The Business Case for Network Security

Advocacy, Governance, and ROI

Catherine Paquet, Warren Saxe

Jan 2005, Paperback, 408 pages
ISBN13: 9781587201219
ISBN10: 1587201216

Understand the total cost of ownership and return on investment for network security solutions

  • Understand what motivates hackers and how to classify threats
  • Learn how to recognize common vulnerabilities and common types of attacks
  • Examine modern day security systems, devices, and mitigation techniques
  • Integrate policies and personnel with security equipment to effectively lessen security risks
  • Analyze the greater implications of security breaches facing corporations and executives today
  • Understand the governance aspects of network security to help implement a climate of change throughout your organization
  • Learn how to qualify your organization’s aversion to risk
  • Quantify the hard costs of attacks versus the cost of security technology investment to determine ROI
  • Learn the essential elements of security policy development and how to continually assess security needs and vulnerabilities

The Business Case for Network Security: Advocacy, Governance, and ROI addresses the needs of networking professionals and business executives who seek to assess their organization’s risks and objectively quantify both costs and cost savings related to network security technology investments. This book covers the latest topics in network attacks and security. It includes a detailed security-minded examination of return on investment (ROI) and associated financial methodologies that yield both objective and subjective data. The book also introduces and explores the concept of return on prevention (ROP) and discusses the greater implications currently facing corporations, including governance and the fundamental importance of security, for senior executives and the board.

Making technical issues accessible, this book presents an overview of security technologies that uses a holistic and objective model to quantify issues such as ROI, total cost of ownership (TCO), and risk tolerance. This book explores capital expenditures and fixed and variable costs, such as maintenance and upgrades, to determine a realistic TCO figure, which in turn is used as the foundation in calculating ROI. The importance of security policies addressing such issues as Internet usage, remote-access usage, and incident reporting is also discussed, acknowledging that the most comprehensive security equipment will not protect an organization if it is poorly configured, implemented, or used. Quick reference sheets and worksheets, included in the appendixes, provide technology reviews and allow financial modeling exercises to be performed easily.

An essential IT security-investing tool written from a business management perspective, The Business Case for Network Security: Advocacy, Governance, and ROI helps you determine the effective ROP for your business.

This volume is in the Network Business Series offered by Cisco Press®. Books in this series provide IT executives, decision makers, and networking professionals with pertinent information about today’s most important technologies and business strategies.

Introduction.

I. VULNERABILITIES AND TECHNOLOGIES.

1. Hackers and Threats.

Contending with Vulnerability

Realizing Value in Security Audits

Analyzing Hacking

Assessing Vulnerability and Response

Hackers: Motivation and Characteristics

The Enemy Within: Maliciousness and Sloppiness

Threats Classification

The Future of Hacking and Security

Summary

End Notes

2. Crucial Need for Security: Vulnerabilities and Attacks.

Recognizing Vulnerabilities

Design Vulnerabilities Issues

Human Vulnerability Issues

Implementation Vulnerability Issues

Categories of Attacks

The Human Component in Attacks

Reconnaissance Attacks

Access Attacks

Denial of Service Attacks

Additional Common Attacks

Footprinting

Scanning and System Detailing

Eavesdropping

Password Attacks

Impersonating

Trust Exploitation

Software and Protocol Exploitation

Worms

Viruses

Trojan Horses

Attack Trends

Wireless Intrusions

Wireless Eavesdropping

Man-in-the-Middle Wireless Attacks

Walk-By Hacking

Drive-By Spamming

Wireless Denial of Service

Frequency Jamming

The Hapless Road Warrior

Social Engineering

Examples of Social Engineering Tactics

Summary of Attacks

Cisco SAFE Axioms

Routers Are Targets

Switches Are Targets

Hosts Are Targets

Networks Are Targets

Applications Are Targets

Summary

3. Security Technology and Related Equipment.

Virus Protection

Traffic Filtering

Basic Filtering

Advanced Filtering

Filtering Summary

Encryption

Encrypted VPN

SSL Encryption

File Encryption

Authentication, Authorization, and Accounting: AAA

Authentication

Authorization

Accounting

Public Key Infrastructure

From Detection to Prevention: Intrusion-Detection Systems and Intrusion-Prevention Systems

