THE BUSINESS CASE FOR NETWORK SECURITY: ADVOCACY, GOVERNANCE, AND ROI

Transcription

1 THE BUSINESS CASE FOR NETWORK SECURITY: ADVOCACY, GOVERNANCE, AND ROI Introduction. I. VULNERABILITIES AND TECHNOLOGIES. 1. Hackers and Threats. Contending with Vulnerability Realizing Value in Security Audits Analyzing Hacking Assessing Vulnerability and Response Hackers: Motivation and Characteristics The Enemy Within: Maliciousness and Sloppiness Threats Classification The Future of Hacking and Security 2. Crucial Need for Security: Vulnerabilities and Attacks. Recognizing Vulnerabilities Design Vulnerabilities Issues Human Vulnerability Issues Implementation Vulnerability Issues Categories of Attacks The Human Component in Attacks Reconnaissance Attacks Access Attacks Denial of Service Attacks Additional Common Attacks Footprinting Scanning and System Detailing Eavesdropping Password Attacks Impersonating Trust Exploitation Software and Protocol Exploitation Worms Viruses Trojan Horses Attack Trends Wireless Intrusions Wireless Eavesdropping Man-in-the-Middle Wireless Attacks Walk-By Hacking Drive-By Spamming Wireless Denial of Service Frequency Jamming The Hapless Road Warrior Social Engineering Examples of Social Engineering Tactics of Attacks Cisco SAFE Axioms Routers Are Targets

2 Switches Are Targets Hosts Are Targets Networks Are Targets Applications Are Targets 3. Security Technology and Related Equipment. Virus Protection Traffic Filtering Basic Filtering Advanced Filtering Filtering Encryption Encrypted VPN SSL Encryption File Encryption Authentication, Authorization, and Accounting: AAA Authentication Authorization Accounting Public Key Infrastructure From Detection to Prevention: Intrusion-Detection Systems and Intrusion-Prevention Systems IDS Overview Network- and Host-Based IDS IPS Overview Target-Based IDS Content Filtering URL Filtering Content Filtering Assessment and Audit Assessment Tools Audit Tools Additional Mitigation Methods Self-Defending Networks Stopping a Worm with Network-Based Application Recognition Automated Patch Management Notebook Privacy Filter 4. Putting It All Together: Threats and Security Equipment. Threats, Targets, and Trends Lowering Risk Exposure Security Topologies SAFE Blueprints SAFE Architecture Using SAFE II. HUMAN AND FINANCIAL ISSUES.

3 5. Policy, Personnel, and Equipment as Security Enablers. Securing the Organization: Equipment and Access Job Categories Departing Employees Password Sanctity Access Managing the Availability and Integrity of Operations Implementing New Software and Privacy Concerns Custom and Vendor-Supplied Software Sending Data: Privacy and Encryption Considerations Regulating Interactivity Through Information and Equipment Control Determining Levels of Confidentiality Inventory Control: Logging and Tagging Mobilizing the Human Element: Creating a Secure Culture Employee Involvement Management Involvement: Steering Committee Creating Guidelines Through the Establishment of Procedural Requirements Policy Fundamentals Determining Ownership Determining Rules and Defining Compliance Corporate Compliance User Compliance Securing the Future: Business Continuity Planning Ensuring a Successful Security Policy Approach Security Is a Learned Behavior Inviting the Unknown Avoiding a Fall into the Safety Trap Accounting for the Unaccountable Workflow Considerations Striving to Make Security Policies More Efficient Surveying IT Management The Need for Determining a Consensus on Risk Infosec Management Survey Infosec Management Quotient 6. A Matter of Governance: Taking Security to the Board. Security-A Governance Issue Directing Security Initiatives Steering Committee Leading the Way Establishing a Secure Culture Securing the Physical Business Securing Business Relationships Securing the Homeland Involving the Board Examining the Need for Executive Involvement Elements Requiring Executive Participation

4 7. Creating Demand for the Security Proposal: IT Management's Role. Delivering the Security Message to Executive Management Recognizing the Goals of the Corporation Knowing How the Organization Can Use ROP Understanding the Organization's Mandate and Directives Acknowledging the Organization's Imperatives and Required Deliverables Establishing an Appropriate Security Posture Outlining Methods IT Managers Can Use to Engage the Organization Lobbying Support Assessing Senior Business Management Security Requirements Every Question Counts: Delivering the Survey to Respondents Infosec Operational Survey Infosec Operational Quotient 8. Risk Aversion and Security Topologies. Risk Aversion The Notion of Risk Aversion Determining Risk Tolerance What Assets to Protect Short-Term and Long-Term Risks Risk-Aversion Quotient Calculating the Risk-Aversion Quotient Risk-Aversion Quotient and Risk Tolerance Using the Charts Security Modeling Topology Standards One Size Rarely Fits All Security Throughout the Network Diminishing Returns 9. Return on Prevention: Investing in Capital Assets. Examining Cost of Attacks Determining a Baseline Providing Alternatives Budgeting for Security Equipment Total Cost of Ownership Present Value Analyzing Returns on Security Capital Investments Net Present Value Internal Rate of Return Return on Investment Payback Period The Bottom Line Acknowledging Nonmathematical Security Fundamentals III. POLICIES AND FUTURE. 10. Essential Elements of Security Policy Development. Determining Required Policies Constructing Reliable and Sound Policies Reliability

5 Access Constancy Answerability Using Policy Tools and Policy Implementation Considerations Useful Policy Tools Policy Implementation Performing Comprehensive Monitoring Knowing Policy Types Physical Security Policies Access-Control Policies Dialup and Analog Policies Remote-Access Policies Remote Configuration Policies VPN and Encryption Policies Network Policies Data Sensitivity, Retention, and Ethics Policies Software Policies of Policy Types Handling Incidents 11. Security Is a Living Process. Security Wheel Secure Monitor Test Improve Scalability Jurisprudence Hacking Internal Issues Negligence Privacy Integrity Good Netizen Conduct SWOT: Strengths, Weaknesses, Opportunities, and Threats Strengths Weaknesses Opportunities Threats End Note IV. APPENDIXES. Appendix A. References. Appendix B. OSI Model, Internet Protocol, and Packets. Appendix C. Quick Guides to Security Technologies. Appendix D. Return on Prevention Calculations Reference Sheets. Glossary. Index.