I just read this article by Mike Fratto, Editor at large at Dark Reading.

When I started reading it, I was reminded of an article by Roger Grimes at InfoWorld (I originally read the article through a link at Martin McKeay’s blog).

What I am seeing here are two differing definitions of security by obscurity. On the one hand, Mike Fratto is saying that it is defined as, basically, keeping specific information about your security measures and infrastructure away from everyone. He asserts that security by obscurity hampers the open discussion of effective security tactics, thus hurting the security community because it does not get the good info out to everyone. So if you walk into a security conference, and you start discussing security measures with some peers, then you hold back and don’t tell them what brand of IPS you use, or if you have an IDS in place, then you are hurting the security community as a whole because you are holding back info that could potentially help another security professional secure his / her network.

On the other hand, Roger Grimes defines security by obscurity as the small but effective steps of changing SSL ports to 444 instead of 443, or blocking all email attachments, or … you get the point. Basically, get out of the way of automated attacks and scanning by lazy (actually, probably smart) hackers, and you avoid 99% of hackers. Time is money after all, so why would a hacker go after you when there are plenty of other default config systems out there?

Mike Fratto and Roger Grimes, on the face of the debate, seem to disagree. Each one is taking opposing positions on security by obscurity. But they are actually arguing two different points, using two different definitions for the same term.

So which definition is true? Actually, they are both true. Mr. Fratto is correct that many (if not most) security professionals are not going to tell someone they met at a security conference what IPS they are using, or if they are using host-based intrusion detection, or if they are running log analysis / security event management. Mr. Grimes is correct in saying that it is wise to change up default configs to keep script kiddies off your network (that makes sense). In totality, security by obscurity means keeping information out of the wrong hands.

So, does security by obscurity actually work? Here is where I disagree with Mr. Fratto. Mr. Grimes points out that it is a valid and tested form of security, using real examples. He tells us in his article that he has two honeypots, one that is at defaults, and one that has the port changed. He does NOT tell us what the port number is, even though it is a honeypot, because that would nullify the effectiveness of his argument by giving the hackers the information they need. So let’s try to use the reductio ad absurdum technique here. If you apply Mr. Fratto’s argument to Mr. Grimes’s argument, then you would not just tell someone you have changed the default SSL port of your web server (which is dumb enough). You would actually tell them which port you changed it to. It just doesn’t make sense!

In the same vein, I do not want to tell someone that I am using Brand X IPS, Brand Y IDS, Brand Z SEM, and on and on and on. Why would I do that? Do I know this person? Is this person going to go post the info on their blog, possibly trying to obscure who they talked to but accidentally revealing it later in the post (or another post or on their link list of blogger buddies)? I just don’t want to give out that info to anyone I don’t know and trust. It is too dangerous.

And the argument that I don’t have faith in my security techniques if I don’t hand out the info is misleading at best. Many firewalls detect scans and drop the traffic by seeing that traffic is not making an actual full connection. So the port is essentially invisible (or stealthed). There are definitely ways around that, but many of those ways are detectable by logging, etc. So if a typical, cursory scan doesn’t pick up anything, the hacker may go on to another target. Why would I help him out by telling him that my firewall can stealth the ports and that he should keep looking?
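The scan-then-log behaviour described above, as an added example (not code from the original post or from either article): a small Python check over constructed firewall log lines, in an assumed format, that flags a source which only ever sends bare SYNs across several ports, which is what a stealthed firewall’s drop log shows for a cursory scan.

```python
"""Flag half-open (SYN-only) port sweeps in constructed firewall log lines.

A stealthed firewall drops the SYN of an unsolicited probe, so no handshake
completes, but the drop is still logged. One source touching many ports
without ever completing a connection is the pattern to alert on.
"""
import re
from collections import defaultdict

# Constructed format: "<ts> <action> src=<ip> dst_port=<n> flags=<tcp flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DROP|ACCEPT) src=(?P<src>[\d.]+) "
    r"dst_port=(?P<port>\d+) flags=(?P<flags>[A-Z,]*)$"
)

SAMPLE_LOG = """\
10:00:01 DROP src=203.0.113.7 dst_port=22 flags=SYN
10:00:01 DROP src=203.0.113.7 dst_port=443 flags=SYN
10:00:01 DROP src=203.0.113.7 dst_port=3389 flags=SYN
10:00:02 DROP src=203.0.113.7 dst_port=8080 flags=SYN
10:00:02 DROP src=203.0.113.7 dst_port=444 flags=SYN
10:00:05 ACCEPT src=198.51.100.20 dst_port=444 flags=SYN
10:00:05 ACCEPT src=198.51.100.20 dst_port=444 flags=ACK
10:00:09 DROP src=192.0.2.9 dst_port=23 flags=SYN
"""


def find_scanners(log_text, min_ports=4):
    """Return {src: sorted ports} for sources that only ever sent bare SYNs
    and touched at least `min_ports` distinct ports."""
    syn_ports = defaultdict(set)
    completed = set()  # sources seen sending an ACK, i.e. a real connection
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        src, port, flags = m["src"], int(m["port"]), m["flags"].split(",")
        if "ACK" in flags:
            completed.add(src)
        elif flags == ["SYN"]:
            syn_ports[src].add(port)
    return {src: sorted(ports) for src, ports in syn_ports.items()
            if src not in completed and len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"half-open sweep from {src}: ports {ports}")
```

The legitimate client that completes its handshake and the single stray SYN are left out by default; lowering `min_ports` shows how noisy the check becomes if the threshold is too low.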

Overall, security by obscurity is a good thing. Too much info about my network, in the hands of anyone, malicious or not, is not a good thing. There is just too much info and too many vendors and consultants out there to help secure your network to make it worth it to start telling everyone what type of security I have in place. If you can’t afford them, then read reviews and articles in security magazines and websites. These resources can give all the info you need without telling everyone what security measures I have on my network. And if you really need some help, ask some friends. If you haven’t just joined the security community last week, then you probably have friends who trust you and will give you the info you need. There are ways without asking some dude you just met at the bar what he uses to secure his network.

Listen to a podcast of this post here.

Vet
