Apple reports that 250M iOS devices have been sold & 18M apps have been downloaded. While the popularity of these devices increases, many don’t understand the basic security features that Apple makes available to them. Here are the top five security settings for these devices: http://wifi-cs.co/vphAmA

Many of you have asked me how to download my presentations or see videos of the presentation. You can do this by going to the Cisco Live Mexico Virtual site.

At Cisco Live Virtual, you can:

• Access over 1,000 live and on-demand technical training sessions, keynotes, and Super Sessions.
• Download session PDFs
• Build a virtual “briefcase” to manage and organize the content that interests you
• Network with your peers, Cisco experts, and Cisco partners using text and webcam-based chats, buddy lists and v-card exchanges
• Participate in games and win prizes
• Join the conference conversation in the blog center and social media, including Twitter, Facebook, and LinkedIn

Full access to Cisco Live Virtual is now FREE! You now get unlimited access to the world-class content and networking tools that are an essential resource to networking and communications professionals from more than 195 countries.

You can also download my presentations here:

• “You Spent Millions on Network Security and Still Got Hacked!!” (Breakout Session)
• “Deploying and Troubleshooting AnyConnect Secure Mobility on the Cisco ASA“. (Lab Presentation).

Note: CSIRTs operate differently depending on the organization, its staff, their expertise, and budget resources. On the other hand, the best practices described in this chapter apply, generally, to any organization.

Who Should Be Part of the CSIRT?

Finding and retaining qualified security professionals is challenging. It can be also a struggle for organizations to justify additional headcount, especially for network security. Traditionally, information technology (IT) expenses are justified based on return on investment (ROI) and productivity metrics. On the other hand, security has been historically viewed as an additional cost. The opinion of many executives is changing, as organizations discover that better network security makes business transactions safer and reduces a big ticket item—liability.

In some cases, additional headcount is needed to create a formal CSIRT within an organization. However, on many occasions, the CSIRT can comprise staff from different departments within an organization. For example, an organization can have representatives from IT, Information Security (InfoSec), and engineering to be part of the CSIRT. The decision of whether to hire new staff or develop an in-house team depends on your organizational needs and budget. Clearly identify who needs to be involved at each level of the CSIRT planning, implementation, and operation. For instance, one of the most challenging tasks is the process of identifying the staff that will be performing security incident response functions.

In addition, identify which internal and external organizations will interface with the CSIRT. Evangelize and communicate the CSIRT responsibilities accordingly.

A question that many engineers, managers, and executives commonly ask is this: what skills should the CSIRT staff possess? The answer certainly goes beyond the in-depth technical expertise that the CSIRT contributor must have. Communication skills—both written and oral—are a plus. The CSIRT personnel must be able to communicate effectively to ensure that they obtain and supply the necessary and appropriate information. This leads to other critical qualities: the ability to respect confidentiality and integrity. This is obvious: integrity and confidentiality are crucial. Other key skills include:

• Handling stressful situations competently
• Managing time
• Problem solving/troubleshooting skills
• Working with teams effectively
• Handling situations diplomatically

Note: CERT has a section within its website dedicated to information about CSIRTs:

http://www.cert.org/csirts

First, Facebook is continuously changing to become more about personal expression and over-sharing. I do use Facebook probably more than any other social networking website. The reason is because I use it a lot to talk to my family. Recently do a lot of video chats with family and friends. Most of my friends tell me: “we use Facebook and other social networking sites because we need to keep up with the gossip” — and as they say it back home in P.R. “el chisme”.

Twitter still has the “stay simple” mentality, instead of getting caught up in a feature race (which is also good). I use Twitter a lot, mostly to keep up with real-time Internet Security topics and also to share some articles and thoughts with many other security professionals. I admit, I do automate some of my postings. I do this by following several RSS feeds and creating scripts by ranking what to publish (based on keywords and many other things). However, Twitter is a good way to keep up (in real time) of some of the trending topics of whatever you like.

