Full Disclosure mailing list archives
Re: Security & Obscurity: First-time attacks and lawyer jokes
From: "Mr. Rufus Faloofus" <foofus () foofus net>
Date: Thu, 2 Sep 2004 16:05:37 -0500
On Thu, Sep 02, 2004 at 12:24:29PM -0400, Peter Swire wrote: [snip]
A theme of the paper: when attacks are closer to first-time attacks (when they have high uniqueness), then secrecy can be an effective tool. When there is low uniqueness, security through obscurity is BS. And many, many cyberattacks fall into the second category.
Hrm. This seems to me like circular reasoning, but it might take me a little effort to explain; I hope you'll bear with me. One commonplace strategy for prioritizing risks is to estimate the rate of an undesirable event's occurrence (say, an Annual Rate of Occurence) and multiply that number by an estimate of such an event's severity (say a Single Loss Expectancy).[1] Thus, relative metrics can be derived: Risk = ARO * SLE It seems to me that security by obscurity is an attempt to reduce risk by hiding things as a means of minimizing ARO. This is, however, a "brittle" defense[2], in the sense that as soon as the hidden attack surface is identified, attacks tend to become readily reproducible. Put another way, if obscurity is your main security tactic, once the obscurity is lifted, that defensive measure is wholly negated. So, in the case of a system defended by obscurity, to say that an attack has "low uniqueness" seems to me to be putting the cart before the horse. If an attack has "low uniqueness" then has not the obscurity already been circumvented? Likewise, if the proper vector for attack is not known (i.e., the veil of security still lies thick and luxurious over the system's exploitable condition), is it really fair to say that secrecy can be "an effective tool?" If we take a strongly literal interpretation of "effective," perhaps this makes sense: there have not yet been any known attacks, so the effective security is perfect. The catch is that once the first successful attack takes place, the attacker may publish his or her discovery about our system's weakness, and attacks can instantly jump from high uniqueness to very low uniqueness. One important objective of security is to aid us in managing risk over time, not just on an instantaneous basis. We want systems that fail gracefully in the event of trouble: all-or- nothing security strategies (i.e., those that allow risk to escalate rapidly and in a manner outside of our control) are undesirable. In the service of this end, then, secrecy isn't really an "effective" tool: should our weakenss become no longer secret, obscurity loses its efficacy. In fact, it has evaporated more or less entirely. The statement "when there is low uniqueness, security through obscurity is BS" is misleading, in the sense that the condition of low uniqueness implies that obscurity has *already* been defeated. Likewise, to say that "many cyberattacks fall into the second category [i.e., low uniqueness]" also misses the mark, in the sense that automated/scripted attacks *depend* on knowledge of how to succeed. This is the classic story of the 0-day exploit. In a sense, each and every system is defended by the fact that the means of compromising it are unknown. Once they become known, it's a good idea to address the vulnerability that's being exploited, rather than just finding a way to make it secret again, or else we'll be in the very same position later, when the flaw is rediscovered. Full-disclosure is about the belief that we can actually reduce our risk overall by trading away some of our "high uniqueness." The absence of successful attacks might feel good, but I'd sacrifice some of that feeling in exchange for better assurance that my defenses won't crumble entirely the minute a discovery is made. But I digress. The point I'm trying to make is that the theme you're drawing out in the paragraph above is pleonastic in nature: a condition of "high uniqueness" doesn't suggest that obscurity can be an effective tool. "High uniqueness" means precisely that viable vectors of attack are not widely known. Likewise "low uniqueness" doesn't mean we should abandon obscurity: by the time we have "low uniqueness," obscurity is long gone, because the condition itself implies that vectors of attack are well known. --Foofus. [1] Some people may suggest refinements to this scheme, or variations on the equation, or different units of measurement. I have no desire to quibble about which scheme is the absolute best. This one is nice and simple, though. [2] I use this term in the sense that Schneier does (BEYOND FEAR); I cite this, because the term might get used in other senses elsewhere. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: New paper on Security and Obscurity, (continued)
- Re: New paper on Security and Obscurity gadgeteer (Sep 01)
- Re: New paper on Security and Obscurity stephane nasdrovisky (Sep 01)
- Re: New paper on Security and Obscurity stephane nasdrovisky (Sep 01)
- Re: New paper on Security and Obscurity Barry Fitzgerald (Sep 01)
- RE: Response to comments on Security and Obscurity Peter Swire (Sep 01)
- RE: Response to comments on Security and Obscurity Dave Aitel (Sep 01)
- Security & Obscurity: First-time attacks and lawyer jokes Peter Swire (Sep 02)
- Re: Security & Obscurity: First-time attacks and lawyer jokes Georgi Guninski (Sep 02)
- Re: Security & Obscurity: First-time attacks and lawyer jokes Honza Vlach (Sep 03)
- Re: Security & Obscurity: First-time attacks and lawyer jokes Dave Aitel (Sep 02)
- Re: Security & Obscurity: First-time attacks and lawyer jokes Mr. Rufus Faloofus (Sep 02)
- RE: Response to comments on Security and Obscurity Peter Swire (Sep 01)
- Re[2]: Response to comments on Security and Obscurity 3APA3A (Sep 01)
- Re: Re[2]: Response to comments on Security and Obscurity James Tucker (Sep 01)
- Re: Response to comments on Security and Obscurity Barry Fitzgerald (Sep 01)
- Re: Response to comments on Security and Obscurity James Tucker (Sep 02)
- Re[4]: Response to comments on Security and Obscurity 3APA3A (Sep 02)
- Re: Re[4]: Response to comments on Security and Obscurity James Tucker (Sep 02)
- Re[6]: Response to comments on Security and Obscurity 3APA3A (Sep 02)
- Re: Re[6]: Response to comments on Security and Obscurity James Tucker (Sep 02)
- Re[8]: Response to comments on Security and Obscurity 3APA3A (Sep 02)
- Re: Response to comments on Security and Obscurity gadgeteer (Sep 01)