Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
How A Little Obscurity Can Bolster Security
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 3   >   >>
samenk
samenk,
User Rank: Apprentice
4/17/2014 | 7:39:10 PM
Re: slows down an attack -- so it helps
Great article here, Corey! Security by obscurity should only be used as a method to delay and/or discourage the attackers from compromising our security; nothing more. "Security by Obscurity is no security at all." I agree, however, I do think offers some level of security and should be utilized, but should never be fully relied upon. In most cases, security engineers would utilize obscure measures as first layer(s) of security; if the attacker does uncover the inconspicuous security measure, he is sure to meet a tougher one, such as encryption, or authentication.
mwalker871
mwalker871,
User Rank: Guru
4/17/2014 | 3:18:48 PM
Re: Security v. Obscurity
Sure, don't give anything away.
Don't pick names easy to guess or commonly used. Passwords are just the final threshold.

However, if your domain can be enumerated, the ship has sailed.

Which is more important?
CNACHREINER981
CNACHREINER981,
User Rank: Author
4/17/2014 | 1:44:48 PM
Re: Security v. Obscurity
I can see that point. So many have relied ONLY on security by obscurity (which IS bad) for protection that it is probably good to hammer that idea out of a Infosec neophyte's head... However, I still think the more exprienced infosec folk, who realize that their primary defense needs to be true secure design, can add some obscurity to the mix too... ^_^
David F. Carr
David F. Carr,
User Rank: Strategist
4/17/2014 | 1:39:22 PM
Re: Custom platforms another example of security by obscurity
One site I converted to WordPress previously ran on a CMS of sorts that you could edit by going to www.mydomain.com/data/ - no password required, pure security by obscurity. So compared with that, WordPress was certainly a huge improvement.
mwalker871
mwalker871,
User Rank: Guru
4/17/2014 | 1:28:27 PM
Security v. Obscurity
Better to deride obscurity than end up back where we started: Obscurity is Security
CNACHREINER981
CNACHREINER981,
User Rank: Author
4/17/2014 | 1:27:16 PM
Re: slows down an attack -- so it helps
Yep... we agree. The best security is securely designed systems, but there is no point in making those systems easy to find. ^_^

 

Corey
CNACHREINER981
CNACHREINER981,
User Rank: Author
4/17/2014 | 1:25:49 PM
Re: Custom platforms another example of security by obscurity
I absolutely agree... However, to be devils advocate to this point (and my own article), I think this will only be the case if you have security conscious and trained folks creating the custom systems. Since they are blackboxes, custom systems are more difficult for an attacker to enumerate. However, the arguement against them is sometimes the folks creating custom systems aren't necessarily the best secure coders or designers. Because of its popularity and past issues, Wordpress has had to spend time and money learning about secure design... Another example is when non-cryptologists try to roll their own encryption. It usually ends in disaster..

However, it's kind of like the hidden rock WITH the combination lock example. If you have folks who are experts at secure design, and you use them to create a custom system, you have the benefit of both layers. The secure design limits the true vulnerabilities in the system, and the fact that it's custom adds that extra layer that makes it hard (and thus less ROI for the attacker) to figure out!

Cheers,

Corey
CNACHREINER981
CNACHREINER981,
User Rank: Author
4/17/2014 | 1:19:48 PM
Re: Know your risks first
That is an excellent point! When relying on someone elses' systems (the cloud) obscurity is NOT good. We need transparency in what tactics and strategies our external partners are using to protect out data...

But in that sense, the external partner becomes an extension of ourselves. I wouldn't argue we obscure things from trusted parties, only from truly untrusted attackers.

Thanks for you thoughts!

Corey
kobrien82
kobrien82,
User Rank: Apprentice
4/17/2014 | 12:55:03 PM
Know your risks first
Interesting article, Corey. Something to consider here is that there is a distinction between obscurity, where you rely upon the use of an unknown or custom system to trip up a tracker, and a defensive posture where you don't emit system details without cause.

However, it's also worth looking at what risks you're protecting against. If you're describing a strategy for protecting your servers, it makes total sense to not expose your Apache patch level; if you're looking at an infosec program for your data stored in a public cloud platform (say, Google Apps) from leak, obscurity isn't nearly as sensible a strategy. In general terms, outsider threat is defended against via (amongst other things) an approach of least information exposure; insider risk is mitigated by clarity and classification that helps avoid unintentional breach or leak. 
David F. Carr
David F. Carr,
User Rank: Strategist
4/17/2014 | 10:49:36 AM
Custom platforms another example of security by obscurity
There's also some security benefit from using a custom platform, such as a homegrown content management system instead of WordPress. WordPress has the advantage of being tested constantly by those trying to break it (maliciously or not), so security flaws tend to be found and patched -- which is good as long as you can keep up with the patches. Even then, hackers know that the login url is likely to be www.somedomain.com/wp-admin/ so they can throw brute force attacks against that and other known addresses like the one for sending trackbacks. A custom system may have more latent flaws, but they won't be as widely known as with a popular open source software platform.
<<   <   Page 2 / 3   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Developing and Testing an Effective Breach Response Plan
Whether or not a data breach is a disaster for the organization depends on the security team's response and that is based on how the team developed a breach response plan beforehand and if it was thoroughly tested. Inside this report, experts share how to: -understand the technical environment, -determine what types of incidents would trigger the plan, -know which stakeholders need to be notified and how to do so, -develop steps to contain the breach, collect evidence, and initiate recovery.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-4282
PUBLISHED: 2022-12-05
A vulnerability was found in SpringBootCMS and classified as critical. Affected by this issue is some unknown functionality of the component Template Management. The manipulation leads to injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VD...
CVE-2022-4281
PUBLISHED: 2022-12-05
A vulnerability has been found in Facepay 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /face-recognition-php/facepay-master/camera.php. The manipulation of the argument userId leads to authorization bypass. The attack can be launched remotely...
CVE-2022-41807
PUBLISHED: 2022-12-05
Missing authorization vulnerability exists in Kyocera Document Solutions MFPs and printers, which may allow a network-adjacent attacker to alter the product settings without authentication by sending a specially crafted request. Affected products/versions are as follows: TASKalfa 7550ci/6550ci, TASK...
CVE-2022-41830
PUBLISHED: 2022-12-05
Stored cross-site scripting vulnerability in Kyocera Document Solutions MFPs and printers allows a remote authenticated attacker with an administrative privilege to inject arbitrary script. Affected products/versions are as follows: TASKalfa 7550ci/6550ci, TASKalfa 5550ci/4550ci/3550ci/3050ci, TASKa...
CVE-2022-42496
PUBLISHED: 2022-12-05
OS command injection vulnerability in Nako3edit, editor component of nadesiko3 (PC Version) v3.3.74 and earlier allows a remote attacker to obtain appkey of the product and execute an arbitrary OS command on the product.