[Discuss] DNS question about DNSENUM.PL
Derek Martin
invalid at pizzashack.org
Wed Mar 27 13:13:46 EDT 2013
On Wed, Mar 27, 2013 at 10:12:28AM -0400, Rich Pieri wrote:
> Security by obscurity is no security at all.
This is a popular mantra of paid security professionals, but it is a
fallacy, and in fact is a tool that those very same people employ
every day (e.g. recommendations to run ssh servers on non-standard
ports, configure servers to respond with non-default banners, etc.).
The benefits of such measures often amount to foiling script kiddies
who may otherwise compromise your otherwise vulnerable system with
zero effort, but that itself can be a big win, since this is the
overwhelming majority of attack traffic that most sites see.
It's virtually impossible to completely harden your network against a
very knowledgable and determined attacker. So, PART of the point of
securing your systems (passive measures) is to slow them down, to give
you a chance to notice their activites, so you can react and do
something about it (active measures). Security through obscurity IS a
useful tool to that end.
It just needs to be understood that it is not sufficient, and it is
one of the least effective methods... you need security in depth, and
obscurity is a VERY SMALL part of that, but it is indeed a part. The
REAL gains you get from it are small, but they're often trivial to
implement, so they're cost-effective. In the end, security is about
trading costs... just like buying insurance.
--
Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in
undeliverable mail due to spam prevention. Sorry for the inconvenience.
More information about the Discuss
mailing list