What about Google+? Google+ has a combination of both, Facebook and Twitter. However, it also concentrates on simplicity and is also part of the ”feature race”. For instance, I use very heavily the “hangout” feature from Google+, if I want to talk to multiple friends or family members. On the other hand, I don’t check Google+ as often as I check Facebook and Twitter.

I cannot comment if Google+ usage is fluctuating or falling. I can tell you that I do not got here much for family sharing, because pretty much all of my family is in Facebook and roughly 1/10 of my family is in Google+.

I just gave you some social engineering information: my family is mostly on Facebook and only 1/10th is in Google+. Well… most families are on Facebook and not on Google+. Don’t get me wrong, I do like Google+, it is “just not there yet”.

Ok, what about Tumblr? Yes, I use Tumblr — once in a blue moon. I see it as a teenager hangout place. There are some good content shared there, but it is more of a teenager platform. Don’t get me wrong, I do like to see some of the funny pictures that my nieces and nephews post there

So, what about security? A good friend of mine recently posted several tips on social networking privacy at Cisco’s Security Blog. He pointed out several good basic guidelines:

1. Do not share too much information – in other words, include the minimum amount of information. For example, chances are your “Friends” should already know if you are male or female! Here is a non-exhaustive list of personal information that should NOT be shared.
   • Your age
   • Your gender
   • Your Social Security number
   • Your street address
   • Your phone number
   • Family financial information – bank account and credit card numbers
2. Do not post pictures, video, or words that can damage a reputation (including your own!) or hurt someone’s feelings.
3. Pictures, particularly with EXIF data embedded, should be avoided if at all possible. EXIF data may include, among other things, date, time, and GPS location data of photos, which could provide details of where you live, go to school, or work.
4. Tagging photos – restrict who is able to see your photos.
5. Post only information that you are comfortable with other people (meaning potentially EVERYONE!) seeing.
6. Do not post information about upcoming trips, vacations, etc. Share where you’ve been, not where you are going! To keep it simpler, always post in “past tense”!
7. Reputation – once information is posted, it is available for reference by others FOREVER!
8. Remember…. Teachers, parents, coaches, college recruiters, prospective employers, and the police may end up seeing the information you post! Are you sure you want to take that chance???

At the town hall, Anderson spoke with Lee Hirsch, the director of “The Bully Project.” With an intimate glimpse into homes, classrooms, cafeterias and principals’ offices, the documentary offers insight into the often cruel world of the lives of bullied children. The film aims to be a catalyst for change in the way we deal with bullying as parents, teachers, children and society as a whole. Find out more at thebullyproject.com.

Many of you have asked me if I can post the presentation online. You can obtain a copy of the presentation HERE.

I will also be presenting at Cisco Live Mexico (in November 2011) and Cisco Live Europe in London (in February 2012).

The lack of credible and relevant network security operational metrics can contribute to this paradigm. The understanding security operational metrics doesn’t require classes on Nobel Prize-winning theories or very complicated math that may make the process too complicated to even execute. You have to understand what you are trying to protect and first establish a high level process map via your own research. Use common knowledge a broad survey to validate and identify metrics in each procedure or operational area. For instance, build a set of metrics for things like, but not limited to, the following: Incident Management

• Patch Management
• Device Compliance
• Security Device Monitoring
• Network and Internet Access
• Device Identity Management
• User Identity Management
• User Access
• Application Robustness
• User Security Awareness

These are just some examples, the list can be much longer. The goal is to define a set of subprocesses for each high-level process (or operational area), then build metrics for each sub-process. More importantly, assemble these metrics into a model which can be used to track operational improvement.

I will give some examples of metrics you can collect and examine for each of the processes or operational areas I mentioned.

Operational Metrics for Incident Management

An incident is a chain of events that may signal an attack in your network. It is, of course, very important to have a good methodology to simplify and expedite the detection, mitigation, reporting, and analysis of an incident.  All this information can be captured in a case report with a case management tool and escalated to the relevant personnel. So, my question is, how effective are you or your organization in the detection, mitigation, reporting, and analysis of an incident in your network? You should at the very minimum ask the following questions and collect the corresponding metrics.

