Security Basics mailing list archives
RE: Concepts: Security and Obscurity
From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Thu, 12 Apr 2007 08:52:56 +1000
As for human life, I suggest that you read:

Catastrophe: Risk and Response (Oxford University Press, 2004) by Richard A. Posner

Morality, economics and life, Leslie Armour, International Journal of Social Economics, ISSN 0306-8293, Oct 1999, Volume 26, Issue 10/11, pp. 1199-1226, DOI: 10.1108/03068299910292497

As unfortunate as it may be, life is not infinitely valued and cannot be so in a world of limited resources. Policy decisions are made daily by corporations, judges and governments. The value of life is finite. We live on Earth, our resources are limited - there is no Garden of Eden to fall back on. As politically incorrect as it may seem, we all make value decisions; just some of us acknowledge them and others live in a state of denial.

Security is an economic decision. There are always tradeoffs - people vs. technology, training vs. automated controls, etc. There is always risk and always cost. To ignore this fact is to not provide the best level of security for the financial and other economic constraints being faced.

All encryption is crackable. The only thing stopping this vulnerability is the cost. Putting enough money into enough time, people and machines makes this so. The issue is that the cost of an attack also rises, and thus adding layers that increase the cost of an attack by more than the cost of deployment is effective. Adding a layer that does not increase the cost of an attack is not effective.

Craig

Craig Wright
Manager of Information Systems
Direct +61 2 9286 5497
Craig.Wright () bdo com au
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO Box 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system. Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator () bdo com au. BDO Kendalls is a national association of separate partnerships and entities.

-----Original Message-----
From: jay.tomas () infosecguru com [mailto:jay.tomas () infosecguru com]
Sent: Thursday, 12 April 2007 5:10 AM
To: Craig Wright; krymson () gmail com; security-basics () securityfocus com
Subject: RE: Concepts: Security and Obscurity

You make a lot of assumptions about how people interpret security through obscurity, what it means and what costs are associated with it. I think it gets mentioned every time I post that no one layer will protect you, but a combination of them will better defend you. The idea is to slow the attacker, identify you are under attack and then remediate the exposure. No defense will protect you indefinitely. Also, just because people don't implement a concept correctly doesn't mean the underlying premises are not valid.
To your points on cost, it is evident that you do not, nor have you ever, participated in the military, law enforcement or another profession that could endanger your life. You can monetarily define how much a server costs, but you can't put a price on human life. If a credit card processor has a data loss leading to identity theft, they have to pay folks credit monitoring for a year. If government, military or law enforcement shirk, then people die. It's like saying don't wear camouflage because it can't stop a bullet. I have served in the military and know what it's like to defend and protect life. I currently work for a bank, so I also know about cost benefit analysis. I just disagree with such a strong biased outcry against particular security approaches. "All" solutions should be evaluated based on environment and particular implementation variables/requirements.

There is a difference between risk and security. Risk can be calculated by a variety of models incorporating cost and loss exposure. Security is more absolute. You are either secure or not secure. Same goes for threat vs. vulnerability. Threats may or may not exist or have the capability to cause exposure. If you are vulnerable, you are vulnerable regardless of the impact.

Jay

----- Original Message -----
From: Craig Wright [mailto:Craig.Wright () bdo com au]
To: krymson () gmail com, security-basics () securityfocus com
Sent: Wed, 11 Apr 2007 08:50:45 +1000
Subject: RE: Concepts: Security and Obscurity

Hello,

I have at no point claimed absolute security measures or cost structures. Excuse me, but your idea that economics and finance have nothing to do with security is pure head-in-the-sand ignorance. Security is a cost function, pure and simple. I would suggest that you think about the real costs and gains in obscurity. This is both short and long term. You may be thinking of just your role now and no more. This is a view that ignores the total economic costs. It also ignores the requirements of a control function.
Obscurity is not a control that may be meaningfully measured and maintained. Its effectiveness is reliant on an unknown quantity. Please demonstrate your hypothetical controls. Stating your hypothesis in an untestable way does nothing to further the argument.

Now the issue with security through obscurity is that people take the initial value of the control to be the entire value of the control over time, using a discrete risk model. However, this type of risk function is clearly a Poisson model. There is research on this (other than my own) - [1], [2], [3], [4]. I could quote several hundred references on the scientific evaluation of risk models.

The cost function for obscurity is exponential and the protection/risk model is Poisson. Now what does an exponential cost with a Poisson gain give us? It means that there may be some preliminary gains, but at an uncertainty that gives a wide prediction interval at any reasonable level of confidence. Next, the exponential model grows faster than the Poisson model decreases. This means that in time the cost of the control will exceed the benefit. The requirement is that the obscurity-based control needs to be updated to remain effective and thus requires added input and thus cost.

Risk is quantitatively calculable using hazard and survival functions. Even taking the maximum likely benefit, obscurity is not cost effective.

Craig

References

[1] J. Herrin, B. J. Dempsey III, "WEB-Enabled Medical Databases: a Threat to Security?", Methods of Information in Medicine, 2000, 39(4): 298-302 (Issue 4/5 2000).
[2] Manish Karir, John S. Baras, "LES: Layered Encryption Security", Center for Satellite and Hybrid Communication Networks, Department of Electrical and Computer Engineering & Institute for Systems Engineering, University of Maryland, College Park, MD 20742, USA.
[3] Michael K. Bond, "Understanding Security APIs", University of Cambridge Computer Laboratory, Jan 2004.
[4] Giovanni Vigna, "Recent Advances in Intrusion Detection: third international workshop", RAID 2000, Toulouse.
[5] Lennart Erixon, "Even the bad times are good: a behavioural theory of transformation pressure", Cambridge Journal of Economics, doi:10.1093/cje/bel035.

And a little further related reading for the techniques:

Bertoin, J. Levy Processes
Bunday, B. D. An Introduction to Queueing Theory
Freund, R. J. and Wilson, W. J. Statistical Methods
Hall, P. The Bootstrap Estimate and Edgeworth Expansion
Hills, J. (ed.) New Inequalities: the Changing Distribution of Income and Wealth in the United Kingdom
Hughes, B. D. Random Walks and Random Environments: vol. 2, Random Environments
Kelly, F. P., Zachary, S. and Ziedins, I. (eds) Stochastic Networks: Theory and Applications
Kleinbaum, D. G. Survival Analysis - a Self-learning Text, p. 375
Robertson, B. and Vignaux, G. A. Interpreting Evidence: Evaluating Forensic Science in the Courtroom
Schervish, M. J. Theory of Statistics
Sen, P. K. and Singer, J. M. Large Sample Methods in Statistics, an Introduction with Applications
Zaman, A. Statistical Foundations for Econometric Techniques

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of krymson () gmail com
Sent: Wednesday, 11 April 2007 12:53 AM
To: security-basics () securityfocus com
Subject: RE: Concepts: Security and Obscurity

I really think you just like hearing yourself talk. And while you spout some common axioms and economics 101 terms, they don't mean much to this topic. Your whole fourth paragraph, while we can agree with what you said, has nothing to do with the topic. You assume that there are absolute security solutions instead of the incremental security that can be experienced by pairing up some forms of obscurity. I'll throw in my own axioms that "security is not a state/product but rather a process/layering" and "there is no silver bullet to security." You also assume that gains are minimal with all obscurity, and that they have added difficulty and lost productivity. That is not necessarily true. If I have two forms of obscurity that both cost the same but together the total cost is less than the asset and thus worthwhile, I can't use them? I have to look for something that costs less than both those obscurities that secures the asset perfectly?
<- snip ->

What is forgotten is that there is an economic/financial cost to all controls. A control is only effective if the cost of the control provides more utility than not having the control. Thus a control that provides some security at a cost that is greater than another control is ineffective overall. Security by obscurity is an ineffective control. The gains are minimal in economic terms. The cost, however, is more than the pure cash/money costs. The additional losses to productivity and added difficulty in maintaining secrecy do not provide the required level of gains to offset the costs and thus create a dead-weight loss in economic terms. Thus security by obscurity is no security, as the costs in real economic terms do not bring benefit. It is of no use to spend $1,000,000 protecting a $1,000 asset. This is a loss and thus it is not a decision that provides security, as the loss exists even before the system goes live.
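Craig's claim that an obscurity control's benefit decays on a Poisson/survival model while its upkeep cost grows exponentially, worked through as an added illustration that belongs to none of the posters: it assumes a constant discovery hazard (so the secret's survival function is exp(-lambda*t)), a geometric maintenance cost and constructed dollar figures, and it also puts the $1,000,000-for-a-$1,000-asset point into annualised loss expectancy form.

```python
import math

def secret_survival(discovery_rate, year):
    """Survival function of an obscurity control: probability that the
    obscured detail is still unknown to attackers at the start of `year`,
    assuming discoveries arrive as a Poisson process with constant hazard
    `discovery_rate` per year (an assumed model, not any poster's figures)."""
    return math.exp(-discovery_rate * year)

def obscurity_ledger(loss_avoided, discovery_rate, base_cost, cost_growth, horizon):
    """Year-by-year cumulative expected benefit and cumulative cost.

    Benefit in a year: `loss_avoided` weighted by the chance the secret
    still holds (Poisson decay).  Cost in a year: `base_cost` grown
    geometrically by `cost_growth`, mirroring the 'exponential cost' of
    re-obscuring after each leak.  Returns (year, cum_benefit, cum_cost)."""
    ledger, cum_benefit, cum_cost = [], 0.0, 0.0
    for year in range(horizon):
        cum_benefit += loss_avoided * secret_survival(discovery_rate, year)
        cum_cost += base_cost * (1 + cost_growth) ** year
        ledger.append((year, round(cum_benefit, 2), round(cum_cost, 2)))
    return ledger

def breakeven_year(ledger):
    """First year in which cumulative cost exceeds cumulative expected
    benefit, i.e. the point at which the control stops paying for itself;
    None if that never happens inside the horizon."""
    for year, benefit, cost in ledger:
        if cost > benefit:
            return year
    return None

def control_is_worthwhile(asset_value, annual_loss_probability, loss_reduction, control_cost):
    """Annualised loss expectancy form of the $1,000,000-vs-$1,000 point:
    buy the control only if the expected loss it removes per year exceeds
    its yearly cost."""
    ale_before = asset_value * annual_loss_probability
    loss_removed = ale_before * loss_reduction
    return loss_removed > control_cost

if __name__ == "__main__":
    # Constructed figures: $10k/year of loss avoided while the secret holds,
    # one expected discovery every two years, $2k/year upkeep growing 40%/year.
    ledger = obscurity_ledger(10_000, 0.5, 2_000, 0.4, 8)
    for row in ledger:
        print("year %d  benefit %10.2f  cost %10.2f" % row)
    print("cost overtakes benefit in year:", breakeven_year(ledger))   # 5
    print(control_is_worthwhile(1_000, 0.5, 1.0, 1_000_000))           # False
```

With flat upkeep (cost_growth of 0) the same secret never becomes a net loss inside the eight-year horizon, which is the difference between the discrete and the time-dependent view the message is arguing about.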