RE: This computer security column is banned in Canada

[InfoSec News <isn () c4i org>]

Forwarded from: "Skroch, Michael" <mjskroc () sandia gov>

All,

I appreciate the side discussion on obscurity as an issue in security.
While I agree that unbounded reliance on obscurity is ignorant, one
should also consider that obscurity is a vital component of a
strategic or system view of security--it is valuable and useful.  As
such, I wanted to point out that unbounded belief that "obscurity is
no form of security" ignores useful techniques.  I also acknowledge
that my point is somewhat off topic considering the specific topic at
hand, but might be useful overall.

Here are some examples:

=> Symmetric-key Cryptography uses a key that must be maintained as
"obscure" or a secret in order for security to be maintained.

=> It makes sense to keep an identified particular flaw or
vulnerability "obscure" until one issues a method to resolve the flaw.  
Computer incident response groups often use this technique.

=> In the paradigm of "deter-prevent-detect-react-recover" on a
network one wishes to defend, one may implement an obscuring mechanism
after detection (as a reaction). The purpose of this is to temporarily
stop or slow down the adversary until one can further react or
recover.

A common thread here is that these methods of obscurity have
diminishing value over time.  In the first case, one should
periodically change keys in a symmetric-key cryptographic system.  In
the second case, it is foolish to not issue a patch or solution in
rapid order.  In the third solution, one cannot use the obscuring
mechanism all the time because either the adversary would know about
it before the attack or a performance degradation may be a feature of
the mechanism that is acceptable under attack, but not during other
periods.  Also, the obscuring mechanism can be analyzed over time, and
the attack may only lend the defenders minutes, hours, or days.

So I suggest that even with issues surrounding malicious code,
obscurity has a place, but must be considered as a tool with
diminishing value over time. How fast that value decays depends on the
system context and other risks, such as those suggested by Mark and
Tony.

--
Michael J. Skroch (skraw)
Manager, Information Operations Red Team & Assessments
http://www.sandia.gov/iorta/


-----Original Message-----
From: InfoSec News [mailto:isn () c4i org]
Sent: Thursday, June 12, 2003 1:40 AM
To: isn () attrition org
Subject: Re: [ISN] This computer security column is banned in Canada


Forwarded from: Mark Bernard <mbernard () nbnet nb ca>

Nice Tony,

You are absolutely correct!!

Obscurity does not make a problem go away, if fact it does nothing to
solve the problem. What it does do is increase the risk of the
vulnerability becoming exploited. Obscurity is not a form of risk
acceptance but rather a form of plain ignorance.

Like most counter measures we need to understand the problem before
solving it. The bad guys are writing malicious code so why don't the
good guys learn how to do it to so that they can mitigate the
likelihood of exploitation.

When we do vulnerability assessments or security assurance reviews we
write code, check standards, policies and back doors etc... Learning
to write malicious code is just another tool for the old tool box.


Best regards,
Mark, CISM.


----- Original Message ----- 
From: "InfoSec News" <isn () c4i org>
To: <isn () attrition org>
Sent: Thursday, June 05, 2003 5:39 AM
Subject: RE: [ISN] This computer security column is banned in Canada


> Forwarded from: Tony | AVIEN / EWS <tony () avien org>
> Cc: steve () entrenchtech com, Rob () vmyths com
>
> There are articles and papers everywhere talking about why Security
> Through Obscurity doesn't work as an effective security measure. It is
> a bureaucratic dream that if only you pretend the problem doesn't
> exist or hide its existence from the general population that the
> problem will go away.
>
> Do the students have to develop new viruses to learn about viruses-
> no. But, to quote Albert Einstein "You cannot solve the problem with
> the same kind of thinking that has created the problem."
>
> I think that to develop the next generation of virus defense we need
> people to get into the minds of the virus writers and think like them-
> use their tools, work the way they work. Maybe by doing so they can
> find the chinks in the armor before the bad guys and develop proactive
> tools instead of the reactionary virus defense we currently have.
>
> Read the article I wrote on this controversial topic:
> http://netsecurity.about.com/cs/generalsecurity/a/aa060303.htm
>
>
> Tony Bradley, CISSP, MCSE2k, MCSA, MCP, A+
> About.com Guide for Internet / Network Security
> http://netsecurity.about.com
>
> Click here to sign up for the weekly Internet / Network Security
> Newsletter: NetSecurity Newsletter



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.