Security Basics mailing list archives

Re: Re: Concepts: Security and Obscurity


From: levinson_k () securityadmin info
Date: 5 Apr 2007 17:59:09 -0000

I couldn't agree more with the article.

The suggestion that obscurity is bad because it introduces brittleness or insecurity into an otherwise secure system 
only applies to certain circumstances.  The quoted passage mentioning Kerckhoffs's Principle applies more to some 
security topics (like cryptography and the open source vs. closed source debate) and not at all to other topics.  
Changing the TCP port that an SSH or other server listens on does not in any way make that server more brittle or 
vulnerable.  (Unless maybe you argue that the server would be missed by corporate vulnerability assessment scanners 
that just scan standard ports and would otherwise discover it is missing patches.)  

Changing the listening TCP port can save you and your log files from lots of noise and script kiddie scans, making it 
easier to monitor your log files for intrusion and helping to protect you from future unpatched vulns.

The argument that obscurity is bad because it is not a reliable countermeasure is also bogus.  Few if any 
countermeasures are 100% reliable.  Countermeasures are almost always meant to manage and reduce risk, not eliminate 
it.  Antivirus, firewalls and SSL/TLS are not 100% reliable, and yet most of us continue to use and depend on them, and 
rightly so.

Another argument used against obscurity is that the time and effort spent to configure it outweighs the potential 
benefit.  That could be true in a few cases, but whether or not it is true would vary from situation to situation.  In 
most cases, configuring obscurity takes very little time or money.

One of the things that has historically made MS Windows such an attractive and easy target is its uniformity that makes 
such a large number of systems predictable and knowable in their configuration.

kind regards,
Karl Levinson
http://securityadmin.info

