When security through obscurity makes sense
SECURITY.ITWORLD.COM --- 11/14/2006

Brent Huston

I know, I know… For years, you have been hearing how security through obscurity [1] doesn’t work. Pundits, myself included, auditors, security consultants and everyone else who has been through infosec 101 consistently hammer home the point that security through obscurity is a dangerous practice. But, with some of the recent things that have emerged, and some of the changes in play today, I can honestly tell you that it just might be useful to your organization. 


There is, of course, a caveat to using security through obscurity and to realizing its value, and it is a simple one: security through obscurity is ONLY valuable when it is a part of your overall security posture, that is, when it is one component of your defense-in-depth strategy. Rely on security through obscurity alone as a defense at your own peril. That does not mean, however, that it is a useless tool, as many pundits would have you believe.

There are primarily two ways in which organizations can use security through obscurity as a useful component of their security posture today. The first is the most obvious: using unpredictable system names, account names and other such information makes an attacker's job much more difficult in many ways. If your organization uses random system names, for example, it becomes much harder for an attacker to target the workstations of key staff members, even if that attacker has access to AD and such. Without access to a database mapping hosts to users, or some similar list, attackers are usually forced to scan or send NetBIOS probes to each machine to identify the logged-on users. This is an excellent example of security through obscurity helping the security team: it forces the attacker to perform noisy scanning, which raises the chance of detection by the organization's defensive tools and processes.

The second way you can effectively use security through obscurity is as a threat-source risk calculator. How can you do that? Statistically speaking, over the last several years, probes and attacks from the Internet have become increasingly isolated, and as such they have begun to establish and exhibit normal patterns of behavior. Web scans and worms, for example, tend to probe ports 80 and 443, while worms that go after ssh attack port 22. Many of our clients are moving their non-business-essential ports and services to alternate locations. The pundits would tell you that this form of security through obscurity does not provide increased security for the organization, and they would be right. But they fail to see what it does provide: not increased security, but increased intelligence. If you move your ports to different locations and then see attacks against them, you have a bit of intelligence on your side. You know right away that the probes you are seeing are not from the common worms, bots and auto-rooters spreading randomly through the Net. You understand that this is likely a broader-scoped attack, and depending on the actions that follow it or how unique it appears, you might suddenly realize that this is a dedicated human attacker focused on your organization!

Such intelligence is useful because it is easily sorted from the noise once the majority of common automated probes and assaults are removed from the picture. In addition, just about any organization wants to treat a dedicated human attack focused on its business differently from a random worm scanning for known holes. This use of security through obscurity just might provide you with the insight that someone has singled you out as a target. Knowing that fact can make a huge difference!
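As an added illustration of the "intelligence, not security" argument above (example code, not the author's or MicroSolved's own), the following script classifies firewall log sources by whether they only knocked on well-known ports or also found a relocated service. The log lines are constructed, and the relocation of SSH from 22 to 20022 and RDP from 3389 to 20389 is an assumption for the example.

```python
import re
from collections import defaultdict

# Constructed iptables-style firewall log lines (not from the article).
SAMPLE_LOG = """\
Nov 14 09:01:02 fw kernel: IN=eth0 SRC=203.0.113.10 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=22
Nov 14 09:01:03 fw kernel: IN=eth0 SRC=203.0.113.10 DST=10.0.0.5 PROTO=TCP SPT=51235 DPT=80
Nov 14 09:01:04 fw kernel: IN=eth0 SRC=203.0.113.10 DST=10.0.0.5 PROTO=TCP SPT=51236 DPT=8080
Nov 14 09:02:11 fw kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=443
Nov 14 09:05:40 fw kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=40002 DPT=20022
Nov 14 09:05:41 fw kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=40003 DPT=3389
Nov 14 09:05:42 fw kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=40004 DPT=20389
Nov 14 09:07:00 fw kernel: IN=eth0 SRC=192.0.2.55 DST=10.0.0.5 PROTO=TCP SPT=33000 DPT=22
"""

# Assumed relocations for this example: SSH 22 -> 20022, RDP 3389 -> 20389.
# Traffic to the old well-known port is commodity noise; traffic to the new
# port cannot come from a scanner that only knows the defaults.
RELOCATED_PORTS = {20022: "ssh", 20389: "rdp"}
COMMODITY_PORTS = {22, 80, 443, 3389}

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+).*?DPT=(?P<dpt>\d+)")


def parse(log_text):
    """Yield (source_ip, destination_port) for every line the regex matches."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), int(m.group("dpt"))


def classify_sources(log_text):
    """Return {src: {"commodity": n, "relocated": n, "verdict": str}}."""
    hits = defaultdict(lambda: {"commodity": 0, "relocated": 0})
    for src, dport in parse(log_text):
        if dport in RELOCATED_PORTS:
            hits[src]["relocated"] += 1
        elif dport in COMMODITY_PORTS:
            hits[src]["commodity"] += 1
        # Ports in neither set (e.g. 8080 above) are ignored by this rule.
    for counts in hits.values():
        # A source that reaches a relocated port did more than a default-port sweep.
        counts["verdict"] = "targeted" if counts["relocated"] else "commodity-noise"
    return dict(hits)


if __name__ == "__main__":
    for src, counts in classify_sources(SAMPLE_LOG).items():
        print(src, counts)
```

The verdict for 198.51.100.7 is what the article calls intelligence: that source knew where the moved services were, so it deserves a different response than the two sources that only hit 22 and 80.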

So, is security through obscurity useless, as some would have us believe? Perhaps not. These are just a few examples, and I am sure there are many, many more out there. Who knows, maybe we ought to go back and look at some of the other "laws of information security" and make sure they still make sense in the modern world. I will leave that exercise to you. Let me know what you come up with.

[1] http://en.wikipedia.org/wiki/Security_through_obscurity


Brent Huston is CEO and Security Evangelist of MicroSolved, Inc., an information security company based in Columbus, OH. Brent and his staff have performed system and network security consulting services for Fortune 500 companies, international telecom firms and major financial institutions. His professional experience exceeds fifteen years in the information security field. To date, he has performed hundreds of vulnerability assessments and penetration tests against target organizations such as banks, credit unions, financial companies, e-commerce sites, critical infrastructure, federal/state/local governments and military/national security installations. He is well versed in the use and implementation of all major security tools, standards and systems and has developed the primary assessment methodologies in use at MicroSolved and the US Department of Energy. He has published numerous white papers on security-related topics, and is the co-author and technical editor of the book "Hack Proofing Your E-Commerce Site" from Syngress Publishing. Write him at bhuston@microsolved.com.


Copyright © Computerworld, Inc. All rights reserved