Security Basics mailing list archives
RE: Concepts: Security and Obscurity
From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Wed, 11 Apr 2007 15:36:36 +1000
To translate: "Limiting access to a potentially vulnerable daemon by 99.9% of the Internet population." You get....

Control: Limit the number of people who are likely to access this daemon to 1,114,274 people (1). Of this, these are skewed to contain a greater number of people who are likely to attempt to exploit the vulnerable daemon. Of this, the sample of people contains a greater number of people by proportion that are able to break the service and also cover their tracks than the normal population of users.

Costs:
1. Running a vulnerable service with a false sense of security and little concern
2. Documentation of the service and the time to reconfigure devices

Thus the summary is that there is no gain and some cost. Now if you consider the number of people who scan well-known ports against those who scan for "hidden" ports and the levels of skills - what you have done is make the site a target. You have done nothing to stop those with skills (and thus who are more likely to compromise the system) from attacking - but have removed some of the noise element as the script kiddies generally scan for attacks they have exploits for. Thus the resultant population consists of people who have a greater likelihood of compromising the system and these people have not been controlled at all. Bearing in mind that the population of users who have found the port are unlikely to be those with valid reasons, you have not secured the daemon at all. With the current Honeynet statistics, you may survive in this state for 72 hours or so...

The system of algebraically assigning a number for each control is not mathematically valid. Survival in this situation forms a Poisson model on the length of time that the service is maintained in a "secure" state. In this, the additional benefit would (even if algebraically equal - which is not the case) be included as an additional factor to an inverse exponential. Thus it would have a minimal additional effect.
The manner in which you have assigned values to risk is not mathematically sound. There are centuries of research into risk. Survival models apply to IT risk as well. Making up numbers to state that an added layer of security is an improvement is unscientific at best and does nothing to improve the risk modelling process.

Regards,
Craig

(1) World Internet User Statistics were updated on Mar. 10, 2007 [Total World Internet Users = 1,114,274,426]

References:
- Cynthia Bailey Lee, Chris Roedel, Elena Silenok, "Detection and Characterization of Port Scan Attacks", Department of Computer Science & Engineering, University of California, San Diego.
- S. Northcutt, Network Intrusion Detection Analyst's Handbook. New Riders, Indianapolis, 1999. p.125.
- Agenda and Work Plan. Computer Security Incident Response Team (CSIRT), Florida State University, http://www.security.fsu.edu/csirt_mtg
- S. Staniford, V. Paxson and N. Weaver, How to 0wn the Internet in Your Spare Time, USENIX Security Symposium, August 2002.
- And of course: "Know Your Enemy: Statistics" http://www.honeynet.org/papers/stats/

Craig Wright
Manager of Information Systems
Direct +61 2 9286 5497
Craig.Wright () bdo com au
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO Box 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

-----Original Message-----
From: Daniel Miessler [mailto:daniel () dmiessler com]
Sent: Wednesday, 11 April 2007 2:52 PM
To: Craig Wright
Cc: krymson () gmail com; security-basics () securityfocus com
Subject: Re: Concepts: Security and Obscurity

On Apr 10, 2007, at 6:50 PM, Craig Wright wrote:
> Please demonstrate your hypothetical controls. Stating your hypothesis in an untestable way does nothing to further the argument.
Control: Limiting access to a potentially vulnerable daemon by 99.9% of the Internet population. So legitimate users are allowed in without issue, while nobody else on the Internet even knows a daemon exists.

Cost: Configure your firewall device to handle PK or SPA and deploy the augmented client.

--

In my view this is a big win for the organization if the technologies can be used. Not all infrastructures support PK or SPA technology yet, but one can imagine them being used for VPNs and a number of other applications.

But that isn't even the point: the point is that just because obscurity is used as part of the total approach does NOT mean the system is somehow weakened. The Kerckhoff Principle applies when security RESTS on secrecy, not when it's added as a layer on top of existing systems.

As an example, if you have a tested VPN system that gave, say, 7 points of security (lame, but bear with me). So you then added a layer of obscurity on top of it that gave an additional 2 points, you'd have a total of 9. Well, if you have a compromise to your obscurity of said system, what would you fall back to? 4? 2? No -- 5. 5 is what you started with WITHOUT the layer, so you can't fall below that.

This is true simply because the two layers are independent of each other. We're not talking about a cryptographic algorithm where the scrutiny of the algorithm is PART of the security itself. In this case we're building a completely isolated and independent layer, and as such the Kerckhoff principle does not apply.

Again, 5 + 2 - 2 = 5, not less than 5.

--
Daniel Miessler
E: daniel () dmiessler com
W: http://dmiessler.com
G: 0xDA6D50EAC
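To put the two positions above into one framework, here is an added Python sketch (not written by either poster) of the exponential survival model Craig invokes: a port-hiding control scales the compromise hazard by the fraction of the population that still reaches the port and by how much more capable that residual population is. The 72-hour median, the 0.1% reachable fraction and the skill-enrichment factor are constructed assumptions for illustration, not measured values.

```python
import math

# Constructed baseline: choose the hazard so that the median time to
# compromise of an exposed, vulnerable daemon is about 72 hours, the
# rough figure quoted in the thread. lambda is in compromises per hour.
BASE_MEDIAN_HOURS = 72.0
BASE_HAZARD = math.log(2) / BASE_MEDIAN_HOURS


def survival(hazard: float, hours: float) -> float:
    """S(t) = exp(-lambda * t): probability of no compromise by time t
    when compromise attempts arrive as a Poisson process."""
    return math.exp(-hazard * hours)


def median_survival_hours(hazard: float) -> float:
    """Time at which S(t) = 0.5, i.e. ln(2) / lambda."""
    return math.log(2) / hazard


def obscured_hazard(base_hazard: float, reachable_fraction: float,
                    skill_enrichment: float) -> float:
    """Hazard after a port-hiding control (assumed model): the attacker
    population shrinks to reachable_fraction of the original, but the
    survivors are skill_enrichment times as likely to succeed per head.
    A multiplicative factor on lambda is the "additional factor to an
    inverse exponential" described in the thread."""
    return base_hazard * reachable_fraction * skill_enrichment


def compare(reachable_fraction: float, skill_enrichment: float,
            horizon_hours: float = 72.0) -> dict:
    """Survival at the horizon and median survival, with and without the
    control. Removing the control is reachable_fraction = skill = 1.0,
    which returns exactly the baseline: the independent-layer argument."""
    h = obscured_hazard(BASE_HAZARD, reachable_fraction, skill_enrichment)
    return {
        "base_survival": survival(BASE_HAZARD, horizon_hours),
        "obscured_survival": survival(h, horizon_hours),
        "base_median_h": median_survival_hours(BASE_HAZARD),
        "obscured_median_h": median_survival_hours(h),
    }


if __name__ == "__main__":
    # Optimistic view: 0.1% of scanners remain and are no more skilled.
    print(compare(0.001, 1.0))
    # Pessimistic view: the 0.1% who find the port are 1000x more capable,
    # so the hazard, and thus survival, is unchanged.
    print(compare(0.001, 1000.0))
```

The gain from the control is entirely in the product reachable_fraction * skill_enrichment; the model makes explicit that the disagreement in the thread is an empirical one about that second factor, not about arithmetic.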