Forwarded from: "Skroch, Michael" <mjskrocat_private> All, I appreciate the side discussion on obscurity as an issue in security. While I agree that unbounded reliance on obscurity is ignorant, one should also consider that obscurity is a vital component of a strategic or system view of security--it is valuable and useful. As such, I wanted to point out that unbounded belief that "obscurity is no form of security" ignores useful techniques. I also acknowledge that my point is somewhat off topic considering the specific topic at hand, but might be useful overall. Here are some examples: => Symmetric-key Cryptography uses a key that must be maintained as "obscure" or a secret in order for security to be maintained. => It makes sense to keep an identified particular flaw or vulnerability "obscure" until one issues a method to resolve the flaw. Computer incident response groups often use this technique. => In the paradigm of "deter-prevent-detect-react-recover" on a network one wishes to defend, one may implement an obscuring mechanism after detection (as a reaction). The purpose of this is to temporarily stop or slow down the adversary until one can further react or recover. A common thread here is that these methods of obscurity have diminishing value over time. In the first case, one should periodically change keys in a symmetric-key cryptographic system. In the second case, it is foolish to not issue a patch or solution in rapid order. In the third solution, one cannot use the obscuring mechanism all the time because either the adversary would know about it before the attack or a performance degradation may be a feature of the mechanism that is acceptable under attack, but not during other periods. Also, the obscuring mechanism can be analyzed over time, and the attack may only lend the defenders minutes, hours, or days. So I suggest that even with issues surrounding malicious code, obscurity has a place, but must be considered as a tool with diminishing value over time. How fast that value decays depends on the system context and other risks, such as those suggested by Mark and Tony. -- Michael J. Skroch (skraw) Manager, Information Operations Red Team & Assessments http://www.sandia.gov/iorta/ -----Original Message----- From: InfoSec News [mailto:isnat_private] Sent: Thursday, June 12, 2003 1:40 AM To: isnat_private Subject: Re: [ISN] This computer security column is banned in Canada Forwarded from: Mark Bernard <mbernardat_private> Nice Tony, You are absolutely correct!! Obscurity does not make a problem go away, if fact it does nothing to solve the problem. What it does do is increase the risk of the vulnerability becoming exploited. Obscurity is not a form of risk acceptance but rather a form of plain ignorance. Like most counter measures we need to understand the problem before solving it. The bad guys are writing malicious code so why don't the good guys learn how to do it to so that they can mitigate the likelihood of exploitation. When we do vulnerability assessments or security assurance reviews we write code, check standards, policies and back doors etc... Learning to write malicious code is just another tool for the old tool box. Best regards, Mark, CISM. ----- Original Message ----- From: "InfoSec News" <isnat_private> To: <isnat_private> Sent: Thursday, June 05, 2003 5:39 AM Subject: RE: [ISN] This computer security column is banned in Canada > Forwarded from: Tony | AVIEN / EWS <tonyat_private> > Cc: steveat_private, Robat_private > > There are articles and papers everywhere talking about why Security > Through Obscurity doesn't work as an effective security measure. It is > a bureaucratic dream that if only you pretend the problem doesn't > exist or hide its existence from the general population that the > problem will go away. > > Do the students have to develop new viruses to learn about viruses- > no. But, to quote Albert Einstein "You cannot solve the problem with > the same kind of thinking that has created the problem." > > I think that to develop the next generation of virus defense we need > people to get into the minds of the virus writers and think like them- > use their tools, work the way they work. Maybe by doing so they can > find the chinks in the armor before the bad guys and develop proactive > tools instead of the reactionary virus defense we currently have. > > Read the article I wrote on this controversial topic: > http://netsecurity.about.com/cs/generalsecurity/a/aa060303.htm > > > Tony Bradley, CISSP, MCSE2k, MCSA, MCP, A+ > About.com Guide for Internet / Network Security > http://netsecurity.about.com > > Click here to sign up for the weekly Internet / Network Security > Newsletter: NetSecurity Newsletter - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Jun 13 2003 - 03:54:42 PDT