,
, ,
:
a) .
, ,
,

,
,
. ,
, .

;
b) .

,
, .
, , ,
(
. ISO/IEC 27005:2008);
c) .


, . ,
, ,
, ,
;
d) .


,
. ,
,
.
, ,
;
e) .

.
.
, ,
, ;
f) .


. ,
, :

;
;
,
, , .


.
, ,
.
;
g)
.

:

;
.

.
.
,
(
. ISO/IEC 27005:2008).
h)
.

,
,
. .
,
/
;
i)
.
,
,
( ,
).
, , .
4.4
, , ,
, .
, , ,
, ,
,
:
a) , ;
b) ,
;
c) , ;
d) .
, , ,
.
4.5
4.2
:
;
;
;
;
.
,
.

.
2.

[Figure 2]
4.6

(, ),
. ,
, ,
, .
, , ,
.
B
. ,
.

5
5.1

.
, ,
,
. ,
:
a)

// ,
.
,

(. 5.2).

. , ,
.
, ,
;
b)
, .
, .

(. 5.3);
c)
.
, ,
, ,

. :
1) /
/ .
- .

;

2) //
:
I) (..,
ISIRT),
, //
;
II) ,
,
, . ,
. ,
// .
//
;
III) (
, , ,
), ,
// .
, (.
web-), //
. ,
. , ,
.
D;

3) , , ..
, ,
, /
;
4) ISIRT,
,
( , , ), , :
I) , / ,
,
/ -;
II) , / , ;
III) , , / ;
IV)
, / ;
V) , ,
;
VI)
.

(. 5.4);
d) ISIRT, , ,
. , ,
ISIRT, , ,
. ,
/, ISIRT
(ICT, ,
, .). ,
, , ,
, ,
(. 5.5);
e)
, ,
;
f) ,
( )
(, , ISIRT), ,
(.
5.6). :
1)
;
2) (
);
3) ;
4) (
. ISO/IEC 18043);
5) , (
. ISO/IEC 27033);
6) ;
7) ;
8) ;
g)
,
. /
,
, ,
( ). ,
,
, ,
, ,
, .
, ,
(. 5.7);
h) ,
, .
,
, ISIRT .
, ,
(. 5.8). ,
, ( ).

.

.
,
.
, ,
.
5.2
5.2.1
,
.
(. 4.2.1 b)
ISO/IEC 27001:2005), (. 5.1.1
ISO/IEC 27002:2005). , ,

, .
,
.
, ,
, ,
,
.
5.2.2
,
,
.
,
(. 5.7).
5.2.3
,
:
a)
;
b) ,
,
.

, , , ,
.
;
c) ,
, , , ;
d) , ,
;
e) ,

,
, ,
;
f) ,

;
g) ;
h) , , ;
i) ISIRT, :
1) ISIRT, ISIRT ,
:
I) ;
II) , , .;
III) ( );
2) , ,
ISIRT , , . ,
, ISIRT ISIRT
;
3) ISIRT,
. ISIRT, ,
.
, ;
4) ISIRT. , ISIRT
, .
, - , , ,
, , ;
5) ,
, ISIRT,
ISIRT.
ISIRT, ISIRT. ,
, ;
6) , , ,
(. 5.5.4);
j) ;
k)
;
l) , (
. E).
5.3

5.3.1


, ,
.
:
a) , ,
, , ;
b)
, ..
;
c) ;
d) ,
, .
.
ISO/IEC 27005:2008.
5.3.2

,
, .
.
a) ;
b) ;
c)
;
d) , ,
, ;
e) ,
/ (, offline ).
,
. , ,

.

,
, .
5.4
5.4.1


, ,
,

. :
a) ;
b) ,
;
c) ;
d) ,
e) /
;
f) .
5.4.2
,
, ICT -,
, , :
a) (

);
b) ,

,
(
PoC ( ), ISIRT, ,
);
c) (
)
.
,
,
, ,
.
5.4.3
,
:
a) ;
b) ;
c) , , :
1)
:
I) /
, .

;
C
.

II) //
, , ,
,
;
III) ,
.
, ,
, , ,
.
, , . ,

,
, ,
.
, ;
IV) , , ,

, ,
;
V) , ,
, ,
//
;
VI) ;
VII) (IDS),
, .
,
. IDS ISO/IEC 18043:2006;
VIII) ,
, , ,


;
IX)
, ;
X)
;
XI)
;
XII) ISIRT , ;
XIII) .
2) :
I)
( );
II) , ;
III) ;
IV) ,
;
3) :
I)
( ),
/ (
, /) ,
;
II) ISIRT ,
,
,
/ ,
( )
(). ,
, ,
;
III) (

), ,
, , ;
IV)
;
4) :
I) ISIRT, ,
, :
- , , (
, ) ;
-
,
;
II) ,
;
III) ;
IV) ;
V) ,
;
VI) ,
;
VII) , , , ,
//
;
VIII)
;
IX) ;
X) , ,
.
,

, .
,
-, , (,

). , ,
,
,
. ,
, .
5) :
I)
;
II)
;
III) ,
( / ),
;
IV) , , ,
;
V) , , , /


, ,
;
VI) //
;
VII) (
).

5.4.4

, , ,
. , , PoC
/ ISIRT, . ,

, ,
. ,
PoC ISIRT, ,
,
.


.
, . ,
ISIRT,
. ISIRT , ,
,
, , .

. , ,
, ,
,
.
,
,
,
. ,
(, , ,
, ) .
, .
(, ISIRT , ),
.

, .
, ,
. :
a) ;
b) ,
- ;
c)
.
5.4.5
ISIRT . ISIRT
,
. , ISIRT ,
. ,

.
,
,
,
. ,
,
. ISIRT
,
. ,
, , .
, ISIRT, ,
.ISIRT
, , ISIRT ,
, , .
ISIRT , ,

. ISIRT
, -
.
,


. ,
.
5.4.6

, , ,
. ,
() .
//
, , , .
, ,

, (), , ,
.
5.5 ISIRT
5.5.1
ISIRT
, ,
, , .
ISIRT ,
, .
5.5.2
, ISIRT
. ISIRT ,
,
. , ,
, .
, ISIRT, .
ISIRT
, .
, , .
ISIRT .
, , ,
.
, , ISIRT
ISIRT. ISIRT
(, -, ICT, , ).
ISIRT;
ISIRT .
, ,
, .

, .
ISIRT , ,
, -. /
, ,
ISIRT, .
ISIRT
/ , ().

5.5.3
ISIRT ,
ISIRT /
, .
,
, . ,

ISIRT .

.

ISIRT.
5.5.4
ISIRT .
:
a) , ;
b) ISIRT;
c) , ,
- ;
d) ;
e) ;
f) ;
g) ;
h) /
;
i) -;
j) ;
k) .
5.6 ( )
,
, .
:
a)
-;
b) , ;
c) ;
d) //
,
(
); ;
e) ;
f) //
( . ISO/IEC 27031).
, ,
, ,
:
g) //
;
h)
(, , ),
, ,
), ;
i) , ,
, ,
, / (
);
j) , /
;
k) ,
, , , /
;
l) (,

, CD DVD ROM);
m) (, ),
,
;
n) , /
, :
1) ;
2) ;
3)
;
4) ;
5) , .

.
,
, , .
, / .
( ),
,
, / , . ,
.
, ,
, ,
. ISO/IEC 18043.

PoC
,
,
. , PoC
. PoC
,
. , PoC ,
,
ISIRT. , PoC .
5.7
- ,
, , , ,
,
.

.
,
, , ,
.
,
,
, , , .
,

.


.
, ,
. PoC,
ISIRT, - , ,
. , ,
, , ,

.
:
a) ,
, , ;
b) ,
,
;
c) ,
;
d)

// ;
e) ;
f) ;
g) ;
h) , ;
i)
;
j)
.


(,
).
,
, .


,
.
.
PoC ISIRT, ,
, .
,
" " ,
,
/
.
5.8
,
,

. ,
,
. , ,
, ,
, .

6.1

,

.

:
, (. 7) (. 8).
(. 9),

. 4.5.

. ,

,
, , (
ISIRT). ,

// , ISIRT.
D
.
3 .

,

/
. ,
,
,
.
,
:
a)

/ :
1) , IDS/IDP, ,
( , , ,
, ,
,
[ISO/IEC 18043:2006]) "tarpits" (,
), ,
, .;
2) , , ,
- .;
3) , , , ,
4) , ICT;
5) , ;
6) ;
7) , , ISIRT,

,
-,

, ISIRT;
b) ,
c) PoC ,
;
d)

.
(ISO/IEC 27037)
, , ;

e) ,
,
//
;
f)
, / ;
g) .
,
, //
, ISIRT. ,
, ,
, .

[Figure 3 (recoverable labels: ISIRT, 24x7)]

6.2

, -, ,
. , ,
/
( ).
, ,
, , ,
, (
),
.

:
a) ;
b) ;
c) ;
d) ,
( 2- );
e) ( 1- );
f) ( ISP, ,
);
g) ISIRT-;
h) ,
;
i) (, , .);
j) -
(
-

,
-
, - , .).
6.3
, ,

, .
,
.

,
, , ,
. , ,
,
, , ,
.

, (
, , ,
). ,
,
.
.

:
/ ;
;
().
( e-mail web)
ISIRT
. /
/ / ,
.
( )
,


. " ", ,
(
).
,
, , .
.
, ,
, ,
. / .
PoC ( 24 7 ),
ISIRT.
A.
ISIRT ,
, , , ,
.
.
,
.
, ,
.
, . ,
(, )
.
, ,
.
.
- , ,
. ,
(, ) .

(, ),
,
. , ,
.
, ,
,
, .
,
.
PoC ISIRT , ..
// .
, ,
,

.
, , /
.

7
7.1

,
,
.

:
a) PoC ,
, ,
.
/ (
, /, )
,
(. ).
(, , )
, ,
, :
1) ( );
2) , , , , ,
;
3) ;
b) ISIRT PoC,
.

/ ,
( ) () (.
). ,
,
.
,

,
,
( . 8);
c)
, / ;
d) , ISIRT,
;
e)

;
f) ,
,
//
.
/
//
ISIRT. ,
,
, , .
,
:
g)
,
, , , ;
h) , ,
, ,
(
);
i)
;
j)
,

;
k) //
.
,
, (
,
),
, , .
7.2 PoC
PoC ,
/
.

, , ,
. ,

(
). ,
ISIRT
// ,
.
, ,
. ,
, .
()
:
( ) ;
;
( );
( );
.

, PoC
, .
,
.
,
( , ),
ISIRT.
, ,

ISIRT .
ISIRT
.
, PoC
.
, , :
a) ;
b) , ;
c) ;
d)
;
e)
( , );
f) .

, :
a) ;
b) ;
c) ;
d) / ;
e) / ;
f) .
, . ,
,

.
. :
a) / -;
b) ;
c) , ;
d) ;
e) ;
f) ;
g) .
,
(, ,

). , ,
ISIRT
// .
,
,
, .
, PoC, ,
,
, :
a) ;
b) , , PoC,
.
6.2 6.3
,
,
(, ).
7.3 ISIRT
,
,
ISIRT. ISIRT :
a) , PoC;
b) //
, PoC,
;
c) PoC ;
d) ;
e) PoC
, , - .
-
, ISIRT

(
). ,
,
//
ISIRT. PoC, , , /
.

/, ISIRT. , ,
/
, ..
(DoS) (DDoS).
ISIRT.
,
ISIRT, , .
:
a) , ,
, , ,
,
/ ( ,
). ,
(. 8.2.4);
b)
, / , :
1) , / ,
;
2) , , ,
;
3) , ,
;
c) (,
,
, );
d)
.

, / ,
7.2, ,
. 7.2 C.

ISIRT
. ,
,
,
.

,
,
. ,
,
. , , ,
, .

,

. C D.

8
8.1


.
,
,
.

:
a) ISIRT ,
, , :
1) ,
, .
, , /
,
(, ), ,
;
2) ,
,
(. 8.2.4).
,
ISIRT ( ),
, , (
. ISO/IEC 27031
ISO/PAS 22399:2007);
b)
;
c)

;
d)
, / ;
e) , ISIRT,
;
f)

;
g) ,
,
//
;
h)

, // (
) / ,
.
/
//
ISIRT. ,
,
, , .

, :
a)
,
, , , ;
b) , ,
, ,
(
);
c)
;
d)
,

;
e) //
.

,
. ,

.

.

8.2.
8.2
8.2.1
8.2.1.1
ISIRT

,
, //
.
(,
, /
- / -) /
,
. ,
,
, ,
.
, ,
,
, ISIRT .
:
a) (
);
b) .

,
.
8.2.1.2

, / ,
. -
, ,
, / .
.
"", "" . ,
.
:
a) , ,
/ , ,
, / , ,
, / ;
b) ,
/ , / .
.

. , ,
, .
,
.
,
, .
, / (
/
-) .
, , /
.
(,
"honeypots" . ISO/IEC 18043). ,
.
,
, ISIRT
, .
,
.
8.2.1.3
, ISIRT
,
// ,
ISIRT . :
a) , ;
b) , , ;
c) ;
d)
;
e)
( , );
f) , .
,
(,
,

). //
ISIRT .
, ISIRT ,
,
.
, ,
, .


, / .
,
, , :
a)
;
b) , / , ,
;
c) ;
d)
,
;
e)
,
.
ISIRT , ,
(
) .
8.2.1.4
ISIRT
:
a) ;
b) ,
, , , .

//
ISIRT.
, ,
.
ISIRT, ,
,
, :
a) ;
b) ISIRT
.
,
(, web), , , ,
, , ,
, .
ISIRT

,
, .

, , / ,
.

- .

8.2.2
ISIRT ,

, .
ISIRT , ISIRT /
.
,
, ISIRT
,

.
,
, ISIRT .
,
, ,

. ,
, ,

. ,

.
,
, , ., ,
, ,
.
8.2.3
,
, ISIRT
.
(),
() / () . /

// ,
, .

// ,

.

. , ,

- ,
.
,
.
,
.

.

, /
.

,
.
,
.
,
,
, .
,
,
,
.

(), () / () .
(), () / ()
.


, , / .
.
,
, , , ,
, .
8.2.4
(. 8.2.2), ISIRT
, ,

, .

, , ,
, .

- , ,
, ,
. :
a) , ;
b) ,
;
c) () .
() ()
(), ,
.
,

. , , :
a) ;
b) ;
c) ;
d) ;
e) .
8.2.5

,
ISIRT.
,
,
.
,
.
(,
, ) ,
, .
, ,
, .
, () , ,
.
, .
, ,
, ..,

.
, ,

, , .
ISIRT ,
.
.
, ,
, ,
. , ISIRT ,
, ,
, / , , ,
, , .
,
ISIRT.

, ,
(, , , , ..),
. ,
,
. ,
.
,
, .
:
a) , /
, ,
( ),
;
b) ,
(
);
c) , / ,
, , ;
d) ;
e) IP-, , web-;
f) , ,
, ;
g)
( );
h) , ( )
;
i) , ;
j) // ;
k) / //;
l) ;
m) , "",
, ;
n) , , ,
, , ,
;
o) ,
,
. ,
,
;
p) ,
,
, ;
q)
.
() ()
ISIRT.
ISIRT
( , , , ),
/ ( ),
,
.
:
a) ,
;
b) (..
), /
;
c)

.
8.2.6
,
ISIRT,
( ISIRT ), , .
, :
,
,

.
,
, , .
, , , :
a) ( , .);
b) (, , , , .);
c) , / .
,
.
,
, ,
, .


/ .
,
,
. ,
, ,
,
.

.
, ,
, .

8.2.7 ()
, ,
.
, , ,
, /
. ,
,
.
, 7.2 7.3,
, . ,
, .. PoC ISIRT,

.
8.2.8
, ,
,
.
//
,
,
.

. , ,
,
// ,
.

9
9.1

/
,
() .
:
a) ;
b) ,
;
c) ,
( / ),
,
, (
, ).
, , ,
;
d) ,

;
e) , , , /
,

.
;
f) //
;
g) ,
( ).
,
, ,
.

,
.
9.2

. ISIRT
, 8.2.5.
9.3

, , ,
. ,
. :
a) .
( ) .

(
, ) / ;
b) , ,
, ,
;
c)
, , / ,
// .

,
/,
.
, ,
.
//
, :
a) / ;
b) ;
c) ,
.
,
, / (
),

,
.

, ISIRT
.
, / ,
,
, / ,
.
, / .
,
, /
, .
,
, ,
, .


/ ,
.
9.4

,
,
.
,
.
. ,
, ,
.
,
/ . ( ) ,

( ,
) / . ,
/ , ,
,
//.
, ,
,
,
.

, ,
. ISIRT
,
.
9.5



(
), ,
.

(. 9.4).
9.6

ISIRT

.

.
, ,

. ,
,
. :
a) ,
?
b) , ?
c) ,
?
d) ,
?
e)
, ?
. ,
,
, ,
. ,

.
9.7
,
, , ,
.
.


A
()
ISO/IEC 27001 ISO/IEC 27035
ISO/IEC 27001:2005
4.2.2
:
h)
,

4.2.3
:
a)

,
:
2)


;
4)


;
b)


),
, ,

,


4.3.3

, 4.2,

,

.13

.13.1

ISO/IEC 27035
4 ( )

.
5 ( )

.
6 ( ).
7 ( ).
8 ( )
9 ( )

9 ( )


5.1
(

), 6 ( )
D ( ,


)

4 ( )

.
5 ( )

5 ( ) ( ,
. 5.4
, 5.5 ISIRT,
5.6 , 5.7
5.8
)
ISO/IEC 27001:2005

ISO/IEC 27035

,
,

6 ( ), C
(

)
D ( ,


)

.

.13.1.10
:

,
.
.13.1.2

,
,

,

.13.2

D.2.1 (

) D.4.1 (

)
.
D.2.3 (

7 ( ), 8 (
), 9 ( ) B
(
), (


) ( ).

.13.2.1


, ,

.13.2.2

7 ( ), 8 (
), D.2.2 (

) D.4.2 (

)


9 ( ), B (

)
(

.12.2.3
:

( )
,

,

7 ( ), 8 (
) ( , . 8.2.5

(- )


B
()


.1
,
, , . ,
IRCA (International Register of Certificated Auditors)
, .

/ .
.1.1
(DoS) (DDoS)
, . ,
, ,
.
DoS/DDoS, : .
DoS/DDoS :
ping-
;
, , ,
, ;
, ,
, , (.., ,
).
-, (
), . - ,
.
DoS ,
,
. DoS
, ,
. ,

. ,
DoS (.. ).
DoS, , ,
/ , , :
, ,
;
(/ )
;
, , (..,
- );
;
;
.
.1.2

, .
:
;
, (,
) ;
,
.
,
,
, , :

;
/ -
.
.1.3
,
, ,
, ,
, , .
: , , "",
.
, .
, ,
.
.1.4
,
.
, ISIRT.
:
;
e-mail ;
-;

(, , ).

.2
,
,
. ,
:
, ,
;
,
.
, :
DNS - ( DNS);
, , ;
(, )
;

(, e-mail, FTP, web .) ;

( ).

, , , ,
.
, ,
, /
.
, , :
;
, ;
, , ;
(,
);
, :

, ,
, , ;
/ -
,
,
.


C
()



.1

.
,
:

;

;

;

;

.

,
.

.2

, .

. ( , ISO/IEC 27005:2008, . ,
).
.1.
.1

, , ,
, , , , .

, , ,
.

(,
, , ),
,

, ; , ;
, , .
,
, ,
, .

,
, , ,
, .



,

,

, (

),

, .

, , "",
-, ,
- ;
, , .

.
, , ,
, ,

.
,
,

.
""
,


,
.
-
("zombie") ,
-,

-.
-

-.

, "",
.

,
, "" - .


. ,

, "" .
-
- ,

, .
, ,
-
,




,
, ,

, ,
"backdoor", ,
, DoS, .

,
,
, .

, ,
, .
"backdoor" "
"

.
,
.

,
-
, -
, .
DoS

,
CPU, ,
,

,
, SYN attacks, PING attacks,

,
, .


,

,



.


,

, ,
,
, , .

.

.
-
, / ().


,
,
,
.

, , ,
, , ,
"" , , ,
, ,
, .
,
.


.
,
.

,

.
,
.

, ,
, , .
""

,

e-mail.

.


.

.

, ,
,
..

,
, ,
, ,
, , .
,

,
,
.

,
, , ,
.

,
, ,

.3

.
Examples include the Common Vulnerability Scoring System (CVSS) from FIRST and the Structured Warning Information Format (SWIF).
.3.1 1
.3.1.1
.3.1.1.1

:
;
;
.

.3.1.1.2
,
, -
.
, ,
.
:
, .
.3.1.1.3
,
,
- ,
.

,
/ .
: ,
, ,
:
a) -
, / ,
-.
.
;
b)
, , / ,
-.
.
;
c)
, -, /
, -.

. ;
d) -
-, /
, -.

.
.3.1.1.4
, ,
,
, .
: ,
,
, .
I) ,
/,
, ,
/
;
II) ,
, ,
,
, / ;
III)

,
,
, ,
, / ;
IV)

,

, , ,
, .
.3.1.2
.3.1.2.1

, . ,
"" "" , , :
: ;
: ;
: ;
: ,
, .

:
(IV );
(III );
( ) (II );
(I ).
, .
.
.
.3.1.2.2 (IV )
, :
a) ;
b) ;
c) .
.3.1.2.3 (III )
, :
a) ;
b) ;
c) .
.3.1.2.4 (II )
, :
a) ;
b) ;
c) .
.3.1.2.5 (I )
, :
a)
b)
c)
d)

;
;
;
.

.3.1.3

.
,
, :
;
;
;
.
,
, ,
.2.
.2


(
)

(
)

(
).

(,

(,

(
)

.3.2 2
.3.2.1

,
on a scale from 1 (low) to 10 (high). (An organization may use a different scale, for example 1 to 5.)
:
, , " ".
- , , ,
( 1 10)
, .3.2.2 .3.2.7.
( 1 10)
, -

" ". ,
,
,

, , , " ". ( ,
" " ).
,
,

;
;
;
/ ;
/ .
,
.
- ( )
.
.3.2.2 / -
,
,
, , ,
.
-.
/ -
.
.
,
. ,
1 ./. /, / .
:
1) / x1 ,
2) / x1+1 x2;
3) / x2+1 x3;
4) / x3+1 x4;
5) / x4+1 x5;
6) / x5+1 x6;
7) / x6+1 x7;
8) / x7+1 x8;
9) / x8;
10) ,
xi (i = 1, 2, ..., 8) / /,
.
.3.2.3

,
.
, :
1) , ;
2) , y1
();
3) , y1+1
y2 () , ,
,
, ;
4) , y2+1
y3 ();
5) , y3+1
y4 ();
6) y4+1 ();
7) 1);
1)

" " ,
.
8) ;
9)
;
10) ,
yi (i = 1, 2, ..., 4)
/, .
.3.2.4
, ,
,
,
, ,
,
. , ,
, , ,
, ,
. , , ,
,
,
,
.
, :
1) () (, ,
), ;
2) () (, , ),
;
3) , ,
,
;
4) , ,
,
;
5) , ,
, ;
6) , ,
,
;
7) ;
8) ;
9) ;
10) .
.3.2.5
, ,

. , ,
, .
/ .
:
1) ;
2) ;
3) , ,
/ z1 ;
4) , ,
/ z1+1 z2;
5) , ,
/ z2+1 z3 ;
6) , ,
/ z3+1 z4 10 ;
7) , ,
/ 10 ;

8) ;
9) ;
10) .
.3.2.6 -
,
. , ,
,
. ,
, ,
. ,

. :
1) ;
2) ;
3) ;
4) ;
5)
;
6)
;
7) ,
- ;
8) ;
9) ;
10) .
.3.2.7
,
,
,
.
:
1) ;
2) ;
3) , , ,
, , ,
/ ;
4) ;
5) , , ,
, , ,
;
6) ;
7) , , ,
, , ,
;
8) ;
9) ;
10) .
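The banded ratings of C.3.2.2 to C.3.2.7 all follow one pattern: an organization-defined ladder of thresholds (x1 to x8, y1 to y4, z1 to z4) and a rating equal to the number of rungs the measured value has climbed. The Python below is added here as an illustration of that banding; it is not part of ISO/IEC 27035 and not an official tool. The threshold values, the factor names, the treatment of rating 10 as "unquantifiable" and the rule that an incident takes the rating of its worst factor are assumptions made for the example, not values or rules taken from the standard.

```python
from bisect import bisect_left
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class Ladder:
    """A rating ladder in the style of C.3.2.2: thresholds t1 < t2 < ... < tn.

    A measured value v rates 1 when v <= t1, k + 1 when t_k < v <= t_(k+1),
    and n + 1 when v > t_n.  At most 8 thresholds keep ratings within 1..9;
    rating 10 is reserved here for a loss the organization declares
    unquantifiable (an assumption of this example, not a rule of the standard).
    """
    name: str
    thresholds: Sequence[float]

    def __post_init__(self) -> None:
        if not 1 <= len(self.thresholds) <= 8:
            raise ValueError(f"{self.name}: a ladder needs 1 to 8 thresholds")
        if list(self.thresholds) != sorted(set(self.thresholds)):
            raise ValueError(f"{self.name}: thresholds must be strictly increasing")

    def rate(self, value: Optional[float]) -> int:
        if value is None:
            return 10
        if value < 0:
            raise ValueError(f"{self.name}: a measured value cannot be negative")
        # bisect_left counts the thresholds strictly below the value, so a value
        # exactly on a threshold stays in the lower band.  This matches the
        # "x_k + 1 to x_(k+1)" wording of the standard for integer amounts.
        return 1 + bisect_left(self.thresholds, value)


@dataclass(frozen=True)
class IncidentRating:
    factor_ratings: Dict[str, int]

    @property
    def overall(self) -> int:
        # Assumption for the illustration: the incident takes the rating of its
        # worst factor, so one catastrophic factor is never averaged away.
        return max(self.factor_ratings.values())

    @property
    def driver(self) -> str:
        """The factor that set the overall rating (first one on ties)."""
        return max(self.factor_ratings, key=self.factor_ratings.__getitem__)


def rate_incident(ladders: Dict[str, Ladder],
                  measurements: Dict[str, Optional[float]]) -> IncidentRating:
    """Rate every measured factor against its ladder; unmeasured factors are skipped."""
    unknown = set(measurements) - set(ladders)
    if unknown:
        raise KeyError(f"no ladder defined for factor(s): {sorted(unknown)}")
    if not measurements:
        raise ValueError("an incident needs at least one measured factor")
    return IncidentRating({name: ladders[name].rate(value)
                           for name, value in measurements.items()})


# Constructed thresholds standing in for the organization-defined x_i, y_i and
# z_i of C.3.2.2, C.3.2.3 and C.3.2.5.  Units and values are assumptions.
LADDERS = {
    "financial_loss": Ladder("financial_loss",
                             [1e3, 1e4, 5e4, 1e5, 5e5, 1e6, 5e6, 1e7]),  # x1..x8
    "service_outage_hours": Ladder("service_outage_hours", [1, 4, 24, 72]),  # y1..y4
    "people_affected": Ladder("people_affected", [10, 100, 1_000, 10_000]),  # z1..z4
}


def rate_example() -> IncidentRating:
    """A constructed incident: moderate direct loss, short outage, impact on an
    unknown but clearly very large number of people."""
    return rate_incident(LADDERS, {
        "financial_loss": 60_000,      # between x3 and x4 -> 4
        "service_outage_hours": 4,     # exactly y2 -> stays in band 2
        "people_affected": None,       # unquantifiable -> 10
    })


if __name__ == "__main__":
    r = rate_example()
    print(r.factor_ratings, "overall:", r.overall, "driven by:", r.driver)
```

Keeping the ladder validation in `__post_init__` means a misordered or overlong threshold list fails when the rating policy is loaded, not in the middle of an incident; the boundary convention (a value on a threshold stays in the lower band) is the one place where two analysts most often disagree, so it is pinned down in code rather than left to reading of the table.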


D
()

,

D.1
, ()
, ,
,
One such format is the Incident Object Description Exchange Format (IODEF) defined in RFC 5070.

D.2
D.2.1

,
, , , , .
.
.
.
/ ( ).
.
.
, , , , e-mail.
.
.
.
.
/.
.
.
.
.
.
.
D.2.2

,
, , , , ,
.
.
.
.
/ ( ).
.
.
, , , , e-mail.
PoC.
.
, , , , e-mail.
ISIRT.
.
, , , , e-mail.
.
.
.
.
/.
.
.
.
.
.
.
.
/.
/ .
.
.
()/ () ( ).
.
.
.
.
.
.
/ ,
/ ,
D.2.3

,
, , , .
.
.
.
/ ( ).
.
.
, , , , e-mail.
.
.

D.3
D.3.1
Dates are written as CCYY-MM-DD and times as HH-MM-SS. Times should be given in UTC or, where local time is recorded, together with the offset from UTC.
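D.3.1 fixes the date and time notation and asks for UTC (or a stated UTC offset), and D.1 names IODEF (RFC 5070) as an exchange format to which the report forms of this annex can be mapped. The Python below is added here as an illustration; it is not part of ISO/IEC 27035 and not an official IODEF implementation. It normalises a locally recorded D.3.1 stamp to UTC, refuses a stamp that carries no offset, and writes a minimal RFC 5070 incident (IncidentID, DetectTime, ReportTime, Description, Assessment/Impact and the creator Contact). The incident identifier, the CSIRT domain, the contact details and the sample times are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

# RFC 5070 namespace, registered as the default so the output carries a bare xmlns.
IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
ET.register_namespace("", IODEF_NS)

D31_FORMAT = "%Y-%m-%d %H-%M-%S"      # CCYY-MM-DD HH-MM-SS as in D.3.1
IODEF_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # xs:dateTime in UTC, as IODEF requires


def parse_local_time(stamp: str, utc_offset_minutes: int) -> datetime:
    """Parse a D.3.1 stamp recorded in local time and attach the offset the
    reporter stated, so the instant is unambiguous from here on."""
    naive = datetime.strptime(stamp, D31_FORMAT)
    return naive.replace(tzinfo=timezone(timedelta(minutes=utc_offset_minutes)))


def to_d31_utc(t: datetime) -> str:
    """Render a timestamp in the D.3.1 form, normalised to UTC and labelled as such."""
    if t.tzinfo is None:
        raise ValueError("timestamp carries no UTC offset; refusing to guess one")
    return t.astimezone(timezone.utc).strftime(D31_FORMAT) + " UTC"


def to_iodef_time(t: datetime) -> str:
    """Render a timestamp as the UTC xs:dateTime that IODEF time elements expect."""
    if t.tzinfo is None:
        raise ValueError("timestamp carries no UTC offset; refusing to guess one")
    return t.astimezone(timezone.utc).strftime(IODEF_FORMAT)


def build_iodef(incident_id: str, csirt_domain: str, detect_time: datetime,
                report_time: datetime, description: str, impact_type: str,
                severity: str, contact_name: str, contact_email: str) -> bytes:
    """Serialise a minimal RFC 5070 incident in schema order."""
    def q(tag: str) -> str:
        return f"{{{IODEF_NS}}}{tag}"

    doc = ET.Element(q("IODEF-Document"), {"version": "1.00", "lang": "en"})
    inc = ET.SubElement(doc, q("Incident"), {"purpose": "reporting"})
    ET.SubElement(inc, q("IncidentID"), {"name": csirt_domain}).text = incident_id
    ET.SubElement(inc, q("DetectTime")).text = to_iodef_time(detect_time)
    ET.SubElement(inc, q("ReportTime")).text = to_iodef_time(report_time)
    ET.SubElement(inc, q("Description")).text = description
    assessment = ET.SubElement(inc, q("Assessment"))
    ET.SubElement(assessment, q("Impact"), {"type": impact_type, "severity": severity})
    contact = ET.SubElement(inc, q("Contact"), {"role": "creator", "type": "person"})
    ET.SubElement(contact, q("ContactName")).text = contact_name
    ET.SubElement(contact, q("Email")).text = contact_email
    return ET.tostring(doc, encoding="utf-8", xml_declaration=True)


def report_time_from_iodef(xml_bytes: bytes) -> datetime:
    """Read ReportTime back from an IODEF document as an aware datetime."""
    root = ET.fromstring(xml_bytes)
    node = root.find(f"{{{IODEF_NS}}}Incident/{{{IODEF_NS}}}ReportTime")
    if node is None or not node.text:
        raise ValueError("IODEF document has no ReportTime")
    return datetime.strptime(node.text, IODEF_FORMAT).replace(tzinfo=timezone.utc)


# Constructed sample: an event detected and reported from a site at UTC+03:00.
SAMPLE_DETECT = parse_local_time("2011-06-01 09-30-00", 180)
SAMPLE_REPORT = parse_local_time("2011-06-01 10-05-30", 180)


def sample_report() -> bytes:
    return build_iodef(
        incident_id="2011-0042",               # constructed identifier
        csirt_domain="csirt.example.org",      # constructed example domain
        detect_time=SAMPLE_DETECT,
        report_time=SAMPLE_REPORT,
        description="Constructed sample: repeated failed logins on an internal host",
        impact_type="user", severity="low",
        contact_name="On-call analyst", contact_email="isirt@example.org",
    )


if __name__ == "__main__":
    print(to_d31_utc(SAMPLE_DETECT))
    print(sample_report().decode())
```

The two rendering functions refuse a naive datetime rather than silently assuming the server's local zone: the point of D.3.1 is that a time in an incident record must mean one instant to every party that later reads it, and a stamp without an offset cannot guarantee that.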
.3.2

, ,
,
, .
,
, , ,
, (.
)
,
.

, ,
( ), ,
, .
,
.
PoC, /
, ,
.

ISIRT.
,
, //
.
ISIRT,
, PoC,
,
, //
.

,
, .
:
1. (
,
(, ), ,
,
.
, );
, ,
- , .
, , ,
, ;
.

, .
, - ,
, .

, , , web-
// .

. , ,
.

D.4
D.4.1


1.
2. 1
3. /
4.
4.1 __________________ 4.2 ___________________
4.3 __________________ 4.4 ___________________
4.5 __________________4.6 E-mail___________________
5.
5.1

:



/


6.

6.1

6.2

6.3

6.4

( )

6.5

"", //

ISIRT .

D.4.2


1.
2. 1
3. /
4. PoC
4.1
__________________
4.3 __________________
4.5
__________________

4.2
___________________
4.4 ___________________
4.6 E-mail
___________________

5. ISIRT
4.1
__________________
4.3 __________________
4.5
__________________

4.2
___________________
4.4 ___________________
4.6 E-mail
___________________

6.
6.1

:



/


7.

7.1

7.2

7.3

7.4

( )

7.5

"", //

ISIRT
() .

8.
( ,

).

8.1
( )

( )
8.3

8.2
(
)

( )

:
( )

8.4
( )

:
( )
8.5
( )


( , , , )







:
( )
8.6
( )



:
( )
8.7
( )

:
( )
8.8
( )


( )


8.
( ) 8.9
( )

-

Web-
,

:
( ) 8.10
( )


"backdoor"

(DoS)

:
( ) 8.11

( )

:
( ) 8.12
( )

,

:

:
( )

8.13
( )

,

:
( ) 8.14
( )



:
8.15
:

(
, )


9. /1
/
( /,
( )
,
, )
9.1
9.2
9.3
9.4
9.5
9.6
9.7

/_____________________________________________
____________________________________________
________________________________________
__________________________________________________
___________________________________________________
_______________________________________________________
__________________________________________________________

10. /
, ""
, , ,
1 10, : / -,
, , ,
- . (. .3.2 ).
"" (), , "".

()

10.1
(.. )
10.2
(.. )
10.3
(.. )
10.4
10.5

11.
(, ,

1 10 "" "").

()

/,
.

12.

12.1 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __ _
12.2 () (), () _ _ _ _ _ __ _ __ _ _ _ __
12.3 __ _ _ _ _ _ _ _ _ _ _ __ _ _ _ _ _
12.4 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
12.5 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
12.6 _ _ _ _ _ _ _ _ _ _

13.
( )

( ) /

(, , , )

14.
15.
( )

/
/

16.

(, " ", " ", " ", "


...")

17.

(, . )

18.

(, - , )


19.

( , ,
;
)

( ) __ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __ _ _ _ _ _ _ _ _ _ _ _

20.

/ ,

(
,
,

. ,



)


/


(, )

ISIRT

(,

,
, ,
)

21.

/ /,

(
,
,

. ,



)

(,

ISIRT)

22.

________________
__________
________________

____________
_________
______
______
____________
____________

D.4.3


1.
2. 1
3

3.1 ________________
3.3 ______________
3.5 ______________
4

3.2 ___________________
3.4 _______________
3.6 E-mail___________________

4.1
4.2

, , .
, IT/ /
/, ,
,

5.1 ?

( )

5.2
5.3

5.4

5.5
5.6

5.7 E-mail

5.8 ?

( )

5.9 , ,
,

ISIRT .


E
()

-
-

:
1. .
, ,
, .
, , ,
, , ,
.

. :
- , , (),
() ,
- ,
, ,
- ,
, .. .
2. . ,
, .
.
(, ,

).
3.
. ,
,
,
,
. ( ,
, ISIRT,
,
.)
4. , .
,
, ,
/ ,
. .
5. . ,
,
, , .
6. , ,
. , , ,
ISIRT, ,
, .
7. . ,
,
, ,
.
8.
.
,


, . ,
, ,
, .

9. .
. ,
:
- (,
), ,
;
- , ;
- , , ,
,
,
;
- , , -, ,
.
;
- , ,
;
.
,
, , ,
- ;

. ,
,
, ""
, . ,
, , ,
.
, :
- ;
- ;
- IT-, ,
;
, .

. . ,
, ,
, . , ,
: / , /
. , / IDS, ,
ISO/IEC 18043;
.
/ ,
(,
,
,
).

Bibliography

[1] ISO/IEC 18043, Information technology – Security techniques – Selection, deployment and operations of intrusion detection systems
[2] ISO/IEC 20000 (all parts), Information technology – Service management
[3] ISO/PAS 22399, Societal security – Guidelines for incident preparedness and operational continuity management
[4] ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements
[5] ISO/IEC 27002, Information technology – Security techniques – Code of practice for information security management
[6] ISO/IEC 27003, Information technology – Security techniques – Information security management system implementation guidance
[7] ISO/IEC 27004, Information technology – Security techniques – Information security management – Measurement
[8] ISO/IEC 27005, Information technology – Security techniques – Information security risk management
[9] ISO/IEC 27031, Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity
[10] ISO/IEC 27033-1, Information technology – Security techniques – Network security – Part 1: Overview and concepts
[11] ISO/IEC 27033-2, Information technology – Security techniques – Network security – Part 2: Guidelines for the design and implementation of network security
[12] ISO/IEC 27033-3, Information technology – Security techniques – Network security – Part 3: Reference networking scenarios – Threats, design techniques and control issues
[13] Internet Engineering Task Force (IETF), RFC 2196, Site Security Handbook, http://www.ietf.org/rfc/rfc2196.txt?number=2196
[14] IETF, RFC 2350, Expectations for Computer Security Incident Response, http://www.ietf.org/rfc/rfc2350.txt?number=2350
[15] NIST Special Publication 800-61, Computer Security Incident Handling Guide (2004), http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP80061rev1.pdf
[16] TERENA's Incident Object Description Exchange Format Data Model and XML Implementation (IODEF) (produced by IETF), RFC 5070
[17] IETF, RFC 3227, Guidelines for Evidence Collection and Archiving
[18] CESG, GOVCERTUK Incident Response Guidelines (2008), http://www.govcertuk.gov.uk/pdfs/incident_response_guidelines.pdf
[19] Software Engineering Institute at Carnegie Mellon, CERT Coordination Centre, Incident Management Capability Metrics Version 0.1 (2007), http://www.cert.org/archive/pdf/07tr008.pdf
[20] Software Engineering Institute at Carnegie Mellon, CERT Coordination Centre, Incident Management Mission Diagnostic Method Version 1.0, http://www.cert.org/archive/pdf/08tr007.pdf
[21] Software Engineering Institute at Carnegie Mellon, CERT Coordination Centre, Defining Incident Management Processes for CSIRTs: A Work in Progress, http://www.cert.org/archive/pdf/04tr015.pdf
[22] Software Engineering Institute at Carnegie Mellon, CERT Coordination Centre, Handbook for Computer Security Incident Response Teams (CSIRTs), http://www.cert.org/archive/pdf/csirt-handbook.pdf
[23] Software Engineering Institute at Carnegie Mellon, CERT Coordination Centre, State of the Practice of Computer Security Incident Response Teams, http://www.cert.org/archive/pdf/03tr001.pdf
[24] Software Engineering Institute at Carnegie Mellon, CERT Coordination Centre, CSIRT Services, http://www.cert.org/csirts/services.html
[25] Software Engineering Institute at Carnegie Mellon, CERT Coordination Centre, Action List for Developing a Computer Security Incident Response Team (CSIRT), http://www.cert.org/csirts/action_list.html
[26] Software Engineering Institute at Carnegie Mellon, CERT Coordination Centre, Staffing Your Computer Security Incident Response Team: What Basic Skills Are Needed?, http://www.cert.org/csirts/csirt-staffing.html
[27] Software Engineering Institute at Carnegie Mellon, CERT Coordination Centre, Steps for Creating National CSIRTs, http://www.cert.org/archive/pdf/NationalCSIRTs.pdf
[28] SANS Institute, An approach to the ultimate in-depth security event management framework, 2008
[29] SANS Institute, Mining gold: A primer on incident handling and response, 2008
[30] SANS Institute, Incident Handling for SMEs (Small to Medium Enterprises), 2008
[31] SANS Institute, Breach Notification in Incident Handling, 2008
[32] SANS Institute, Baselines and Incident Handling, 2008
[33] SANS Institute, Documentation is to Incident Response as an Air Tank is to Scuba Diving, 2007
[34] SANS Institute, Creating and Managing an Incident Response Team for a Large Company, 2007
[35] SANS Institute, An Incident Handling Process for Small and Medium Businesses, 2007
[36] SANS Institute, Incident Management 101: Preparation and Initial Response (aka Identification), 2005
[37] SANS Institute, Building an Incident Response Program To Suit Your Business, 2003
[38] ISACA, COBIT 4.1 (DS5.11), www.isaca.org/cobit
[39] ENISA, A step-by-step approach on how to set up a CSIRT, http://www.enisa.europa.eu/act/cert/support/guide
[40] ENISA, CERT cooperation and its further facilitation by relevant stakeholders, http://www.enisa.europa.eu/act/cert/background/coop
[41] ENISA, A basic collection of good practices for running a CSIRT, http://www.enisa.europa.eu/act/cert/support/guide2
[42] TERENA's Incident Object Description and Exchange Format Requirements (IODEF) (produced by IETF), RFC 3067
[43] CVSS: A Complete Guide to the Common Vulnerability Scoring System (Version 2.0), FIRST, 20 June 2007, http://www.first.org/cvss/cvss-guide.html
[44] SWIF: Structured Warning Information Format (Version 2.3), ITsafe, 9 May 2008
[45] ITIL, ITIL framework document, http://www.itil-officialsite.com/home/home.asp

Annex (informative)

Table 1 (referenced international standard / degree of correspondence / national standard)
ISO/IEC 27000:2009  IDT  ISO/IEC 27000-2012


" "

..

..

..

,
-

..

..

..
