Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
How A Little Obscurity Can Bolster Security
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
xennemans
xennemans,
 User Rank: Apprentice
8/6/2014 | 11:58:58 AM
Agree completely
Access control security and capability-based security are orthogonal.

That means they are complementary, like the yin and the yang, the masculine and the feminine.

In the same way, you would protect your systems on your network each themselves, but you also make sure no one can reach them if you don't need them to be able to be reached. Those things are also orthogonal.

In IPv6, the idea seems to be that we don't need network encapsulation anymore (NAT) because some moron says "most attacks are coming from application vulnerabilities anyway". But protecting your systems (internally) is orthogonal to not letting outside attackers in without invitations (a firewall) - you can do both at the same time, independent of one another (that's what orthogonal means).

So these are two different directions or dimensions and you can travel both whenever you like, both at the same time, only one and not the other, etcetera.

You can bolster your credentials-that-are-bound-to-one-user based model and at the same time bolster your "you are in unknown territory friend, and I have the upper hand here" model.

It is utterly foolish to suggest that a system needs to be secury only by way of its essential technical design.

A thief that knows a map of your palace will be a much harder threat than someone accidentally stumbling in.

Any thief knows this, so why don't the guards??

Technical open source systems are by definition vulnerable to mass exploits.

Obfuscated systems are, by definition, not.

At the same time, obfuscated systems are vulnerable to single-point attacks. Open source systems are not more vulnerable to those kinds of attacks, than to mass attacks.

Therefore you use both kinds of defense at the same time, and you use both of them to your maximum extent or capability.

 
CoreyNach
CoreyNach,
 User Rank: Apprentice
5/27/2014 | 5:59:28 PM
Re: Good examples but do they work?
I've used different server ports and server header masking a lot throughout the years. For one, I work for a company whose product does header masking... (our HTTP, SMTP, FTP, etc... proxies all strip and replace server headers to make it harder to identify the software behind them).... And I've changed ports on some of the server that I don't want public.. That said, I don't rely on port changing... usually if I really don't want public access to servers, I also control access in other ways too (require VPN, restrict to certain IPs only, etc...)
anon9675841497
anon9675841497,
 User Rank: Apprentice
5/24/2014 | 1:56:06 PM
Ports
Changing the default ssh port on my servers reduced the attempted logins by 90%.
gnummy
gnummy,
 User Rank: Apprentice
4/28/2014 | 6:03:54 PM
Re: Security v. Obscurity
Great Post, well worded.  Definitely a great idea to include this along with other measures, I have seen several examples of this working well e.g. a huge zero day outbreak affects a large number of organisations except for the guy who simply changed the default service port e.t.c.
theb0x
theb0x,
 User Rank: Ninja
4/22/2014 | 12:30:54 PM
Re: How A Little Obscurity Can Bolster Security
I have always liked the old saying "A locked door keeps an honest man out."

 

 
CNACHREINER981
CNACHREINER981,
 User Rank: Author
4/18/2014 | 5:25:38 PM
Re: Great Article
Perfect analogy, and exactly my point summed up fantastically!
Robert McDougal
Robert McDougal,
 User Rank: Ninja
4/18/2014 | 5:05:46 PM
Great Article
Great points Corey!

 

I don't see anything wrong with security by obscurity when used in conjunction with a secure system.  By making your systems appear to be smaller targets you are essentially eliminating any "cybercrime of opportunity". 

To make use of a simple analogy a secure system without obscurity is akin to a car with windows rolled up and system armed complete with your wallet on the front seat.  Any passing thief can see your wallet but they also have to deal with your car windows and alarm to get to their prize.  However, if they want the wallet they will try to break in.

Conversely, a secure system with obscurity is the exact same car armed and locked tight with the wallet hidden in the glove box.  The would be thief can see a car locked up tight that "may" contain a wallet but they don't know for sure.  Therefore most thieves will keep on walking looking for a better target to capitalize upon.

Lastly, a system which exclusively relies upon obscurity for security is a bad idea.  An analogy for this system is a car with the windows rolled down alarm off and wallet stored in the glove box.  If the opportunity to poke around is there someone will take advantage of it. 
przem
przem,
 User Rank: Apprentice
4/18/2014 | 12:29:38 PM
Re: We rely on Security through Obscurity
You are misunderstanding the phrase. 'obscurity' in this context refers to relying on secreting the details of the security mechanism. The big difference is that if you have a reason to suspect your security arrangements,  you can change the password, and restore full security. This is not the case for a 'security by obscurity' system: once broken it stays broken.
stephenq42
stephenq42,
 User Rank: Apprentice
4/17/2014 | 9:51:42 PM
We rely on Security through Obscurity
Everyone who has a user account on any system relies on security through obscurity.

 

Consider the user ID/password combination.  One component (the ID) may or may not be obscure, but the second (the password) better be.  I  have always been amused that the very security professionals who state that we must not disclose our passwords (keep them obscure) are the ones who also say "Security by obscurity is no security."
samenk
samenk,
 User Rank: Apprentice
4/17/2014 | 7:42:55 PM
Re: How A Little Obscurity Can Bolster Security
Great article here, Corey! Security by obscurity should only be used as a method to delay and/or discourage the attackers from compromising our security; nothing more. "Security by Obscurity is no security at all." I agree, however, I do think offers some level of security and should be utilized, but should never be fully relied upon. In most cases, security engineers would utilize obscure measures as first layer(s) of security; if the attacker does uncover the inconspicuous security measure, he is sure to meet a tougher one, such as encryption, or authentication.

 
Page 1 / 3   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file