Evil Overlord Security

Slides of the excellent presentation by Glyn Wintle (@glynwintle) & Sheila Ellen (@sheilaellen) at the BCS Kent branch (Dec 2012)

1. THE EVIL OVERLORD'S GUIDE TO SECURITY. @glynwintle | @sheilaellen
2. INTRODUCTION TO THE ORIGINAL EVIL OVERLORD LIST BY PETER ANSPACH © 1996-1997. "Being an Evil Overlord seems to be a good career choice. It pays well, there are all sorts of perks and you can set your own hours." http://www.eviloverlord.com/lists/overlord.html
3. INTRODUCTION TO THE ORIGINAL EVIL OVERLORD LIST BY PETER ANSPACH © 1996-1997. "However every Evil Overlord I've read about in books or seen in movies invariably gets overthrown and destroyed in the end. I've noticed that no matter whether they are barbarian lords, deranged wizards, mad scientists or alien invaders, they always seem to make the same basic mistakes every single time." http://www.eviloverlord.com/lists/overlord.html
4. THE TOP 100 THINGS I'D DO IF I EVER BECAME AN EVIL OVERLORD. http://www.eviloverlord.com/lists/overlord.html
5. Rule 1: My Legions of Terror will have helmets with a clear plexiglass visor, not face-concealing ones.
   TRANSLATION: I will ensure that it's obvious when someone attempts to gain unauthorised access to my systems. (Photo: JDHancock)
6. Rule 1: I will ensure that it's obvious when someone attempts to gain unauthorised access to my systems.
   STRATEGIES
   ● Log everything
   ● Keep another log just for uncommon events
   ● If someone has made 100 log-in attempts, send me an email
   ● When a config file changes, send me an email
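The four strategies on this slide fit in one small log watcher. The following is an added example, not code from the presenters: it counts failed logins per source address from constructed sshd-style lines, raises an alert once a source crosses the slide's 100-attempt threshold, and detects edited config files by comparing SHA-256 fingerprints against a recorded baseline. Alert delivery is modelled as a list of "uncommon events" (the slide's second log); a real deployment would hand that list to its mailer or pager. The log lines, file paths and file contents are all constructed for the example.

```python
"""Added example: the slide's four strategies as a small log watcher.

Constructed sshd-style log lines are embedded below; nothing here reads a real
log or sends real mail. Alert delivery is modelled as a list of uncommon events.
"""
import hashlib
import re
from collections import Counter

FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def failed_logins_by_source(lines):
    """Count failed logins per source address ('log everything' comes first)."""
    counts = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def login_alerts(lines, threshold=100):
    """One alert per source that reached the slide's 100-attempt threshold."""
    return [
        f"ALERT: {n} failed logins from {ip}"
        for ip, n in sorted(failed_logins_by_source(lines).items())
        if n >= threshold
    ]


def fingerprint(contents: bytes) -> str:
    """SHA-256 of a config file's bytes; the baseline stores only these."""
    return hashlib.sha256(contents).hexdigest()


def config_change_alerts(baseline, current):
    """Compare {path: fingerprint} snapshots and report every difference."""
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        before, after = baseline.get(path), current.get(path)
        if before is None:
            alerts.append(f"ALERT: new config file {path}")
        elif after is None:
            alerts.append(f"ALERT: config file removed {path}")
        elif before != after:
            alerts.append(f"ALERT: config file changed {path}")
    return alerts


# Constructed sample log: two typos from an admin, 120 attempts from a brute-forcer.
SAMPLE_LOG = [
    "Dec  3 21:14:02 fortress sshd[4021]: Accepted publickey for overlord from 10.0.0.5 port 51234 ssh2",
    "Dec  3 21:14:10 fortress sshd[4023]: Failed password for overlord from 10.0.0.5 port 51240 ssh2",
    "Dec  3 21:14:12 fortress sshd[4023]: Failed password for overlord from 10.0.0.5 port 51240 ssh2",
] + [
    f"Dec  3 21:{15 + i // 60:02d}:{i % 60:02d} fortress sshd[{5000 + i}]: "
    "Failed password for invalid user admin from 203.0.113.7 port 40000 ssh2"
    for i in range(120)
]

# Constructed config snapshots: sshd_config was edited between the two.
BASELINE = {
    "/etc/ssh/sshd_config": fingerprint(b"PermitRootLogin no\nPasswordAuthentication no\n"),
    "/etc/sudoers": fingerprint(b"root ALL=(ALL) ALL\n"),
}
CURRENT = {
    "/etc/ssh/sshd_config": fingerprint(b"PermitRootLogin yes\nPasswordAuthentication yes\n"),
    "/etc/sudoers": fingerprint(b"root ALL=(ALL) ALL\n"),
}


def uncommon_events():
    """The 'other log' from the slide: only the things worth an email."""
    return login_alerts(SAMPLE_LOG) + config_change_alerts(BASELINE, CURRENT)


if __name__ == "__main__":
    for event in uncommon_events():
        print(event)
```

Two failed logins from the admin's own address stay in the main log; the 120 from 203.0.113.7 and the rewritten sshd_config are the only entries that reach the uncommon-events log, which is what keeps that log readable.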
7. Rule 2: My ventilation ducts will be too small to crawl through.
   TRANSLATION: My ports will be closed.
8. Rule 2: My ports will be closed.
   STRATEGIES
   ● Run a port scan on every computer you use
   ● If it connects to a network, run a port scan on it, even the printer
   ● Know what services you're running
   ● Only open ports for services that you use
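"Know what services you're running" means comparing what is actually listening with what you intended to expose. The following is an added example, not the presenters' code: a TCP connect scan (a full handshake, so it needs no privileges and shows up in the target's logs) followed by a diff against an assumed allowlist. To run offline it starts its own throwaway listener on 127.0.0.1 as the "forgotten service"; for real hosts you would feed nmap's output into the same expected-versus-open comparison.

```python
"""Added example: TCP connect scan plus allowlist comparison.

The listener on 127.0.0.1 is started by the example itself so it runs offline;
the allowlist (only port 22) is an assumption for the demo host.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def port_is_open(host, port, timeout=0.5):
    """Connect scan: a completed TCP handshake means something is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_ports(host, ports, timeout=0.5, workers=64):
    """Return the sorted subset of `ports` that accept a TCP connection."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, port_is_open(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def unexpected_ports(open_ports, allowed):
    """Open ports that are not on the list of services you know you run."""
    return sorted(set(open_ports) - set(allowed))


def start_listener(host="127.0.0.1"):
    """Constructed 'forgotten service': a listener on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # raised once srv.close() is called
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def demo():
    """Start the surprise listener, scan around it, report what the allowlist misses."""
    srv, port = start_listener()
    try:
        candidates = range(max(1, port - 20), port + 21)
        open_ports = scan_ports("127.0.0.1", candidates)
        # Assumed allowlist for this host: only SSH. Anything else is a finding.
        return port, open_ports, unexpected_ports(open_ports, allowed=[22])
    finally:
        srv.close()


if __name__ == "__main__":
    port, open_ports, findings = demo()
    print(f"listener on {port}; open: {open_ports}; unexpected: {findings}")
```

The allowlist is the important half: a scan that only prints open ports is trivia until someone compares it with the list of services the machine is supposed to offer. Keep that list per host (the printer's will be very short) and treat every difference as either a service to shut down or a list to update.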
9. Rule 3: My noble half-brother whose throne I usurped will be killed, not kept anonymously imprisoned in a forgotten cell of my dungeon.
   TRANSLATION: When someone leaves a project, I will revoke all their privileges.
10. Rule 3: When someone leaves a project, I will revoke all their privileges.
   STRATEGIES
   ● Delete their user account/s
   ● Change all shared passwords
   ● Hang on, why are we using shared passwords..?!
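An offboarding check has to find not only the leaver's own account but every place their credential was copied. The following is an added example, not the presenters' code, using SSH authorized_keys as the credential store: given a set of leavers it lists accounts to delete, keys whose comment names a leaver, and keys that appear under more than one account, which is the slide's shared-password problem in key form. The account names, key blobs and comments are constructed (the blobs are not real SSH keys); the fingerprint format, SHA-256 over the decoded key blob, is the one ssh-keygen -l prints. Matching leavers by key comment is a heuristic, since comments are free text.

```python
"""Added example: offboarding audit over authorized_keys files.

Accounts, key blobs and comments are constructed; real blobs would be
actual public keys, but the audit logic is the same.
"""
import base64
import hashlib


def fingerprint(b64_blob):
    """OpenSSH-style 'SHA256:...' fingerprint of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (fingerprint, comment) per key line; handles options, blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # The key type is the first field unless the line starts with options
        # such as no-pty,from="...", so locate it by prefix.
        idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-")))
        blob = fields[idx + 1]
        comment = " ".join(fields[idx + 2:])
        yield fingerprint(blob), comment


def audit(accounts, leavers):
    """accounts: {username: authorized_keys text}; leavers: set of usernames.

    Returns accounts to delete, keys to revoke (comment names a leaver,
    a heuristic) and keys trusted by more than one account (shared credentials).
    """
    delete_accounts = sorted(u for u in accounts if u in leavers)
    key_owners = {}      # fingerprint -> set of accounts that trust it
    key_comments = {}
    for user, text in accounts.items():
        for fp, comment in parse_authorized_keys(text):
            key_owners.setdefault(fp, set()).add(user)
            key_comments[fp] = comment
    revoke_keys = sorted(
        fp for fp, comment in key_comments.items()
        if any(name in comment for name in leavers)
    )
    shared_keys = sorted(fp for fp, owners in key_owners.items() if len(owners) > 1)
    return {
        "delete_accounts": delete_accounts,
        "revoke_keys": revoke_keys,
        "shared_keys": shared_keys,
        "key_owners": {fp: sorted(o) for fp, o in key_owners.items()},
    }


def blob(seed):
    """Constructed stand-in for a key blob (NOT a valid SSH key)."""
    return base64.b64encode(seed.encode()).decode()


# Constructed fleet: minion42 is leaving, and both personal keys were also
# pasted into the shared 'deploy' account.
SAMPLE_ACCOUNTS = {
    "minion42": "ssh-ed25519 " + blob("minion42-key") + " minion42@laptop\n",
    "deploy": (
        "# shared deploy account\n"
        "ssh-ed25519 " + blob("minion42-key") + " minion42@laptop\n"
        'no-pty,from="10.0.0.0/8" ssh-rsa ' + blob("igor-key") + " igor@workstation\n"
    ),
    "igor": "ssh-rsa " + blob("igor-key") + " igor@workstation\n",
}
LEAVERS = {"minion42"}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_ACCOUNTS, LEAVERS).items():
        print(key, value)
```

Deleting the minion42 account alone would leave their key working through the deploy account, which is exactly the forgotten prisoner in the dungeon. The shared_keys list is the answer to the slide's last bullet: every entry is a credential that cannot be revoked for one person without rotating it for everyone.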
11. Rule 4: Shooting is not too good for my enemies.
   TRANSLATION: complexity == bugs
12. Rule 4: complexity == bugs
   STRATEGIES: It's complicated.
13. Rule 5: The artifact which is the source of my power will not be kept on the Mountain of Despair beyond the River of Fire guarded by the Dragons of Eternity. It will be in my safe-deposit box. The same applies to the object which is my one weakness.
   TRANSLATION: If it doesn't need to be public, it won't be.
14. Rule 5: If it doesn't need to be public, it won't be.
   STRATEGIES
   ● Hash passwords, don't store them as plain text
   ● Don't store your pentest report on your webserver
   ● Turn off debug
15. Rule 6: I will not gloat over my enemies' predicament before killing them.
   TRANSLATION: I will not claim to be unhackable.
16. Rule 6: I will not claim to be unhackable.
   STRATEGIES
   ● I will patch my systems as soon as patches are published
   ● I will monitor for patches...
   ● If a server doesn't need to be connected to the internet, don't connect it
17. Rule 7: When I've captured my adversary and he says, "Look, before you kill me, will you at least tell me what this is all about?" I'll say, "No." and shoot him. No, on second thought I'll shoot him then say "No."
   TRANSLATION: I will not give away information that does not need to be shared.
18. Rule 7: I will not give away information that doesn't need to be shared.
   STRATEGIES
   ● Don't broadcast what hardware or software you're using, especially which version it is
   ● Don't add a humans.txt file to your webserver
   ● Don't accidentally give away valid usernames
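Slide 14's "hash passwords" and this slide's "don't give away valid usernames" meet in the login handler, so one added example covers both. It is not the presenters' code: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes with a per-user random salt and verified with a constant-time comparison, and the login function answers every failure with the same message and does the same amount of hashing work whether or not the username exists, so neither the response text nor its timing tells an attacker which usernames are real. The leaky version is shown beside it for contrast. The user table, the password and the iteration count are constructed for the example.

```python
"""Added example for slides 14 and 18: hashed password storage and a login
check that does not reveal which usernames exist.

USERS, the sample password and ITERATIONS are constructed for the example.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 cost; raise it as hardware allows


def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt$hash' with a fresh 16-byte random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and cost, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed user table; in a real system this lives in the database,
# never in a file under the web root (slide 14's second bullet).
USERS = {"overlord": hash_password("correct horse battery staple")}

# Hash of a random password nobody has. Unknown usernames are checked against
# it so the work done, and therefore the response time, is the same either way.
DUMMY_HASH = hash_password(os.urandom(32).hex())


def login_leaky(username, password):
    """The anti-pattern: the message itself tells the attacker which usernames exist,
    and the unknown-user path returns faster because it skips the hash."""
    stored = USERS.get(username)
    if stored is None:
        return False, "unknown user"
    if not verify_password(password, stored):
        return False, "wrong password"
    return True, "ok"


def login(username, password):
    """One message for every failure, and a hash computation on every path."""
    stored = USERS.get(username, DUMMY_HASH)
    ok = verify_password(password, stored) and username in USERS
    return ok, ("ok" if ok else "invalid username or password")


if __name__ == "__main__":
    print(login_leaky("nobody", "x"), login_leaky("overlord", "x"))
    print(login("nobody", "x"), login("overlord", "x"))
    print(login("overlord", "correct horse battery staple"))
```

The same uniform-response rule applies to registration and password-reset forms ("an email has been sent if that address is registered"), and the first bullet's version banner is usually a one-line server setting (for example `server_tokens off;` in nginx) that costs nothing to turn off.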
19. Rule 8: After I kidnap the beautiful princess, we will be married immediately in a quiet civil ceremony, not a lavish spectacle in three weeks' time during which the final phase of my plan will be carried out.
   TRANSLATION: I will secure everything from the beginning, not as an afterthought.
20. Rule 8: I will secure everything from the beginning, not as an afterthought.
   STRATEGIES
   ● Think about how someone might abuse your system before you begin building it
   ● Hire a pentester
   ● Ensure you have sufficient time to fix the bugs your pentester finds before the big launch
21. Rule 9: I will not include a self-destruct mechanism unless absolutely necessary. If it is necessary, it will not be a large red button labelled "Danger: Do Not Push". The big red button marked "Do Not Push" will instead trigger a spray of bullets on anyone stupid enough to disregard it. Similarly, the ON/OFF switch will not clearly be labelled as such.
   TRANSLATION: I will disable "features" that allow people to take control of my system.
22. Rule 9: I will disable "features" that allow people to take control of my system.
   STRATEGIES
   ● Nothing that an ordinary user can do should have the potential to shut the system down
   ● For bonus points, entrap intruders
23. Rule 10: I will not interrogate my enemies in the inner sanctum; a small hotel well outside my borders will work just as well.
   TRANSLATION: I will apply a "need to know" policy to segregate and control access to my data and systems.
24. Rule 10: I will apply a "need to know" policy to segregate and control access to my data and systems.
   STRATEGIES
   ● Use firewalls to isolate teams from each other
   ● If they must talk to each other, do it through an intermediary
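Both bullets can be expressed as one forwarding policy on the router or firewall between the team networks. The following nftables ruleset is an added example, not from the presentation: the two team subnets, the intermediary address and the choice of HTTPS as the only permitted service are assumptions. The default policy is drop, each team is allowed to open connections only to the intermediary, and direct team-to-team traffic is logged before it is dropped so that it lands in the uncommon-events log of slide 6.

```nft
#!/usr/sbin/nft -f
# Added example (not from the slides). Team subnets and the intermediary
# address are assumptions; replace them with your own.
flush ruleset

table inet segmentation {
    set team_a { type ipv4_addr; flags interval; elements = { 10.1.0.0/24 } }
    set team_b { type ipv4_addr; flags interval; elements = { 10.2.0.0/24 } }

    # The intermediary both teams may use (an API gateway, a shared file service).
    set intermediary { type ipv4_addr; elements = { 10.9.0.10 } }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were accepted below.
        ct state established,related accept
        ct state invalid drop

        # Each team may open HTTPS to the intermediary, and nothing else.
        ip saddr @team_a ip daddr @intermediary tcp dport 443 ct state new accept
        ip saddr @team_b ip daddr @intermediary tcp dport 443 ct state new accept

        # Direct team-to-team traffic never matches an accept rule above; it is
        # logged with a recognisable prefix and then dropped by the chain policy.
        ip saddr @team_a ip daddr @team_b log prefix "seg-deny a->b: " drop
        ip saddr @team_b ip daddr @team_a log prefix "seg-deny b->a: " drop
    }
}
```

Because the policy is drop, forgetting a rule fails closed: a new service between the teams has to be added explicitly, via the intermediary, rather than working by default until someone notices.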