Security Basics mailing list archives
Re: Re: Re: Concepts: Security and Obscurity
From: lordl3ane () gmail com
Date: 9 Apr 2007 22:35:09 -0000
I agree with all of the comments that a determination of what controls to put in place needs to result from a relevant assessment of the risk to that organization. That organization could be as simple as a small-town janitorial supply company or as complex and juicy as a national military or government agency. The first reaction for many people will be that the janitorial supply company needs nearly no security controls while the government needs all it can afford. What if the janitorial supply company were the target of a larger company with links to organized crime who wanted the state and municipal customers? What if the government/military were a small island nation with a total national population of 50,000?

I also think that along the way we've begun to use more and more security industry jargon, but some of the definitions have bled together. We use privacy synonymously with confidentiality and with obscurity. My understanding is that we're having a discussion about some topics while using quotes and catch phrases about others.

Privacy is what I want to keep; it is a state of being secured against people I don't want to know what I have/know/am doing, etc. Confidentiality describes the security methodology I use to ensure my privacy. Obscurity is one of the controls I can implement on the road to building my confidentiality solution, to protect my privacy.

Obscurity is just that: obscure. It's hiding rather than actually proactively keeping people out. It's taking a sign off a door, removing your registration information from your Internet domain, even disabling the headers on your TCP/IP services. None of these things actively stops someone from gaining access; it just makes it slightly harder. The attackers must try a few doors before they find the one with the network gear, or call the company and say there's something wrong with the website, can they talk with the webmaster to let them know, or bang away at each port with multiple services until something answers correctly.
Port-knocking is not an obscurity-type control; it's a form of authentication. Changing the port number a service listens on would probably be classified as obscurity. Using SSL or a tunnel VPN is encryption and authentication. Obscurity would be sending an e-mail in the clear and just not telling anyone when you were sending it.

When we define things this way, we can clearly see why obscurity doesn't add much benefit against targeted attacks. If someone is looking for e-mail, they'll probably intercept everything and sift through it for what they need. They'll try every door to see which one is the communications closet. They'll even use port scanners and bang away trying multiple services on each port, while they order take-away pizza and chat in IRC.

Cheers!
Eric
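The distinction Eric draws above (a moved port and a stripped banner versus a port-knock gate) as an added example, not code from the post or the thread. It is an in-process simulation: no real sockets are opened, every host, port, greeting, probe response and knock sequence is constructed for the example, and the fingerprint patterns are stand-ins for a real scanner's service-detection database. The knock gate keys its state on a client label where a real implementation would key it on source address.

```python
"""Obscurity versus port knocking, simulated in-process.

Constructed example: no network I/O; hosts, ports, banners, probes and the
knock sequence are all made up for illustration."""

# Probes a scanner sends to every reachable port: first wait for a greeting,
# then try protocol-specific requests (what nmap-style service detection does).
PROBES = ("", "GET / HTTP/1.0\r\n\r\n", "EHLO scan.example\r\n")


class Service:
    """A listener that may greet on connect and answers requests it understands."""

    def __init__(self, name, greeting, replies):
        self.name = name
        self.greeting = greeting    # "" if the protocol has no greeting
        self.replies = replies      # probe -> protocol response

    def respond(self, probe):
        if probe == "":
            return self.greeting
        return self.replies.get(probe, "")


def fingerprint(response):
    """Classify a response by the protocol-mandated part of what comes back.
    Stripping vendor strings or the Server header leaves these intact, which is
    why a suppressed banner does not hide a service from active probing."""
    if response.startswith("HTTP/"):
        return "http"
    if response.startswith("SSH-"):
        return "ssh"
    if response.startswith(("220 ", "250 ")):
        return "smtp"
    return None


class KnockGate:
    """Port-knock filter: a client must hit `sequence` in order before
    `protected` is reachable; any other port resets that client's progress,
    so a sequential scan never lands the sequence by accident."""

    def __init__(self, sequence, protected):
        self.sequence = tuple(sequence)
        self.protected = protected
        self.progress = {}          # client -> correct knocks seen so far
        self.opened = set()         # clients that completed the sequence

    def packet(self, client, port):
        """Observe one packet from `client`; return True if it may pass."""
        if port == self.protected:
            return client in self.opened
        n = self.progress.get(client, 0)
        if n < len(self.sequence) and port == self.sequence[n]:
            n += 1
            if n == len(self.sequence):
                self.opened.add(client)
        else:
            n = 0                   # wrong port: start over
        self.progress[client] = n
        return True                 # non-protected ports are not filtered


def scan(host, ports, client="scanner", gate=None):
    """Probe each port with every probe; return {port: identified service}."""
    found = {}
    for port in ports:
        if gate is not None and not gate.packet(client, port):
            continue                # filtered: no response at all
        service = host.get(port)
        if service is None:
            continue
        for probe in PROBES:
            name = fingerprint(service.respond(probe))
            if name:
                found[port] = name
                break
    return found


# Constructed host: every service moved off its default port, with vendor
# identification removed from what it sends.
HOST = {
    22022: Service("ssh", "SSH-2.0-x\r\n", {}),                 # vendor string replaced
    8088: Service("http", "", {"GET / HTTP/1.0\r\n\r\n": "HTTP/1.1 200 OK\r\n\r\n"}),  # no Server header
    2525: Service("smtp", "220 ESMTP\r\n", {"EHLO scan.example\r\n": "250 OK\r\n"}),
}


def demo():
    """Obscurity alone, the same host behind a knock gate, and a knocking admin."""
    ports = list(range(2500, 2600)) + list(range(8000, 8100)) + list(range(22000, 22100))
    ungated = scan(HOST, ports)                       # moved ports still identified
    gate = KnockGate(sequence=(7000, 8000, 9000), protected=22022)
    gated = scan(HOST, ports, gate=gate)              # 22022 looks closed to the scan
    for p in (7000, 8000, 9000):                      # admin knows the sequence
        gate.packet("admin", p)
    admin_view = scan(HOST, [22022], client="admin", gate=gate)
    return ungated, gated, admin_view


if __name__ == "__main__":
    print(demo())
```

The moved ports and stripped banners change nothing for the probing scanner, which matches Eric's point that obscurity only costs the attacker a few more doors; the knock gate, by contrast, withholds the service until the client presents a secret. That secret is static and visible to anyone who can watch the admin's packets, so a real deployment treats knocking as a filter in front of the service's own authentication rather than a replacement for it.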
Current thread:
- Re: Concepts: Security and Obscurity, (continued)
- Re: Concepts: Security and Obscurity Joe Yong (Apr 11)
- RE: Concepts: Security and Obscurity Young, Randy (Apr 11)
- RE: Concepts: Security and Obscurity Ken Kousky (Apr 11)
- Re: Concepts: Security and Obscurity Joe Yong (Apr 11)
- RE: Concepts: Security and Obscurity Craig Wright (Apr 10)
- Re: Concepts: Security and Obscurity Daniel Miessler (Apr 11)
- RE: Concepts: Security and Obscurity jay.tomas (Apr 11)
- RE: Concepts: Security and Obscurity Craig Wright (Apr 11)
- Re: Concepts: Security and Obscurity Daniel Miessler (Apr 11)
- RE: Concepts: Security and Obscurity Craig Wright (Apr 11)
- RE: Concepts: Security and Obscurity Craig Wright (Apr 11)
- Re: Re: Re: Concepts: Security and Obscurity lordl3ane (Apr 11)
- RE: Concepts: Security and Obscurity Craig Wright (Apr 11)
- Re: Re: Concepts: Security and Obscurity Lord Bane (Apr 11)
- RE: Concepts: Security and Obscurity Craig Wright (Apr 11)
- Re: Concepts: Security and Obscurity Daniel Miessler (Apr 11)
- Re: Re: Re: Concepts: Security and Obscurity danogh (Apr 11)
- Re: Re: Re: Re: Concepts: Security and Obscurity levinson_k (Apr 12)
- Re: RE: Concepts: Security and Obscurity levinson_k (Apr 12)
- Re: Re: Concepts: Security and Obscurity lordl3ane (Apr 12)
- Re: Concepts: Security and Obscurity Daniel Miessler (Apr 17)
- RE: Concepts: Security and Obscurity Craig Wright (Apr 12)