THE BUSINESS CASE FOR NETWORK SECURITY: ADVOCACY, GOVERNANCE, AND ROI
By Catherine Paquet, Warren Saxe
Publisher: Cisco Press
Pub Date: December 13, 2004
ISBN: 1-58720-121-6
Pages: 408

The Business Case for Network Security: Advocacy, Governance, and ROI addresses the needs of networking professionals and business executives who seek to assess their organization's risks and objectively quantify both costs and cost savings related to network security technology investments. This book covers the latest topics in network attacks and security. It includes a detailed security-minded examination of return on investment (ROI) and associated financial methodologies that yield both objective and subjective data. The book also introduces and explores the concept of return on prevention (ROP) and discusses the greater implications currently facing corporations, including governance and the fundamental importance of security, for senior executives and the board.

Making technical issues accessible, this book presents an overview of security technologies that uses a holistic and objective model to quantify issues such as ROI, total cost of ownership (TCO), and risk tolerance. This book explores capital expenditures and fixed and variable costs, such as maintenance and upgrades, to determine a realistic TCO figure, which in turn is used as the foundation in calculating ROI. The importance of security policies addressing such issues as Internet usage, remote-access usage, and incident reporting is also discussed, acknowledging that the most comprehensive security equipment will not protect an organization if it is poorly configured, implemented, or used. Quick reference sheets and worksheets, included in the appendixes, provide technology reviews and allow financial modeling exercises to be performed easily.
An essential IT security-investing tool written from a business management perspective, The Business Case for Network Security: Advocacy, Governance, and ROI helps you determine the effective ROP for your business. This volume is in the Network Business Series offered by Cisco Press®. Books in this series provide IT executives, decision makers, and networking professionals with pertinent information about today's most important technologies and business strategies.

Table of Contents

Copyright
About the Authors
About the Technical Reviewers
Acknowledgments
Icons Used in This Book
Introduction

Part I. Vulnerabilities and Technologies

  Chapter 1. Hackers and Threats
    Contending with Vulnerability
    Analyzing Hacking
    Threats Classification
    The Future of Hacking and Security
    Summary
    Endnotes

  Chapter 2. Crucial Need for Security: Vulnerabilities and Attacks
    Recognizing Vulnerabilities
    Categories of Attacks
    Additional Common Attacks
    Wireless Intrusions
    Social Engineering
    Summary of Attacks
    Cisco SAFE Axioms
    Summary

  Chapter 3. Security Technology and Related Equipment
    Virus Protection
    Traffic Filtering and Firewalls
    Encryption
    Authentication, Authorization, and Accounting: AAA
    Public Key Infrastructure
    From Detection to Prevention: Intrusion-Detection Systems and Intrusion-Prevention Systems
    Content Filtering
    Assessment and Audit
    Additional Mitigation Methods
    Summary
    Endnotes

  Chapter 4. Putting It All Together: Threats and Security Equipment
    Threats, Targets, and Trends
    Lowering Risk Exposure
    Security Topologies
    Summary

Part II. Human and Financial Issues

  Chapter 5. Policy, Personnel, and Equipment as Security Enablers
    Securing the Organization: Equipment and Access
    Managing the Availability and Integrity of Operations
    Implementing New Software and Privacy Concerns
    Regulating Interactivity Through Information and Equipment Control
    Mobilizing the Human Element: Creating a Secure Culture
    Creating Guidelines Through the Establishment of Procedural Requirements
    Determining Rules and Defining Compliance
    Securing the Future: Business Continuity Planning
    Ensuring a Successful Security Policy Approach
    Surveying IT Management
    Summary

  Chapter 6. A Matter of Governance: Taking Security to the Board
    Security: A Governance Issue
    Directing Security Initiatives
    Establishing a Secure Culture
    Involving the Board
    Summary
    End Notes

  Chapter 7. Creating Demand for the Security Proposal: IT Management's Role
    Delivering the Security Message to Executive Management
    Recognizing the Goals of the Corporation
    Outlining Methods IT Managers Can Use to Engage the Organization
    Assessing Senior Business Management Security Requirements
    Summary

  Chapter 8. Risk Aversion and Security Topologies
    Risk Aversion
    Risk-Aversion Quotient
    Security Modeling
    Diminishing Returns
    Summary

  Chapter 9. Return on Prevention: Investing in Capital Assets
    Examining Cost of Attacks
    Budgeting for Security Equipment
    Analyzing Returns on Security Capital Investments
    Acknowledging Nonmathematical Security Fundamentals
    Summary
    End Notes

Part III. Policies and Future

  Chapter 10. Essential Elements of Security Policy Development
    Determining Required Policies
    Constructing Reliable and Sound Policies
    Using Policy Tools and Policy Implementation Considerations
    Performing Comprehensive Monitoring
    Knowing Policy Types
    Handling Incidents
    Summary

  Chapter 11. Security Is a Living Process
    Security Wheel
    Scalability
    Jurisprudence
    SWOT: Strengths, Weaknesses, Opportunities, and Threats
    Summary
    End Note

Part IV. Appendixes

  Appendix A. References

  Appendix B. OSI Model, Internet Protocol, and Packets
    OSI Model
    Internet Protocol
    IP Packet

  Appendix C. Quick Guides to Security Technologies
    Cheat Sheet 1: Routers
    Cheat Sheet 2: Hubs and Switches
    Cheat Sheet 3: Perimeter Routers and Firewalls
    Cheat Sheet 4: Intrusion-Detection Systems
    Cheat Sheet 5: Virtual Private Networks and Authentication
    Cheat Sheet 6: Comprehensive Security Topology

  Appendix D. Return on Prevention Calculations Reference Sheets
    Security Costs Calculations
    Financial Value Calculations

Glossary
Index