• How long does it take to identify an event?
• How long does it take to identify an incident?
• How long does it take to contain or mitigate an incident?

Let’s look at the following figure:

• To – is the time when an event occurs on the network
• Te – is the time when the event is detected on the network
• Ti – is the time when the event is classified as an incident
• Tc – is the time when the incident is contained on the network

Measure the time that takes your organization for each step and try to understand how to reduce it and be more effective.

Operational Metrics for Patch Management

Everyone understands that patch management is a critical issue. We also understand that every organization must create a consistently environment that is patched or configured against known vulnerabilities. Unfortunately,  good and practical solutions aren’t often applied as everyone thinks. How do you know how effective you are in patch management, if you do not collect operational metrics that can help you measuring success or identifying gaps in such process.

The following figure summarizes (in a high-level) a typical patch management process.

First a vendor identifies and announces a vulnerability for a product or software. In the case of Cisco, we announce all of our vulnerabilities in Cisco’s Security Center.

Note: The Cisco Product Security Incident Response Team (PSIRT) — which is my team — creates and maintains publications for security issues that affect Cisco products. For more information, review a description of the types of documents and the issues that they address.

If you are subscribed to receive notifications, you quickly identify all the devices that are affected within your network for that vulnerability/advisory.  It is possible that the vendor has identified workarounds that you can implement quickly. You need to identify those workarounds and understand how to apply them in your environment. While a workaround is being placed, you obtain the patch or the fix for that vulnerability. In most cases you do not have a lot of time to test the new software before you deploy that patch or fix in your network. However, once the patch or image is certified, you schedule a maintenance window to roll it out into the production environment.

You will always need to keep up with the vulnerability announcements from the vendors. You can do this by subscribing to RSS, CVE announcements, monitoring aliases such as bugtraq, or any other mechanism that vendors use to notify their customers that a vulnerability exists. Additionally you must have an understanding of what devices are affected within your network so you can easily implement any workaround.

The following are some of the questions you can ask yourself to start building the operational metrics that will help you in patch management:

• How long does it take you to become aware of the new vulnerability announcements from vendors?
• How long does it take to identify affected devices?
• How long does it take to implement workarounds (when available)?
• How long does it take for you to test and implement the fix/patch?

Operational Metrics for Device Compliance

Since we talked about patch management, let me share a few metrics you can collect for device compliance. The first question is:

• Do you have devices that are not using a “certified image/version”?

The biggest risk in running a “non-certified” software version is the exposure to software vulnerabilities. If a new security advisory is released with a highly-critical vulnerability that may even impact hundreds of different products, it will be difficult to identity the impacted devices in a timely fashion. Furthermore, software version control is a best practice while deploying consistent software versions on similar network devices. This improves the chance for validation and testing on the chosen software versions and greatly limits the amount of software defects and interoperability issues found in the network. Limited software versions also reduce the risk of unexpected behavior with user interfaces, command or management output, upgrade behavior and feature behavior. This makes the environment less complex and easier to support. Overall, software version control improves network availability and helps lower reactive support costs.

The following are a few more questions

• What percent of devices are in compliance with certified software images?
• What percent of devices are in compliance with standard configuration templates?

I always recommend creating standard configurations for each device classification, such as routers, switches, firewalls, and any other security or network device. Each standard configuration should contain the global, media, and protocol configuration commands necessary to maintain network consistency, resiliency, and overall security. You can use several global configuration commands or templates in all devices that are alike and include things such as service commands, IP commands, TACACS commands, vty configuration, banners, SNMP configuration, and Network Time Protocol (NTP) configuration. Additionally, make sure to document device
and interface “descriptors”. These “descriptors” includes the purpose and location of the interface, other devices or locations connected to the interface, and circuit identifiers. This helps your support and security groups to better understand the scope of problems related to an interface and allows faster resolution of problems, such as security incidents.

