
Tutorial: Everything I Know About Information Security I Learned From Being an Evil Overlord

U.S. Symposium/ITxpo
Ray Wagner

17–22 October 2004
Walt Disney World
Lake Buena Vista, Florida

These materials can be reproduced only with Gartner's written approval. Such approvals must be requested via e-mail — quote.requests@gartner.com.
Tutorial: Everything I Know About Information Security I Learned From Being an Evil Overlord

(Diabolical Laughter Here)...

• To the outsider, the practice of information security may seem complex and confusing.
• In fact:
  – The practice of information security is very similar to the practice of being an Evil Overlord.
  – Rules for Evil Overlords generally have analogs in information security.
  – We'll discuss seven InfoSec maxims.
  – It's mostly common sense.
  – Watch out for Handsome Heroes.

The Evil Overlord List©
Peter Anspach: Compiler and Chief Overlord

The practice of information security is often seen as complex and confusing to the outsider, manager or business
unit liaison who must deal with the security organization and try to understand security issues. In point of fact,
good security practice usually breaks down into a set of relatively simple, 'common sense' principles that security
practitioners apply to any given situation, planning initiative or design task.
The classic "Evil Overlord" from fiction and film is similar to the outsider. He appears to have little idea what
rules and principles to follow and often ends up falling in the volcano or ejected into deep space because he
doesn't seem to have any common sense. In an effort to provide support for these needy Evil Overlords, Peter
Anspach and other contributors put together a list of Rules for Evil Overlords. We will examine a number of
those rules and see how they apply to the practice of information security and seven of its major principles.
The Evil Overlord List is Copyright 1996-1997 by Peter Anspach. If you enjoy it, feel free to pass it along or
post it anywhere, provided that (1) it is not altered in any way, and (2) this copyright notice is attached.

© 2004 Gartner, Inc. and/or its Affiliates. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.
Ray Wagner
01A, SYM14, 10/04, AE Page 1

Rules for Evil Overlords

1. My Legions of Terror will have helmets with clear Plexiglas visors, not face-concealing ones.
→ Strong Authentication

181. I will decree that all hay be shipped in tightly packed bales. Any wagonload of loose hay attempting to pass through a checkpoint will be set on fire.
→ Good Firewall Rules

120. Since nothing is more irritating than a hero defeating you with basic math skills, all of my personal weapons will be modified to fire one more shot than the standard issue.
→ Don't Use Defaults

Good security requires that business users, parties to transactions, and even processes and devices be strongly
authenticated before interacting with other resources. Shared access credentials (anyone wearing the regulation
white body armor is admitted) and weak methods of authentication (no picture ID) not only make unauthorized
access possible, they limit the ability of the organization to properly audit and trace such activities.
Ever since the firewall was invented, an arms race has pitted the attackers, who try to pass attacks through the
firewall masquerading as "normal" traffic, against the defenders, who try to recognize disguised attacks via
signatures and monitoring, incorporating these defenses into firewall rules.
A standard method for malicious attacks on protected systems consists of attempting to access accounts,
resources and privileges by using the out-of-the-box default credentials and methods distributed with the system
being attacked. This is often a very successful attack mechanism.


Rules for Evil Overlords

106. If my supreme command center comes under attack, I will immediately flee to safety in my prepared escape pod and direct the defenses from there. I will not wait until the troops break into my inner sanctum to attempt this.
→ Business Continuity Plans

9. I will not include a self-destruct mechanism unless absolutely necessary. If it is necessary, it will not be a large red button labeled "Danger: Do Not Push." The big red button marked "Do Not Push" will instead trigger a spray of bullets on anyone stupid enough to disregard it.
→ Policy Enforcement

(RW) My fortress will not be inside a volcano, at the bottom of the ocean or in space — it will be a 1975 3BR, 2.5B, 2700 Sq.f. ranch with attached two-car garage in Fort Wayne, Indiana.
→ Obscurity

An entire branch of IT that is often considered part of the practice of information security is business continuity
planning, which consists of modeling and creating plans for recovering critical business services in the event of
some kind of disaster or service outage.
Creating policy is one aspect of the practice of information security. Policy creation and education must be
paired with some level of policy enforcement.
Security practitioners will generally suggest that obscurity is not a good security defense. In practice, a
sophisticated attacker who is directly targeting a given resource or system will be able to pierce obscurity
defenses easily. However, obscurity can be used as one layer in a set of defenses which will deter some
undirected or unsophisticated attacks.


The Six Ultimate Guiding Principles of Evil Overlords and Information Security

23. I will keep a cache of low-tech weapons and train my troops to use them. If the hero renders my high-tech energy weapons useless, my troops will not then be overrun by a handful of savages with spears and rocks.

125. Should I decide to kill the hero in an elaborate escape-proof deathtrap, I will not leave him alone five minutes prior to "imminent" death, but will instead stick around and enjoy watching my adversary's demise.

221. My force-field generators will be located inside the shield they generate.

224. I will build machines which simply fail when overloaded, rather than wipe out all nearby henchmen in an explosion or worse yet set off a chain reaction.

1. Defense in Depth

As information systems have become more complex and networking more ubiquitous, providing security has become significantly more difficult. At the same time, attackers and their methods have become much more sophisticated at finding and exploiting vulnerabilities in defenses. Many defensive mechanisms are designed to thwart a single type or class of attack and are thus generally unable to react to new types of attacks, especially those designed specifically to avoid the defense mechanism. Defense in depth refers to the practice of providing multiple defenses in layers around the protected resources. Layered defenses are less brittle — an attack that avoids one defensive mechanism runs into others — and more difficult to attack. An organization that uses defense in depth around its critical assets also will likely be less affected in the face of a successful attack against one of those resources, as other resources are less likely to be exposed as a result of the compromise.


Strategic Planning Assumption: By the first quarter of 2005, companies that don't enforce security policies during network login will experience 200 percent more network downtime than those that do (0.7 probability).

Defense in Depth in Practice: Scan and Block

[Figure: Scan-and-block architecture. A corporate laptop, a contractor laptop and a home PC attempt to connect through the VPN, a RADIUS server, a switch and a DHCP server. A scan server sends scan results to the policy server, which allows the connection if the scan is good and blocks it if the scan is bad.]

There are two mechanisms to limit damage from these scenarios: proactive — only allow connection by computers that are judged to be safe, and reactive — detect the actions of a malicious computer and quickly isolate it from the rest of the network. A combination of the two strategies will be required to meet the demands of future threats.

Scan and Block: Once infected PCs attach to the internal network, worms can infect all vulnerable internal PCs and Windows servers within minutes. Since there will always be some internal PCs and servers that are in vulnerable states, security policies need to be enforced before network connections are established. The basic protection requirement is a scan of the system as it attempts to connect to the network and blocking of the network connection if the scan discovers missing patches, out-of-date antivirus signatures, a misconfigured or missing personal firewall, or a combination of any of these. A scan after a full network connection is established is a little too late, as attacks from a corrupted system can begin immediately at connection. The methods to deploy a scan-and-block process with currently available technology and the depth of the scan will vary based on whether or not the system is corporate-managed and the method of connection.
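The scan-and-block decision described above, as an added illustration (this is not Gartner's code nor any vendor's product): a policy server evaluates a device's scan results against the three posture criteria named in the text (missing patches, stale antivirus signatures, a missing or misconfigured personal firewall) and fails closed when no scan result exists. The report schema, the policy values, the profile name "corp-standard" and the sample devices and patch label are all assumptions constructed for the example; the deeper firewall-profile check applied only to corporate-managed systems illustrates the point that scan depth varies with whether the system is corporate-managed.

```python
"""Scan-and-block posture check, added as an illustration (not Gartner's or
any vendor's code).  A device's scan results are evaluated against policy
before the network connection is allowed; any failing check blocks it."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class ScanReport:
    """What the scan server reports about one device (hypothetical schema)."""
    device_id: str
    corporate_managed: bool
    missing_patches: list[str]
    av_signature_date: Optional[date]   # None means no antivirus was found
    firewall_enabled: bool
    firewall_profile: Optional[str]     # None means no profile configured


@dataclass
class Policy:
    """Posture policy the policy server enforces (assumed values)."""
    max_signature_age_days: int = 7
    required_firewall_profile: str = "corp-standard"  # hypothetical profile name


@dataclass
class Decision:
    allow: bool
    reasons: list[str] = field(default_factory=list)


def evaluate(report: Optional[ScanReport], policy: Policy, today: date) -> Decision:
    """Return ALLOW only when every check passes; otherwise BLOCK with reasons."""
    # Fail closed: a device that could not be scanned is treated as unsafe.
    if report is None:
        return Decision(False, ["no scan result available"])

    reasons: list[str] = []
    if report.missing_patches:
        reasons.append("missing patches: " + ", ".join(report.missing_patches))

    if report.av_signature_date is None:
        reasons.append("no antivirus detected")
    else:
        age = (today - report.av_signature_date).days
        if age > policy.max_signature_age_days:
            reasons.append(f"antivirus signatures {age} days old")

    if not report.firewall_enabled:
        reasons.append("personal firewall disabled")
    elif report.corporate_managed and report.firewall_profile != policy.required_firewall_profile:
        # The deeper profile check applies only to corporate-managed systems; an
        # unmanaged contractor or home machine is only required to have a firewall on.
        reasons.append(f"firewall profile {report.firewall_profile!r} is not "
                       f"{policy.required_firewall_profile!r}")

    return Decision(allow=not reasons, reasons=reasons)


# Constructed sample scan results (not real devices; the patch label is a placeholder).
TODAY = date(2004, 10, 18)
SAMPLE_REPORTS = {
    "corp-laptop-01": ScanReport("corp-laptop-01", True, [], date(2004, 10, 17), True, "corp-standard"),
    "corp-laptop-02": ScanReport("corp-laptop-02", True, [], date(2004, 10, 17), True, "home-default"),
    "contractor-05": ScanReport("contractor-05", False, [], date(2004, 10, 15), True, None),
    "home-pc-07": ScanReport("home-pc-07", False, ["PATCH-EXAMPLE-1"], date(2004, 9, 1), False, None),
    "unscannable-09": None,
}


def run_checkpoint(reports=SAMPLE_REPORTS, policy=Policy(), today=TODAY) -> dict[str, Decision]:
    """Evaluate every device that is attempting to connect."""
    return {dev: evaluate(rep, policy, today) for dev, rep in reports.items()}


if __name__ == "__main__":
    for dev, decision in run_checkpoint().items():
        verdict = "ALLOW" if decision.allow else "BLOCK"
        print(f"{dev:16} {verdict} {'; '.join(decision.reasons)}")
```

Running the module prints one ALLOW or BLOCK line per sample device with the reasons for each block. The important design choice is that the decision is made before the connection is granted and that an absent scan result is a block, not an allow, which is what keeps the check from being "a little too late".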


The Seven Ultimate Guiding Principles of Evil Overlords and Information Security

165. I will have several hearing-impaired bodyguards. That way, if I wish to speak confidentially with someone, I'll just turn my back so the guards can't read my lips instead of sending all of them out of the room.

105. I will design all doomsday machines myself. If I must hire a mad scientist to assist me, I will make sure that he is sufficiently twisted to never regret his evil ways.

46. If an advisor says to me "My liege, he is but one man. What can one man possibly do?", I will reply "This," and kill the advisor.

147. I will classify my lieutenants in three categories: untrusted, trusted and completely trusted. Promotion to the third category will be awarded posthumously.

2. Principle of Least Privilege

The most "common sense" of all information security principles is most likely the Principle of Least Privilege,
which states that any user, process or resource within the organization or interacting with it should only have
access to the minimum set of organization resources (processes, users) necessary to execute its function. In
simpler terms, every resource within the organization should only be usable on a "need to know" basis. All
organizational access controls, from file permissions to centralized identity management to digital rights
management to even physical security, are designed to implement the Principle of Least Privilege. Least
privilege was merely a difficult problem in the batch processing era, when only the computer operator was
allowed into the machine room. With networked digital resources, however, completely meeting the Principle of
Least Privilege has remained an extremely difficult to near-impossible task, and it has gotten more difficult as
business needs have required even greater levels of openness of data.


Client Issue: What business issues drive the identity and access management solution?
Decision Framework: Companies will use multiple products to manage the complexity of user authentication and authorization in a heterogeneous environment.

Least Privilege in Practice: Identity and Access Management

[Figure: Identity and access management components. Identity Management (Administration), "Administer": Authentication Services, Single Sign-On, Password Management, User Provisioning, Metadirectory, Relationship/Role Mgmt., Federated Identity Management. Access Management (Real-Time Enforcement), "Authenticate" and "Authorize": Alarm/Alerting, Accounting. AUDIT spans both halves. Resources being protected: Physical Security, Operating Systems, Applications, Databases, Directories, Business Systems.]

As intranets, extranets and corporate Internet access evolve, security will become an even bigger issue than it is today. Access by more users, from more locations and using more types of devices will become the norm.
Identity Management: The capability to manage (create, modify, delete) all user accounts, user profiles and so forth that can be identified with each person across the heterogeneous IT environment via a combination of user roles and business rules. Also, the capability to abstract and automatically correlate data from HR, customer relationship management, e-mail systems (and other "identity stores") and from the managed systems. Fulfilment is accomplished in a variety of ways: in response to a self-service request, for example, self-registration; a line management request, for example, the manager has a new employee starting on a certain date, or an existing user needs access to an existing application; a change in an HR system, for example, employee termination; or a bulk load for purposes of a new application or merger/acquisition.
Access Management: The capability to manage (across multiple target systems) an access control policy (or policies), including both policy administration and enforcement.
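The Principle of Least Privilege and the identity/access management split described above, as one added example (not Gartner's code nor any identity product's API): identity administration assigns users the roles that carry the minimum permission set for their job, access management enforces each request in real time with deny as the default, an HR termination event removes every role at once, and every decision is recorded for audit. The role names, users, resources and the `AccessManager` class are all constructed for the illustration.

```python
"""Deny-by-default access management on top of role-based identity administration.
Added illustration, not Gartner's or any product's code; role names, users and
resources are hypothetical."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    action: str     # e.g. "read", "write"
    resource: str   # e.g. "hr-records"


# Identity administration side: a role is the minimum permission set for one job function.
ROLES: dict[str, frozenset[Permission]] = {
    "hr-clerk": frozenset({Permission("read", "hr-records")}),
    "payroll-admin": frozenset({Permission("read", "hr-records"),
                                Permission("write", "payroll-db")}),
}


@dataclass
class Identity:
    user_id: str
    roles: set[str] = field(default_factory=set)
    active: bool = True


class AccessManager:
    """Administers identities (provision/terminate) and enforces access in real time."""

    def __init__(self, roles: dict[str, frozenset[Permission]]):
        self.roles = roles
        self.identities: dict[str, Identity] = {}
        self.audit: list[tuple[str, str, str, str]] = []   # (user, action, resource, verdict)

    def provision(self, user_id: str, *role_names: str) -> None:
        """Line-management request: grant the roles for the job, nothing more."""
        unknown = set(role_names) - set(self.roles)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        ident = self.identities.setdefault(user_id, Identity(user_id))
        ident.roles.update(role_names)

    def terminate(self, user_id: str) -> None:
        """HR termination event: disable the identity and drop every role at once,
        so no access (e-mail, intranet, databases) survives the departure."""
        ident = self.identities.get(user_id)
        if ident is not None:
            ident.active = False
            ident.roles.clear()

    def authorize(self, user_id: str, action: str, resource: str) -> bool:
        """Real-time enforcement: allow only if an active identity holds a role
        that grants exactly this permission; everything else is denied."""
        ident = self.identities.get(user_id)
        wanted = Permission(action, resource)
        allowed = (ident is not None and ident.active
                   and any(wanted in self.roles[r] for r in ident.roles))
        self.audit.append((user_id, action, resource, "ALLOW" if allowed else "DENY"))
        return allowed


def demo() -> AccessManager:
    """Walk through provisioning, enforcement and termination (constructed users)."""
    am = AccessManager(ROLES)
    am.provision("alice", "hr-clerk")
    am.provision("bob", "payroll-admin")
    am.authorize("alice", "read", "hr-records")    # ALLOW: granted by hr-clerk
    am.authorize("alice", "write", "payroll-db")   # DENY: not in her role
    am.authorize("mallory", "read", "hr-records")  # DENY: no identity at all
    am.terminate("bob")
    am.authorize("bob", "write", "payroll-db")     # DENY: terminated
    return am


if __name__ == "__main__":
    for entry in demo().audit:
        print(*entry)
```

Note that `authorize` never has a branch that grants access on its own; it can only confirm that an administered role already carries the exact permission, which is what makes the default a denial rather than a grant. The audit list is the accounting half of the diagram: every decision, including denials, is traceable to a named identity.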


The Seven Ultimate Guiding Principles of Evil Overlords and Information Security

28. My pet monster will be kept in a secure cage from which it cannot escape and into which I could not accidentally stumble.

64. I will see a competent psychiatrist and get cured of all extremely unusual phobias and bizarre compulsive habits which could prove to be a disadvantage.

211. If my chief engineer displeases me, he will be shot, not imprisoned in the dungeon or beyond the traps he helped design.

26. No matter how attractive certain members of the rebellion are, there is probably someone just as attractive who is not desperate to kill me.

3. The Weakest Link

The primary challenge of the security practitioner in assessing a security system is to find vulnerabilities and "fix" them. The principle at work in this scenario is that the security of a given system is only as good as its weakest link. Therefore, only by fixing the weakest link will you increase the security of the system as a whole. Of course, this does not mean that vulnerabilities in "stronger" links should not be fixed, but it does point out the importance of being able to identify strong and weak areas of a security system, so as not to concentrate on areas that are unlikely to be attacked. Good security is built on a firm foundation of security policy, security standards/architecture, security culture and security technologies — any flaws in the lower levels will undermine the effectiveness of security technologies you may deploy.
Unfortunately, a corollary to the Principle of the Weakest Link is that, very often in security systems, people are the weakest link. Organizations often expend significant resources on security awareness training, key employee background checking and security systems that remove responsibility for security from users.


The Weakest Link in Practice: Defending Against Social Engineering

[Figure: Social Engineering Attack Cycle: Information Gathering, Development of Relationship, Exploitation of Relationship, Execution to Achieve the Objective. Building Your Defenses, layered from the foundation up: Security Policies and Plans; User, Admin. and Management Education; Physical and Organizational Security; Technical (IT) Security; Auditing/Review.]

Defenses are built in layers and must start with clear, consistent, comprehensive and enforceable security policies that are written in a security plan. Management, users and administrators must be trained on the policies themselves, as well as on general security issues. If users understand the security issues, they are more likely to comply with the policies or take note of suspicious behavior. The single strongest defense against social engineering is education.
Security plans must be coordinated with physical/organizational security. It's common for a terminated employee to have his or her building keys taken away, but keep an e-mail account or intranet access. Many social engineering attacks depend on some kind of a physical breach; no firewall can protect a server in an unlocked closet that an attacker can access directly.
After physical and technical issues are addressed and coordinated, the entire system must be regularly audited and reviewed as the company evolves. This review must be incorporated into the security plan and operations, including user education as appropriate.


The Seven Ultimate Guiding Principles of Evil Overlords and Information Security

218. I will not pick up a glowing ancient artifact and shout "Its power is now mine!!!" Instead I will grab some tongs, transfer it to a hazardous materials container and transport it back to my lab for study.

166. If the rebels manage to trick me, I will make a note of what they did so that I do not keep falling for the same trick over and over again.

17. Before funding gothic arches, giant gargoyles or other pieces of intimidating but cosmetic architecture, I will see if there are any military expenditures that could use the extra budget.

61. If my advisors ask "Why are you risking everything on such a mad scheme?", I will not proceed until I have a response that satisfies them.

4. Security Expertise Is Key

Security for information systems is a complex problem, the possible solutions to which are often counter to the
business goals of the organization. Security may be perceived as a cost center or as an inhibitor to the
achievement of business goals. At the same time, security is not a commodity like air conditioning or phone
service, because modern information systems are extremely complex and not standardized. Good security is not
a box that can be easily checked off for the lowest price — there may be many different ways to provide the
necessary security for a system. The objective of the organization is to provide system security commensurate
with the risks to the given system, and this requires experience and expertise.


Strategic Planning Assumptions: By 2005, 65 percent of the Global 2000 will staff a chief information security office for the centralized development of information security policies, standards and guidelines (0.8 probability).

Expertise in Practice: CISO Organisation

[Figure: Organization chart. The Board of Directors sits above the CEO; the CIO and the CISO report alongside; Business Unit Management has its own BISO. The CISO office is divided into four functions:]

Policy Management
• Policies and standards
• Risk assessment/profiling
• Policy compliance and consulting
• Awareness training
• Business security architecture
Security Administration
• Platform/application user management
Security Engineering
• Minimum platform standards
• Technical security architecture
Incident Response
• ID threat + solution

Client Issue: What does a successful information security organization look like?
The CISO connects business process/policy directives and technical security. In the real-time enterprise,
companies must expand their security architecture to cover links with customers, trading partners and suppliers.
In centralized organizations, an administrator can handle thousands of users with a user provisioning tool, but
that is not true of e-business, where entire classes of users will administer their own access control rules. For
B2B, mechanisms that allow delegation of security administration to customers are required. For B2C, self-
service capabilities, such as self-registration and password reset, must be offered to keep the company profitable
and competitive.
As companies move more revenue into e-business channels, information security risks increase. They must
develop skills, tools, mechanisms and procedures to identify, isolate and correct information security attacks. A
computer incident response team must be able to respond to an incident within 30 minutes of detection. Proper
architecture, administrative procedures and emergency response processes will provide the new e-business
venture with lower risks.
Action Item: Establish a CISO office to ensure a formal business program will protect the company's
information assets. Centralized policy development/distributed implementation is a successful recipe.


The Seven Ultimate Guiding Principles of Evil Overlords and Information Security

27. I will never build only one of anything important. All important systems will have redundant control panels and power supplies. For the same reason, I will always carry at least two fully loaded weapons at all times.

62. I will design fortress hallways with no alcoves or protruding structural supports which intruders could use for cover in a firefight.

47. If I learn that a callow youth has begun a quest to destroy me, I will slay him while he is still a callow youth instead of waiting for him to mature.

2. My ventilation ducts will be too small to crawl through.

5. Build Security in Early

If security will ever be a requirement for a system, then it is best identified as a requirement early in the system's
design stage. It is easier to build an information system around a core of simple security functionality than to
attempt to graft security on top of a "finished" system right before or even after deployment. Unfortunately, large
numbers of systems are created in just this fashion, because system designers and implementers (logically) think
first about the new functionality that the system will deliver, rather than the security issues around all possible
uses of that functionality. Systems built and deployed in this way can, when security finally becomes an issue, be
subject to:
• More complex (and less secure) security systems, because security must adapt to the designed systems,
rather than vice versa. More complex systems will likely exhibit more unexpected vulnerabilities.
• Backward insecurity — if the system has reached deployment before security is implemented, there may
be backward compatibility issues that guarantee that some insecurity will persist.
• System redesign — often, systems designed without consideration for security are so difficult to secure
that major reengineering is necessary in order to implement security.


Strategic Planning Assumption: If only 50 percent of software vulnerabilities were removed prior to production use for purchased and internally developed software, business configuration management costs and incident response costs would be reduced by 75 percent each (0.8 probability).

Early Security in Practice: Software Security in the Development Cycle

[Figure: Security activities mapped onto the development phases Requirements, Design, Code, QA and Release. Security Modeling and Safety Analysis begin at requirements and design; Prototype, Code Debug and Security Debug run through coding; Security Testing, Load Testing, Pre-prod QA and a Vulnerability Scan run through QA and release; Defect Tracking spans the whole cycle.]

As the National Institute of Standards and Technology demonstrated in its 2002 study, "The Economic Impacts
of Insufficient Infrastructure for Software Testing," removing a software defect after a system is operational can
cost two to five times more than if the defect were fixed during final quality assurance (QA) testing. This study
emphasized that removing those defects during code and unit tests can reduce the cost impact by an additional
factor of between three and 20. Although defects ideally would be removed as early as the requirements analysis
and architectural design phase, Gartner estimates that if 50 percent of software vulnerabilities were removed
prior to production use for purchased and internally developed software, business configuration management
costs and incident response costs would be reduced by 75 percent each.
The cost of fixing vulnerabilities and regression testing the repaired code can be reduced by a factor of at least
three by detecting security errors during code and unit tests, compared with finding errors during integration
tests. By detecting commonly made coding errors during this phase, companies also can provide feedback to
other modules still in design and early coding to avoid repeating the same mistakes.
One problem: We estimate that there are only 500 software engineers with the skills and knowledge necessary to
scan code specifically for security problems efficiently and effectively.


The Seven Ultimate Guiding Principles of Evil Overlords and Information Security

89. After I capture the hero's superweapon, I will not immediately disband my legions and relax my guard because I believe I am unstoppable. After all, the hero held the weapon and I took it from him.

20. Despite its proven stress-relieving effect, I will not indulge in maniacal laughter. When so occupied, it's too easy to miss unexpected developments and adjust my actions accordingly.

90. I will not design my Main Control Room so that every workstation is facing away from the door.

146. If my surveillance reports any unmanned or seemingly innocent ships found where they are not supposed to be, they will be immediately vaporized instead of brought in for salvage.

6. Be Paranoid

The practice of information security is by definition detail-oriented. A truly secure system is one in which every
possible threat has been assessed and every vulnerability has been identified and closed. Attackers can generally
be assumed to have significant time and resources at their disposal with which to probe for malicious entry
points. System designers think long and hard about how their systems will be used by people or processes that
are trying to use them correctly — they may spend significantly less time thinking about how their systems
might be "used" by people or processes that are trying to maliciously attack them. For this reason, the
information security practitioner must be paranoid about both assessing systems for vulnerabilities and about
considering every new kind of threat discovered in the context of his or her organization's security profile.


Strategic Imperative: Information security threats will remain constant throughout the
planning period; businesses need to take a comprehensive, defensive view in an attempt to
achieve due care.

Paranoia in Practice: Cyberthreat Hype Cycle
(Figure: Hype Cycle of cyberthreats as of January 2004, plotting visibility against maturity across the stages Technology Trigger, Peak of Inflated Hyperbole, Trough of Irrelevance, Slope of Enlightenment and Plateau of Permanent Annoyance. Threats plotted include "phishing," spam, spyware, peer-to-peer exploits, wireless and mobile device attacks, denial of service, social engineering, DNS attacks, viruses, cyberterrorism, identity theft, Xeno threats, hybrid worms, zero-day threats and war chalking.)

Zero-day attacks are now being "hyped" — these occur before patches and signatures are available. eXtended
Enterprise Networks Overseas (Xeno) threats are anticipated because of increased outsourcing. Few viruses are
found on personal devices, but it is only a matter of time before these become more exploited. Spyware
programs probe systems and report user behavior to an advertiser or other party without the user's knowledge.
"Phishing" tricks users into revealing information, such as passwords, user IDs or credit card details, to
masquerading sites. Spam consumes resources and can lead to other problems. Instant messaging and other
peer-to-peer programs, which seek out any open port, can put networks and information at risk. Spim (unwanted
commercial messages delivered via instant messaging) is just emerging. Loss of confidence attributed to
speculated cyberterrorism has peaked and, barring new physical attacks or further evidence of cyberterrorist
activity, will remain static. Cyberterrorism hype causes more loss of confidence than actual attacks.
Organizations must protect wireless LANs, as they are prone to simple "find and mark" theft of service
techniques that can lead to loss of confidential information if targeted systems are unprotected. Hybrid worm
threats have moved rapidly through the hyperbole. Identity theft is a rampant and growing cybercrime. Viruses
remain a constant source of problems. Directory network service, social engineering and denial-of-service
attacks are almost unfashionable in terms of hype, but remain dangerous threats that organizations must address.
Action Item: Organizations should evaluate the changing threat landscape in the context of their specific
defensive requirements. As threats mature, so do defenses.


The Seven Ultimate Guiding Principles of Evil Overlords and Information Security

5. The artifact which is the source of my power will not be kept on the Mountain of Despair beyond the River of Fire guarded by the Dragons of Eternity. It will be in my safe-deposit box.

12. One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation.

85. I will not use any plan in which the final step is horribly complicated, e.g., "Align the 12 Stones of Power on the sacred altar then activate the medallion at the moment of total eclipse." Instead, it will be more along the lines of "Push the button."

7. Simplify, Simplify, Simplify

Simple systems are easier to deploy, manage and maintain. They are also easier to secure. Unfortunately,
information systems and organizational IT environments tend to become larger and more complex over time. It
is important, therefore, for the security practitioner to continually identify ways to simplify systems, processes
and practices and to campaign for simplification efforts within the organization. There are several general
themes within this principle:
• Consolidation — any situation where multiple resources can be combined or redundant resources retired
reduces the complexity of the system as a whole. Consolidation has weaknesses as well, especially where
redundancy may be a security factor.
• Risk reduction — simpler, lower-value deployments not only reduce risk, they provide best-practice education
that will benefit later higher-value deployments.
• Replacement — newer technologies, when mature, often provide better functionality at less cost. This is also
true for security technologies.
• Automation — a policy that can be enforced automatically, even if it requires time to get exactly right, will
work better in the long run than a policy that requires manual intervention.


Tactical Guideline: Organizations should evaluate the changing information security landscape in the context of their specific defensive requirements and avoid letting Hype Cycle variations and the relative popularity of any particular security solution dictate plans.

Simplification in Practice: When to Invest
(Figure: Gartner Information Security Hype Cycle as of June 2004, plotting visibility against maturity across the stages Technology Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment and Plateau of Productivity. Key, time to plateau: less than two years; two to five years; five to 10 years; more than 10 years; obsolete before plateau. Technologies plotted include Instant-Messaging Security, Deep Packet Inspection Firewalls, All-in-One Appliances, Anti-spam, Personal Intrusion Prevention, Patch Management, Secure Sockets Layer VPNs, Vulnerability Management, Web Services Security, Scan and Block, Federated Identity, Identity Mgmt., Hardware Tokens, Smart Cards, Managed Security Service Providers, Biometrics, Trusted Computing Group Security Platforms, Public-Key Operations, Secure Sockets Layer/Trusted Link Security, WPA, Reduced Sign-On, Data-at-Rest Encryption, IDS, Digital Rights Mgmt. (Business) and Compliance Tools.)

Each new wave of technology disrupts existing security measures and introduces new vulnerabilities. Each new
technology in security, privacy and risk follows the Hype Cycle. Determining when to adopt an emerging
technology is a critical decision. If the technology is adopted too soon, the company will suffer the pain and
expense of an immature technology. If the technology is adopted too late, the company runs the risk of being left
behind by competitors that have made the technology work to their advantage. In the case of information
security, failing to deploy defensive solutions at the right time can leave the organization vulnerable. Delays in
identity, authentication and access control products or services can leave the business in a catch-up mode
regarding business opportunity.
Action Item: Investing in an overhyped technology too early can result in a complete waste of security funds.
Organizations should focus on their business needs and threat assessment to prioritize security needs. This
analysis should be combined with the Gartner Information Security Hype Cycle to deflate the hype spread by
security product and service vendors.


'This cannot be! I am INVINCIBLE!!!'

1. Defense in Depth
2. Principle of Least Privilege
3. Only the Paranoid Survive
4. The Weakest Link
5. Build Security in Early
6. Be Paranoid
7. Simplify, Simplify, Simplify
8. Never Say That...

Thanks to:
The Evil Overlord List©
www.eviloverlord.com
Peter Anspach: Compiler and Chief Overlord
and all of its evil contributors

"Dr." Ray Wagner [ray.wagner@gartner.com]

Source: www.eviloverlord.com
