Security Basics mailing list archives

Re: RE: Concepts: Security and Obscurity


From: levinson_k () securityadmin info
Date: 5 Apr 2007 19:33:23 -0000

I disagree that security by obscurity is usually expensive, and that it is ineffective.  Changing a TCP port number, 
changing an application server banner, etc. takes a minute, and does not necessarily add any administrative cost.  Some 
obscurity countermeasures cost less than not using obscurity, such as not posting your sensitive internal network 
design documents to the Internet.  Firewalls and proxy servers regularly hide internal NAT IP address schema by 
default, no extra cost.  When an OS like Windows accidentally discloses this kind of information, it's considered a 
security vulnerability and gets fixed in a security patch.

However, quantitative risk assessment like this is specific to each environment, and neither of us can really make a 
blanket statement about obscurity being universally bad or good that applies to all situations.

kind regards,

Karl Levinson
http://securityadmin.info

Security by Obscurity is an ineffective control. The gains are minimal
in economic terms. The cost however is more than the pure cash/money
costs. The additional losses to productivity and added difficulty in
maintaining secrecy do not provide the required level of gains to
offset the costs and thus create a dead-weight loss in economic terms.
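The reply above gives "changing an application server banner" as a cheap obscurity measure. The script below is an added example, not part of the original thread or of any project it mentions: it starts a throwaway HTTP server on loopback with a chosen Server header, grabs that header back over a socket, and flags any product/version tokens it discloses, so an administrator can verify that a banner change actually took effect. The banner strings, the regex and the function names are assumptions made for this example.

```python
"""Verify whether an HTTP Server banner discloses product/version details.

Added example: spins up a local http.server with a configurable banner and
checks what a client would actually see. All values below are constructed.
"""
import http.server
import re
import socket
import threading

# Product token followed by a dotted version, e.g. "Apache/2.4.57" (assumed pattern).
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")


def discloses_version(server_header):
    """Return the product/version tokens found in a Server header value."""
    return VERSION_RE.findall(server_header or "")


def grab_server_header(host, port, timeout=3.0):
    """Send a minimal HEAD request and return the Server header value (or None)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def _make_handler(banner):
    """Build a request handler whose Server header is exactly `banner`."""

    class Handler(http.server.BaseHTTPRequestHandler):
        server_version = banner  # constructed banner, e.g. "Apache/2.4.57" or "webserver"
        sys_version = ""         # suppress the default "Python/x.y" suffix

        def do_HEAD(self):
            self.send_response(200)  # send_response adds the Server header
            self.end_headers()

        def log_message(self, *args):
            pass  # keep the demo quiet

    return Handler


def audit_banner(banner):
    """Start a local server with `banner`, fetch its Server header, report disclosures.

    Returns (observed_header, disclosed_tokens).
    """
    srv = http.server.HTTPServer(("127.0.0.1", 0), _make_handler(banner))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        header = grab_server_header("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()
    return header, discloses_version(header)


if __name__ == "__main__":
    # Verbose banner (constructed) versus a generic replacement.
    for banner in ("Apache/2.4.57 (Ubuntu) OpenSSL/3.0.2", "webserver"):
        observed, leaked = audit_banner(banner)
        status = "DISCLOSES " + ", ".join(leaked) if leaked else "ok (no version)"
        print(f"Server: {observed!r:45} -> {status}")
```

The point of grabbing the header over a raw socket rather than trusting the configuration file is that the observed banner is what an outsider sees; reverse proxies and load balancers can re-add or overwrite it, so the check belongs at the network edge where the "one minute" change is claimed to apply.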

