Get this Security+ CertiGuide for your own computer.
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Also available: 300-question Security+ practice test!
Get It Here!

Custom Search







Table Of Contents  CertiGuide to Security+
 9  Chapter 0:  Read.Me

Previous Topic/Section
0.4  Security Checklist
Previous Page
Pages in Current Topic/Section
1
Next Page
0.6  Resources
Next Topic/Section

0.5  Security Through Obscurity

Security through Obscurity can make a black hat feel that a resource “isn’t exciting enough” to explore, prompting them to move on to another target

The authors of this text are in the position of devil’s advocate as are the authors of Writing Secure Code24 by Michael Howard and David LeBlanc. Page 34 states “…it is trivially easy for an attacker to determine obscured information.” Other parts of this book show many examples of how such information can be found. The book The Art Of Deception25 by Kevin D. Mitnick (page 82) says: “Security through obscurity does not have any effect in blocking social engineering attacks.”

Showing that some security recommendations are a matter of opinion, co-author Helen chimes in here with a somewhat-dissenting view. While running an obscure OS won’t protect you from an attack that specifically targets your site (as Howard and LeBlanc point out, using an obscure platform might make it a bit more difficult, but not impossible), it does discourage those attackers who are looking for any old random site running a certain popular OS (like Linux) that is vulnerable to the latest “script kiddie” program. If you can eliminate the effectiveness of a large percentage of the random attacks without losing required functionality, it may be worth considering.

Appendix B, “The Ten Immutable Laws of Security”26, and Appendix C, “The Ten Immutable Laws of Security Administration”27, originally by Scott Culp of the Microsoft Security Response Center, make Howard and LeBlanc’s book a must-have on the reference shelf of every IT person.

A possible look at the year 2010 and the years leading up to it if we don't get our security act together is here28.

From a technical viewpoint we face an oxymoron. Under the single umbrella of security we have two opposing solutions. One is to filter out potentially bad stuff, such as closing ports or examining traffic for something bad. The other solution is to encrypt at some level of the OSI model, to help ensure that only authorized individuals can do anything on your network. The challenge lies in the fact that once you encrypt at a given layer of the OSI model, you can no longer filter traffic because it is encrypted!

Whoever came up with the phrase, “the devil is in the details” may well have been thinking of the challenges in security.
 __________________

24. Howard, Michael and David LeBlanc, Writing Secure Code, Microsoft Press, November, 2001, http://www.nerdbooks.com/item.html?id=0735615888

25. http://www.nerdbooks.com/item.php?id=0471237124

26. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/essays/10imlaws.asp

27. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/essays/10salaws.asp

28. http://www.computerworld.com/printthis/2003/0,4814,88646,00.html

Previous Topic/Section
0.4  Security Checklist
Previous Page
Pages in Current Topic/Section
1
Next Page
0.6  Resources
Next Topic/Section

If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $



Home - Table Of Contents - Contact Us

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.