Security Basics mailing list archives
RE: Re: Re: Re: Concepts: Security and Obscurity
From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Fri, 13 Apr 2007 08:26:46 +1000
Here we get to the real point. Obscurity is not the factor that is increasing the security of the site. You have a confounding variable in this model. That is monitoring. The confusion here is that you are assuming that this is the only (or best) method to increase log visibility and that this will find the attacker.

First, increasing monitoring efficiency is a good (though uncommon) improvement. But the argument is that port knocking etc. will find the people with a clue who are able to attack the SSH or other service. When scanning a site managed by a professional 24x7 firm, with notice, I have rarely had them become aware of (maybe 1 in 10) the fact that the client is being tested. It is randomised and over time and uses event sequence mining to reconstruct the ruleset (i.e. maths). I do however guess that gets rid of much of the "hacker" community of course these days, as it requires that SAS, SPSS, R or some other statistical package is used and does not rely on a tool.

Obscurity does not work. You are confounding the control from SSH with some additional but unmeasurable additional event as people do not know the sequence. This is not the same as having a firewall and AV.

To test the effectiveness of obscurity scientifically you have to remove or account for the confounding variables. In assessing the relative strength of a control, you cannot compare in the manner that is being proposed, as you have cross-correlated effects from the additional controls.

In a test that is determined scientifically and without bias, the results show that obscurity does not reduce risk and is thus not a benefit.

Regards,
Craig

PS: there is no 100% secure system and this is mathematically provable. The best you do is reduce the risk and probability of a successful attack/intrusion.
Craig Wright
Manager of Information Systems
BDO Kendalls (NSW)

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of levinson_k () securityadmin info
Sent: Thursday, 12 April 2007 6:40 PM
To: security-basics () securityfocus com
Subject: Re: Re: Re: Re: Concepts: Security and Obscurity
Obscurity is just that, obscure. It's "hiding" rather than actually proactively keeping people out... just makes it slightly harder. The attackers must try a few doors before they find the one with the network gear, or call the company and say there's something wrong with the website - can they talk with the webmaster to let them know,
One might as well throw away your antivirus and firewalls, because those won't block social engineering either.
When we define things this way, then we can clearly see why "obscurity" doesn't add much benefit against targeted attacks.
Obscurity isn't intended to block targeted attacks, just as firewalls aren't intended to block social engineering. The people here who require countermeasures to be 100% effective against everything will quickly end up with no countermeasures at all. But at least they won't have, horror of horrors, a false sense of security!

Obscurity does help you against targeted attacks, in that targeted attacks that hit your SSH server listening on a nonstandard port will tend to stand out, because your logs will have less noise in them.

kind regards,
Karl Levinson
http://securityadmin.info