Operational Metrics for Monitoring

One of the first steps in the process of preparing your network and staff to successfully identify security threats is achieving complete network visibility. You cannot protect against or mitigate what you cannot view/detect. You can achieve this level of network visibility through existing features on network devices you already have and on devices whose potential you do not even realize. In addition, you should create strategic network diagrams to clearly illustrate your packet flows and where, within the network, you may enable security mechanisms to identify, classify, and mitigate the threat. Remember that network security is a constant war. When defending against the enemy, you must know your own territory and implement defense mechanisms in place.

Security monitoring is similar to network monitoring, except it focuses on detecting changes in the network that may indicate a security incident. You must also understand and identify what the level of monitoring is required based on the threat to a system or network. For instance, a firewall is considered a high-risk network device, which indicates that you should monitor it with high priority. This means that you always should check for things such as failed login attempts, unusual traffic, changes to the firewall, access granted to the firewall, and connections setup through the firewall, etc.

Following this example, create a monitoring policy for each area identified in your risk analysis. It is often recommended monitoring low-risk equipment weekly, medium-risk equipment daily, and high-risk equipment hourly. If you require more rapid detection, monitor on a shorter time frame. However, this all depends on your environment and your staff.

These are some high-level questions that you should always ask when building operational metrics for monitoring and visibility:

• What percent of network and security devices are being successfully remotely monitored?
• What percent of the network is adequately documented?
• What percent of unauthorized data flows are found on firewalls and other networking devices?
• How often do you audit and analyze your network traffic baselines?

Operational Metrics for Network and Internet Access

The following are a few questions that you can use to develop metrics for general Internet and network access.

• What percent of edge interfaces are protected by anti-spoofing mechanisms?
• How often do you audit your firewall rules?
• How often do you audit the configuration of network and security devices that are considered critical?
• What percent of unauthorized data flows are found on the firewalls?
• What percent of devices are logging administrative logins and configuration changes?
• What often do you audit AAA systems for unauthorized users?
• What percent of unauthorized users have attempted access to network infrastructure devices?

Some of these questions tie back to the items I described earlier.

Operational Metrics for Device Identity Management

Device identity is the understanding of what a specific network device is on the network, what is its function and purpose. The following are a few questions that you can use to develop metrics for device identity management.

• What percent of unauthorized devices are on the network?
• How long does it take to locate a device from its IP address in real-time?
• How long does it take to locate a device from its IP address using historical logs?

I invite you to do a quick test within your organization. Ask any network engineer or security engineer those questions. Especially, how long does it take for them to locate a device from its IP address in real-time and by using historical logs. They will provide you some answer (i.e., 5 minutes, 10 minutes, an hour, etc.). Ask them to prove it. You will be surprised with the actual results!

Operational Metrics for User Identity Management

You can ask similar questions to develop metrics for user identity management.

• What percent of unauthorized users are on the network
• How long does it take to identify a user from its IP address in real-time?
• How long does it take to identify a user from its IP address from historical logs?

There’s no right or wrong answer for some of these metrics/questions. However, what is important is to understand these metrics and use them develop better processes and procedures to reduce the time that it takes someone to identify a device.

Do you often ask yourself these questions and track similar metrics? Please share what you are currently doing to improve and completely understand operational security metrics.

Bruce Schneier had a good comment/note back in 2008 about this:

The whole insiders vs. outsiders debate has always been one of semantics more than anything else. If you count by attacks, there are a lot more outsider attacks, simply because there are orders of magnitude more outsider attackers. If you count incidents, the numbers tend to get closer: 75% vs. 18% in this case. And if you count damages, insiders generally come out on top — mostly because they have a lot more detailed information and can target their attacks better.

Both insiders and outsiders are security risks, and you have to defend against them both. Trying to rank them isn’t all that useful.

If you count damages, insider attacks often are far worse. They are more extensive and go undetected longer. It is all about the attack surface and how well you understand the level of exposure (internally and externally). The problem sometimes is not technical, but organizational. In other words, sometimes people tend to focus on building a fort that protects them from outsider threads (using the best security technologies and processes in their Internet edge), but then fail to implement the same level of protection internally and develop processes and procedures to audit and assess their internal network.

