Elevation of privilege card deck

In order to receive savings, you must present your privilege card at the time of purchase. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions. Play five hands with a group of three to six people. When the next player is ready, they visit the URL recorded in the previous step and verify the last played card is correct. Computer security tutorial 1: Elevation of Privilege game. Comparison of privilege authorization features, Wikipedia. Elevation of Privilege threat modeling card game with privacy. Elevation of privilege results from giving an attacker authorization permissions beyond those initially granted. Elevation of Privilege card game, board game, boardgames. If the player can't link the threat to the system, play proceeds. Mar 02, 2017: Elevation of Privilege (EoP) is the easy way to get started threat modeling, which is a core component of the design phase in the Microsoft Security Development Lifecycle (SDL). Elevation of Privilege (EoP) threat modeling card game, Agile. It differs in that the EoP cards are ordered more like a traditional card deck, and the rules provide a very different structure for play, described below.

This game was developed by Adam Shostack, who is a product manager at Microsoft, and the main goal is to identify bugs and security holes. The names of the people you play with, a short description of the system that you used for the game, your scorecard, and a short one-paragraph reflection of your experiences with this game. Impersonation is the ability of an application to use the context of another entity (user, process) to access resources local to. For example, an attacker with a privilege set of read-only permissions somehow elevates the set to include read and write. A game of cards: I've written about Adam Shostack's brilliant computer security card game Elevation of Privilege once or twice before. The EoP card game helps clarify the details of threat modeling and examines possible threats to software and computer systems.

Now that we are finally in possession of our first in-house manufactured deck, I'm busy pulling together an introductory course that hopefully will include enough background for us soon to organise an actual game. About Elevation of Privilege (EoP) threat modelling card game. Week 2 discussion form, security architecture and design. The threat modeling game, Security Cards from the University of Washington, the commercial card game Control-Alt-Hack presentation, OWASP Snakes and Ladders, and web application security training tools incorporating gamification such as OWASP Hackademic. The one privileges card can be used anywhere across our network of venues, subject to the expiry date shown. Many people don't know or haven't heard of threat modeling, let alone know. Elevation of Privilege (abbreviated EoP) is a card game developed by Adam Shostack with assistance from many patient Microsoft developers, and is designed to provide a fun and educational introduction to the concepts and practice of threat modeling. Agile Stationery Elevation of Privilege threat modeling cyber security card game. This video discusses and demonstrates the new privilege elevation feature of Dynamic Environment Manager (formerly called User Environment Manager) 9. Inference of personal data from other personal data, for example, through correlation. The Elevation of Privilege (EoP) card game helps clarify the details of threat modeling and examines possible threats to software and computer systems.

Only Elevation of Privilege (EoP) or the lead suit can take a. Feb 07, 20 Elevation of Privilege (EoP) is the easy way to get started threat modeling. I created Elevation of Privilege while at Microsoft. The Elevation of Privilege game is designed to be the easiest way to start looking at your design from a security perspective.

The Elevation of Privilege (EoP) card game helps clarify the details of threat modeling. The high card played takes the trick, with Elevation of Privilege taking precedence over the suit led. Instructions: Elevation of Privilege instructions. Draw a diagram of the system you want to threat model before you deal the cards. Each card can only be used by the named and photographed cardholder. Threat modeling card game Elevation of Privilege (EoP). We also offer a performance guarantee in the unlikely event you ever have a problem. Only Elevation of Privilege (EoP) or the lead suit can take a trick.

The games here range from actionable (Elevation of Privilege, which actively helps you threat model) to educational (Control-Alt-Hack) to classroom activity to spur conversation. Elevation of privilege types of threats occur when an attacker is able to gain elevated access rights through unauthorized means; in this case a process may be able to impersonate the context of an external entity in order to gain additional privilege. Players should always have five cards in their hands. About forging facilitators program about speaking about y. The following offers are for holders of the Rockefeller Center privilege card only. It is designed to make threat modeling easy and accessible for developers and architects. Elevation of Privilege (EoP) is the easy way to get started threat modeling, which is a core component of the design phase in the Microsoft Security Development Lifecycle (SDL).

The Elevation of Privilege card game is designed to help you easily and quickly find threats to software or computer systems. Elevation of Privilege card game, board game, BoardGameGeek. Elevation of Privilege was inspired by Protection Poker. The game consists of 84 cards, including 2 instruction cards, 1 play and strategy flowchart card, 74 playing cards, 6 reference cards, and an about card. After playing a card, the player should take a new card from the top of the deck. This lesson offers a demonstration of the Elevation of Privilege (EoP) card game. Participants receive step-by-step instructions along with diagrams as to how to. So I had the English version of the cards printed at a company who offers printing of custom playing cards and who did a great job of it. Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. Card decks are available at Microsoft's RSA booth, or for download here. Assignment for week 2: a discussion of threat modeling using the Elevation of Privilege game. Play clockwise, and each player in turn follows in the suit if they have a card in the suit. To play a card, read the card, announce your threat and record it. Elevation of Privilege, OIS Software Assurance VAMIS wiki.

