Security Through Obscurity vs. Configuration Management
One of the bedrock principles of the information technology (IT) security field for the past generation has been that strict hardware and software configuration management is the path to reducing security vulnerabilities. In light of some recent changes on the network intrusion front, I am beginning to question the value of this principle… or at least wonder if it is high time that we re-evaluate its balance.
Configuration management is the process by which you minimize the number of variants of hardware, operating system, and software that you have fielded simultaneously on your enterprise network. The ideal case would be to have only one desktop model, one server model, one operating system for each, and exactly the same applications on all of them. The reality is that user requirements differ, not every operating system and application runs on the same hardware, and modernization, refresh, and replacement always increase the variance. A realistic finding is that all of the computers come from one hardware manufacturer, span two to three generations, and are all running one company's OS, differing only by version and server/client edition.
The problem is that today the offense is getting much better, faster, and more effective at covering its tracks. If you have a homogeneous network, then while you have minimized the number of distinct vulnerabilities you have to track, you have also ensured that exactly the same hardware and software weaknesses exist on every single machine. If the bad guys do get a foothold, the same exploit and the same lateral-movement technique work everywhere, and they will quickly be able to gain the keys to the kingdom. If the threat is malware that is attempting to set up a botnet and co-opt your network into conducting clandestine operations, then your configuration management security blanket is actually greasing the skids! You could be one good attack away from total shutdown.
So is there an alternative? The idea, which is as old as Internet time, is a variation on "security through obscurity". The basic idea is that by intentionally creating a mix of hardware, operating systems, patch states, and application versions you may actually decrease the chance of one silver bullet taking the entire thing down. Would having a mix of Macs, PCs, and Linux boxes, with the corresponding palette of operating systems, actually be more effective at maintaining capability through a dedicated attack?
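To make the trade-off concrete, here is an added example (my code, not anything from the original post) that scores a fleet inventory two ways: the number of distinct configurations you must test and patch, which is what configuration management minimizes, and the share of the fleet held by the single most common configuration, which is what one exploit for that configuration takes down at once. The two inventories, the hostnames and the patch baselines are constructed for illustration.

```python
"""Score a fleet inventory for configuration sprawl versus
single-vulnerability blast radius.  Added example, not code from the
original post; the inventories below are constructed for illustration."""
from collections import Counter
from typing import Callable, Hashable, Iterable, NamedTuple


class Host(NamedTuple):
    name: str
    os: str
    version: str
    patch: str  # patch baseline the host was last brought up to


def distinct_configs(hosts: Iterable[Host]) -> int:
    """Number of distinct (os, version, patch) variants in the fleet.
    Configuration management tries to drive this toward 1; it is also
    the number of builds you must test and patch separately."""
    return len({(h.os, h.version, h.patch) for h in hosts})


def blast_radius(
    hosts: Iterable[Host],
    key: Callable[[Host], Hashable] = lambda h: (h.os, h.version),
) -> float:
    """Share of the fleet held by the single most common configuration
    (grouped by `key`).  One working exploit for that configuration
    compromises this fraction at once; 1.0 means a silver bullet takes
    everything."""
    hosts = list(hosts)
    if not hosts:
        return 0.0
    _, largest = Counter(key(h) for h in hosts).most_common(1)[0]
    return largest / len(hosts)


def exposed_hosts(hosts: Iterable[Host], vulnerable: set) -> list:
    """Hosts whose (os, version) is in `vulnerable`, i.e. the platforms
    an advisory says are affected."""
    return sorted(h.name for h in hosts if (h.os, h.version) in vulnerable)


def summarize(hosts: Iterable[Host]) -> dict:
    """Both figures side by side: sprawl (patch effort) and blast radius."""
    hosts = list(hosts)
    return {
        "hosts": len(hosts),
        "distinct_configs": distinct_configs(hosts),
        "blast_radius": blast_radius(hosts),
    }


# Constructed inventories (hypothetical hostnames and patch baselines).
HOMOGENEOUS = [Host(f"ws{i:02d}", "Windows", "7", "2009-08") for i in range(1, 11)]

MIXED = [
    Host("ws01", "Windows", "7", "2009-08"),
    Host("ws02", "Windows", "7", "2009-08"),
    Host("ws03", "Windows", "7", "2009-07"),
    Host("ws04", "Windows", "7", "2009-07"),
    Host("ws05", "Windows", "XP SP3", "2009-08"),
    Host("ws06", "Windows", "XP SP3", "2009-06"),
    Host("ws07", "Mac OS X", "10.5", "10.5.8"),
    Host("ws08", "Mac OS X", "10.5", "10.5.8"),
    Host("ws09", "Ubuntu", "9.04", "2009-08"),
    Host("ws10", "Ubuntu", "8.04", "2009-08"),
]

if __name__ == "__main__":
    for label, fleet in (("homogeneous", HOMOGENEOUS), ("mixed", MIXED)):
        print(label, summarize(fleet))
    # A hypothetical advisory that affects only Windows 7:
    print("exposed by a Windows 7 bug:", exposed_hosts(MIXED, {("Windows", "7")}))
```

The homogeneous fleet scores one configuration to patch but a blast radius of 1.0; the mixed fleet scores seven configurations to patch and a blast radius of 0.4. The "optimal state" the post asks about is whichever point on that curve your patching capacity can actually sustain: a variant you cannot keep patched lowers blast radius on paper while adding a host that an older, public exploit already owns.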
Here is how Wikipedia introduces the idea of “security through obscurity”:
“Security through obscurity (sometimes called security by obscurity) is a principle in security engineering, which attempts to use secrecy (of design, implementation, etc.) to provide security…
A system may use security through obscurity as a defense in depth measure; while all known security vulnerabilities would be mitigated through other measures, public disclosure of products and versions in use makes them early targets for newly discovered vulnerabilities.”
For additional reading on this very interesting polarity management case, consider these links:
- Slashdot.org – Why Security-Through-Obscurity Won’t Work
- Wikipedia – Kerckhoffs’ principle
- Techrepublic.com – The value of accidental security through obscurity
- The Free Encyclopedia – security through obscurity
Obviously there are pros and cons to both approaches, and there is presumably some stable point where the balance between the two produces the optimal state of modern network security. One caveat belongs up front: diversity only helps if every variant is still inventoried and patched; an unmanaged variant is not obscurity, it is a blind spot that an older, already public exploit will find first. The real question is whether it is time to actually question the paradigm of rigorous configuration management. Maybe we need to think in terms of configuration optimization rather than configuration minimization. I think that it is time to think this through again.
Does your organization have any experience with this topic? Does anyone have any lessons learned or case studies on it? How about any anecdotes of success or failure? Please comment.
That is my Information Technology Thought of the Day for September 3, 2009.
image credit: City of Haverville

about 12 months ago
Amazing! It is not clear to me how often you update your http://www.itthoughtoftheday.com.
about 12 months ago
http://www.itthoughtoftheday.com – da best. Keep it going!
Tania
about 11 months ago
Thanks for reading. I appreciate it.
-Scott