Security Basics mailing list archives

RE: Concepts: Security and Obscurity


From: "Ken Kousky" <kkousky () ip3inc com>
Date: Thu, 5 Apr 2007 14:23:53 -0400

I think most of the strong feelings on this issue are rooted in attitudes
developed in reaction to many of our current federal policies that involve
classification of absurd amounts of information that are vital for
meaningful public policy debate. 

Remember you can protect confidentiality a la Bell-LaPadula with no writes
down, or you can protect data integrity with no reads down. 

We've got policy made on unvetted and undisclosed data all under the
pretence of protecting the confidentiality of sources. It's this debate that
has made the arguments against obscurity for security purposes a religion
amongst many security professionals. Many would say security by obscurity
allowed too much policy information to be hidden from public scrutiny.

I think the same holds for most organizations' internal policies. Your
systems and policies need public vetting.


KWK
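The two lattice rules mentioned above, written out as access checks. This is an added example, not code from the thread: the "no writes down" confidentiality rule is Bell-LaPadula's *-property, and the "no reads down" integrity rule (which the post does not name) is Biba's simple integrity property. The level names are constructed for the example.

```python
from enum import IntEnum
from itertools import product


class Level(IntEnum):
    """A totally ordered set of labels: higher means more sensitive (BLP)
    or more trustworthy (Biba). Names are constructed for this example."""
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula, confidentiality: no read up, no write down."""
    if op == "read":
        return subject >= obj      # simple security property: no read up
    if op == "write":
        return subject <= obj      # *-property: a SECRET subject may not write PUBLIC
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba, integrity: no read down, no write up (the dual of BLP)."""
    if op == "read":
        return subject <= obj      # a trusted subject must not read untrusted data
    if op == "write":
        return subject >= obj      # an untrusted subject must not write trusted data
    raise ValueError(f"unknown operation {op!r}")


def both_allow(subject: Level, obj: Level, op: str) -> bool:
    """Enforce both models on the same label lattice."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def permitted_triples(check) -> set:
    """Every (subject, object, op) triple the given check allows."""
    return {
        (s, o, op)
        for s, o, op in product(Level, Level, ("read", "write"))
        if check(s, o, op)
    }


if __name__ == "__main__":
    total = len(Level) ** 2 * 2
    for name, check in (("BLP", blp_allows), ("Biba", biba_allows), ("both", both_allow)):
        print(f"{name}: {len(permitted_triples(check))} of {total} accesses allowed")
```

Enumerating the permitted triples shows the practical cost of stacking the two models on one lattice: once both rules apply, a subject can only read and write objects at exactly its own level, which is why real systems label confidentiality and integrity separately.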

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of krymson () gmail com
Sent: Thursday, April 05, 2007 9:35 AM
To: security-basics () securityfocus com
Subject: Re: Concepts: Security and Obscurity


I think too many people knee-jerk and say, "security through obscurity is
bad!" to lots of things. They've heard the phrase spoken by other experts so
that must be the answer. But is a password really much more than obscurity
itself? I think Dave is correct. Security through obscurity ALONE is bad.
But it certainly can reduce risk in security measures...  When experts
typically use this phrase, they, sadly, leave unspoken that "alone" part at
the end even though that is really what they mean.

One problem I have with people who dismiss security measures is the
assumptions they imply. By saying a security measure is useless and
therefore not needed (no matter if it does offer some level of security that
is above zero and below perfect), such people are implying that only a
perfect security measure will satisfy their needs. And I think it should be
an accepted assumption that there is no perfect security measure (silver
bullet). Lots of those people just argue for the sake of arguing without
really examining their own unspoken assumptions...

Another dangerous assumption deals with threats. What sorts of threats are
your arguments geared towards defending against? Some people are gearing all
of their security measures towards the dedicated, driven, uber-hacker.
Others realize there are many other less-skilled opportunistic insiders and
drive-bys that also pose a threat. Gear yourself towards just one, and you
might find yourself surprised by the other (or spending so much of your
org's money that you run yourself into a very deep hole...).


I'm a decent fan of port knocking. It is not foolproof and you can
misconfigure it, but I really like the added layer of obscurity. You need a
specific sequence to open up the service to you. Just like you need a
password to open up a service to you. You can still sniff or brute it, but
you don't necessarily know something is there to brute and you might not
realize what you're seeing when sniffing a port knock...
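A small simulation of the port-knocking mechanism described in the quoted message. This is an added example, not code from the thread or from any knock daemon; the knock sequence, the protected port and the source addresses are constructed values. It models the daemon watching inbound SYNs and the firewall opening the protected port per source, and walks through the cases the message raises: the port is invisible to a direct probe, the opening is temporary, and a sniffed sequence replays from another address.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class KnockDaemon:
    """Watches inbound SYNs and opens the protected port for a source address
    once it has hit the knock sequence in order and within the timeout."""
    sequence: List[int]                 # knock ports, in order (constructed)
    protected_port: int                 # the service the knocks open
    knock_timeout: float = 10.0         # seconds allowed for the whole sequence
    open_duration: float = 30.0         # seconds the port stays open per client
    _progress: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # src -> (next index, start)
    _opened: Dict[str, float] = field(default_factory=dict)                # src -> expiry time

    def is_open(self, src: str, now: float) -> bool:
        expiry = self._opened.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self._opened[src]       # rule expired; the client must knock again
            return False
        return True

    def handle_syn(self, src: str, dst_port: int, now: float) -> bool:
        """Process one inbound SYN. Returns True if the firewall accepts it."""
        if dst_port == self.protected_port and self.is_open(src, now):
            return True                 # an opened client reaching the service
        # Every other SYN is dropped, but the daemon observes it as a knock.
        idx, started = self._progress.get(src, (0, now))
        if idx > 0 and now - started > self.knock_timeout:
            idx, started = 0, now       # too slow: start over
        if dst_port == self.sequence[idx]:
            idx += 1                    # expected port: advance
        elif dst_port == self.sequence[0]:
            idx, started = 1, now       # wrong port, but it restarts the sequence
        else:
            idx = 0                     # any other port (a probe of the protected
                                        # port included) resets the sequence
        if idx == len(self.sequence):
            self._opened[src] = now + self.open_duration
            self._progress.pop(src, None)
        elif idx == 0:
            self._progress.pop(src, None)
        else:
            self._progress[src] = (idx, started)
        return False


def run_scenario() -> Dict[str, bool]:
    """Constructed traffic showing what knocking does and does not buy you."""
    d = KnockDaemon(sequence=[7000, 8000, 9000], protected_port=22)
    out = {}
    # 1. A scanner probes port 22 directly: nothing answers.
    out["probe_before_knock"] = d.handle_syn("203.0.113.5", 22, 0.0)
    # 2. The right sequence, in time, opens 22 for that source only.
    for i, p in enumerate([7000, 8000, 9000]):
        d.handle_syn("198.51.100.7", p, 1.0 + i)
    out["after_correct_knock"] = d.handle_syn("198.51.100.7", 22, 5.0)
    # 3. Right ports, wrong order: stays closed.
    for i, p in enumerate([8000, 7000, 9000]):
        d.handle_syn("203.0.113.5", p, 6.0 + i)
    out["after_wrong_order"] = d.handle_syn("203.0.113.5", 22, 10.0)
    # 4. Right order, too slow (12 s between first and last knock): stays closed.
    for i, p in enumerate([7000, 8000, 9000]):
        d.handle_syn("203.0.113.9", p, 20.0 + 6.0 * i)
    out["after_slow_knock"] = d.handle_syn("203.0.113.9", 22, 33.0)
    # 5. The opening is temporary (opened at t=3.0, expires at t=33.0).
    out["after_expiry"] = d.handle_syn("198.51.100.7", 22, 35.0)
    # 6. The caveat in the message: whoever sniffed the sequence can replay it.
    for i, p in enumerate([7000, 8000, 9000]):
        d.handle_syn("192.0.2.66", p, 40.0 + i)
    out["sniffed_replay"] = d.handle_syn("192.0.2.66", 22, 44.0)
    return out


if __name__ == "__main__":
    for case, accepted in run_scenario().items():
        print(f"{case:22s} -> {'accepted' if accepted else 'dropped'}")
```

Case 6 is the point of the "alone" qualifier in the message: a static knock sequence is a shared secret sent in the clear, so it hides the service from scanners but does nothing against an observer on the path, and the real protection still has to come from whatever authentication the opened service performs.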

