Security Basics mailing list archives

Re: RE: Re: Re: Re: Concepts: Security and Obscurity


From: levinson_k () securityadmin info
Date: 13 Apr 2007 03:42:43 -0000



> Obscurity does not work.

It is impossible for you to make that assertion for all environments and situations.  "Obscurity" includes a lot of 
different things.  You cannot do a risk assessment in an ivory tower without knowledge of the specific environment, 
threats, etc.


> Here we get to the real point. Obscurity is not the factor that is
> increasing the security of the site. You have a confounding variable in
> this model. That is monitoring.

Exactly.  It is pointless in the real world to try to say that obscurity never works, because methods of obscurity are 
often inextricably tied to other benefits.  So maybe you're using a purely theoretical model that doesn't apply in the 
real world.


> To test the effectiveness of obscurity scientifically you have to remove
> or make account for the confounding variables.

This kind of pure theoretical study would have no value in actual real world security.


> In a test that is determined scientifically and without bias,
> the results show that obscurity does not reduce risk and is thus not a
> benefit.

I'd love to see such a study.  It does not exist.  Obscurity often reduces certain risks (script kiddies, viruses, 
etc.), while doing nothing to increase other risks (some determined attackers).  This is what you call your win-win 
scenario.  


> When scanning a site managed by a professional 24x7 firm, with notice, I
> have rarely had them become aware of (maybe 1 in 10) the fact that the
> client is being tested.

That's because their logs are full of junk.  Because they're not using obscurity.


> It is randomised and over time and uses event
> sequence mining to reconstruct the ruleset (i.e. maths).

I would love to see you do such a low and slow scan of a site that uses a nonstandard TCP/IP port and something like 
port knocking.  It would take you forever to assess all 65,535 TCP and UDP ports, certainly longer than your typical 
penetration testing engagement.  Therefore, obscurity works.

You keep arguing against obscurity by cherry picking these extreme cases of a very determined and experienced attacker. 
Yes, some attackers could bypass obscurity, and also antivirus, firewalls, etc.  No one ever claimed obscurity would 
prevent these things.  This does not make them useless at reducing risk.  In risk assessments, countermeasures are tied 
to specific threats they are meant to mitigate.  You are intentionally taking other irrelevant threats to try to claim 
zero effectiveness of obscurity.

You also assert that obscurity is always expensive, despite many examples to the contrary.  You are making "always" and 
"never" statements that are frequently impossible to support, certainly not by cherry picking certain extreme examples.


> I do however
> guess that gets rid of much of the "hacker" community of course these
> days as it requires that SAS, SPSS, R or some other statistical package
> is used and does not rely on a tool.

So then we are in agreement that obscurity is effective at reducing certain risks.  Thank you!


> The confusion here is that you are assuming that this is the only (or
> best) method to increase log visibility and that this will find the
> attacker.

I did not.  

But it may very well be a good method to use, as it costs little or nothing.  You cannot prove that this method is 
never a useful method.  But it is easy to prove that it might *sometimes* be a useful method.

kind regards,
Karl Levinson
http://securityadmin.info
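The two practical claims in the post above (a nonstandard, knock-protected port makes a full port sweep expensive for a low-and-slow scanner, and it keeps the junk out of the logs so that any hit on the obscured port is worth a human's attention) can be illustrated with a small script. This is an added example, not code from the original post or from either participant; the knock sequence, port numbers, host addresses and log lines are all constructed for illustration.

```python
# Added example, not from the original mailing-list post. A toy port-knock
# daemon plus a log triage routine that shows why a probe against an
# obscured (nonstandard, knock-protected) port is a high-signal event
# compared with the background noise on a well-known port.
# The knock sequence, port numbers, hosts and log lines are all constructed.
import re
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret knock (illustrative)
SERVICE_PORT = 2222                  # assumed nonstandard SSH port
KNOCK_WINDOW = 10.0                  # seconds to finish the whole sequence


@dataclass
class _KnockState:
    progress: int = 0      # how many knocks of the sequence have matched
    first_ts: float = 0.0  # time of the first matching knock


class KnockDaemon:
    """Tracks per-source knock progress; opens SERVICE_PORT for a source
    only after the full sequence arrives in order within KNOCK_WINDOW."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = sequence
        self.window = window
        self.states = {}
        self.opened = set()

    def observe(self, ts, src, dport):
        st = self.states.setdefault(src, _KnockState())
        if st.progress and ts - st.first_ts > self.window:
            st.progress = 0  # too slow: the partial sequence expires
        if dport == self.sequence[st.progress]:
            if st.progress == 0:
                st.first_ts = ts
            st.progress += 1
            if st.progress == len(self.sequence):
                self.opened.add(src)
                st.progress = 0
                return "open"
            return "partial"
        # Wrong port: reset. A hit on the first knock port restarts the
        # sequence; anything else (e.g. a port scan) throws progress away.
        st.progress = 1 if dport == self.sequence[0] else 0
        st.first_ts = ts
        return "reset"


LOG_RE = re.compile(r"ts=(\S+) src=(\S+) dport=(\d+)")

# Constructed firewall log: noise on port 22, one legitimate admin who
# knocks correctly, and one host that hits the obscured port cold.
SAMPLE_LOG = """\
ts=1.0 src=198.51.100.7 dport=22
ts=1.5 src=198.51.100.8 dport=22
ts=2.0 src=198.51.100.9 dport=22
ts=2.5 src=198.51.100.7 dport=22
ts=3.0 src=192.0.2.10 dport=7000
ts=3.2 src=192.0.2.10 dport=8000
ts=3.4 src=192.0.2.10 dport=9000
ts=3.6 src=192.0.2.10 dport=2222
ts=4.0 src=203.0.113.66 dport=2222
ts=4.1 src=203.0.113.66 dport=2223
ts=5.0 src=198.51.100.8 dport=22
"""


def triage(log_text, daemon=None):
    """Replay the log through the knock daemon and bucket each line.
    Returns counts: well-known-port noise, authorised use of the obscured
    port, and cold hits on it (the lines worth a human's attention)."""
    daemon = daemon or KnockDaemon()
    counts = {"noise_port22": 0, "authorised": 0, "suspicious": 0, "other": 0}
    for m in LOG_RE.finditer(log_text):
        ts, src, dport = float(m.group(1)), m.group(2), int(m.group(3))
        if dport == 22:
            counts["noise_port22"] += 1
        elif dport == SERVICE_PORT:
            key = "authorised" if src in daemon.opened else "suspicious"
            counts[key] += 1
        else:
            daemon.observe(ts, src, dport)
            counts["other"] += 1
    return counts


def full_sweep_days(seconds_between_probes):
    """Days needed for a 'low and slow' sweep of all 65,535 TCP plus
    65,535 UDP ports at one probe every `seconds_between_probes`."""
    return 2 * 65535 * seconds_between_probes / 86400


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(f"sweep at one probe/minute: {full_sweep_days(60):.1f} days")
```

Run as-is, the triage buckets five noise hits on port 22, one authorised use of the obscured port by the host that knocked correctly, and one cold hit on it from a host that never knocked; that single "suspicious" line is the one a monitoring team can act on. A sweep of every TCP and UDP port at one probe per minute comes out at roughly 91 days, which is the scan-time cost the post is pointing at. Out-of-order knocks and knocks that arrive after the window both reset progress, so a scanner walking the port range does not accidentally open the service.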

