May 12, 2006
Rethinking Security By Obscurity
The theme of debunking security myths continues with Roger Grimes bringing us a case for security by obscurity. He cites moving a service to a non-well-known port as an effective example of security by obscurity:
For instance, two of my honeypots run Microsoft SQL server. Microsoft SQL servers typically run on ports 1433 UDP and 1434 TCP. The MS-SQL honeypot that runs on those ports gets scanned and attacked dozens to thousands of times a day. The other honeypot runs on a high non-default port (say, 30143 TCP) with a blank sa password, but it never gets attacked. Or, I should say, almost never — in the 22 months that it has been up, it has been scanned once on the correct port, and even that hacker or bot didn’t attack it.
I know, I know, you are thinking, “Any InfoSec 101 book says never to rely on security by obscurity.” This is certainly true if you try to publish a secret crypto algorithm or you hope nobody finds the flaws in the world’s most popular operating system.
The key is to examine what real threat you are trying to mitigate. Since the vast majority of threats against a SQL server come from self-propagating malware, and that malware only checks the default ports, changing the port is very effective against that class of threat. It does nothing against an attacker who sweeps every port and fingerprints whatever answers, and it does not fix the underlying weakness (a blank sa password is still a blank sa password), so it buys time rather than replacing a patch or a strong credential.
Obscurity, like anything else that makes it more difficult to attack you, has a place in any defense-in-depth plan. The key is to recognize when obscurity adds to your security and when it takes away. But that’s why they pay you, right?
Blasting away security myths [infoworld]

You can apply this to filesystems on a web server, too. See all the hits in your HTTP logs for phpBB and awstats? Even if you patch quickly, what happens when a zero-day worm comes looking for a software package on your server? When feasible, I install software under non-default folders.
May 12th, 2006 at 7:28 pm
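As an added example (not code from the post, from the InfoWorld article, or from the commenter above), here is the check a practitioner would run before deciding whether relocating a web package buys anything: classify each request in the access log by whether it is aimed at a package's default install location, then see whether any source that probed the defaults also found the relocated copy. The log lines, the default-path list and the non-default install path /stats-x7q/ are constructed for illustration; the probe strings mimic the kind of automated phpBB and awstats requests such logs fill up with.

```python
import re
from collections import Counter

# Constructed Apache combined-log sample (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2006:07:01:13 -0400] "GET /phpBB2/viewtopic.php?t=1&highlight=%2527 HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.5 - - [12/May/2006:07:01:14 -0400] "GET /forum/viewtopic.php?t=1&highlight=%2527 HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [12/May/2006:07:03:41 -0400] "GET /awstats/awstats.pl?configdir=|echo;echo| HTTP/1.0" 404 211 "-" "lwp-trivial/1.41"
198.51.100.7 - - [12/May/2006:07:03:42 -0400] "GET /cgi-bin/awstats.pl?configdir=|echo;echo| HTTP/1.0" 404 211 "-" "lwp-trivial/1.41"
192.0.2.44 - - [12/May/2006:07:10:02 -0400] "GET /index.html HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
192.0.2.44 - - [12/May/2006:07:10:09 -0400] "GET /stats-x7q/awstats.pl?config=site HTTP/1.1" 200 8831 "http://example.test/" "Mozilla/5.0"
203.0.113.9 - - [12/May/2006:07:12:55 -0400] "GET /phpmyadmin/main.php HTTP/1.0" 404 207 "-" "-"
"""

# Enough of the combined log format to get client IP, request path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Default install locations that automated scanners hard-code. Constructed,
# not exhaustive; extend it with whatever your own logs show being probed.
DEFAULT_PATHS = {
    "phpBB": ("/phpbb", "/forum/viewtopic.php"),
    "awstats": ("/awstats/", "/cgi-bin/awstats.pl"),
    "phpMyAdmin": ("/phpmyadmin/",),
}


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def probed_package(path):
    """Name the package a request is hunting for if it targets a default path."""
    p = path.lower()
    for package, prefixes in DEFAULT_PATHS.items():
        if any(p.startswith(prefix) for prefix in prefixes):
            return package
    return None


def summarize(log_text, install_paths):
    """install_paths: where the packages actually live on this server (non-default)."""
    default_probes = Counter()   # package -> hits at its default location
    probe_sources = set()        # IPs that probed any default location
    install_hits = []            # requests that reached the relocated copy
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        pkg = probed_package(rec["path"])
        if pkg:
            default_probes[pkg] += 1
            probe_sources.add(rec["ip"])
        elif any(rec["path"].lower().startswith(prefix.lower())
                 for prefix in install_paths):
            install_hits.append(rec)
    # A scanner that probed defaults AND reached the relocated copy is the case
    # obscurity does not cover; that source deserves a closer look.
    found_by_scanner = sorted({r["ip"] for r in install_hits if r["ip"] in probe_sources})
    return {
        "default_probes": dict(default_probes),
        "probe_sources": sorted(probe_sources),
        "install_hits": len(install_hits),
        "found_by_scanner": found_by_scanner,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, ["/stats-x7q/"]).items():
        print(f"{key}: {value}")
```

In the sample, every probe goes to a default location and the only request that reaches /stats-x7q/ comes from a browser with a referer that never touched a default path, which is the situation the post describes. A non-empty `found_by_scanner` list is the signal that the obscurity has worn off for that source, and at that point only the patch level of the package matters.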