Security Basics mailing list archives

RE: Concepts: Security and Obscurity


From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Thu, 12 Apr 2007 08:08:03 +1000

Except that there is little if any evidence that an attacker is slowed
through obscurity or that the information is made available about an
attack.

I was in the military, and I would suggest that you fail to understand
that even life has a cost. As politically incorrect as it seems,
resources are limited and thus there is a cost to life. The idea is to
minimise it.

You state that "you can't put a cost to human life"; noble, but not
true. If this were to be true, we would put more resources to stopping
violent crime. There would be no war (as there are always casualties)
and total war would be unheard of (i.e. the concept of attacking a
civilian population).

"It's like saying don't wear camouflage because it can't stop a bullet."
No this is a different concept. It is not obscurity in the manner being
proposed. It is a manner of reducing detection. The concepts are not the
same if you take the time to think about it in more detail.

"You are either secure or not secure", I hate to think how much you must
spend on security. The bank must be about ready to go into receivership.
There are no absolutes. The law of diminishing returns means that the
more you spend on security the less of an advantage is gained.

There is always a risk. Security has no absolutes. There is only chance
and probability. Security is about reducing the chance of a success. As
an example, I could type a random password and get into a system. This
may be unlikely and improbable, but it is possible.

As for "If you are vulnerable you are vulnerable regardless of what
impact." I think that you need to spend a little time thinking this
through. There is no such thing as perfect security. There is always a
level of vulnerability. The issue is the time and cost to exploit the
vulnerability, and often there are simpler and easier ways (i.e. I could
pay a bank teller for their access - but does the cost justify the
expense, is the question).

Craig




Craig Wright
Manager of Information Systems

Direct +61 2 9286 5497
Craig.Wright () bdo com au

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO Box 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

The information in this email and any attachments is confidential.  If you are not the named addressee you must not 
read, print, copy, distribute, or use in any way this transmission or any information it contains.  If you have 
received this message in error, please notify the sender by return email, destroy all copies and delete it from your 
system. 

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls.  
You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or 
Director of BDO Kendalls.  It is your responsibility to scan this communication and any files attached for computer 
viruses and other defects.  BDO Kendalls does not accept liability for any loss or damage however caused which may 
result from this communication or any files attached.  A full version of the BDO Kendalls disclaimer, and our Privacy 
statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator () bdo com au.

BDO Kendalls is a national association of separate partnerships and entities.
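Craig's earlier message, quoted below, argues that obscurity carries an exponential maintenance cost while its protective value decays under a Poisson disclosure process, so that risk should be worked out with hazard and survival functions. The following is an added illustration, not code from anyone in this thread: the constant hazard rate, the exponential cost curve, the function names and every dollar figure are assumptions chosen to make the argument concrete.

```python
"""Added illustration (not from the thread): Craig's claim that obscurity has an
exponential maintenance cost while its protective value decays under a Poisson
(constant-hazard) disclosure process. All functional forms and figures are assumed."""
import math

def survival(hazard, t):
    """Probability the secret is still unknown at time t when disclosure is a
    Poisson process with constant hazard rate (exponential survival function)."""
    return math.exp(-hazard * t)

def expected_benefit(loss_averted, hazard, t):
    """Protection still delivered at time t: loss averted while the secret holds."""
    return loss_averted * survival(hazard, t)

def maintenance_cost(initial_cost, growth, t):
    """Assumed exponential cost of keeping the obscuring detail secret and current."""
    return initial_cost * math.exp(growth * t)

def crossover_time(loss_averted, initial_cost, hazard, growth):
    """First time t* at which cost exceeds benefit.
    Solve c0 * e^(g t) = L * e^(-h t)  ->  t* = ln(L / c0) / (g + h).
    Returns 0.0 when the control is already a loss at t = 0."""
    if initial_cost >= loss_averted:
        return 0.0
    return math.log(loss_averted / initial_cost) / (growth + hazard)

def net_value_timeline(loss_averted, initial_cost, hazard, growth, horizon, step=1.0):
    """Benefit minus cost at each step; positive entries are the 'preliminary gains',
    negative ones the period where the control costs more than it protects."""
    points = []
    t = 0.0
    while t <= horizon:
        net = expected_benefit(loss_averted, hazard, t) - maintenance_cost(initial_cost, growth, t)
        points.append((t, net))
        t += step
    return points

if __name__ == "__main__":
    # Constructed figures: $100k averted while the detail stays secret, $5k per
    # period to maintain, secret disclosed on average every 2 periods (h = 0.5),
    # maintenance cost growing 20% per period (g = 0.2).
    L, c0, h, g = 100_000, 5_000, 0.5, 0.2
    for t, net in net_value_timeline(L, c0, h, g, horizon=8):
        print(f"t={t:4.1f}  benefit-cost={net:12.2f}")
    print(f"cost exceeds benefit after t* = {crossover_time(L, c0, h, g):.2f} periods")
```

With the constructed figures the control is worth having for roughly four periods and a net loss from then on, which is the "preliminary gains, then cost exceeds benefit" shape the message describes.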

-----Original Message-----

From: jay.tomas () infosecguru com [mailto:jay.tomas () infosecguru com]
Sent: Thursday, 12 April 2007 5:10 AM
To: Craig Wright; krymson () gmail com; security-basics () securityfocus com
Subject: RE: Concepts: Security and Obscurity

You make a lot of assumptions about how people interpret security
through obscurity what it means and what costs are associated with it. I
think it gets mentioned every time I post that no one layer will protect
you, but a combination of them will better defend you. The idea is to
slow the attacker, identify you are under attack and then remediate the
exposure. No defense will protect you indefinitely. Also just because
people don't implement a concept correctly doesn't mean the underlying
premises are not valid.

To your points on cost, it is evident that you do not, nor have you ever,
participated in the military, law enforcement or another profession that
could endanger your life. You can monetarily define how much a server
costs, but you can't put a price on human life. If a credit card
processor has data loss leading to identity theft, they have to pay
folks credit monitoring for a year. If government, military or law
enforcement shirk, then people die.

It's like saying don't wear camouflage because it can't stop a bullet.

I have served in the military and know what it's like to defend, protect
life. I currently work for a bank, so I also know about cost benefit
analysis. I just disagree with such a strong biased outcry against
particular security approaches. "All" solutions should be evaluated
based on environment, and particular implementation
variables/requirements.

There is a difference between risk and security. Risk can be calculated
by a variety of models incorporating cost and loss exposure. Security is
more absolute. You are either secure or not secure. Same goes for Threat
vs. Vulnerability. Threats may or may not exist or have the capability
to cause exposure. If you are vulnerable you are vulnerable regardless
of what impact.

Jay

----- Original Message -----
From: Craig Wright [mailto:Craig.Wright () bdo com au]
To: krymson () gmail com,security-basics () securityfocus com
Sent: Wed, 11 Apr 2007 08:50:45 +1000
Subject: RE: Concepts: Security and Obscurity

Hello,
I have at no point claimed absolute security measures or cost
structures. Excuse me, but your idea that economics and finance have
nothing to do with security is pure head in the sand ignorance. Security
is a cost function - pure and simple.

I would suggest that you think about the real costs and gains in
obscurity. This is both short and long term. You may be thinking of just
your role now and no more. This is a view that ignores the total
economic costs. It also ignores the requirements of a control function.

Obscurity is not a control that may be meaningfully measured and
maintained. The effectiveness is reliant on an unknown quantity.

Please demonstrate your hypothetical controls. Stating your hypothesis
in an untestable way does nothing to further the argument.

Now the issue with security through obscurity is that people take the
initial value of the control to be the entire value of the control over
time using a discrete risk model. However, this type of risk function is
clearly a Poisson model. There is research on this (other than my own) -
[1], [2], [3], [4]. I could quote several hundred references on the
scientific evaluation of risk models. The cost function for obscurity is
exponential and the protection/risk model is Poisson.

Now what does an exponential cost with a Poisson gain give us? It means
that there may be some preliminary gains - but at an uncertainty that
gives a wide prediction interval at any reasonable level of confidence.

Next, the exponential model grows faster than the Poisson model
decreases. This means in time the cost of the control will exceed the
benefit. The requirement is that the obscurity based control needs to be
updated to remain effective and thus requires added input and thus cost.

Risk is quantitatively calculable using hazard and survival functions.
Even taking the maximum likely benefit, obscurity is not cost
effective.

Craig

References

[1] J. Herrin, B. J. Dempsey III, "WEB-Enabled Medical Databases: a
Threat to Security?", Methods of Information in Medicine, 2000, 39(4):
298-302.

[2] Manish Karir, John S. Baras, "LES: Layered Encryption Security",
Center for Satellite and Hybrid Communication Networks, Department of
Electrical and Computer Engineering & Institute for Systems Engineering,
University of Maryland, College Park, MD 20742, USA.

[3] Michael K. Bond, "Understanding Security APIs", University of
Cambridge Computer Laboratory, Jan 2004.

[4] Giovanni Vigna, "Recent Advances in Intrusion Detection: third
international workshop", RAID 2000, Toulouse.

[5] Lennart Erixon, "Even the bad times are good: a behavioural theory
of transformation pressure", Cambridge Journal of Economics,
doi:10.1093/cje/bel035.

And a little further related reading for the techniques:

Bertoin, J. Levy Processes

Bunday, B. D. An Introduction to Queueing Theory

Freund, R. J. and Wilson, W. J. Statistical Methods

Hall, P. The Bootstrap Estimate and Edgeworth Expansion

Hills, J. (ed.) New Inequalities: the Changing Distribution of Income
and Wealth in the United Kingdom

Hughes, B. D. Random Walks and Random Environments: vol. 2, Random
Environments

Kelly, F. P., Zachary, S. and Ziedins, I. (eds) Stochastic Networks:
Theory and Applications

Kleinbaum, D. G. Survival Analysis - a Self-learning Text, p. 375

Robertson, B. and Vignaux, G. A. Interpreting Evidence: Evaluating
Forensic Science in the Courtroom

Schervish, M. J. Theory of Statistics

Sen, P. K. and Singer, J. M. Large Sample Methods in Statistics, an
Introduction with Applications

Zaman, A. Statistical Foundations for Econometric Techniques


-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of krymson () gmail com
Sent: Wednesday, 11 April 2007 12:53 AM
To: security-basics () securityfocus com
Subject: RE: Concepts: Security and Obscurity

I really think you just like hearing yourself talk. And while you spout
some common axioms and economics 101 terms, they don't mean much to this
topic. Your whole fourth paragraph, while we can agree with what you
said, has nothing to do with the topic.

You assume that there are absolute security solutions instead of the
incremental security that can be experienced by pairing up some forms of
obscurity. I'll throw in my own axioms that "security is not a
state/product but rather a process/layering" and "there is no silver
bullet to security."

You also assume that gains are minimal with all obscurity, and that they
have added difficulty and lost productivity. That is not necessarily
true.

If I have two forms of obscurity that both cost the same but together
the total cost is less than the asset and thus worthwhile, I can't use
them? I have to look for something that costs less than both those
obscurities that secure the asset perfectly?



<- snip ->
What is forgotten is that there is an economic/financial cost to all
controls.

A control is only effective if the cost of the control provides more
utility than not having the control. Thus a control that provides some
security at a cost that is greater than another control is ineffective
overall.

Security by Obscurity is an ineffective control. The gains are minimal
in economic terms. The cost however is more than the pure cash/money
costs. The additional losses to productivity and added difficulty in
maintaining secrecy do not provide the required level of gains to
offset the costs and thus create a dead-weight loss in economic terms.

Thus security by obscurity is no security as the costs in real economic
terms do not bring benefit.

It is of no use to spend $1,000,000 protecting a $1,000 asset. This is a
loss and thus it is not a decision that provides security as the loss
exists even before the system goes live.
