I agree that ROI really isn't a good model for justifying network security costs. If
the customer has critical data that will cost the company dearly if lost, I present
network security as an "insurance policy". There is no real ROI on insurance, and you
only need it when things go badly. But if things do go badly and you don't have
insurance....

I think this is a valid approach, and I see on a fairly regular basis where someone has
attempted some level of suspicious activity. Port scans, TFN probes and things like
that mostly, but when I can show the firewall logs blocking this type of traffic, it
helps to validate the cost. The hacker did some probing, didn't find anything and gave
up. This is very worthwhile, I think. If the firewall wasn't there, how far would
they have gone?

VPN is a different story. VPN is a double hitter, both as ROI and insurance. It's
cheaper than a dedicated WAN circuit AND it protects data.
-MJL
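The point above about showing blocked traffic in firewall logs to validate the spend is easy to turn into a repeatable summary. The following is an added example, not code from the thread or from any of its authors: it parses a constructed sample of deny-log lines in a hypothetical syslog-like format (the format, IP addresses and timestamps are all made up), aggregates blocked attempts per source, and flags sources whose blocked traffic spread across many distinct destination ports, which is the scan-like pattern the message describes. The output is the kind of short list a network engineer could hand to management.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of firewall log lines in a hypothetical format (not taken
# from any real product). Fields: timestamp, action, protocol, src:port -> dst:port.
SAMPLE_LOG = """\
2000-04-18 08:41:02 DENY TCP 192.0.2.10:4021 -> 198.51.100.5:21
2000-04-18 08:41:02 DENY TCP 192.0.2.10:4022 -> 198.51.100.5:22
2000-04-18 08:41:03 DENY TCP 192.0.2.10:4023 -> 198.51.100.5:23
2000-04-18 08:41:03 DENY TCP 192.0.2.10:4024 -> 198.51.100.5:25
2000-04-18 08:41:04 DENY TCP 192.0.2.10:4025 -> 198.51.100.5:80
2000-04-18 08:41:04 DENY TCP 192.0.2.10:4026 -> 198.51.100.5:110
2000-04-18 08:41:05 DENY TCP 192.0.2.10:4027 -> 198.51.100.5:143
2000-04-18 08:41:05 DENY TCP 192.0.2.10:4028 -> 198.51.100.5:443
2000-04-18 09:02:11 DENY UDP 203.0.113.7:31335 -> 198.51.100.5:31335
2000-04-18 09:02:11 DENY UDP 203.0.113.7:31335 -> 198.51.100.6:31335
2000-04-18 09:15:40 DENY TCP 203.0.113.9:1234 -> 198.51.100.5:80
2000-04-18 09:16:00 PERMIT TCP 192.0.2.55:2048 -> 198.51.100.5:80
this line is garbage and must be skipped
"""

# Regex for the hypothetical line format above; anything that does not match is
# ignored rather than crashing the summary.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>DENY|PERMIT) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


@dataclass
class SourceStats:
    """Per-source tally of blocked attempts."""
    denied: int = 0
    dst_ports: set = field(default_factory=set)
    dst_hosts: set = field(default_factory=set)
    first_seen: str = ""
    last_seen: str = ""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Aggregate DENY lines by source address; PERMIT and unparsable lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DENY":
            continue
        s = stats[rec["src"]]
        s.denied += 1
        s.dst_ports.add(int(rec["dport"]))
        s.dst_hosts.add(rec["dst"])
        s.first_seen = s.first_seen or rec["ts"]
        s.last_seen = rec["ts"]
    return dict(stats)


def scan_like_sources(stats, min_ports=5):
    """Sources whose blocked traffic touched at least min_ports distinct ports."""
    return sorted(src for src, s in stats.items() if len(s.dst_ports) >= min_ports)


def report(stats, min_ports=5):
    """Build the short management-facing summary as a string."""
    total = sum(s.denied for s in stats.values())
    lines = [f"Blocked connection attempts: {total} from {len(stats)} sources"]
    for src in scan_like_sources(stats, min_ports):
        s = stats[src]
        lines.append(
            f"  {src}: {s.denied} denied, {len(s.dst_ports)} distinct ports, "
            f"{len(s.dst_hosts)} hosts, {s.first_seen} .. {s.last_seen}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

The port threshold in `scan_like_sources` is a knob, not a rule: in real logs it needs tuning against the normal traffic mix so that a single mistyped connection or a legitimate multi-port service does not get reported as probing.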
----------
From: Geoff Gates[SMTP:[EMAIL PROTECTED]]
Sent: Tuesday, April 18, 2000 8:40 AM
To: [EMAIL PROTECTED]
Subject: re: Off Topic: Upper Management decision making
Yes, it is certainly true that you must prove that the cost of recovering a
compromised network is TREMENDOUS to your upper management. The only problem that
we face with network security is that there is no sound way to quantify what measures
to protect a network will succeed. Be careful when you present to your upper management
the suggestion that spending 40k will save 100k in the future.

Any network security specialist knows that no matter what measures are taken to
protect their network, they must cover every possible hole/exploit, where an attacker
need only find one. With the complexity of computer systems, it is nearly impossible to
do this, and this should be made well known to management. You must remember that it is
difficult to detect new attacks, since most of these are not incorporated into IDSs,
firewalls, etc. In the end, the potential still exists that you may spend xx $$ on
security measures and still have your network compromised by an attacker, costing an
additional sum of money. The key to point out to management would be that the
potential is significantly reduced, but who knows how to quantify this into a tangible
metric. Luckily network security has been given much attention (PPD 63, Clinton's CIP,
DDOS attacks, etc.). Thus you have some "scare tactics" to bring to bat when this is
important.

Not to ramble further, but it is sad to point out that an overwhelming majority of
attacks are generated on the inside. It is here that firewalls, proxies, and general
measures usually fail completely, and these insiders may even have the passwords to
your security gear. I would make this known to management too; just don't make it look
so hopeless that management would come to the realization that it may cost too much,
and that the risk may be worthwhile.
Geoff Gates
Network Engineer
Lockheed Martin, NE&SS
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]