The business case for network security : advocacy, governance, and ROI

Author(s)

Bibliographic information

The business case for network security : advocacy, governance, and ROI

Catherine Paquet, Warren Saxe

(Network business series)

Cisco Press, c2005

  • pbk

Held by university libraries: 1


Notes

"Understand the total cost of ownership and return on investment for network security solutions"--Cover

Includes index

Description and Table of Contents

Description

  • Understand the total cost of ownership and return on investment for network security solutions
  • Understand what motivates hackers and how to classify threats
  • Learn how to recognize common vulnerabilities and common types of attacks
  • Examine modern-day security systems, devices, and mitigation techniques
  • Integrate policies and personnel with security equipment to effectively lessen security risks
  • Analyze the greater implications of security breaches facing corporations and executives today
  • Understand the governance aspects of network security to help implement a climate of change throughout your organization
  • Learn how to qualify your organization's aversion to risk
  • Quantify the hard costs of attacks versus the cost of security technology investment to determine ROI
  • Learn the essential elements of security policy development and how to continually assess security needs and vulnerabilities

The Business Case for Network Security: Advocacy, Governance, and ROI addresses the needs of networking professionals and business executives who seek to assess their organization's risks and objectively quantify both costs and cost savings related to network security technology investments. This book covers the latest topics in network attacks and security. It includes a detailed security-minded examination of return on investment (ROI) and associated financial methodologies that yield both objective and subjective data. The book also introduces and explores the concept of return on prevention (ROP) and discusses the greater implications currently facing corporations, including governance and the fundamental importance of security, for senior executives and the board. Making technical issues accessible, this book presents an overview of security technologies that uses a holistic and objective model to quantify issues such as ROI, total cost of ownership (TCO), and risk tolerance.

This book explores capital expenditures and fixed and variable costs, such as maintenance and upgrades, to determine a realistic TCO figure, which in turn is used as the foundation in calculating ROI. The importance of security policies addressing such issues as Internet usage, remote-access usage, and incident reporting is also discussed, acknowledging that the most comprehensive security equipment will not protect an organization if it is poorly configured, implemented, or used. Quick reference sheets and worksheets, included in the appendixes, provide technology reviews and allow financial modeling exercises to be performed easily. An essential IT security-investing tool written from a business management perspective, The Business Case for Network Security: Advocacy, Governance, and ROI helps you determine the effective ROP for your business. This volume is in the Network Business Series offered by Cisco Press (R). Books in this series provide IT executives, decision makers, and networking professionals with pertinent information about today's most important technologies and business strategies.

Table of Contents

Introduction.

I. VULNERABILITIES AND TECHNOLOGIES.

1. Hackers and Threats.
  • Contending with Vulnerability
  • Realizing Value in Security Audits
  • Analyzing Hacking
  • Assessing Vulnerability and Response
  • Hackers: Motivation and Characteristics
  • The Enemy Within: Maliciousness and Sloppiness
  • Threats Classification
  • The Future of Hacking and Security
  • Summary
  • End Notes

2. Crucial Need for Security: Vulnerabilities and Attacks.
  • Recognizing Vulnerabilities
  • Design Vulnerabilities Issues
  • Human Vulnerability Issues
  • Implementation Vulnerability Issues
  • Categories of Attacks
  • The Human Component in Attacks
  • Reconnaissance Attacks
  • Access Attacks
  • Denial of Service Attacks
  • Additional Common Attacks
  • Footprinting
  • Scanning and System Detailing
  • Eavesdropping
  • Password Attacks
  • Impersonating
  • Trust Exploitation
  • Software and Protocol Exploitation
  • Worms
  • Viruses
  • Trojan Horses
  • Attack Trends
  • Wireless Intrusions
  • Wireless Eavesdropping
  • Man-in-the-Middle Wireless Attacks
  • Walk-By Hacking
  • Drive-By Spamming
  • Wireless Denial of Service
  • Frequency Jamming
  • The Hapless Road Warrior
  • Social Engineering
  • Examples of Social Engineering Tactics
  • Summary of Attacks
  • Cisco SAFE Axioms
  • Routers Are Targets
  • Switches Are Targets
  • Hosts Are Targets
  • Networks Are Targets
  • Applications Are Targets
  • Summary

3. Security Technology and Related Equipment.
  • Virus Protection
  • Traffic Filtering
  • Basic Filtering
  • Advanced Filtering
  • Filtering Summary
  • Encryption
  • Encrypted VPN
  • SSL Encryption
  • File Encryption
  • Authentication, Authorization, and Accounting: AAA
  • Authentication
  • Authorization
  • Accounting
  • Public Key Infrastructure
  • From Detection to Prevention: Intrusion-Detection Systems and Intrusion-Prevention Systems
  • IDS Overview
  • Network- and Host-Based IDS
  • IPS Overview
  • Target-Based IDS
  • Content Filtering
  • URL Filtering
  • E-Mail Content Filtering
  • Assessment and Audit
  • Assessment Tools
  • Audit Tools
  • Additional Mitigation Methods
  • Self-Defending Networks
  • Stopping a Worm with Network-Based Application Recognition
  • Automated Patch Management
  • Notebook Privacy Filter
  • Summary
  • End Notes

