Security Through Obscurity vs. Configuration Management
One of the bedrock principles of the information technology (IT) security field for the past generation has been that strict hardware and software configuration management is the path to reducing security vulnerabilities. In light of some recent changes on the network intrusion front, I am beginning to question the value of this principle… or at least to wonder if it is high time that we re-evaluate its balance.
Configuration management is the process by which you minimize the number of variants of hardware, operating system, and software that you have fielded simultaneously on your enterprise network. The ideal case would be to have only one desktop system, one server model, one operating system for each, and the exact same applications on all of them. The reality is that user requirements differ, the same operating systems and applications do not run on the same hardware, and modernization, refresh, and replacement always increase the variance found. A realistic outcome is that all of the computers come from one hardware manufacturer, span two to three generations, and all run one company's OS, differing only by version and server/client edition.
The problem is that today the offense is getting much better, faster, and more effective at covering its tracks. If you have a homogeneous network, then while you have by definition minimized your total number of distinct vulnerabilities, you have also ensured that the exact same hardware and software weaknesses exist on every single machine. If the bad guys do get a foothold, they will quickly be able to gain the keys to the kingdom. If the threat is malware that is attempting to set up a botnet and co-opt your network into conducting clandestine operations, then your configuration management security blanket is actually greasing the skids! You could be one good attack away from total shutdown.
So is there an alternative? The idea, which is as old as Internet time, is a take-off on “security through obscurity”. The basic idea is that by intentionally creating a mix of hardware, operating systems, patch states, and application versions, you may actually decrease the chance of one silver bullet taking the entire thing down. Would having a mix of Macs, PCs, and Linux boxes, with a corresponding palette of operating systems, actually be more effective at maintaining capability through a dedicated attack?
Here is how Wikipedia introduces the idea of “security through obscurity”:
“Security through obscurity (sometimes called security by obscurity) is a principle in security engineering, which attempts to use secrecy (of design, implementation, etc.) to provide security…
A system may use security through obscurity as a defense in depth measure; while all known security vulnerabilities would be mitigated through other measures, public disclosure of products and versions in use makes them early targets for newly discovered vulnerabilities.”
For additional reading on this very interesting polarity management case, consider these links:
- Slashdot.org – Why Security-Through-Obscurity Won’t Work
- Wikipedia – Kerckhoffs’ principle
- Techrepublic.com – The value of accidental security through obscurity
- The Free Encyclopedia – security through obscurity
Obviously there are pros and cons to both approaches, and obviously there is some stable point where the balance board between the two produces the optimal state of modern network security. The real question is whether it is time to actually question the paradigm of rigorous configuration management. Maybe we need to think in terms of configuration optimization rather than minimization. I think that it is time to think this through again.
Does your organization have any experience with this topic? Does anyone have any lessons learned or case studies on it? How about any anecdotes of success or failure? Please comment.
That is my Information Technology Thought of the Day for September 3, 2009.
image credit: City of Haverville

about 6 months ago
Amazing! Not clear for me how often you are updating your http://www.itthoughtoftheday.com.
about 6 months ago
http://www.itthoughtoftheday.com – da best. Keep it going!
Tania
about 5 months ago
Thanks for reading. I appreciate it.
-Scott