Tuesday 30 October 2007

Security through Obscurity? Or Insecurity through Obscurity?

Brand Killer Robots reveal::
Mike the security consultant says that we must keep on top of those Microsoft update patches, or else we're open to serious attack. He says that we need to purchase the latest firewall product, think about updating our internal security policies and perhaps undertake a security awareness campaign for staff across the group. He says hacking is on the increase and that the best way to protect yourself is to start getting inside the mind of the computer hacker. That way we can manage our security more intelligently, because we know how they think, every step of the way. "You know... it takes one to know one and all that!"

Mike also mentioned that we could deploy a honeypot as a way of learning about the way hackers think. This will help us to do what Mike is always saying: "develop our systems to be obscure". It makes them much harder to attack then. See, we can really outthink the hackers by learning the way they think. They think obscure, so we position our security posture to be obscure. It makes us much harder to attack that way.

OR DOES IT?

What Mike failed to say (or, worse still, never realised) was that obscurity is only of value in protecting against novice hackers or hackers without serious intent. To those hackers who are experts in their craft, or to those who are highly motivated to undermine your system's security, obscurity presents a joyous challenge. In fact, the more obscure the security, the greater the challenge, and the more the hacker is attracted to crack your security.

From this point of view, Obscurity = Insecurity, not the other way around.
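To make the point concrete, here is an added illustration (editor's example, not code from the original post): an "admin" endpoint guarded only by an unguessable path, beside one guarded by an actual authorisation check. The path, the session token store and the proxy log line are all constructed for the example, and the handler names are hypothetical. Once the obscure path shows up anywhere it can be read (a proxy log, a Referer header, a browser history), the obscurity-only version grants full access to whoever read it, while the hardened version still demands a credential and an admin role.

```python
"""Obscurity as the only control versus an explicit authorisation check.

All identifiers below (paths, tokens, users, the log line) are constructed
for this example; none come from a real system.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed: the "hidden" admin path is the only thing protecting the endpoint.
OBSCURE_ADMIN_PATH = "/x9f3a7b2c-admin"

# Constructed session store and role list for the hardened handler.
VALID_TOKENS = {"tok-7e21": "alice", "tok-1c40": "bob"}   # token -> user
ADMINS = {"alice"}                                        # users allowed in


@dataclass
class Request:
    path: str
    token: Optional[str] = None   # session token, if the client presented one


def obscure_handler(req: Request) -> int:
    """'Security through obscurity': anyone who knows the path is treated as admin."""
    if req.path == OBSCURE_ADMIN_PATH:
        return 200      # full access, no identity established
    return 404          # pretend the endpoint does not exist


def authz_handler(req: Request) -> int:
    """Hardened: the path can be public; access needs a valid session for an admin."""
    if req.path != "/admin":
        return 404
    user = VALID_TOKENS.get(req.token or "")
    if user is None:
        return 401      # not authenticated
    if user not in ADMINS:
        return 403      # authenticated, but not authorised
    return 200


# Constructed proxy log line: the "secret" path leaks the first time it is used.
CONSTRUCTED_PROXY_LOG = (
    '10.0.0.5 - - [30/Oct/2007:09:12:44 +0000] '
    '"GET /x9f3a7b2c-admin HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
)
_REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')


def path_from_log(line: str) -> Optional[str]:
    """Extract the request path from a common-log-format line (None if absent)."""
    m = _REQUEST_LINE.search(line)
    return m.group(1) if m else None


def compare_controls(log_line: str) -> dict:
    """Replay the path read from a log against both handlers.

    Returns the status each handler gives to a client that knows the path
    but holds no credential, plus what the hardened handler gives to a
    legitimate admin and to a non-admin user.
    """
    leaked = path_from_log(log_line)
    anonymous_obscure = obscure_handler(Request(path=leaked))
    anonymous_hardened = authz_handler(Request(path="/admin"))
    non_admin_hardened = authz_handler(Request(path="/admin", token="tok-1c40"))
    admin_hardened = authz_handler(Request(path="/admin", token="tok-7e21"))
    return {
        "leaked_path": leaked,
        "obscure_anonymous": anonymous_obscure,     # 200: obscurity alone fails
        "hardened_anonymous": anonymous_hardened,   # 401: path knowledge is not enough
        "hardened_non_admin": non_admin_hardened,   # 403: role is checked too
        "hardened_admin": admin_hardened,           # 200: the legitimate path in
    }


if __name__ == "__main__":
    for key, value in compare_controls(CONSTRUCTED_PROXY_LOG).items():
        print(f"{key}: {value}")
```

Hiding the path is harmless as an extra layer, and it will shed a few casual probes; the defect is treating it as the control. The hardened handler does not care whether its path is published, which is the property you want, since every secret that is not a per-user credential eventually turns up in a log somewhere.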
