Security Basics mailing list archives

Re: Re: Re: Concepts: Security and Obscurity


From: lordl3ane () gmail com
Date: 9 Apr 2007 22:35:09 -0000

I agree with all of the comments that a determination of what controls to put in place needs to result from a relevant 
assessment of the risk to that organization.  That organization could be as simple as a small-town janitorial supply 
company or as complex and juicy as a national military or government agency.  The first reaction for many people will 
be that the janitorial supply company needs nearly no security controls while the government needs all it can afford.  
What if the janitorial supply company were the target of a larger company with links to organized crime who wanted the 
state and municipal customers?  What if the government/military were a small island-nation with a total national 
population of 50,000?  

I also think that along the way we’ve begun to use more and more “security industry” jargon, but some of the 
definitions have bled together.  We use privacy synonymously with confidentiality and with obscurity.  My understanding is 
that we’re having a discussion about topics while using “quotes” and “catch phrases” about others.  

Privacy is what I want to keep; it is a state of being secured against people I don’t want to know what I have/know/am 
doing, etc.  Confidentiality describes the security methodology I use to ensure my Privacy.  Obscurity is one of the 
controls I can implement on the road to building my Confidentiality solution, to protect my privacy.

Obscurity is just that, obscure.  It’s “hiding” rather than actually proactively keeping people out.  It’s taking a 
sign off a door, removing your registration information from your Internet domain, even disabling the headers on your 
TCP/IP services.  None of these things actively stops someone from gaining access; they just make it slightly harder.  The 
attackers must try a few doors before they find the one with the network gear, or call the company and say there’s 
something wrong with the website – can they talk with the webmaster to let them know, or bang away at each port with 
multiple services until something answers correctly.  

Port-knocking is not an obscurity-type control; it’s a form of authentication.  Changing the port number a service 
listens on would probably be classified as obscurity.  Using SSL or a tunnel VPN is encryption and authentication.  
Obscurity would be sending an e-Mail in-the-clear and just not telling anyone when you were sending it.

When we define things this way, then we can clearly see why “obscurity” doesn’t add much benefit against targeted 
attacks.  If someone is looking for e-Mail, they’ll probably intercept everything and sift through it for what they 
need.  They’ll try every door to see which one is the communications closet.  They’ll even use port scanners and bang 
away trying multiple services on each port, while they order take-away pizza and chat in IRC.

Cheers!

Eric


