Forwarded from: security curmudgeon <jerichoat_private>
Cc: tonyat_private

: Forwarded from: Tony | AVIEN / EWS <tonyat_private>
: Cc: steveat_private, Robat_private
:
: There are articles and papers everywhere talking about why Security
: Through Obscurity doesn't work as an effective security measure. It is
: a bureaucratic dream that if only you pretend the problem doesn't
: exist or hide its existence from the general population that the
: problem will go away.

I don't know where to begin. "Security through obscurity doesn't work" yadda yadda. This has been parroted by a majority of the security industry for a long time. For those who have only been working in the security field for the past two or three years, this is especially true. It seems they read a paper or some CISSP instructor told them and they believed it. Not only believed it, but began preaching it with a fervor typically found in bible schools or cults. If any of these "security experts" would stop to talk about obscurity over a few beers at the next conference, eyes might open a bit more. More on obscurity in a bit.

Your second sentence .. I simply can't tell if this is two separate thoughts put together in the same paragraph, or if you have made the most simple of mistakes when talking about the "security through obscurity" concept. Obscurity isn't pretending the problem doesn't exist. It isn't hiding the existence of a problem typically, just making that problem more difficult to find or reach. In a nutshell, this is no different than putting vulnerable systems behind a strong external layer of security really, where firewalls and IDS guard unpatched Windows NT boxes that haven't seen their first security patch. While the legions of certified security experts tout these policies and concepts, companies are losing out big. Relying on obscurity as the primary means of protection is a bad idea, no one will argue that. But for those taking it one step farther and saying it offers *no* security or "isn't effective", simply don't understand security or obscurity. If you break it down by the cost to implement, it's a much better value than some of the commercial products or security consultants you pay for. It certainly can have a place and is one layer of security a company should consider, in conjunction with other forms of security.

: Do the students have to develop new viruses to learn about viruses-
: no. But, to quote Albert Einstein "You cannot solve the problem with
: the same kind of thinking that has created the problem."

To quote Denzel Washington in _Training Day_: "This shit is chess, not checkers".

: Read the article I wrote on this controversial topic:
: http://netsecurity.about.com/cs/generalsecurity/a/aa060303.htm

Bland article, but it did lead me to:

http://netsecurity.about.com/cs/generalsecurity/a/aa060103.htm
Security Through Obscurity: What You Don't Know CAN Hurt You

This two page article barely nicked the surface of security, obscurity or anything related and instead seems to weakly tackle the full disclosure argument more than anything. After hinting about it a little, the article finally concludes:

    Ignorance is not bliss. Security through obscurity doesn't work. It
    only means that the bad guys know things that you don't and will
    exploit your ignorance to the fullest every opportunity they get.

If we look at the basic definition of obscurity:

http://dictionary.reference.com/search?q=obscurity

2a: The quality or condition of being unknown
2b: One that is unknown.
3a: The quality or condition of being imperfectly known or difficult to understand
3b: An instance of being imperfectly known or difficult to understand.

Your point is that obscurity is a scenario where you don't know something about your network and the attacker does. This is fundamentally wrong, even if you use the "security through obscurity" maxim like most security experts preach. Obscurity is not ignorance, it is making something more difficult to find or more unknown to the attacker. It doesn't necessarily equate to ignoring your own problems or vulnerabilities. Loyal ISN readers should add dictionary.com to their arsenal along with netsecurity.about.com I think.

Now, let's apply this to the most basic of scenarios in a network environment and see if your assertion holds true. Let's take a machine running a web server as an example, since it is a favorite place for attackers to start. Instead of running Apache or IIS or Lotus, let's run something different, that most people haven't run into, and call it BradleyHTTP. In this software, we don't identify the version of software we run, we return 301 instead of 404 and redirect them to the front page, etc. These changes sound like they meet the criteria of making the server "imperfectly known or difficult to understand" since it isn't giving clear answers to many requests (namely 404 in this example) that others do. As such, it is using obscurity as one of many layers of security.

Our attacker visits and runs their scanning software. They find BradleyHTTP instead of Apache or IIS which they prefer because they have an arsenal of attacks for those servers. They use Nikto or Whisker to scan out vulnerable CGIs or pages with exposed information, and get all false positives. Now what? What is the attacker going to do at this point? If s/he is intent on defacing web pages for personal amusement, s/he will move on to the next IP address because yours represents too much time to figure out. You have just thwarted an attacker by utilizing obscurity. If they are intent on defacing that site, they have to wade through a thousand false positives to find something vulnerable. Each time they try something, BradleyHTTP is logging it, while BradleyIDS is logging and warning, and maybe BradleyFW is cutting the route from their computer to yours. It forces that attacker to spend more time on your machine and help establish their intent (which is quite important in many cases). If they recode their scanner to deal with the 301, or if they have to look for a new point of attack, then the simple layer of obscurity was well worth the little time it took you to implement.

Another simple example is moving HTTPD off port 80 to some random unassigned port. Security experts will be quick to cry "this isn't security! security through obscurity is no security at all!". When they are done foaming at the mouth and forcing their sales information down your throat, consider it. A bulk of attackers looking to deface web pages do what? They run a scanner that checks a few simple conditions. First, is port 80 answering? Second, is it HTTP like? Third, is Vulnerable CGI 1.3 present? Fourth, can it be exploited? The attackers use these scripts and sweep entire class B networks at a time. They don't care who you are, the name of your company, or anything else. You are nothing but an IP address to them until they find you vulnerable, then they *might* care. So in this example, by moving HTTPD off port 80 to anything else did what? Protected you from one of thousands of the mass scanner/defacers out there. What elite certified security mechanism did you use to thwart the attack? Obscurity.

: Tony Bradley, CISSP, MCSE2k, MCSA, MCP, A+

Jericho, Security Curmudgeon

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
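The BradleyHTTP behaviour sketched in the post above (no software or version string in the Server header, a 301 to the front page instead of a 404, and every request logged) written out as a small runnable server. This is an added example, not code from the original post, from the ISN list, or from any real product; "BradleyHTTP" is the hypothetical name the post uses, the served path and the probed paths are constructed here, and the "not 404 means found" rule in looks_present is an assumed simplification of how a mass scanner decides a page exists, chosen to show why such a scanner gets nothing but false positives from this server.

```python
# Added example (not the post's code): a minimal HTTP server applying two of
# the obscurity measures from the post, plus the probe log that turns them
# into a detection signal. "BradleyHTTP" is the post's hypothetical name;
# KNOWN_PATHS and the demo probe paths are constructed for this example.
import http.client
import http.server
import threading
from collections import Counter

FRONT_PAGE = "/"
# Constructed: the only path the server really serves.
KNOWN_PATHS = {"/": b"<html><body>welcome</body></html>"}

# Every request path seen, with a count. Anything outside KNOWN_PATHS is a
# probe to review later (the post's "BradleyHTTP is logging it").
probe_log = Counter()


class ObscureHandler(http.server.BaseHTTPRequestHandler):
    def version_string(self):
        # Replace the default "BaseHTTP/x.y Python/3.z" with a bare, version-free name.
        return "BradleyHTTP"

    def log_message(self, fmt, *args):
        # Silence the default stderr access log; probe_log is our record.
        pass

    def do_GET(self):
        probe_log[self.path] += 1
        body = KNOWN_PATHS.get(self.path)
        if body is None:
            # No 404 that confirms "not here": send the caller to the front page.
            self.send_response(301)
            self.send_header("Location", FRONT_PAGE)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server(port=0):
    """Bind on loopback (port 0 = any free port) and serve in a daemon thread."""
    srv = http.server.HTTPServer(("127.0.0.1", port), ObscureHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(port, path):
    """One GET against the server; return (status, Server header, Location header)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Server"), resp.getheader("Location")
    finally:
        conn.close()


def looks_present(status):
    """Assumed naive scanner rule: anything but 404 means the page exists.
    Against this server that is a false positive for every unknown path."""
    return status != 404


def unknown_path_probes():
    """Paths requested that the server does not serve: the thing worth reviewing."""
    return {p: n for p, n in probe_log.items() if p not in KNOWN_PATHS}


def demo(paths=("/", "/cgi-bin/vulnerable-cgi", "/admin/")):
    """Serve, probe the constructed paths, shut down; return path -> (status, server, location)."""
    srv = start_server()
    try:
        return {p: probe(srv.server_address[1], p) for p in paths}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for path, (status, server, location) in demo().items():
        print(f"{path:26} {status} Server={server!r} Location={location!r} "
              f"naive-scanner-says-present={looks_present(status)}")
    print("unknown-path probes to review:", unknown_path_probes())
```

Running it shows the two halves of the post's argument: the scanner's view (a version-free Server header and a 301 for every guessed CGI path, which the naive rule misreads as "present") and the defender's view (probe_log, where the requests for paths the site never served are exactly the entries to look at). Moving the listener off port 80 is the third measure the post mentions; with this server that is only the port argument to start_server, which is the point about how cheap the layer is.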
This archive was generated by hypermail 2b30 : Fri Jun 13 2003 - 03:39:39 PDT