I'd like to follow up on your post because you raise a lot of good points. In particular, we have a problem in infosec whereby "security" is implicitly equated to "security with cryptographic guarantees".
I understand that "cryptographically secure" is the gold standard for infosec, but this misses a certain reality on the ground. Often times, your system doesn't need to be Fort Knox: it just needs to be a more difficult target than the other guy's system.
I think this is where obfuscation comes in. With regards to well-known vulnerabilities, clearly cryptographic-grade solutions are required, but the best defense against zero-day attacks is to make your system hard to probe for odd behaviors. Why waste time doing statistical analyses on a system in the hopes of extracting a faint signal when another system literally responds to a port scan?
I think the camouflage analogy in the article is a good one. Hardening your asset is necessary, but hiding it is even better.
In my former military days, we were always told that "concealment is better than cover". It's hard to pull a flanking maneuver on a target you can't locate, but trivial to do so against a target you simply can't hit. I wouldn't go as far as to claim that the same is true in infosec, but it stands to reason that there's a place for concealment.
I think camouflage and decoys are useful analogies.
I run ssh on non-standard ports. Not because I think it makes me any more secure, but because it allows me to either ignore all the automated scans/connections to port 22 altogether, or to proactively blackhole any ip address who attempts to connect to a decoy port 22...
It doesn't mean I don't continue to need to do all the things I need to keep ssh secure as well - keep my sshd updated, disable password auth, shut down root connections, etc...
>I think camouflage and decoys are useful analogies.
Indeed I've found that most military analogies work quite well for infosec!
>Not because I think it makes me any more secure, but because it allows me to either ignore all the automated scans/connections to port 22 altogether, or to proactively blackhole any ip address who attempts to connect to a decoy port 22...
This is another excellent point. Not only are we fuzzing the signal with respect to automated attacks, we're also improving the signal-to-noise ratio in our own security analyses.
>I cringe every time someone says "it will never happen" or "it is too hard to exploit".
I think you misunderstand me. I'm not saying "it's too hard to exploit"; I'm saying "this helps me keep a low-profile and makes me a less appealing target". It's primarily a social-engineering hack in the sense that for all but the most targeted attacks, attackers chose easy targets.
By analogy, I'm suggesting you not walk alone in a shady alley at night.
>But will you still detect the problems on your security make-up if you mostly rely on the fact that the vulnerability is not seen?
This is a valid and interesting question, imho. I would reply with the following questions, in trying to determine whether the cost of obfuscation outweighs it's benefits:
1. do you really have the means to continuously audit your attack surface?
2. what is to prevent you from rolling back your obfuscation mechanisms for a periodic audit?
3. can you configure things such that your obfuscation layer only points to external traffic (thus allowing for continuous auditing via some private port)?
4. more to your point: you seem to be implying that you'll never have a configuration error on your system. Isn't it true that obfuscation can potentially guard against the occasional glitch?
There is a definite trade-off involved in obfuscation, but unless you're one of those (admirable!) people who use the best cryptography to privately discuss the best cryptography, I think the judicious use of "camouflage" generally improves security.
>Often times, your system doesn't need to be Fort Knox: it just needs to be a more difficult target than the other guy's system.
This is, of course, until someone actually wants to hack you.
>but the best defense against zero-day attacks is to make your system hard to probe for odd behaviors
This really isn't in line with the previous statement I quoted, rather unlikely that you'll get targeted with zero-day attacks unless someone is actually trying to hack you.
In contrast, I think they're getting progressively more and more useful in light of an increasingly larger and more automatedly hostile world network.
I imagine in the 1970s there weren't a whole lot of hacks that began with "scan the entirety of ARPANET to find a few vulnerable machines, then apply vulnerability."
>I imagine in the 1970s there weren't a whole lot of hacks that began with "scan the entirety of ARPANET to find a few vulnerable machines, then apply vulnerability."
My point was that the economics that justified 80s worms didn't exist in the 70s and earlier. There simply weren't enough systems networked to make an automated attack preferable over a bespoke, single-system approach.
And extrapolate that change into the future with more and more machines of standardized config being connected to the internet... and automated attack and use becomes more and more attractive. Which means prevention of automated attack should become more useful.
I understand that "cryptographically secure" is the gold standard for infosec, but this misses a certain reality on the ground. Often times, your system doesn't need to be Fort Knox: it just needs to be a more difficult target than the other guy's system.
I think this is where obfuscation comes in. With regards to well-known vulnerabilities, clearly cryptographic-grade solutions are required, but the best defense against zero-day attacks is to make your system hard to probe for odd behaviors. Why waste time doing statistical analyses on a system in the hopes of extracting a faint signal when another system literally responds to a port scan?
I think the camouflage analogy in the article is a good one. Hardening your asset is necessary, but hiding it is even better.
In my former military days, we were always told that "concealment is better than cover". It's hard to pull a flanking maneuver on a target you can't locate, but trivial to do so against a target you simply can't hit. I wouldn't go as far as to claim that the same is true in infosec, but it stands to reason that there's a place for concealment.