Security by obscurity is not enough by itself. Therefore, they gained this ability in the evolutionary process. Obscurity reduces the likelihood of being killed. He can be in any car and it reduces the risk of an attack.Ĭamouflaged animals are using security by obscurity as well. But he’s not sitting on his own presidential car so that the attacker won’t target him easily. For example, the president goes from point A to point B with his 30 cars convoy. Security by obscurity is widely used in physical/real-life security.
Security through obscurity example code#
But if there is an issue that allows an attacker to read data from the database, but not the backend code (like SQL Injection), the gathered data won’t be helpful for the attacker. If the attacker can read your backend code, obviously he/she can decrypt your database. Likewise, when you read data, use a function like decryption_algorithm(data,key). Using Symmetric Encryption in the Database: When you write data to the database, use a function like encryption_algorithm(data,key). It might help just like the code obfuscation. Using random variable names for a web application: Instead of using clear variable names, you can switch them with random strings. If you obfuscate your code well, they will need to spend more time to find issues. Obfuscating codes: Of course, it’s common knowledge.
For example, the following ideas might be a good idea for some specific cases (not always) Of course, it’s possible to use the same methodology in other fields other than changing the defaults. You can reduce your risk just by changing the default port. If a vulnerability found in the Microsoft Remote Desktop Protocol, everybody will scan for the port 3389 globally.
Security through obscurity example software#
The same thing goes for software vulnerabilities as well. So, if you switch your port from 22 to 64323, you will eliminate some of them. When you do a port scan with nmap to find open ports on the target, are you specify a custom port range to scan all 65,535 ports? (with -p0-65535 parameter)- Utku Şen September 7, 2020Īs you can see here, lots of people tend to scan the default/most popular ports only. I need your answers for the question below. I'm trying to prove a point for my new article. What about the others? To find this out, I did a small survey on my Twitter to find out people’s port scan behaviors. Does it help? Firstly, we’ve eliminated the global brute forcers again since they scan only the common ports. What is the likelihood of being compromised? SSH runs in port 64323 and my credentials are utku:123456.A targeted attacker can guess the username as utku since it’s my name. However, we still have to deal with targeted attackers. Well, we have eliminated the global brute forcers since we are not using a common username. SSH runs in port 22 and my credentials are utku:123456.It’s almost 100% since the hackers are conducting brute force attacks to the services with common credentials globally. I have a server that runs the SSH with it’s default port 22 and my credentials are: root:123456.Let’s think about a couple of scenarios here: Because it has a low implementation cost and it usually works well. But it’s actually would be good to use it as an “additional” layer of defense. If the attacker passes it, there is nothing else to protect you. It’s a bad idea to use it as a single layer of defense. So let’s talk about security by obscurity. It’s also referred as “Swiss Cheese Model”Īccording to this model, you need to build your defense mechanisms in a layered model so that even the attackers pass the first one, they will get caught on the others. It’s actually very similar to a very common idea called “Defense in Depth”. So, if we can reduce the likelihood, we can reduce the overall risk. According to the OWASP, likelihood refers that:Īt the highest level, this is a rough measure of how likely this particular vulnerability is to be uncovered and exploited by an attacker According to the OWASP’s methodology, the risk of an issue is calculated with the formula below:Īccording to this formula, a Remote Code Execution issue poses more risk than a Cross Site Scripting one since the RCE causes more impact. One of the main goal of defensive security is reducing the risk for the target business. In this post, I will raise my objection against the idea of “Security by obscurity is bad”. And, most of the people are actually not thinking about exceptional cases.
However, I started to think that people are telling those because everyone is telling them. In the information security field, we have developed lots of thoughts that can’t be discussed (or rarely discussed):Īnd goes like this. 🔥 This article widely discussed at Hackernews and Reddit
0 kommentar(er)
