Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Security Basics: RE: Concepts: Security and Obscurity

RE: Concepts: Security and Obscurity

From: Craig Wright <Craig.Wright_at_bdo.com.au>
Date: Thu, 5 Apr 2007 10:14:48 +1000

What is forgotten is that there is an economic/financial cost to all
controls.

A control is only effective if the cost of the control provides more
utility than not having the control. Thus a control that provides some
security at a cost that is greater than another control is ineffective
overall.

Security by Obscurity is an ineffective control. The gains are minimal
in economic terms. The cost however is more than the pure cash/money
costs. The additional losses to productivity and added difficultly in
maintaining secrecy does not provide the required level of gains to
offset the costs and thus creates a dead-weight loss in economic terms.

Thus security by obscurity is no security as the costs in real economic
terms do not bring benefit.

It is of no use to spend $1,000,000 protecting a $1,000 asset. This is a
loss and thus it is not a decision that provides security as the loss
exists even before the system goes live.

Regards,
Craig

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.

The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system.

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator@bdo.com.au.

BDO Kendalls is a national association of separate partnerships and entities.

-----Original Message-----

From: listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com]
On Behalf Of Pranay Kanwar
Sent: Thursday, 5 April 2007 5:55 AM
To: security-basics_at_securityfocus.com
Subject: Re: Concepts: Security and Obscurity

Hi Daniel,

Nice write up,but you are missing the crux of the matter obscurity is
mostly about secrecy and according to kerchoff's princliple and Mr.
Bruce Schneier. secrecy or obscurity induces brittleness in the system.
I'll replay the kerchoff's principle here from the wikipedia

"Kerckhoffs' principle applies beyond codes and ciphers to security
systems in general: every secret creates a potential failure point.
Secrecy, in other words, is a prime cause of brittleness-and therefore
something likely to make a system prone to catastrophic collapse.
Conversely, openness provides ductility."

http://en.wikipedia.org/wiki/Kerchoffs_law

Regards

warl0ck // MSG
http://www.metaeye.org
Received on Apr 05 2007

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]