A built-in bench is positioned across the front of the deck to add definition, an element of style, and a functional seating area. Elevation of privilege card number 1 2afsgrqoxha3tjb3. It is a card game that developers, architects or security experts can. If they don't have that suit, they can play another suit. Jan 26, 2019: It is helpful to list all of the characteristics that make a standard deck of cards such a rich sample space. Field of study since about 1970: serious games, in the sense that these games have an explicit and carefully thought-out educational purpose and are not intended to be played primarily for amusement. Transport of personal data across geopolitical or contractual boundaries. You can play this game with or without the original Elevation of Privilege deck.

Contrast with Netrunner below, which is a complex strategy game set in a cyberworld, but makes no attempt towards realism. The EoP card game helps clarify the details of threat modeling and examines possible threats to software and computer. Inference of personal data from other personal data, for. While anyone who plays cards has encountered these traits, it is easy to overlook some features of a deck of cards. Elevation of Privilege (EoP) threat modeling card game. The card can also be used repeatedly at each venue, so the benefits are virtually unlimited. The game contents and card templates are provided by Microsoft under a Creative Commons CC BY license, but I haven't found a source where you can purchase ready-to-play printed card decks. Download Elevation of Privilege (EoP) threat modeling card. Privilege card is intended for use by the holiday home owners and their friends and family whilst they are staying in your holiday home on the park. The Elevation of Privilege threat modeling card deck. Elevation of Privilege: the easy way to threat model. Use privilege management to enable elevation of privileges or restrict rights for users or user. Elevation of privilege: how is elevation of privilege. It is helpful to list all of the characteristics that make a standard deck of cards such a rich sample space.

Our liability for damaged or faulty cards is limited to replacement of the privilege card and transfer of any available cash balance. Jun 25, 2019: The Elevation of Privilege threat modeling card deck. I'm creating this repository to have a single location for bugfixes, encourage more derivative work, and all the other goodness that a git repository can bring. For example, an attacker with a privilege set of read-only. Sold by Agile Stationery and ships from Amazon Fulfillment. Participants receive step-by-step instructions along with diagrams as to. It differs in that the EoP cards are ordered more like a traditional card deck, and the rules provide a. The OWASP Cornucopia project with Colin Watson, by DevSecOps Podcast Series, published on 20140321t14. An elevation of privilege threat is aimed at obtaining privileged access to resources for gaining unauthorized access to information or to compromise a system. The Elevation of Privilege card game is a game released by Microsoft which models threat modelling in software development. The Elevation of Privilege card game helps you quickly and easily find and model threats to software or computer systems.

Use privilege management to enable elevation of privileges or restrict rights for users or user groups and enable browser control to redirect or allow specific URLs. Jan 31, 2011: A game of cards: I've written about Adam Shostack's brilliant computer security card game Elevation of Privilege once or twice before. DEF CON 8 meeting: playing the Elevation of Privilege card game together. Play this card as per the EoP instructions, and record your threat, making a note of the current URL. Elevation of Privilege (EoP) is the easy way to get started threat modeling. Elevation of Privilege is the easy way to get started threat modeling. Homework 1, due Jan 14, 5pm, University of Washington. After each player has played a card, the trick is won by the player who has played the highest card in either the suit that was led or in the trump suit, Elevation of Privilege. Threat modeling is a core component of the design phase in the Microsoft Security Development Lifecycle (SDL). When you first visit this site you will get a uniquely shuffled deck, and will be shown the first card drawn.

Unless there's a trump Elevation of Privilege card aces are for threats not listed on the cards. A privilege authorization feature, designed to be independent of the desktop environment in use and already adopted by GNOME. In contrast to earlier systems, applications using PolicyKit never run with privileges above those of the current user. It's the easiest way to start looking at your design from a security perspective and to threat model, intended to be picked up and used by any software development group. Instead, they indirectly make requests of the PolicyKit daemon, which is the only program that runs as root. The process by which a user obtains a higher level of privilege than that for which he has been authorized. Deck of cards: definition of deck of cards by The Free. The deck is built on a very low elevation and does not require guardrails.

The EoP card game helps examine possible threats to software and computer systems. May 16, 2017: This video discusses and demonstrates the new privilege elevation feature of Dynamic Environment Manager (formerly called User Environment Manager) 9. Abuse or misuse of the privilege card the privilege card remains the property of. If your privilege card is damaged or faulty, please contact owners reception so that we can replace it. Download Elevation of Privilege (EoP) threat modeling card game. Threat modeling is a core security practice during the design phase of the Microsoft Security Development Lifecycle (SDL). It is a card game that developers, architects or security experts can play. The Elevation of Privilege threat modeling card deck, GitHub. Your Privilege Is Showing is a social justice card game. Current revision posted to TechNet Articles by Maheshkumar S Tiwari on 10620 6.

SharePoint Foundation 2010 elevation of privilege, a feature that was added in Windows SharePoint Services 3. If you are interested in using gaming for security, also see Elevation of Privilege. A malicious user may use elevation of privilege as a means to compromise or destroy a system, or to access unauthorized information. The highest card is the highest value card played in the suit led, unless one or more trump cards were played. This is a basic 12 x 12 deck with one clipped corner. After all players have played a card, the high card played takes the trick, with the Elevation of Privilege suit taking precedence over the lead suit. To track the game, use something that all your players can edit, like a wiki or git-controlled file.
