0.5 Security Through Obscurity
Security through Obscurity can make a black hat feel that a resource isnt exciting enough to explore, prompting them to move on to another target
The authors of this text are in the position of devils advocate as are the authors of Writing Secure Code24 by Michael Howard and David LeBlanc. Page 34 states it is trivially easy for an attacker to determine obscured information. Other parts of this book show many examples of how such information can be found. The book The Art Of Deception25 by Kevin D. Mitnick (page 82) says: Security through obscurity does not have any effect in blocking social engineering attacks.
Showing that some security recommendations are a matter of opinion, co-author Helen chimes in here with a somewhat-dissenting view. While running an obscure OS wont protect you from an attack that specifically targets your site (as Howard and LeBlanc point out, using an obscure platform might make it a bit more difficult, but not impossible), it does discourage those attackers who are looking for any old random site running a certain popular OS (like Linux) that is vulnerable to the latest script kiddie program. If you can eliminate the effectiveness of a large percentage of the random attacks without losing required functionality, it may be worth considering.
Appendix B, The Ten Immutable Laws of Security26, and Appendix C, The Ten Immutable Laws of Security Administration27, originally by Scott Culp of the Microsoft Security Response Center, make Howard and LeBlancs book a must-have on the reference shelf of every IT person.
A possible look at the year 2010 and the years leading up to it if we don't get our security act together is here28.
From a technical viewpoint we face an oxymoron. Under the single umbrella of security we have two opposing solutions. One is to filter out potentially bad stuff, such as closing ports or examining traffic for something bad. The other solution is to encrypt at some level of the OSI model, to help ensure that only authorized individuals can do anything on your network. The challenge lies in the fact that once you encrypt at a given layer of the OSI model, you can no longer filter traffic because it is encrypted!
24. Howard, Michael and David LeBlanc, Writing Secure Code, Microsoft Press, November, 2001, http://www.nerdbooks.com/item.html?id=0735615888
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.