4. Putting It All Together: Threats and Security Equipment.
  • Threats, Targets, and Trends
  • Lowering Risk Exposure
  • Security Topologies
  • SAFE Blueprints
  • SAFE Architecture
  • Using SAFE
  • Summary

II. HUMAN AND FINANCIAL ISSUES.

5. Policy, Personnel, and Equipment as Security Enablers.
  • Securing the Organization: Equipment and Access
  • Job Categories
  • Departing Employees
  • Password Sanctity
  • Access
  • Managing the Availability and Integrity of Operations
  • Implementing New Software and Privacy Concerns
  • Custom and Vendor-Supplied Software
  • Sending Data: Privacy and Encryption Considerations
  • Regulating Interactivity Through Information and Equipment Control
  • Determining Levels of Confidentiality
  • Inventory Control: Logging and Tagging
  • Mobilizing the Human Element: Creating a Secure Culture
  • Employee Involvement
  • Management Involvement: Steering Committee
  • Creating Guidelines Through the Establishment of Procedural Requirements
  • Policy Fundamentals
  • Determining Ownership
  • Determining Rules and Defining Compliance
  • Corporate Compliance
  • User Compliance
  • Securing the Future: Business Continuity Planning
  • Ensuring a Successful Security Policy Approach
  • Security Is a Learned Behavior
  • Inviting the Unknown
  • Avoiding a Fall into the Safety Trap
  • Accounting for the Unaccountable
  • Workflow Considerations
  • Striving to Make Security Policies More Efficient
  • Surveying IT Management
  • The Need for Determining a Consensus on Risk
  • Infosec Management Survey
  • Infosec Management Quotient
  • Summary

6. A Matter of Governance: Taking Security to the Board.
  • Security: A Governance Issue
  • Directing Security Initiatives
  • Steering Committee Leading the Way
  • Establishing a Secure Culture
  • Securing the Physical Business
  • Securing Business Relationships
  • Securing the Homeland
  • Involving the Board
  • Examining the Need for Executive Involvement
  • Elements Requiring Executive Participation
  • Summary
  • End Notes

7. Creating Demand for the Security Proposal: IT Management's Role.
  • Delivering the Security Message to Executive Management
  • Recognizing the Goals of the Corporation
  • Knowing How the Organization Can Use ROP
  • Understanding the Organization's Mandate and Directives
  • Acknowledging the Organization's Imperatives and Required Deliverables
  • Establishing an Appropriate Security Posture
  • Outlining Methods IT Managers Can Use to Engage the Organization
  • Lobbying Support
  • Assessing Senior Business Management Security Requirements
  • Every Question Counts: Delivering the Survey to Respondents
  • Infosec Operational Survey
  • Infosec Operational Quotient
  • Summary

8. Risk Aversion and Security Topologies.
  • Risk Aversion
  • The Notion of Risk Aversion
  • Determining Risk Tolerance
  • What Assets to Protect
  • Short-Term and Long-Term Risks
  • Risk-Aversion Quotient
  • Calculating the Risk-Aversion Quotient
  • Risk-Aversion Quotient and Risk Tolerance
  • Using the Charts
  • Security Modeling
  • Topology Standards
  • One Size Rarely Fits All
  • Security Throughout the Network
  • Diminishing Returns
  • Summary

9. Return on Prevention: Investing in Capital Assets.
  • Examining Cost of Attacks
  • Determining a Baseline
  • Providing Alternatives
  • Budgeting for Security Equipment
  • Total Cost of Ownership
  • Present Value
  • Analyzing Returns on Security Capital Investments
  • Net Present Value
  • Internal Rate of Return
  • Return on Investment
  • Payback Period
  • The Bottom Line
  • Acknowledging Nonmathematical Security Fundamentals
  • Summary
  • End Notes

III. POLICIES AND FUTURE.

10. Essential Elements of Security Policy Development.
  • Determining Required Policies
  • Constructing Reliable and Sound Policies
  • Reliability
  • Access
  • Constancy
  • Answerability
  • Using Policy Tools and Policy Implementation Considerations
  • Useful Policy Tools
  • Policy Implementation
  • Performing Comprehensive Monitoring
  • Knowing Policy Types
  • Physical Security Policies
  • Access-Control Policies
  • Dialup and Analog Policies
  • Remote-Access Policies
  • Remote Configuration Policies
  • VPN and Encryption Policies
  • Network Policies
  • Data Sensitivity, Retention, and Ethics Policies
  • Software Policies
  • Summary of Policy Types
  • Handling Incidents
  • Summary

11. Security Is a Living Process.
  • Security Wheel
  • Secure
  • Monitor
  • Test
  • Improve
  • Scalability
  • Jurisprudence
  • Hacking
  • Internal Issues
  • Negligence
  • Privacy
  • Integrity
  • Good Netizen Conduct
  • SWOT: Strengths, Weaknesses, Opportunities, and Threats
  • Strengths
  • Weaknesses
  • Opportunities
  • Threats
  • Summary
  • End Note

IV. APPENDIXES.

Appendix A. References.
Appendix B. OSI Model, Internet Protocol, and Packets.
Appendix C. Quick Guides to Security Technologies.
Appendix D. Return on Prevention Calculations Reference Sheets.
Glossary.
Index.

From "Nielsen BookData"
