[Discuss] DNS question about DNSENUM.PL

Rich Pieri richard.pieri at gmail.com
Wed Mar 27 14:13:24 EDT 2013


--On Wednesday, March 27, 2013 12:13 PM -0500 Derek Martin 
<invalid at pizzashack.org> wrote:

> On Wed, Mar 27, 2013 at 10:12:28AM -0400, Rich Pieri wrote:
>> Security by obscurity is no security at all.
>
> This is a popular mantra of paid security professionals, but it is a
> fallacy, and in fact is a tool that those very same people employ
> every day (e.g. recommendations to run ssh servers on non-standard
> ports, configure servers to respond with non-default banners, etc.).

I cannot speak to these so-called security professionals. I've never been 
one, nor have I ever employed one or been employed by one. I'm a systems 
administrator, which means everything that a security professional is 
supposed to do is a subset of my complete responsibilities.

Obfuscation won't slow a skilled attacker for more than the second or so it 
takes for NMAP to find the listeners on his target node. No, the real way 
you keep him out is the same way you keep a script kiddie out. You take 
security seriously, you generate a threat profile for your systems, and you 
put passive and active defenses in place to identify and shut down 
anomalous activities.

Non-standard ports and banners just confuse users when things don't work 
the way that they expect. From my experience, anyone who suggests doing such 
things may be "professional" in the sense that they are being paid to do a 
job, but are utterly unprofessional in the technical sense of doing a good 
one.

But if you don't like that phrase, then how about this one:

Obfuscation is security theater.

-- 
Rich P.
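The claim above, that a scanner locates a listener no matter which port it sits on or what its banner says, is easy to show with a few lines of Python. The block below is an added example written for this page; it is not code from anyone in the thread and has nothing to do with nmap's own engine. It stands up a constructed "SSH" service on an OS-chosen (non-standard) port with a non-default banner comment, then sweeps that port, grabs whatever the service says first, and classifies it by protocol. The classification relies on one fact from RFC 4253: an SSH server's version string must begin with "SSH-", so an administrator can change the trailing comment but cannot hide the protocol itself. The HTTP probe fallback and the signature table are the example's own assumptions, kept deliberately small.

```python
import socket
import threading

# Constructed fixture: an SSH-style banner with a non-default comment on a
# non-standard port. RFC 4253 still forces the "SSH-2.0-" prefix, so the
# protocol remains identifiable no matter what the comment says.
FAKE_SSH_BANNER = b"SSH-2.0-nothing_to_see_here\r\n"


def start_fake_service(banner, host="127.0.0.1"):
    """Bind a throwaway listener on an OS-chosen ephemeral port that sends
    `banner` to every client (server-speaks-first, like SSH or SMTP).
    Returns the port number; the serving thread is a daemon."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0 -> kernel picks an unused port
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host, port, timeout=1.0):
    """Connect and return the first bytes the service volunteers. If it is a
    client-speaks-first protocol, fall back to a minimal HTTP probe.
    Raises OSError (e.g. ConnectionRefusedError) if the port is closed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(256)
        except socket.timeout:
            data = b""
        if not data:
            # Assumption of this example: only HTTP is probed actively.
            try:
                s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
                data = s.recv(256)
            except (socket.timeout, OSError):
                data = b""
    return data


def identify(banner):
    """Classify a banner by protocol framing, not by port or comment text."""
    if banner.startswith(b"SSH-"):
        return "ssh"            # RFC 4253 version exchange
    if banner.startswith(b"HTTP/"):
        return "http"
    if banner.startswith(b"220"):
        return "smtp-or-ftp"    # both greet with a 220 reply code
    return "unknown" if banner else "no-banner"


def sweep(host, ports, timeout=0.5):
    """Return {port: ("open", protocol) | ("closed", "")} for each port."""
    results = {}
    for port in ports:
        try:
            banner = grab_banner(host, port, timeout)
        except OSError:
            results[port] = ("closed", "")
            continue
        results[port] = ("open", identify(banner))
    return results


if __name__ == "__main__":
    port = start_fake_service(FAKE_SSH_BANNER)
    # Sweep a small neighbourhood around the hidden port, as a scanner would.
    for p, (state, proto) in sweep("127.0.0.1", range(port - 2, port + 3)).items():
        print(f"{p:5d} {state:6s} {proto}")
```

Run it and the "hidden" SSH listener shows up as open and labelled ssh within the same sweep that reports its neighbours closed; moving the port and editing the banner comment changed nothing the scanner cares about.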


