Security Basics mailing list archives
Re: Re: Concepts: Security and Obscurity
From: levinson_k () securityadmin info
Date: 5 Apr 2007 17:59:09 -0000
I couldn't agree more with the article. The suggestion that obscurity is bad because it introduces brittleness or insecurity into an otherwise secure system only applies to certain circumstances. The quoted passage mentioning Kerckhoffs's Principle applies more to some security topics (like cryptography and the open source vs. closed source debate) and not at all to other topics.

Changing the TCP port that an SSH or other server listens on does not in any way make that server more brittle or vulnerable. (Unless maybe you argue that the server would be missed by corporate vulnerability assessment scanners that just scan standard ports and would otherwise discover it is missing patches.) Changing the listening TCP port can save you and your log files from lots of noise and script kiddie scans, making it easier to monitor your log files for intrusion and helping to protect you from future unpatched vulns.

The argument that obscurity is bad because it is not a reliable countermeasure is also bogus. Few if any countermeasures are 100% reliable. Countermeasures are almost always meant to manage and reduce risk, not eliminate it. Antivirus, firewalls and SSL/TLS are not 100% reliable, and yet most of us continue to use and depend on them, and rightly so.

Another argument used against obscurity is that the time and effort spent to configure it outweighs the potential benefit. That could be true in a few cases, but whether or not it is true would vary from situation to situation. In most cases, configuring obscurity takes very little time or money.

One of the things that has historically made MS Windows such an attractive and easy target is its uniformity, which makes such a large number of systems predictable and knowable in their configuration.

kind regards,
Karl Levinson
http://securityadmin.info