One of the reasons why mitigating the insider threat has been difficult is because there are various definitions used, and the definition tends to depend on the perspective of the one defining the problem. So who’s an insider a contractor that is in the company for 3 months and still can connect to most of the internal resources; a guest on a conference room who is already behind your Internet edge firewalls; or a 10-year-old disgruntled employee? All those can be a threat, right?

As we can see, insider can mean many different things to different people. In fact, some might even use the term insider when in fact they are referring to insiders with malicious intent. In my opinion, an insider is anyone with any level of authorized access to an organization’s infrastructure. By access, we refer to the ability to connect to and interact with the infrastructure. What if a naïve ”trusted user” is compromised and now his machine is used as a stepping stone from an outsider? Attacks nowadays are borderless (just like the Cisco marketing buzzword ). The number of organizations hit by advanced persistent threats (APTs) grows on a daily basis. Example, RSA attack.

The following are several real-life examples of insider attacks/threats from the media:

A 63-year-old, former system administrator that was employed by UBS PaineWebber, a financial services firm, allegedly infected the company’s network with malicious code. The malicious code he used is said to have cost UBS $3 million in recovery expenses and thousands of lost man hours. He was apparently irate about a poor salary bonus he received. In retaliation, he wrote a program that would delete files and cause disruptions on the UBS network. After installing the malicious code, he quit his job. Following, he bought “puts” against UBS. If the stock price for UBS went down, because of the malicious code for example, he would profit from that purchase. His malicious code was executed through a logic bomb which is a program on a timer set to execute at a predetermined date and time. The attack impaired trading while impacting over 1,000 servers and 17,000 individual work stations.

A Chinese national—a programmer at Ellery Systems, a Boulder, Colorado software firm working on advanced distributive computing software—transferred via the Internet, the firms’ entire proprietary source code to another Chinese national working in the Denver area. The software was then transferred to a Chinese company, Beijing Machinery. Subsequently, foreign competition directly attributed to loss of the source code drove Ellery Systems into bankruptcy.

In Detroit a former security guard at General Motors was accused of taking employee social security numbers and using them to hack into the company’s employee vehicle database. He was arraigned on eight counts of obtaining, possessing, or transferring personal identity information, and on one count of using a computer to commit a crime.

n Pune, India, police unearthed a major siphoning racket that involved former and present call center employees. One of the employees—who had worked in the call center for six months before quitting—had the secret PIN codes and customer e-mail IDs used to transfer money. In league with friends, the former employee allegedly transferred the equivalent of three hundred and fifty thousand dollars from four accounts of New York-based customers into their own accounts opened under fictitious names. They then used the money to buy cars and electronics.

Zhangyi Liu, a Chinese computer programmer working as a subcontractor for Litton/PRC Inc., illegally accessed sensitive Air Force information on combat readiness. He also copied passwords that allow users to create, change, or delete any file on the network, and then posted the passwords on the Internet.

In Charlotte N.C., more than one hundred thousand customers of Wachovia Corp. and Bank of America Corp. had been notified that their financial records may have been stolen by bank employees and sold to collection agencies. In all, nearly seven hundred thousand customers of four banks may be affected.

A disgruntled employee is suspected of hacking a global networking consultancy’s computer systems and then e-mailing staff confidential information about forthcoming restructuring plans. New York-based networking consultancy ThruPoint, which partners with Cisco and KPMG spin-off BearingPoint, confirmed that it is conducting an investigation into the embarrassing incident.

A Management Information Systems (MIS) professional at a military facility learns she is going to be let go due to downsizing. She decides to encrypt large parts of the organization’s database and hold it hostage. She contacts the systems administrator responsible for the database and offers to decode the data for ten thousand dollars in “severance pay” and a promise of no prosecution. The organization agrees to her terms before consulting with proper authorities. Prosecutors reviewing the case determine that the administrator’s deal precludes them from pursuing charges.

