Security Basics mailing list archives
RE: Concepts: Security and Obscurity
From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Thu, 12 Apr 2007 07:55:13 +1000
Except that the *Very* few is NOT 50, 100 or even 1000 - it is many many times that. Unless you have changed the nature of the hypothesis, as I suspect that you have done in the response (ie limiting access addresses). Adding a false sense of security is not adding security. An insecure system remains an insecure system. It is mathematically provable that you have no real gain.

As for: "Why do we hide missile launch sites?" We don't. They are public. They are known.

"Why does the presidential motorcade not disclose which car the president is actually in?" To increase the attack time and scope. The target is increased - having 3 cars reduces the risk to 1/3, having 4 cars makes a random target of 1/4 or 25% if a single car is hit (etc). The analogy is not the same though. Scanning additional ports is not a linear probability function. Adding an additional car is (or at least approximates to one).

You stated a potentially vulnerable service. Thus it remains so whether you change the port or not. Next you are now seeming to add a condition that the firewall is filtering IP addresses - a point that was not in the original hypothesis. If so, this is then a new case.

As for qualifications: several Gold GIAC, most of the other certs, multiple IT related degrees at PG level, 20 years experience including work in hostile environments (ie Australian Stock Exchange). Your failure to understand a concept does not make it either true or false. The scanning for IP services is possible - there is not a port per se, but there is a system response. I suggest that you learn a little more on risk and check the facts about situations before stating them.
Craig

Craig Wright
Manager of Information Systems
Direct +61 2 9286 5497
Craig.Wright () bdo com au
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO Box 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

-----Original Message-----
From: Daniel Miessler [mailto:daniel () dmiessler com]
Sent: Thursday, 12 April 2007 2:59 AM
To: Craig Wright
Cc: krymson () gmail com; security-basics () securityfocus com
Subject: Re: Concepts: Security and Obscurity

On Apr 11, 2007, at 1:36 AM, Craig Wright wrote:
To translate: "Limiting access to a potentially vulnerable daemon by 99.9% of the Internet population." You get.... Control: Limit the number of people who are likely to access this daemon to 1,114,274 people.
I'm not sure if you are being argumentative for the sake of doing so, or if you really thought I meant that 0.01% of the Internet population would be given valid access to the PK/SPA client being used by our fictional organization. I'm going to assume the former since the latter just sounds too silly. I used 99.9% to mean "the vast majority", with *VERY* few exceptions (i.e. like 25, or 50, or 1,000)
Costs:
1 Running a vulnerable service with a false sense of security and little concern
2 Documentation of the service and the time to reconfigure devices
Thus the summary is that there is no gain and some cost.
Where is the false sense of security if you already have your CURRENT security, only you've added something in addition to it? We're NOT MODIFYING existing security, whether that's via SSH, VPN, or whatever. That stays in place. All we're doing is making it so people can't see the service in the first place.
Now if you consider the number of people who scan well known ports against those who scan for "hidden" ports and the levels of skills - what you have done is make the site a target.
How about people who scan for closed ports? Are we worried about people making a list of sites NOT running certain services? I'm personally not so worried about being put on such a list.
You have done nothing to stop those with skills (and thus who are more likely to compromise the system) from attacking - but have removed some of the noise element as the script kiddies generally scan for attacks they have exploits for. Thus the resultant population consists of people who have a greater likelihood of compromising the system and these people have not been controlled at all.
Right, other than the fact that they'd never see the service in the first place due to the port not listening. Again, how do you expect this fictional super-hacker to open a port on a firewall that's NOT open? If there are people that can do that then every company in the world with an Internet presence is in grave danger.
Bearing in mind that the population of users who have found the port are unlikely to be those with valid reasons, you have not secured the daemon at all. With the current Honeynet statistics, you may survive in this state for 72 hours or so...
Wow.
The system of algebraically assigning a number for each control is not mathematically valid. Survival in this situation forms a Poisson model on the length of time that the service is maintained in a "secure" state. In this, the additional benefit would (even if algebraically equal - which is not the case) be included as an additional factor to an inverse exponential. Thus it would have a minimal additional effect.
Easy killer. I'm still trying to figure out how to open closed ports on remote firewalls.
The manner which you have assigned values to risk is not mathematically sound. There are centuries of research into risk. Survival models apply to IT risk as well. Making up numbers to state that an added layer of security is an improvement is unscientific at best and does nothing to improve the risk modelling process.
You're trying to condescend but you don't seem qualified to do so. Let me leave you with a few simple questions that will hopefully jar you back to us: Why do we hide missile launch sites? Why does the presidential motorcade not disclose which car the president is actually in? The reason, my friend, is because no matter what security is placed on a given system -- making it difficult to actually INITIATE an attack against said security is still valuable! No algebra or list of references is going to make this less so. I ask you to reconsider.

--
Daniel Miessler
E: daniel () dmiessler com
W: http://dmiessler.com
G: 0xDA6D50EAC