Security Basics mailing list archives

RE: Concepts: Security and Obscurity


From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Wed, 11 Apr 2007 15:36:36 +1000

To translate: "Limiting access to a potentially vulnerable daemon by
99.9% of the Internet population."

You get....
Control:
Limit the number of people who are likely to access this daemon to
1,114,274 people (1). Of these, the sample is skewed to contain a greater
number of people who are likely to attempt to exploit the vulnerable daemon.
Of these, the sample of people contains, by proportion, a greater number of
people who are able to break the service and also cover their tracks than
the normal population of users.

Costs:
1       Running a vulnerable service with a false sense of security and
little concern
2       Documentation of the service and the time to reconfigure devices

Thus the summary is that there is no gain and some cost.

Now if you consider the number of people who scan well-known ports
against those who scan for "hidden" ports, and the levels of skill,
what you have done is make the site a target.

You have done nothing to stop those with skills (and thus who are more
likely to compromise the system) from attacking - but have removed some
of the noise element as the script kiddies generally scan for attacks
they have exploits for. Thus the resultant population consists of people
who have a greater likelihood of compromising the system and these
people have not been controlled at all.

Bearing in mind that the population of users who have found the port are
unlikely to be those with valid reasons, you have not secured the daemon
at all. With the current Honeynet statistics, you may survive in this
state for 72 hours or so...

The system of algebraically assigning a number for each control is not
mathematically valid. Survival in this situation forms a Poisson model
on the length of time that the service is maintained in a "secure"
state. In this, the additional benefit would (even if algebraically
equal, which is not the case) be included as an additional factor to an
inverse exponential. Thus it would have a minimal additional effect.

The manner in which you have assigned values to risk is not mathematically
sound. There are centuries of research into risk. Survival models apply
to IT risk as well. Making up numbers to state that an added layer of
security is an improvement is unscientific at best and does nothing to
improve the risk modelling process.

Regards,
Craig

(1) World Internet User Statistics were updated on Mar. 10, 2007 [Total
World Internet Users = 1,114,274,426]

References:
C. Bailey Lee, C. Roedel and E. Silenok, "Detection and Characterization
of Port Scan Attacks", Department of Computer Science & Engineering,
University of California, San Diego.

S. Northcutt, Network Intrusion Detection: An Analyst's Handbook. New
Riders, Indianapolis, 1999, p. 125.

Agenda and Work Plan. Computer Security Incident Response Team (CSIRT),
Florida State University, http://www.security.fsu.edu/csirt_mtg

S. Staniford, V. Paxson and N. Weaver, "How to 0wn the Internet in Your
Spare Time", USENIX Security Symposium, August 2002.

And of course:
"Know Your Enemy: Statistics" http://www.honeynet.org/papers/stats/



Craig Wright
Manager of Information Systems

Direct +61 2 9286 5497
Craig.Wright () bdo com au

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO Box 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au


-----Original Message-----

From: Daniel Miessler [mailto:daniel () dmiessler com] 
Sent: Wednesday, 11 April 2007 2:52 PM
To: Craig Wright
Cc: krymson () gmail com; security-basics () securityfocus com
Subject: Re: Concepts: Security and Obscurity


On Apr 10, 2007, at 6:50 PM, Craig Wright wrote:

Please demonstrate your hypothetical controls. Stating your hypothesis
in an untestable way does nothing to further the argument.

Control:
Limiting access to a potentially vulnerable daemon by 99.9% of the
Internet population. So legitimate users are allowed in without
issue, while nobody else on the Internet even knows a daemon exists.

Cost:
Configure your firewall device to handle PK or SPA and deploy the
augmented client.

--

In my view this is a big win for the organization if the technologies
can be used. Not all infrastructures support PK or SPA technology
yet, but one can imagine them being used for VPNs and a number of
other applications.

But that isn't even the point: the point is that just because
obscurity is used as part of the total approach does NOT mean the
system is somehow weakened. The Kerckhoffs Principle applies when
security RESTS on secrecy, not when it's added as a layer on top of
existing systems.

As an example, if you have a tested VPN system that gave, say, 7
points of security (lame, but bear with me). So you then added a
layer of obscurity on top of it that gave an additional 2 points,
you'd have a total of 9. Well, if you have a compromise to your
obscurity of said system, what would you fall back to?

4?

2?

No -- 5.

5 is what you started with WITHOUT the layer, so you can't fall below
that. This is true simply because the two layers are independent of
each other. We're not talking about a cryptographic algorithm where
the scrutiny of the algorithm is PART of the security itself.

In this case we're building a completely isolated and independent
layer, and as such the Kerckhoffs principle does not apply. Again, 5 +
2 - 2 = 5, not less than 5.

--
Daniel Miessler
E: daniel () dmiessler com
W: http://dmiessler.com
G: 0xDA6D50EAC
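Craig's survival-model objection, carried through as an added worked example (this code is not from either poster): time to compromise is treated as a Poisson process with the quoted 72-hour mean, and the 99.9% population cut enters as a multiplicative factor on the hazard rate rather than as Daniel's additive "points". The skill skew of the attackers who remain (`skill_factor`) is a constructed parameter, not a measured value.

```python
import math

BASELINE_MTTC_HOURS = 72.0  # the "72 hours or so" Honeynet figure quoted in the thread
REMOVED_FRACTION = 0.999    # "Limiting access ... by 99.9% of the Internet population"


def hazard_from_mttc(mttc_hours: float) -> float:
    """Exponential (Poisson-process) survival: hazard rate = 1 / mean time to compromise."""
    return 1.0 / mttc_hours


def survival(lam: float, t_hours: float) -> float:
    """P(daemon still uncompromised at time t) = exp(-lambda * t)."""
    return math.exp(-lam * t_hours)


def effective_hazard(lam_base: float, population_fraction: float, skill_factor: float) -> float:
    """Obscurity enters the model as a factor on lambda, not as an added score.

    population_fraction: share of scanners who still find the daemon.
    skill_factor (>= 1): how much more likely per head the remaining scanners
    are to succeed, because the traffic filtered out was mostly the unskilled
    script-kiddie noise (constructed parameter, not a measured value).
    """
    return lam_base * population_fraction * skill_factor


def mttc_with_obscurity(skill_factor: float) -> float:
    """Mean time to compromise after the layer, starting from the 72 h baseline."""
    lam = effective_hazard(hazard_from_mttc(BASELINE_MTTC_HOURS),
                           1.0 - REMOVED_FRACTION, skill_factor)
    return 1.0 / lam


if __name__ == "__main__":
    lam0 = hazard_from_mttc(BASELINE_MTTC_HOURS)
    print(f"baseline: P(survive 72 h) = {survival(lam0, 72):.3f}")
    # Sweep the skill skew: the same 99.9% population cut gives very different
    # outcomes depending on how concentrated the remaining attackers are.
    for skill in (1.0, 10.0, 100.0, 1000.0):
        lam = effective_hazard(lam0, 1.0 - REMOVED_FRACTION, skill)
        print(f"skill_factor={skill:>6}: MTTC = {1 / lam:>9.0f} h, "
              f"P(survive 72 h) = {survival(lam, 72):.3f}")
```

With a skill factor of 1000 the hazard returns exactly to the baseline, which is the numerical form of Craig's claim that the filtered population "has not been controlled at all".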