An engineer at an energy processing plant becomes upset with his new supervisor. The engineer’s wife is terminally ill and the related stress leads to a series of angry and disruptive episodes at work that result in probation. After the engineer’s being sent home, the engineering staff discovers that the engineer has made serious modifications to plant controls and safety systems. When confronted, the engineer decides to withhold the password, threatening the productivity and safety of the plant.

– Source: “Enemy at the Water Cooler: Real-Life Stories of Insider Threats and Enterprise Security Management Countermeasures“

So, how do you protect your “crown jewels”? — the information that makes your company/organization what it really is… Data centers often are the keepers of these “crown jewels”. Data centers house the data and applications that are critical to the success of many businesses. Subsequently, the data center must be secure and resilient in order to keep your enterprise running at maximum productivity, protecting your profitability, productivity and reputation.

There are many many white-papers already on data center security, network auditing, etc. They provide guidelines on how to implement the biggest, fastest, and shiniest security products and technologies out there. However, even before you explore what technology or product to implement, you must have a good understanding of your traffic flows in your environment and how to achieve visibility and control in all your network.

This is why I always suggest to create topology maps and other diagrams to visualize your network resources and apply security architecture decisions.   You can create circular diagrams like the one illustrated below (which is very simplistic, but this gives you the basic idea so that you can then customize the diagrams to fit your organizational needs). Typically, these types of diagrams include resources that surround a critical system or area of the network you want to protect. In the following figure, a very simplistic “cluster of  servers” is illustrated in the center of the diagram. Several layers describe the devices in the topology in relation to different sections of the network.

The illustration in the onion diagram above helps you visualize and understand the different layers of protection you can apply within your network to protect the mission-critical systems. The diagram has four major sections that portray the path from and to the protected system and the following sections of the network:

• Finance department users
• Internet
• Call Center
• Branch Office in Los Angeles, California (LA)

You can also visualize packet flows and understand how security policies can be applied to each network device to protect critical systems and the infrastructure as a whole. You can identify where you can apply the technologies that enable you to gain and maintain visibility of what is happening in your network, as well as apply security policies and identify “choke-points”. The following are two examples:

Visibility Techniques Applied

Policy Enforcement Techniques Applied

I have a lot more examples and details of these diagrams and security frameworks in one of my books (“End-to-End Network Security: Defense-in-Depth“). However, I would also like to share a few other good references about insider attack protection:

• SANS Whitepaper: Protecting Against Insider Attacks
• CERT has several good posts at their “Insider Threat Blog“

Many network security frameworks are in the marketplace and most of them have the common goal of providing a methodical and efficient approach to network security. No framework is perfect, you should choose an approach that can help reduce the time, cost, and resources needed to plan and deploy your security strategy.

Wings Over Wayne Air Show 2011

As you know, virtualized environments are very dynamic in nature. There are frequent additions, deletions, and changes across virtual machines (VMs) and tenants. In the past, each physical server was connected to an access port on a switch. Subsequently, all traffic between servers or to the corporate network traveled through a physical access switch and firewalls, IPS devices, load balancers, etc. However, traffic flows within virtualized environments sometimes do not even touch physical devices. For example, traffic between the following VMs do not even leave the physical hardware.

So how do we provide segmentation, policy enforcement and other security services? Cisco has introduced the Cisco Virtual Security Gateway (VSG) for the Cisco Nexus 1000V Series. It is a virtual firewall that allows you to enforce policy and segmentation virtual and cloud environments. The  Cisco VSG operates in conjunction with the Cisco Nexus 1000V (and vPath) in order to support a dynamic VM environment. All security profiles are associated to a Cisco Nexus 1000V port profile. These are authored on the Cisco Nexus 1000V Virtual Supervisor Module and published to the VMWare Virtual Center. A tenant is created with the Cisco VSG and on the Cisco Virtual Network Management Center (VNMC). All associated security profiles are configured to include trust zone definitions and access control rules. When a new VM is instantiated, you assign the respective port profile to the virtual Ethernet port of the VM.

