security management (risk analysis, legals)
5MMSSI - Information Systems Security 2 - security management (risk analysis, legals)
Fabien Duchene, Karim Hossen
Laboratoire d'Informatique de Grenoble, VASCO team
Grenoble Institute of Technology - Grenoble INP Ensimag
[email protected]
2011-2012
Fabien Duchene, Karim Hossen (LIG) 5MMSSI-2-security management (risk analysis, legals) 1/53 2011-2012 1 / 53

Outline
1. Risk
   - Analyzing/assessing risk
   - Security risk methodologies and norms
   - Mitigating risk
   - Security management principles
2. Legals and ethics
   - Legals
   - Vulnerability disclosure
3. Certification
4. Conceive, Develop, and Integrate secured software

Objectives
- CISO stakes and duties
- perform a risk analysis on a case study
- legal issues regarding information security
- systems certification
- security management principles
- how to integrate security in the SDLC?

OSA metamodel
Relationships between business processes, IT security, risk...

Building a security policy
A cyclic process:
- Audit / assess
  - Assets identification
  - Security objectives/goals/properties on those assets
  - Threats identification
  - Pen-testing
  - Risk assessment
  - Incident detection
- Procedures: continuity, recovery ("PCA", "PRA")
  - redaction
  - training
- Security policy
  - redaction
  - implementation
- ... loop ...

Risk I
- what is ...? what should we do about it?

Risk II
Why?
FACTS: no corporation will [(Microsoft) 2011]
- implement security counter-measures only for pure pleasure
- provide YOU an unlimited budget to implement security counter-measures
Knowing this:
- where to start? how to prioritize? [It is About Risks, Not Weaknesses] [OWASP Top 10 Application Security Risks - 2010]
- on which to act? how much to invest? how to proceed?
Risk management (1)
(1) [Top 10 application security risk]

Analyzing/assessing risk: Risk assessment
- No single methodology
- Some risk assessment methods are oriented from a business management perspective (eg: OCTAVE)
- However common questions do arise:
  - Which ... ... do we want to protect?
  - ... against which ...?
  - If a threat has to happen, what will be the ... (in other words, how critical are the property(ies) we want to ensure on those asset(s))?
  - Which ... could be exploited by attackers?
  - Who are the potential ...?
  - In order to handle the risk, which ... could we use?

A proposed risk assessment method (focusing on information security threats) I
1. Identify assets, and their values (examples)
- hardware: computers, laptops, servers
- people: highly skilled ones
- data: customers' PII, source code for software editors...

A proposed risk assessment method (focusing on information security threats) II
2. Identify threats ... and threat agents (examples) [OWASP Risk Rating Methodology]
- threats: human errors, physical intrusion inside the building, major disaster (eg: nuclear plant, war, tornado, floods...),
  electronic intrusion, supplier QoS lower than expected (eg: cloud), obsolescence, spying
- threat agents: developers, administrators, intranet users, authenticated users, anonymous internet users, partners

A proposed risk assessment method (focusing on information security threats) III
[Schneier 2011]
- "the Rise of Big Data": without consumer awareness, powerful industry
- "Ill Conceived Regulations": Internet kill switches, anonymity elimination
- "proliferation of cyber-weapons": by accident, wrong hands, hard traceability, cost

A proposed risk assessment method (focusing on information security threats) IV
3. How critical is that asset? What would be the impact / cost? [OWASP Risk Rating Methodology]
- Business impact: financial loss, business reputation, life loss, non compliance, privacy violation
- Technical impact: confidentiality, integrity, availability, accountability

A proposed risk assessment method (focusing on information security threats) V
4. Identify vulnerabilities that could be exploited. And how easy is it to exploit them? (= "likelihood")
- ...: wait for a system administrator ("sysadmin") to go to his car, threaten him (eg. regarding his family) if he does not give the password
- ...: we have redundant internet connectivity, however we use the very same tubes (cable connectivity)
- ...: [What Microsoft's online outage says about its cloud strategy 2011] (emails delayed for up to 9 hours, unavailability of web email, push email... for up to 3 hours)
- fake wireless access: what if attackers do come from the sky? [Theodore Reed 2011]

A proposed risk assessment method (focusing on information security threats) VI
likelihood
- threat agent factors: skill level, motive, opportunity, size
- vulnerability factors: ease of discovery, ease of exploit, awareness, intrusion detection

A proposed risk assessment method (focusing on information security threats) VII
5. How to qualify the risk?
- Standard risk model: "Risk = likelihood * impact"
- quantitative: mathematical computation based on metrics, repeatable process, automated.
- qualitative: low budget or time frame, estimations. Interviews of representative employee samples.

A proposed risk assessment method (focusing on information security threats) VIII
Quantitative risk assessment - calculus
For a given threat t, a proposed IT risk model [Security Assessment of Information Systems Standards, Methods and Tools - Ensimag - SCCI MSc]:
  Risk(t) = (P(t) * (1 - Pcm(t))) * C(t)
- C(t): incident cost - "SLE", Single Loss Expectancy
- P(t): probability of the threat to happen
- Pcm(t): efficiency of the counter-measures

A proposed risk assessment method (focusing on information security threats) IX
6. Synthetic view of the risk R(t) associated to a given threat t

A proposed risk assessment method (focusing on information security threats) X
7.
Which strategy will we use for managing that risk?
A given risk was identified. We can either:
- reduce it: ... for reducing the risk to an acceptable level
- transfer it: ...
- accept it: being aware of the potential consequences
8. The overall IT risk
A synthesis of all the previously estimated risks related to the identified threats.

Exercise - Annual Loss Expectancy (2 min)
Your e-commerce website could be hacked. It is worth 100.000 EUR. The damages of such an attack are estimated at 60% (legal liability, confidential data corruption, lost operating days...). (2)
- What is the Single Loss Expectancy (SLE)? (how much money would you lose if a disaster had to happen?)
- According to the security defenses (counter-measures) you did set up, you consider that such a problem could happen once every two years. What is the Average Risk Occurrence (ARO) in occurrences/year?
- What is the maximum amount (Annual Loss Expectancy (ALE)) you should spend each year to protect that asset?
(2) [(Microsoft) 2011] UVSQ - MSc SeCReTS (Cryptographie et Sécurité Informatique) - UE SECR403 - Sécurité windows et sécurité web

Exercise 2 - Risk analysis (5 min)
"Any resemblance to actual persons, living or dead, is purely coincidental." ;)
A hacker group (10+ persons) wants to steal sensitive information (customer emails and passwords) from a famous video game company that runs several webservers. You are a security auditor of that company and are willing to perform a very brief risk analysis. You are aware that SQL injection is a common vulnerability within applications that perform operations on a database, and during the audit you discovered that there is no Intrusion Detection System.
- assets:
- threat:
- threat agents ... and factors:
- impact / cost:
- vulnerability ... and factors:
- risk:

Security risk methodologies and norms: Some security risk methodologies I
- France:
  - MEHARI [MEHARI - "MEthode Harmonisée d'Analyse de RIsques"]
  - EBIOS [EBIOS - "Expression des besoins et identification des objectifs de sécurité"]
- OCTAVE [OCTAVE-S]

Some security risk norms I
ISO 2700x
- 27001: "specification document": specifying an Information Security Management System (ISMS)
- 27002: "code of practice": concrete counter-measures against specific vulnerabilities
- 27003: "implementation guidance" for an ISMS
- 27004: "metrics, measurement"
- 27005: "risk analysis and management"
- 27006: "auditing and certifying an ISMS"
- 27007: "continuity and contingency plan"

Mitigating risk: PCA, PRA
- Business Continuity Planning, "Plan de Continuité d'Activité" (PCA): "identify exposure to threats hard and soft assets", "permit ..." [Just waiting for the next big bang: business continuity planning in the UK finance sector.]
- Disaster Recovery Planning, "... Recouvrement ..." (PRA) [Disaster Recovery Plan]

Risk analysis conclusion
- relatively simple methodology
- ... a key factor: dynamic: data: in a dynamic environment; both do evolve... so do vulnerabilities!
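As an added example (not part of the lecture slides), the following Python puts both risk models above into code: the quantitative Risk(t) = P(t) * (1 - Pcm(t)) * C(t) model with the SLE/ARO/ALE figures of the first exercise, and the OWASP Risk Rating factors of slides IV and VI applied to constructed scores for the second exercise. The 0-9 factor bands (below 3 LOW, below 6 MEDIUM, else HIGH) and the severity matrix are those of the cited OWASP methodology; the exercise 2 scores are assumptions.

```python
"""Risk scoring for the two models on these slides: the quantitative
Risk(t) = P(t) * (1 - Pcm(t)) * C(t) with SLE/ARO/ALE, and the qualitative
OWASP Risk Rating (factor scores 0-9). Example code added to the lecture
notes, not the authors' material."""
from statistics import mean

# ---- Quantitative model (slide VIII and the ALE exercise) --------------------

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: money lost in one incident = asset value * fraction damaged."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be in [0, 1]")
    return asset_value * exposure_factor

def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO (occurrences per year): the ceiling for what is worth
    spending each year to protect that asset."""
    return sle * aro

def risk_of_threat(p_threat: float, p_cm: float, cost: float) -> float:
    """Risk(t) = (P(t) * (1 - Pcm(t))) * C(t): residual expected loss once the
    counter-measures' efficiency Pcm(t) is taken into account."""
    for p in (p_threat, p_cm):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must be in [0, 1]")
    return p_threat * (1.0 - p_cm) * cost

# ---- Qualitative model: OWASP Risk Rating (slides IV and VI) -----------------

THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
BUSINESS_IMPACT = ("financial_loss", "reputation", "life_loss", "non_compliance", "privacy_violation")
TECHNICAL_IMPACT = ("confidentiality", "integrity", "availability", "accountability")

def level(score: float) -> str:
    """OWASP bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

# (likelihood level, impact level) -> overall severity, OWASP's matrix.
SEVERITY = {
    ("LOW", "LOW"): "NOTE", ("MEDIUM", "LOW"): "LOW", ("HIGH", "LOW"): "MEDIUM",
    ("LOW", "MEDIUM"): "LOW", ("MEDIUM", "MEDIUM"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH",
    ("LOW", "HIGH"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH", ("HIGH", "HIGH"): "CRITICAL",
}

def owasp_rating(factors: dict) -> dict:
    """Likelihood = mean of the 8 likelihood factors; impact = mean of the
    business factors when given, else of the technical ones."""
    for name, value in factors.items():
        if not 0 <= value <= 9:
            raise ValueError(f"{name} must be scored 0-9, got {value}")
    likelihood_keys = THREAT_AGENT + VULNERABILITY
    missing = [k for k in likelihood_keys if k not in factors]
    if missing:
        raise ValueError(f"missing likelihood factors: {missing}")
    impact_keys = ([k for k in BUSINESS_IMPACT if k in factors]
                   or [k for k in TECHNICAL_IMPACT if k in factors])
    if not impact_keys:
        raise ValueError("no impact factors given")
    likelihood = mean(factors[k] for k in likelihood_keys)
    impact = mean(factors[k] for k in impact_keys)
    return {"likelihood": likelihood, "impact": impact,
            "severity": SEVERITY[(level(likelihood), level(impact))]}

# Constructed scores for exercise 2 (10+ person group, internet-facing web
# servers, SQL injection likely, no IDS); illustrative, not from the slides.
EXERCISE2_FACTORS = {
    "skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,  # anonymous internet users
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9,
    "intrusion_detection": 9,                                    # no IDS: not detected
    "financial_loss": 7, "reputation": 9, "life_loss": 0,
    "non_compliance": 7, "privacy_violation": 9,
}

if __name__ == "__main__":
    sle = single_loss_expectancy(100_000, 0.60)        # figures of the ALE exercise
    print("SLE =", sle, "ALE =", annual_loss_expectancy(sle, 1 / 2))
    print("Risk(t) =", risk_of_threat(0.5, 0.6, sle))  # Pcm = 0.6 is an assumption
    print(owasp_rating(EXERCISE2_FACTORS))
```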
Security management principles: Attack on users: social engineering I
"Social engineering is essentially ..." (3)
Some social-engineering techniques
- profiling (eg: thanks to social networks, publicly visible information) [Symantec 2011]
- Money, Ideology, Coercion, Ego, Personal relation [Identification et exploitation des failles humaines par les "prédateurs informationnels" : un risque sous-estimé par les entreprises ?]

Attack on users: social engineering II
Security clearance
- ability to ...
- investigation (family, friends, habits)
- required for accessing some confidential information that the person "needs to know"
- eg (France): "Confidentiel Défense" (lasts 10 years), "Secret Défense" (investigation: 6-9 months, lasts 7 years), "Très Secret Défense"
- information disclosure: professional fault, penal offense

Attack on users: social engineering III
(3) [Goodchild 2010] Social Engineering: The Basics

User education I
- High profile, eg. Chief Executive Officer: "feeds you", but: overrides the security directives (eg: screen lock, smart card...), has access to the most sensitive/valuable information
- Chief Information Officer: ...
- IT teams:
  - architects: conceived the systems, know their weaknesses
  - administrators: have "root" access to a lot of systems
  - support: deal daily with end-users
- End-Users: use the IT infrastructure daily (4)
- a CISO task: ...
(4) [Kerouanton 2011] Be a smart CISO (HIP2k11)

Least privilege (POLA, "Authority")
"Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job." (5)
Examples:
- you want to share a file with another student on ensibm.imag.fr, for him to be able to read it (+r). Do not allow him to write to the file (+rw) or even execute it, if you do not want to.
- do not run your basic user programs (eg: web browser) with administrator privileges. In case of an exploitation, the attacker's code will run under that very same identity (eg: root, administrator).
(5) [Protection and the Control of Information Sharing in Multics]

Multi-culture
example: for an applicative web firewall, use two levels: vendor 1 (eg: Juniper), vendor 2 (eg: NetASQ)

Defiance by default
- Problem: increasing complexity of IT systems. Thus a minimal trust is sometimes required.
- In many protocols, only one entity among two has proven its identity.
  eg: within a Public Key Infrastructure, we do trust the Root CA; in Kerberos, we trust the KDC

In-depth defense

Nice management
Competencies
- IT staff has to be able to use the software solutions: training, certifications
- solution experts have to be identified (eg: outsourcing, consulting)
Patch management
- change management: reports, risk analysis
- a recovery plan and a business continuity plan have to be ready
- major software companies have scheduled patch release dates: Microsoft (Adobe follows the same scheme); Apple lacks clear predictable patching days
- unified patching systems: Secunia CSI [Corporate Security Inspector]

Legals and ethics: Legals in USA (extracts)
"And we're all subject, in the US, to the Patriot Act, and it is possible that that information could be made available to the authorities", Eric Schmidt, CEO Google (2009)
- 2001, George W. Bush
- 2011, Obama signed a 4 year extension (email, phone, medical, financial...)
Legals in France (extracts) I
Internet access
- ...: each provider has to ensure ... (authentication and log management)
- ... authenticated (nomadisme2, wifi-campus, eduroam)
HADOPI: 2009, "motivated by content copyrights", identification by IP address, presumption of guilt
LOPPSI 2
- ISPs to block IP addresses by simple request of the Ministry of the Interior
- identification of a person by their DNA
- police databases: allows cross-referencing several of them
- allows law enforcement to hack into computers on suspicion of hosting pedophile images

Legals in France (extracts) II
- Reverse engineering (fr: rétro-ingénierie, rétro-conception): allowed for interoperability only. Express right required.
- employee private space (following the "Nikon" case): a "search warrant" (mandat de perquisition) is required to open an employee's cabinet (armoire)
- listening to electronic communication (eg: email) requires a legal basis (eg: investigation), the employees' consent and a CNIL statement

Legals in France (extracts) III
- PII data transiting outside the EU have to be encrypted and to be stored within the EU (eg: Microsoft cloud services)

Vulnerability disclosure I
Scenario: You found a new vulnerability present on the latest major OS (eg: Windows 7, Android 2.3.4), and got a working "0-day exploit" (offensive security). What are your options?
- Full-vendor: report it. Microsoft: 0 euro (2011); Google: depends (2011) [Stable Channel Update]
- Hybrid: to a vendor-neutral organization: 200 EUR [Zero Day Initiative]
- Underground market: $1M
- On your website: and make a mess within the world! 0 EUR + potential criminal penalties!
- Keep it to yourself: only close people will know you found it before the others. Fame is for the other guys! 0 EUR

Vulnerability disclosure II
Keep in mind
- New trend: "coordinated vulnerability disclosure" (Microsoft, July 2010) [Coordinated Vulnerability Disclosure]; goal: ...
- Ethics: consequences? Why do you work in Information Security? (beliefs, morals...)
- In each country... a CERT. USA: http://www.cert.org ; France: http://www.certa.ssi.gouv.fr (ANSSI)

Certification
- important: scope of the certification (maybe only a subsystem)
- Some certification norms: TCSEC, Common Criteria

TCSEC
- USA, Department of Defense standard, 1983, updated 1985, now replaced by Common Criteria
- applies to complete systems (HW+SW)
- concepts: trusted computing base, security reference monitor
- describes implementation mechanisms: reuse, audit, compartment
- 4 security levels:
  - D: insecure or not evaluated
  - C: able to ensure a Discretionary Access Control
  - B: ... Mandatory Access Control
  - A: proved, documented and shown to be efficient security

Common Criteria I
- ISO 15408; 2005
- Initially Europe, now recognized by Germany, Australia, New Zealand, Canada, USA, France, England
- France: CESTI do evaluate products (eg. LEXSI, Sogeti-ESEC)
- certified products: http://www.commoncriteriaportal.org/products/

Common Criteria II
7 Evaluation Assurance Levels (EAL)
- EAL1 .. EAL4: common systems, best practices. Most important commercial products are EAL4 certified: "conceived, tested and verified regarding a certain methodology" (eg: Windows 7)
- EAL5: conceived in a semi-formal way, and tested
- EAL6: conception verified in a semi-formal way, and tested
- EAL7: conception verified and tested in a formal way

Conceive, Develop, and Integrate secured software: When and how to integrate security?
- Different approaches, models for the software development lifecycle: V model, Waterfall model, Agile development
- integrating security into those models: Microsoft Security DLC
- In too many projects... security is integrated during the validation and/or testing steps: it is too late! The earlier in the process the better!
V model
- overly simplified
- the one you saw during the "projet GL" (Software Engineering project) [V-model]

Agile development
- 2001, [AgileManifesto] [Agile software development methodology]
- eg: eXtreme Programming (2 developers, 1 reviewing, 1 coding)

Microsoft Security Development LifeCycle "SDLC"
- Created by Microsoft
- adapted for "traditional software development" (waterfall, v-model) and Agile (6)
(6) [Security Development Lifecycle]

OWASP
Especially for web applications: OWASP secure coding practices [Secure Coding Practises]

Appendix: For Further Reading
- CERT, Carnegie Mellon Software Engineering Institute. OCTAVE-S. https://www.cert.org/octave/osig.html.
- Elliot, D.; Swartz, E.; Herbane, B. (1999). Just waiting for the next big bang: business continuity planning in the UK finance sector. Journal of Applied Management Studies, Vol. 8, pp. 43-60. Here: p. 48.
- CLUSIF "Club de la Sécurité des Systèmes d'Information Français". MEHARI - "MEthode Harmonisée d'Analyse de RIsques". https://www.clusif.asso.fr/fr/production/mehari/.
- Goodchild, Joan (2010). Social Engineering: The Basics. http://www.csoonline.com/article/514063/social-engineering-the-basics.
- Google. Stable Channel Update. http://googlechromereleases.blogspot.com/2011/09/stable-channel-update_16.html.
- Autreau, Florent (IMAG). Security Assessment of Information Systems Standards, Methods and Tools - Ensimag - SCCI MSc. https://intranet.ensimag.fr/KIOSK/Matieres/SCCISecurityAudit/.
- Iwochewitsch, Michel. Identification et exploitation des failles humaines par les "prédateurs informationnels" : un risque sous-estimé par les entreprises ? SSTIC08. http://actes.sstic.org/SSTIC08/Identification_Exploitation_Failles_Humaines/SSTIC08-article-Iwochewitsch-Identification_Exploitation_Failles_Humaines.pdf.
- Kerouanton, Bruno (2011). Be a smart CISO (HIP2k11). http://www.hackinparis.com/slides/hip2k11/03-BeASmartCiso.pdf.
- Microsoft. Coordinated Vulnerability Disclosure. https://blogs.technet.com/b/msrc/archive/2011/04/19/coordinated-vulnerability-disclosure-from-philosophy-to-practice.aspx.
- Microsoft. Security Development Lifecycle. http://www.microsoft.com/security/sdl/default.aspx.
- Sauliere, Pascal (Microsoft) (2011). UVSQ - MSc SeCReTS (Cryptographie et Sécurité Informatique) - UE SECR403 - Sécurité windows et sécurité web. http://www.master-secrets.uvsq.fr/.
- Saltzer, Jerome H. (MIT). Protection and the Control of Information Sharing in Multics. CACM 1974, volume 17, issue 7, page 389.
- OWASP. It is About Risks, Not Weaknesses. https://www.owasp.org/index.php/Top_10_2010-Notes_About_Risk.
- OWASP. OWASP Risk Rating Methodology. https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology.
- OWASP. OWASP Top 10 Application Security Risks - 2010. https://www.owasp.org/index.php/Top_10_2010-Main.
- OWASP. Secure Coding Practises. https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices__Quick_Reference_Guide.
- OWASP. Top 10 application security risk. https://www.owasp.org/index.php/Top_10_2010-Main.
- Schneier, Bruce (2011). Three Emerging Cyber Threats. https://www.schneier.com/blog/archives/2011/09/three_emerging.html.
- Secunia. Corporate Security Inspector. https://secunia.com/vulnerability_scanning/.
- Symantec (2011). Norton Cybercrime report 2011. http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=threat_report_16.
- ANSSI "Agence Nationale de la Sécurité des Systèmes d'Information". EBIOS - "Expression des besoins et identification des objectifs de sécurité". http://www.ssi.gouv.fr/en/the-anssi/publications-109/methods-to-achieve-iss/ebios-2010-expression-of-needs-and-identification-of-security-objectives.html.
- Reed, Theodore; Geis, Joseph; Dietrich, Sven (2011). SkyNET: a 3G-enabled mobile attack drone and stealth botmaster. https://db.usenix.org/events/woot11/tech/final_files/Reed.pdf.
- TippingPoint. Zero Day Initiative. http://www.zerodayinitiative.com/.
- What Microsoft's online outage says about its cloud strategy (2011). http://www.zdnet.com/blog/bott/what-microsofts-online-outage-says-about-its-cloud-strategy/3308.
- Wikipedia. Agile software development methodology. https://secure.wikimedia.org/wikipedia/en/wiki/Agile_software_development.
- Wikipedia. Disaster Recovery Plan. https://secure.wikimedia.org/wikipedia/en/wiki/Disaster_recovery_plan.
- Wikipedia. V-model. https://secure.wikimedia.org/wikipedia/en/wiki/V-Model_%28software_development%29.