opstriada.blogg.se

Obscurity ftb

In the context of security through obscurity it has always, to me, seemed to mean that your method and process of providing security is not well understood and it is this fact that is providing the majority of the security. I don't think that is what they mean by incomplete information. It also usually leads to lazy vendors creating the illusion of security out of a soon-to-be-had massive privacy lawsuit. Obscurity is a mildly nice icing that makes maintaining servers less problematic. Minimalist, properly protected system design with multiple layers of protection, iron-clad internal logging, and no routes to privilege escalation (especially social) is the route to security.

But if your vendor or contractor starts talking about obscurity first, they don't have a clue what they're doing. ONLY THEN, should obscurity be layered on.

But when vendors use that form of the term obscurity, they're just masking the fact that they are selling you rubbish. Any properly secured system should be able to proudly proclaim all of its pertinent information to the world, including source code to all available participants, and still be secure. It's technically a form of "obscurity" to think the hackers wouldn't notice that you left an FTP server up and running without realizing it, or that the default login was still viable. It is slightly less "obscure" to have your server up on an unresponsive IP address. On the one hand, it's "obscure" that a particular keyphrase known by trusted people will get you to a layer of network security. The problem is that Security by Obscurity is the defense of lazy vendors who should damn well know better.








