Category: Security

Securing your Load Balanced WordPress Site with Rackspace Cloud Networks

A few months back I wrote an article about getting your load balanced WordPress site up and running with the Rackspace Cloud, an article that was picked up on the Rackspace blog. The focus of that article was getting everything running correctly rather than securing the data, mainly because it was a massive pain in the neck with first generation cloud servers. But since the launch of the Next Generation cloud servers and Rackspace’s Cloud Networks it has become amazingly simple to isolate your vulnerable traffic from prying eyes. I’ve been using the Rackspace Cloud Networks service since it was in beta testing, and given my experience I thought it would be a good idea to revisit this topic and add some pointers on how to quickly and efficiently secure your inter-server data in the Rackspace cloud.


Risk Analysis Videos

A while back I worked with one of my professors to produce videos on a number of risk analysis related topics, including thought exercises and other brainstorming techniques. I just found a couple of those videos on YouTube and thought I’d share them.

Risk Analysis for Dummies

Here’s the slides from my talk at The Next HOPE about how to conduct a risk analysis. I’ll follow this up with the audio and video once it’s available.

Presentation slides:
Risk Analysis for Dummies (PPTX)

View the PowerPoint online

Risk Analysis for Dummies (MP3 Audio)

Risk Analysis for Dummies (MKV Video)

Video on Vimeo

For more information on how to conduct a risk analysis and other resources on the field, visit the following websites:

SARMA: Security Analysis and Risk Management Association
Professor McGill’s blog (he taught me everything I know)

I HIGHLY recommend the following books on the subject:

Peter Bernstein: Against the Gods
Nassim Taleb: The Black Swan

On the schedule for The Next HOPE!

After speaking at The Last H.O.P.E. in 2008, I wanted to come up with another talk I could give on a topic that would interest the 2600 community. After racking my brain for some cool thing I had done that would interest them, I finally figured out what skill I possessed that I could pass on to these computer security enthusiasts, network administrators, IT professionals and people interested in security in general.

From The Full List of Talks:

Risk Analysis for Dummies

Nick Leghorn

We all get that “gut feeling” about what is risky, but how do we communicate that to managers or other people in a meaningful way? And how can we determine what risks are worse than others in a justifiable manner? How do you even define “risk?” In this talk, you’ll learn about the most up to date methods of identifying risk, evaluating risk, and communicating risk to others, as well as some models used by the U.S. government and others to identify attack targets, evaluate building security, diagram attacks, and more. And no math problems harder than simple addition, guaranteed.

Friday 2100 Bell

The synopsis doesn’t really capture what I hope this talk will be. It’s intended for IT professionals and aspiring penetration testers who want to take their experience and their intuition about which risks and vulnerabilities exist in their network and relate it in a quantifiable manner to managers and clients who may not believe in their expertise, or who want to see a justification for that new security staff and all those expensive security appliances. I plan to cover:

  • Probability
  • The equation for risk
  • How to scope a problem
  • How to show results of an analysis
  • Types of scales and how to use them
  • Factor based models and their use
  • The six questions of risk analysis and management

Here’s the list of other talks for Friday.

If anyone has any suggestions for topics to cover, drop me a comment.

Penn State 2600 kicks off with a bang

As you know, creating the new Penn State 2600 club has been my pet project this semester. For the last few months, we’ve slowly been gaining members and building towards becoming an official Penn State club. After this past Friday, we meet all the requirements, and then some.

The latest meeting was the much anticipated “Lockpicking Workshop”, and much like my mother, I couldn’t help myself from alerting the press. The Daily Collegian sent a pair of photographers and reporters to check out the event, and did a really great job of reporting about what the club was doing in terms of educating the public about security risks. Here’s a link to the article. I’m trying to get the pictures from the event from the photographers, so hopefully they’ll be posted soon.

We approved our constitution, elected the officers (I’m president, big surprise there), and approved Doc Gerry as our advisor. That, combined with the 35 people in attendance (PSU requires a minimum of 20), puts us over the line in terms of requirements. All that’s left is for me to get our new advisor to sign off on the paperwork and drop it off in the HUB, and then wait for their response. But even if Penn State doesn’t want to sponsor us, I’m sure meetings will continue unabated for the foreseeable future.