Archive for the ‘Security’ Category

Risk Analysis for Dummies

Here are the slides from my talk at The Next HOPE about how to conduct a risk analysis. I’ll follow this up with the audio and video once they’re available.

Presentation slides:
Risk Analysis for Dummies (PPTX)

View the PowerPoint online
———-

Audio:

Risk Analysis for Dummies (MP3 Audio)
———-

Video:

Risk Analysis for Dummies (MKV Video)

Video on Vimeo

———-

For more information on how to conduct a risk analysis, and for other resources in the field, visit the following websites:

SARMA: Security Analysis and Risk Management Association
Professor McGill’s blog (he taught me everything I know)

I HIGHLY recommend the following books on the subject:

Peter Bernstein: Against the Gods
Nassim Taleb: The Black Swan




On the schedule for The Next HOPE!

After speaking at The Last H.O.P.E. in 2008, I wanted to come up with another talk I could give on a topic that would interest the 2600 community. After racking my brain for some cool thing I had done that would interest them, I finally figured out what skill I possessed that I could pass on to these computer security enthusiasts, network administrators, IT professionals and people interested in security in general.

From The Full List of Talks:

Risk Analysis for Dummies

Nick Leghorn

We all get that “gut feeling” about what is risky, but how do we communicate that to managers or other people in a meaningful way? And how can we determine what risks are worse than others in a justifiable manner? How do you even define “risk?” In this talk, you’ll learn about the most up to date methods of identifying risk, evaluating risk, and communicating risk to others, as well as some models used by the U.S. government and others to identify attack targets, evaluate building security, diagram attacks, and more. And no math problems harder than simple addition, guaranteed.

Friday 2100 Bell

The synopsis doesn’t really capture what I hope this talk will be. It’s intended for IT professionals and aspiring penetration testers who want to take their experience and their intuition about the risks and vulnerabilities in their networks and relate them, in a quantifiable manner, to managers and clients who may not believe in their expertise, or who need a justification for that new security staff and all those expensive security appliances. I plan to cover:

  • Probability
  • The equation for risk
  • How to scope a problem
  • How to show results of an analysis
  • Types of scales and how to use them
  • Factor based models and their use
  • The six questions of risk analysis and management
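As an added example, and not material from the talk or the slides linked above: a small script that applies the textbook form of the risk equation (risk = likelihood × consequence) to a constructed risk register two ways, once on a ratio scale (probability times dollar loss) and once on the 1–5 ordinal ratings used in the usual heat map. The scenarios, probabilities, dollar figures and rating bucket edges are all assumptions made for illustration; the talk’s own formulation of the equation is not reproduced on this page.

```python
# Added example, not from the talk or its slides: a small risk-scoring script
# showing the textbook risk equation (risk = likelihood x consequence) and how
# the choice of scale changes the ranking you hand to management.
# Scenarios, probabilities, dollar figures and bucket edges are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float  # estimated chance the event occurs in a given year
    loss: float         # estimated loss if it does occur, in dollars


# Constructed sample register (not real data).
SCENARIOS = [
    Scenario("Laptop theft", 0.30, 5_000),
    Scenario("Web app SQL injection", 0.05, 250_000),
    Scenario("Data center fire", 0.002, 2_000_000),
]


def expected_loss(s: Scenario) -> float:
    """Ratio-scale risk: annual probability times loss. Multiplying is
    meaningful here because both inputs are real quantities with a true zero."""
    return s.probability * s.loss


def likelihood_rating(p: float) -> int:
    """Map a probability onto a 1..5 ordinal scale (bucket edges are assumptions)."""
    for threshold, rating in ((0.2, 5), (0.05, 4), (0.01, 3), (0.001, 2)):
        if p >= threshold:
            return rating
    return 1


def consequence_rating(loss: float) -> int:
    """Map a dollar loss onto a 1..5 ordinal scale (bucket edges are assumptions)."""
    for threshold, rating in ((1_000_000, 5), (100_000, 4), (10_000, 3), (1_000, 2)):
        if loss >= threshold:
            return rating
    return 1


def ordinal_score(s: Scenario) -> int:
    """The common heat-map score: likelihood rating x consequence rating.
    Multiplying ordinal ratings is a convention, not arithmetic: a 10 is not
    'twice as risky' as a 5, and distinct scenarios collapse onto one cell."""
    return likelihood_rating(s.probability) * consequence_rating(s.loss)


def rank(scenarios, score) -> list:
    """Return (name, score) pairs, highest score first; ties keep register order."""
    return [(s.name, score(s)) for s in sorted(scenarios, key=score, reverse=True)]


if __name__ == "__main__":
    print("Quantitative (expected annual loss, $):")
    for name, value in rank(SCENARIOS, expected_loss):
        print(f"  {name:<24} {value:>10,.0f}")
    print("Ordinal 5x5 heat-map score:")
    for name, value in rank(SCENARIOS, ordinal_score):
        print(f"  {name:>24} {value:>10}")
```

On the constructed register the quantitative ranking is SQL injection, then the fire, then laptop theft, while the ordinal heat map scores the fire and the laptop theft identically even though their expected losses differ by more than a factor of two. That is the practical reason the type of scale matters: ordinal ratings are fine for sorting and communicating, but the moment someone multiplies or adds them to compare budgets, the numbers stop meaning what they appear to mean.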

Here’s the list of other talks for Friday.

If anyone has any suggestions for topics to cover, drop me a comment.




Penn State 2600 kicks off with a bang

As you know, creating the new Penn State 2600 club has been my pet project this semester. For the last few months, we’ve slowly been gaining members and building towards becoming an official Penn State club. After this past Friday, we meet all the requirements, and then some.

The latest meeting was the much anticipated “Lockpicking Workshop”, and, much like my mother, I couldn’t help alerting the press. The Daily Collegian sent a pair of photographers and reporters to check out the event, and did a really great job of reporting on what the club was doing in terms of educating the public about security risks. Here’s a link to the article. I’m trying to get the pictures from the event from the photographers, so hopefully they’ll be posted soon.

We approved our constitution, elected the officers (I’m president, big surprise there), and approved Doc Gerry as our advisor. That, combined with the 35 people in attendance (PSU requires a minimum of 20), puts us over the line in terms of requirements. All that’s left is for me to get our new advisor to sign off on the paperwork and drop it off in the HUB, and then wait for their response. But even if Penn State doesn’t want to sponsor us, I’m sure meetings will continue unabated for the foreseeable future.




Upgrading Omnivore to Windows Server 2008

Since I’ve come home to New Rochelle for the weekend, I decided it was a good time to upgrade my home server (affectionately named “OMNIVORE”) to Windows Server 2008, simply for the purpose of getting more experience with the OS. Some readers may remember the purpose behind Omnivore from previous posts, and its crucial role in delivering the freshest downloads straight to my dorm room.

I’ve been playing with Server 2008 in a VM for a few days, and I thought I had gotten the hang of it. So I decided on Saturday morning to wipe Server 2003 off the box and put Server 2008 on instead. The initial configuration process (formatting the system drive, since the data is on a separate disk, installing 2008 along with its drivers and updates, and finally setting up LogMeIn on the system) took a grand total of about an hour, most of that time spent employing the “hurry up and wait” technique. An hour after that, all the usual programs were back in place, the server was pointed to the appropriate directory, and the firewall rules were reconfigured to allow my super secret port number to accept incoming connections (Optimum Online blocks the standard array of HTTP, SSL and IRC ports from incoming connections on residential lines).

In comparison to Server 2003, 2008 is already looking better. The first-run menu where the server holds your hand through the initial configuration was far more helpful than its predecessor, giving a better overview of what’s been done and what still needs to be done to prep the box. And the management console seems much more intuitive, with everything on the same tree instead of configuring each role from a different window. I’ll have to play with the box some more, but it also looks like error reporting and performance management have been drastically improved in terms of usability.

In general, the only changes I’ve actually seen are aesthetic, but as I start pen testing the box, I hope to see a lot more improvements over the previous incarnation of the server. But for now, it’s stable and on-line, and that’s all I really care about.




Audio and video from HOPE now available

As promised (but a little late), the audio and video from my HOPE presentation: NYC Taxi System: Privacy vs. Utility is now available for free as a download from my website. Grab them from the links below, and enjoy!

HOPE Video

HOPE Audio