
BLU Discuss list archive



[Discuss] Security through obscurity



[Please update subjects when a thread veers off to a distinctly
different topic.]

Derek Martin wrote:
> Rich Pieri wrote:
>> Security by obscurity is no security at all.
>  
> This is a popular mantra of paid security professionals, but it is a
> fallacy, and in fact is a tool that those very same people employ
> every day (e.g. recommendations to run ssh servers on non-standard
> ports, configure servers to respond with non-default banners, etc.).
> The benefits of such measures often amount to foiling script kiddies
> who may otherwise compromise your otherwise vulnerable system with
> zero effort, but that itself can be a big win, since this is the
> overwhelming majority of attack traffic that most sites see.

We're getting a bit wrapped up in dogma. This isn't a black-and-white
issue. If you take a broad enough definition of "obscurity" it could be
taken to mean your knowledge of a password - it's obscure, you know it,
and yet it's guessable, just like the oddball port your service is
running on.

It has already been mentioned that the reason why security through
obscurity is generally considered bad is because it is often used as an
excuse for having lax real security. (For example, in the scenario
above, the owners of the service running on a non-standard port should
not be slow to install security updates to their service, thinking they
are safe merely because they are using a non-standard port. Although
statistically speaking, they are indeed safer than if they weren't using
a non-standard port, as the vast majority of attack attempts are
unsophisticated scripts. [Before you jump to dispute that, note I said
*statistically* speaking.])

There's really no reason why a system administrator should reject an
obscurity layer, if their security fundamentals are already good, as
long as in their judgment the obscurity doesn't impact their users. (For
example, picking a non-standard VPN port can have near zero impact, as
VPN setup is a one-time thing, and you're already supplying the user
with setup documentation covering numerous parameters. Or you're using a
custom pre-configured client.)

But the real value in obscurity measures is cutting down on noise, which
doesn't directly impact security, but can indirectly help it by making
real attacks far more visible and avoiding alarm fatigue. You're merely
filtering out the nuisance.

For example, if you can use a non-standard ssh port without impacting
your users, and you log and monitor attack attempts against it (as you
should), switching to a non-standard port will reduce those logged
attacks to virtually zero. That's useful.

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
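As an added illustration of the last point in Tom's message (this is not code from the thread): assuming sshd has been moved from port 22 to 2222 and a netfilter LOG rule records every inbound TCP SYN, this Python script tallies probes against the old port as background noise and reports hits on the moved port, particularly from a source that first probed 22, as the few events worth a human look. The log lines are constructed and simplified, and the addresses and port numbers are assumptions.

```python
import re
from collections import Counter

# Assumption (not from the thread): sshd now listens on 2222, and a
# netfilter LOG rule records each new inbound TCP SYN on the gateway.
SSH_PORT = 2222
NOISE_PORTS = {22}   # the well-known port now acts only as a tripwire

# Constructed, simplified netfilter-style log lines; addresses come from
# the RFC 5737 documentation ranges and do not refer to real hosts.
SAMPLE_LOG = """\
Mar  3 01:12:07 gw kernel: [SYN] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=41022 DPT=22 SYN
Mar  3 01:12:09 gw kernel: [SYN] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=41023 DPT=22 SYN
Mar  3 01:13:44 gw kernel: [SYN] IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=55010 DPT=22 SYN
Mar  3 01:15:02 gw kernel: [SYN] IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=55011 DPT=2222 SYN
Mar  3 01:15:03 gw kernel: [SYN] IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=55012 DPT=2222 SYN
Mar  3 01:20:31 gw kernel: [SYN] IN=eth0 OUT= SRC=203.0.113.200 DST=203.0.113.5 PROTO=TCP SPT=60100 DPT=443 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def parse(lines):
    """Yield (src, dpt) for each TCP SYN log line; skip malformed lines."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), int(m.group("dpt"))

def triage(lines, ssh_port=SSH_PORT, noise_ports=NOISE_PORTS):
    """Split SSH probes into noise (old port) and signal (moved port).

    Also returns the sources seen on both: a scanner that walked from 22
    to the moved port is exactly the event the reduced noise makes visible.
    """
    noise, signal = Counter(), Counter()
    for src, dpt in parse(lines):
        if dpt in noise_ports:
            noise[src] += 1
        elif dpt == ssh_port:
            signal[src] += 1
    both = sorted(set(noise) & set(signal))
    return {"noise": dict(noise), "signal": dict(signal), "both": both}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    print(f"noise hits on 22: {sum(report['noise'].values())}")
    print(f"hits on {SSH_PORT}: {report['signal']}")
    print(f"sources that reached the moved port after probing 22: {report['both']}")
```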



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.



