RE: [ISN] This computer security column is banned in Canada

From: InfoSec News (isnat_private)
Date: Fri Jun 13 2003 - 01:33:31 PDT

    Forwarded from: "Skroch, Michael" <mjskrocat_private>
    
    All,
    
    I appreciate the side discussion on obscurity as an issue in security.
    While I agree that unbounded reliance on obscurity is ignorant, one
    should also consider that obscurity is a vital component of a
    strategic or system view of security--it is valuable and useful.  As
    such, I wanted to point out that unbounded belief that "obscurity is
    no form of security" ignores useful techniques.  I also acknowledge
    that my point is somewhat off topic considering the specific topic at
    hand, but might be useful overall.
    
    Here are some examples:
    
    => Symmetric-key Cryptography uses a key that must be maintained as
    "obscure" or a secret in order for security to be maintained.
    
    => It makes sense to keep an identified particular flaw or
    vulnerability "obscure" until one issues a method to resolve the flaw.  
    Computer incident response groups often use this technique.
    
    => In the paradigm of "deter-prevent-detect-react-recover" on a
    network one wishes to defend, one may implement an obscuring mechanism
    after detection (as a reaction). The purpose of this is to temporarily
    stop or slow down the adversary until one can further react or
    recover.
    
    A common thread here is that these methods of obscurity have
    diminishing value over time.  In the first case, one should
    periodically change keys in a symmetric-key cryptographic system.  In
    the second case, it is foolish to not issue a patch or solution in
    rapid order.  In the third solution, one cannot use the obscuring
    mechanism all the time because either the adversary would know about
    it before the attack or a performance degradation may be a feature of
    the mechanism that is acceptable under attack, but not during other
    periods.  Also, the obscuring mechanism can be analyzed over time, and
    the attack may only lend the defenders minutes, hours, or days.
    
    So I suggest that even with issues surrounding malicious code,
    obscurity has a place, but must be considered as a tool with
    diminishing value over time. How fast that value decays depends on the
    system context and other risks, such as those suggested by Mark and
    Tony.
    
    --
    Michael J. Skroch (skraw)
    Manager, Information Operations Red Team & Assessments
    http://www.sandia.gov/iorta/
    
    
    -----Original Message-----
    From: InfoSec News [mailto:isnat_private]
    Sent: Thursday, June 12, 2003 1:40 AM
    To: isnat_private
    Subject: Re: [ISN] This computer security column is banned in Canada
    
    
    Forwarded from: Mark Bernard <mbernardat_private>
    
    Nice Tony,
    
    You are absolutely correct!!
    
    Obscurity does not make a problem go away, in fact it does nothing to
    solve the problem. What it does do is increase the risk of the
    vulnerability becoming exploited. Obscurity is not a form of risk
    acceptance but rather a form of plain ignorance.
    
    Like most countermeasures we need to understand the problem before
    solving it. The bad guys are writing malicious code so why don't the
    good guys learn how to do it too so that they can mitigate the
    likelihood of exploitation.
    
    When we do vulnerability assessments or security assurance reviews we
    write code, check standards, policies and back doors etc... Learning
    to write malicious code is just another tool for the old tool box.
    
    
    Best regards,
    Mark, CISM.
    
    
    ----- Original Message ----- 
    From: "InfoSec News" <isnat_private>
    To: <isnat_private>
    Sent: Thursday, June 05, 2003 5:39 AM
    Subject: RE: [ISN] This computer security column is banned in Canada
    
    
    > Forwarded from: Tony | AVIEN / EWS <tonyat_private>
    > Cc: steveat_private, Robat_private
    >
    > There are articles and papers everywhere talking about why Security
    > Through Obscurity doesn't work as an effective security measure. It is
    > a bureaucratic dream that if only you pretend the problem doesn't
    > exist or hide its existence from the general population that the
    > problem will go away.
    >
    > Do the students have to develop new viruses to learn about viruses-
    > no. But, to quote Albert Einstein "You cannot solve the problem with
    > the same kind of thinking that has created the problem."
    >
    > I think that to develop the next generation of virus defense we need
    > people to get into the minds of the virus writers and think like them-
    > use their tools, work the way they work. Maybe by doing so they can
    > find the chinks in the armor before the bad guys and develop proactive
    > tools instead of the reactionary virus defense we currently have.
    >
    > Read the article I wrote on this controversial topic:
    > http://netsecurity.about.com/cs/generalsecurity/a/aa060303.htm
    >
    >
    > Tony Bradley, CISSP, MCSE2k, MCSA, MCP, A+
    > About.com Guide for Internet / Network Security
    > http://netsecurity.about.com
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Fri Jun 13 2003 - 03:54:42 PDT