IDS Overview

Network- and Host-Based IDS

IPS Overview

Target-Based IDS

Content Filtering

URL Filtering

E-Mail Content Filtering

Assessment and Audit

Assessment Tools

Audit Tools

Additional Mitigation Methods

Self-Defending Networks

Stopping a Worm with Network-Based Application Recognition

Automated Patch Management

Notebook Privacy Filter

Summary

End Notes

4. Putting It All Together: Threats and Security Equipment.

Threats, Targets, and Trends

Lowering Risk Exposure

Security Topologies

SAFE Blueprints

SAFE Architecture

Using SAFE

Summary

II. HUMAN AND FINANCIAL ISSUES.

5. Policy, Personnel, and Equipment as Security Enablers.

Securing the Organization: Equipment and Access

Job Categories

Departing Employees

Password Sanctity

Access

Managing the Availability and Integrity of Operations

Implementing New Software and Privacy Concerns

Custom and Vendor-Supplied Software

Sending Data: Privacy and Encryption Considerations

Regulating Interactivity Through Information and Equipment Control

Determining Levels of Confidentiality

Inventory Control: Logging and Tagging

Mobilizing the Human Element: Creating a Secure Culture

Employee Involvement

Management Involvement: Steering Committee

Creating Guidelines Through the Establishment of Procedural Requirements

Policy Fundamentals

Determining Ownership

Determining Rules and Defining Compliance

Corporate Compliance

User Compliance

Securing the Future: Business Continuity Planning

Ensuring a Successful Security Policy Approach

Security Is a Learned Behavior

Inviting the Unknown

Avoiding a Fall into the Safety Trap

Accounting for the Unaccountable

Workflow Considerations

Striving to Make Security Policies More Efficient

Surveying IT Management

The Need for Determining a Consensus on Risk

Infosec Management Survey

Infosec Management Quotient

Summary

6. A Matter of Governance: Taking Security to the Board.

Security-A Governance Issue

Directing Security Initiatives

Steering Committee

Leading the Way

Establishing a Secure Culture

Securing the Physical Business

Securing Business Relationships

Securing the Homeland

Involving the Board

Examining the Need for Executive Involvement

Elements Requiring Executive Participation

Summary

End Notes

7. Creating Demand for the Security Proposal: IT Management's Role.

Delivering the Security Message to Executive Management

Recognizing the Goals of the Corporation

Knowing How the Organization Can Use ROP

Understanding the Organization's Mandate and Directives

Acknowledging the Organization's Imperatives and Required Deliverables

Establishing an Appropriate Security Posture

Outlining Methods IT Managers Can Use to Engage the Organization

Lobbying Support

Assessing Senior Business Management Security Requirements

Every Question Counts: Delivering the Survey to Respondents

Infosec Operational Survey

Infosec Operational Quotient

Summary

8. Risk Aversion and Security Topologies.

Risk Aversion

The Notion of Risk Aversion

Determining Risk Tolerance

What Assets to Protect

Short-Term and Long-Term Risks

Risk-Aversion Quotient

Calculating the Risk-Aversion Quotient

Risk-Aversion Quotient and Risk Tolerance

Using the Charts

Security Modeling

Topology Standards

One Size Rarely Fits All

Security Throughout the Network

Diminishing Returns

Summary

9. Return on Prevention: Investing in Capital Assets.

Examining Cost of Attacks

Determining a Baseline

Providing Alternatives

Budgeting for Security Equipment

Total Cost of Ownership

Present Value

Analyzing Returns on Security Capital Investments

Net Present Value

Internal Rate of Return

Return on Investment

Payback Period

The Bottom Line

Acknowledging Nonmathematical Security Fundamentals

Summary

End Notes

III. POLICIES AND FUTURE.

10. Essential Elements of Security Policy Development.

Determining Required Policies

Constructing Reliable and Sound Policies

Reliability

Access

Constancy

Answerability

Using Policy Tools and Policy Implementation Considerations

Useful Policy Tools

Policy Implementation

Performing Comprehensive Monitoring

Knowing Policy Types

Physical Security Policies

Access-Control Policies

Dialup and Analog Policies

Remote-Access Policies

Remote Configuration Policies

VPN and Encryption Policies

Network Policies

Data Sensitivity, Retention, and Ethics Policies

Software Policies

Summary of Policy Types

Handling Incidents

Summary

11. Security Is a Living Process.

Security Wheel

Secure

Monitor

Test

Improve

Scalability

Jurisprudence

Hacking

Internal Issues

Negligence

Privacy

Integrity

Good Netizen Conduct

SWOT: Strengths, Weaknesses, Opportunities, and Threats

Strengths

Weaknesses

Opportunities

Threats

Summary

End Note

IV. APPENDIXES.

Appendix A. References.

Appendix B. OSI Model, Internet Protocol, and Packets.

Appendix C. Quick Guides to Security Technologies.

Appendix D. Return on Prevention Calculations Reference Sheets.

Glossary.

Index.

Catherine Paquet is a freelancer in the field of internetworking and return on security investment. Catherine has in-depth knowledge of security systems, remote access, and routing technology. She is a Cisco Certified Security Professional (CCSP™) and a Cisco Certified Network Professional (CCNP®). Her internetworking career started as a LAN manager; she then moved to MAN manager and eventually became the nationwide WAN manager. Catherine was also a certified Cisco Systems instructor with the largest Cisco® training partner, serving as the course director/master instructor for security and remote access courses. Most recently she held the position of director of technical resources for Canada, where she was responsible for the instructor corps and equipment offerings, including Cisco courses. In 2002 and 2003, Catherine volunteered with the UN mission in Kabul, Afghanistan, to train Afghan public servants in the area of networking. Catherine has an MBA with a major in management information systems (MIS).

Catherine coauthored the Cisco Press books Building Scalable Cisco Networks, CCNP Self-Study: Building Scalable Cisco Internetworks (BSCI), and CCNP Self-Study: Building Scalable Cisco Internetworks (BSCI), Second Edition, and she edited Building Cisco Remote Access Networks.

Warren Saxe has an extensive background in profit and loss (P&L) management as general manager for a Fortune 1000 semiconductor distributor. As a top- and bottom-line-focused senior manager, he brings a unique perspective to this book, which is oriented toward business decision makers. He applies an overriding business strategy to drive IT decisions by using a value-driven approach. He has an extensive background in sales management, marketing management, and demand creation fundamentals. He directed a large multidisciplinary team composed of managers, engineers, and sales and marketing professionals. He was responsible for strategic and tactical planning, and he negotiated directly with CxO-level executives, both internally and with customers across many industries. He is currently focusing on the areas of security governance, risk management, and return on security investment planning. He earned his degree at McGill University.
