0.5 Security Through Obscurity

Security through Obscurity can make a black hat feel that a resource isn't exciting enough to explore, prompting them to move on to another target.

The authors of this text are in the position of devil's advocate, as are the authors of Writing Secure Code [24] by Michael Howard and David LeBlanc. Page 34 states it is trivially easy for an attacker to determine obscured information. Other parts of this book show many examples of how such information can be found. The book The Art Of Deception [25] by Kevin D. Mitnick (page 82) says: "Security through obscurity does not have any effect in blocking social engineering attacks."

Showing that some security recommendations are a matter of opinion, co-author Helen chimes in here with a somewhat-dissenting view. While running an obscure OS won't protect you from an attack that specifically targets your site (as Howard and LeBlanc point out, using an obscure platform might make it a bit more difficult, but not impossible), it does discourage those attackers who are looking for any old random site running a certain popular OS (like Linux) that is vulnerable to the latest script kiddie program. If you can eliminate the effectiveness of a large percentage of the random attacks without losing required functionality, it may be worth considering.

Appendix B, The Ten Immutable Laws of Security [26], and Appendix C, The Ten Immutable Laws of Security Administration [27], originally by Scott Culp of the Microsoft Security Response Center, make Howard and LeBlanc's book a must-have on the reference shelf of every IT person.

A possible look at the year 2010 and the years leading up to it if we don't get our security act together is here [28].

From a technical viewpoint, we face an oxymoron. Under the single umbrella of security we have two opposing solutions. One is to filter out potentially bad stuff, such as closing ports or examining traffic for something bad. The other solution is to encrypt at some level of the OSI model, to help ensure that only authorized individuals can do anything on your network. The challenge lies in the fact that once you encrypt at a given layer of the OSI model, you can no longer filter traffic because it is encrypted!

__________________
24. Howard, Michael and David LeBlanc, Writing Secure Code, Microsoft Press, November, 2001, http://www.nerdbooks.com/item.html?id=0735615888
25. http://www.nerdbooks.com/item.php?id=0471237124
26. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/essays/10imlaws.asp
27. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/essays/10salaws.asp
28. http://www.computerworld.com/printthis/2003/0,4814,88646,00.html
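
The filtering-versus-encryption conflict described in this section, as an added example that is not part of the original guide: a small model of an on-path filter showing which of its rules stay enforceable depending on the layer where encryption is applied. The packet fields, the port and content rules, and the toy cipher are all constructed for illustration; the cipher is a stand-in, not real encryption.

```python
import hashlib
import json

SIGNATURE = b"BLOCKED-KEYWORD"   # constructed content signature
BLOCKED_PORT = 23                # constructed port rule (telnet)

def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in cipher (SHA-256 counter keystream XOR); not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def on_wire(packet, encrypt_at, key=b"demo-key"):
    """Return the fields an on-path filter can read.

    encrypt_at: None          -> nothing encrypted
                "application" -> payload hidden; port and address readable
                "network"     -> port and payload hidden; address readable
    """
    hidden = {None: [], "application": ["payload"],
              "network": ["port", "payload"]}[encrypt_at]
    view = {k: v for k, v in packet.items() if k not in hidden}
    if hidden:
        secret = json.dumps({k: packet[k] for k in hidden}).encode()
        view["opaque"] = toy_encrypt(secret, key)  # all the filter sees of the rest
    return view

def filter_verdict(view):
    """Apply the port rule and the content rule to whatever is readable."""
    verdict = {"port_rule": "blind", "content_rule": "blind"}
    if "port" in view:
        verdict["port_rule"] = "block" if view["port"] == BLOCKED_PORT else "allow"
    if "payload" in view:
        hit = SIGNATURE in view["payload"].encode()
        verdict["content_rule"] = "block" if hit else "allow"
    return verdict

# Constructed sample packet: trips both rules when sent in the clear.
PACKET = {"dst": "192.0.2.10", "port": 23, "payload": "hello BLOCKED-KEYWORD"}

if __name__ == "__main__":
    for mode in (None, "application", "network"):
        print(mode, filter_verdict(on_wire(PACKET, mode)))
```

A "blind" verdict is the case the text warns about: the rule still exists, but the filter has nothing to evaluate it against, so inspection has to move to a point where the traffic is decrypted.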
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.