When a  vMotion events occurs, VMs move across physical servers. The Cisco Nexus 1000V ensures that port profile policies and associated security profiles follow the VMs. Security enforcement and monitoring remain transparent to vMotion events. The Cisco VSG operates with the Cisco Nexus 1000V distributed virtual switch in the VMWare vSphere hypervisor. The Cisco VSG leverages the virtual network service data path (vPath) that is embedded in the Cisco Nexus 1000V Virtual Ethernet module (VEM). vPath steers traffic, whether external-to-VM or VM-to-VM, to the Cisco VSG of a tenant. A split-processing model is applied where initial packet processing occurs in the Cisco VSG for policy evaluation and enforcement. After the policy decision is made, the Cisco VSG off-loads policy enforcement of remaining packets to vPath.

Well, you can learn more of this at http://cisco.com/go/vsg

What happens to the firewall and security administrators? They have to collaborate more than ever with the switch and the server administrators. In small-to-medium organizations this may be the same team. However, in large enterprises these are often separate teams; and sometimes, their rational will be a LOT different. Collaboration between security, switching and server teams is crucial! Specially, since they are always forced to maintain administrative separation and reduce errors via a consistent and repeatable deployment model. How can we achieve that with this complex environment and across different mentalities?

Coordination and correlation for programmatic provisioning and management of security policies is not an easy task unless you use strong APIs and (again) complete collaboration within teams. The good news is that VNMC provides several visual and programmatic controls /APIs to manage security policies. However, is this sufficient? This is where processes, metrics, and technology need to meet. You can have the most sophisticated security device/software and if you do not have the appropriate processes in place you will fail. Let’s take a look at a few metrics that can help you evaluate if you have the correct processes in place for both, the physical and virtualized world within your infrastructure.

How long does it take for you to positively identify that a virtual “device” is compromised in comparison to how long does it take when a physical device is compromised? Have you ever made that comparison?

What is the frequency of audits conducted against your “virtual infrastructure”? How can you maintain visibility into network operations?  You must adjust your processes and procedures and audit the virtualized environment the same way you do for your physical network. By doing these audits/checks you will reveal important errors or omissions in the virtualized environment that probably are not present in the legacy physical world. What is the the average (mean) time elapsing between audits of the firewall systems and rules (for both virtual and physical firewalls)?

Additionally, what is the percent of the virtualized network that is documented and understood by the security team?  The lack of virtual topologies will contribute to delays in the incident response process, if/when your virtual network is compromised.

May I challenge you a little further? Measure how long does it take for you to detect an event occurring on the physical network vs. in the virtualized environment. I am assuming that you already have complete visibility of both, physical and virtual devices. How long does it take for you to obtain and correlate alerts that originate from software, hardware, or human observation?

You may think that this does not have anything to do about security, but it does. What is the number or ratio of physical and virtual devices that do not confirm to a standard build template? Go ahead and compare both of them. You should have standard build templates for all physical and virtual assets with all the respective security considerations.

Please share what are some other processes or metrics that security administrators should pay attention in this “somewhat-new virtualized world”…

The following is a picture of the Nikon D7000 attached to the Orion telescope:

Nikon D7000 attached to the telescope

The following are some of the pictures that I took with the camera/telescope:

The picture above and the two below were taken with the following exposure, aperture, and ISO speed settings:

• Exposure 0.02 sec (1/50)
• Aperture f/0.0 (infinity)
• ISO Speed 400

I also have a Tamron AF 200-500mm f/5.0-6.3 Di  lens, which I love to use to take pictures of the moon:

• Aperture f/9.0
• Focal Length 500 mm
• ISO Speed500
• Exposure  0.001 sec (1/800)

The Nikon D7000 has the capability of shooting full HD (1080p) video. When using auto-focus, the  AF-F gives continuous focus during movie recording, which is captured using MPEG4 AVC/H.264 compression. However, in this case I used manual focus (to infinity). The following is the video:

I am pretty happy for being my first time doing astrophotography and video.