Evil Overlord Security
Slides of the excellent presentation by Glyn Wintle (@glynwintle) & Sheila Ellen (@sheilaellen) at the BCS Kent branch (Dec 2012)

Evil Overlord Security Presentation Transcript

  • 1. THE EVIL OVERLORD'S GUIDE TO SECURITY
    @glynwintle | @sheilaellen
  • 2. INTRODUCTION TO THE ORIGINAL EVIL OVERLORD LIST BY PETER ANSPACH © 1996-1997
    Being an Evil Overlord seems to be a good career choice. It pays well, there are all sorts of perks and you can set your own hours.
    http://www.eviloverlord.com/lists/overlord.html
  • 3. INTRODUCTION TO THE ORIGINAL EVIL OVERLORD LIST BY PETER ANSPACH © 1996-1997
    However every Evil Overlord I've read about in books or seen in movies invariably gets overthrown and destroyed in the end. I've noticed that no matter whether they are barbarian lords, deranged wizards, mad scientists or alien invaders, they always seem to make the same basic mistakes every single time.
    http://www.eviloverlord.com/lists/overlord.html
  • 4. THE TOP 100 THINGS I'D DO IF I EVER BECAME AN EVIL OVERLORD
    http://www.eviloverlord.com/lists/overlord.html
  • 5. Rule 1: My Legions of Terror will have helmets with a clear plexiglass visor, not face-concealing ones
    TRANSLATION: I will ensure that it's obvious when someone attempts to gain unauthorised access to my systems
    (photo: JDHancock)
  • 6. Rule 1: I will ensure that it's obvious when someone attempts to gain unauthorised access to my systems
    STRATEGIES
    ● Log everything
    ● Keep another log just for uncommon events
    ● If someone has made 100 log-in attempts, send me an email
    ● When a config file changes, send me an email
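The two alerting strategies on slide 6 (a threshold on failed log-ins, and a notice when a config file changes) as one small detector; this is an added example, not code from the presentation. The sshd-style log lines and the config contents are constructed, and the "send me an email" step is stood in for by returning the alert messages.

```python
import hashlib
import re
from collections import Counter

# Constructed sample auth log in sshd style (not taken from the slides).
SAMPLE_AUTH_LOG = """\
Dec  3 21:10:01 bastion sshd[4120]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Dec  3 21:10:03 bastion sshd[4120]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Dec  3 21:10:05 bastion sshd[4122]: Failed password for root from 198.51.100.7 port 51024 ssh2
Dec  3 21:11:40 bastion sshd[4130]: Accepted publickey for deploy from 203.0.113.9 port 40112 ssh2
Dec  3 21:12:02 bastion sshd[4131]: Failed password for deploy from 203.0.113.9 port 40113 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def failed_logins_by_source(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def sources_over_threshold(log_text, threshold):
    """Sources whose failure count reached the threshold (the slide suggests 100)."""
    return sorted(src for src, n in failed_logins_by_source(log_text).items() if n >= threshold)


def config_fingerprint(content: bytes) -> str:
    """SHA-256 of a config file's bytes; record this when the file is known-good."""
    return hashlib.sha256(content).hexdigest()


def config_changed(baseline_fingerprint: str, current_content: bytes) -> bool:
    return config_fingerprint(current_content) != baseline_fingerprint


def alerts(log_text, threshold, baseline_fingerprint, current_config: bytes):
    """Build the messages that would be emailed to the overlord."""
    msgs = [f"{src} reached {threshold} failed log-ins"
            for src in sources_over_threshold(log_text, threshold)]
    if config_changed(baseline_fingerprint, current_config):
        msgs.append("config file changed since baseline")
    return msgs
```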
  • 7. Rule 2: My ventilation ducts will be too small to crawl through
    TRANSLATION: My ports will be closed
  • 8. Rule 2: My ports will be closed
    STRATEGIES
    ● Run a port scan on every computer you use
    ● If it connects to a network, run a port scan on it, even the printer
    ● Know what services you're running
    ● Only open ports for services that you use
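Slide 8's "know what services you're running, only open the ports you use" as a host-side check: compare the listening sockets against an allowlist and flag the rest, noting whether each is reachable from the network or bound to loopback only. This is an added example, not the presenters' code; the `ss -ltn`-style output and the allowlist are constructed for illustration.

```python
# Constructed sample in the shape of `ss -ltn` output (listening TCP sockets); not from the slides.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
LISTEN  0       128               [::]:22             [::]:*
LISTEN  0       4096         127.0.0.1:631         0.0.0.0:*
LISTEN  0       511            0.0.0.0:80          0.0.0.0:*
LISTEN  0       50             0.0.0.0:9100        0.0.0.0:*
"""

# Services this host is meant to expose (assumed allowlist; maintain one per host).
EXPECTED_PORTS = {22: "ssh", 80: "http"}
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(ss_text):
    """Return (local address, port) for every LISTEN line."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening state
        addr, port = fields[3].rsplit(":", 1)  # rsplit keeps IPv6 brackets intact
        listeners.append((addr, int(port)))
    return listeners


def audit_listeners(ss_text, expected=EXPECTED_PORTS):
    """Ports open but not on the allowlist, with their exposure, sorted by port."""
    findings = set()
    for addr, port in parse_listeners(ss_text):
        if port in expected:
            continue
        scope = "loopback only" if addr in LOOPBACK else "network-reachable"
        findings.add((port, addr, scope))
    return sorted(findings)
```

Feed it real output with `ss -ltn` on the host being audited; anything reported as network-reachable is a duct someone could crawl through.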
  • 9. Rule 3: My noble half-brother whose throne I usurped will be killed, not kept anonymously imprisoned in a forgotten cell of my dungeon.
    TRANSLATION: When someone leaves a project, I will revoke all their privileges
  • 10. Rule 3: When someone leaves a project, I will revoke all their privileges
    STRATEGIES
    ● Delete their user account/s
    ● Change all shared passwords
    ● Hang on, why are we using shared passwords..?!
  • 11. Rule 4: Shooting is not too good for my enemies
    TRANSLATION: complexity == bugs
  • 12. Rule 4: complexity == bugs
    STRATEGIES
    It's complicated
  • 13. Rule 5: The artifact which is the source of my power will not be kept on the Mountain of Despair beyond the River of Fire guarded by the Dragons of Eternity. It will be in my safe-deposit box. The same applies to the object which is my one weakness
    TRANSLATION: If it doesn't need to be public, it won't be
  • 14. Rule 5: If it doesn't need to be public, it won't be
    STRATEGIES
    ● Hash passwords, don't store them as plain text
    ● Don't store your pentest report on your webserver
    ● Turn off debug
  • 15. Rule 6: I will not gloat over my enemies' predicament before killing them
    TRANSLATION: I will not claim to be unhackable
  • 16. Rule 6: I will not claim to be unhackable
    STRATEGIES
    ● I will patch my systems as soon as patches are published
    ● I will monitor for patches...
    ● If a server doesn't need to be connected to the internet, don't connect it
  • 17. Rule 7: When I've captured my adversary and he says, "Look, before you kill me, will you at least tell me what this is all about?" I'll say, "No." and shoot him. No, on second thought I'll shoot him then say "No."
    TRANSLATION: I will not give away information that does not need to be shared
  • 18. Rule 7: I will not give away information that doesn't need to be shared
    STRATEGIES
    ● Don't broadcast what hardware or software you're using, especially which version it is
    ● Don't add a humans.txt file to your webserver
    ● Don't accidentally give away valid usernames
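A check for slide 18's first strategy, "don't broadcast what software you're using, especially which version": audit a site's response headers and grade each disclosing header as leaking a version or merely naming the product. This is an added example, not the presenters' code; the two header sets are constructed for illustration.

```python
import re

# Constructed response headers from two hypothetical web servers (not from the slides).
CHATTY_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=utf-8",
}
QUIET_HEADERS = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=utf-8",
}

# Headers that typically name the product behind a site; none of them is required by clients.
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")


def disclosure_findings(headers):
    """Each disclosing header as (name, kind, value); kind is 'version' or 'product'."""
    findings = []
    for name, value in headers.items():
        if name.lower() not in DISCLOSING_HEADERS:
            continue
        kind = "version" if VERSION_RE.search(value) else "product"
        findings.append((name, kind, value))
    return findings


def worst_finding(headers):
    """'version' if any header leaks a version, 'product' if only names, else None."""
    kinds = {kind for _, kind, _ in disclosure_findings(headers)}
    if "version" in kinds:
        return "version"
    return "product" if kinds else None
```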
  • 19. Rule 8: After I kidnap the beautiful princess, we will be married immediately in a quiet civil ceremony, not a lavish spectacle in three weeks' time during which the final phase of my plan will be carried out.
    TRANSLATION: I will secure everything from the beginning, not as an afterthought
  • 20. Rule 8: I will secure everything from the beginning, not as an afterthought
    STRATEGIES
    ● Think about how someone might abuse your system before you begin building it.
    ● Hire a pentester
    ● Ensure you have sufficient time to fix the bugs your pentester finds before the big launch
  • 21. Rule 9: I will not include a self-destruct mechanism unless absolutely necessary. If it is necessary, it will not be a large red button labelled "Danger: Do Not Push". The big red button marked "Do Not Push" will instead trigger a spray of bullets on anyone stupid enough to disregard it. Similarly, the ON/OFF switch will not clearly be labelled as such.
    TRANSLATION: I will disable "features" that allow people to take control of my system
  • 22. Rule 9: I will disable "features" that allow people to take control of my system
    STRATEGIES
    ● Nothing that an ordinary user can do should have the potential to shut the system down
    ● For bonus points, entrap intruders
  • 23. Rule 10: I will not interrogate my enemies in the inner sanctum; a small hotel well outside my borders will work just as well
    TRANSLATION: I will apply a "need to know" policy to segregate and control access to my data and systems
  • 24. Rule 10: I will apply a "need to know" policy to segregate and control access to my data and systems
    STRATEGIES
    ● Use firewalls to isolate teams from each other
    ● If they must talk to each other, do it through an intermediary