> Hiding information about my security - the door is locked
>and it's still painted the same color as the wall. I also choose
>not to advertise the fact that there is a robot-controlled chain
>gun on the other side of it which will fire 10,000 rounds per
>minute of depleted uranium 20mm shells through the first thing
>that comes through the door which does not hold up my credit
>card and shout "WHUMPUS". The only possible give-away that
>might let an attacker know the chain gun is there is the 60'
>thick 20' high dirt berm backstop between the house and the
>garage, which I have landscaped with petunias.
Sounds like a good system design to me even if hard to implement legally in
The 'real security' vs 'security by obscurity' discussion which has been
rumbling on for months seems to be founded on a basic misconception about
security and risk management.
There is no such thing as 'real security', only reduction of risk to a level
deemed acceptable. As risk is an ever changing environment, the counter
measures you implement today will not stand for ever. Also I cant think of
an effective counter measure which does not rely to some extent on 'secret'
Perhaps the current debate is based on an assumption by many that a
'firewall' (whatever that is - could be anything from a piece of cheap code
dumped into a volume software product to a very strong barrier which links
with a series of other counter measures) is something you buy and install
and then forget about security thereafter. Security/risk containment is a
war. 'Secret' information eventually becomes common knowledge. Professional
attackers will breach the secret first (usually), until eventually any beach
bum with network access can walk through your door (even with a chaingun).
The same will apply to a simple measure like a door lock.
Those people who have had to take information security seriously for years
employ a simple process. They know that anything made by man can be broken
by man, so they use specialists to attack the systems until they can get
through on the assumption that their task has been made slightly easier than
for an external attacker so that the internal attack team should get through
quicker than even the most determined attacker. Once there has been a break
through it doesnt mean that the system has to be replaced. If it takes
twelve months to break in and an army of Cray 2s, the sensitivity of the
information internally may no longer be of any real value. It may be that
you decide some information cannot be help in the main system until a
stronger countermeasure is available, but most data is still adequately
protected. Of course you cant do that unless you have a real risk policy
with all the key elements like authorised users, data sensitivity classes
Thats fine for large corporations and government agencies but it might not
help the poor guy who can only get $2K approved to provide 'real firewall
security' as a once and for all solution. Thats where evaluated products and
security criteria come into their own because if you look at requirement
instead of fashion, current criteria include specific types of testing at
specific levels and there will be some form of continuing product
mainenance. Therefore you can benefit from someone else's testing etc. OTOH
it still wont help the people who expect 'real permanent security' for $2K
but then again nothing will.
If you work through this approach, you could say 'real security' = false
security, and every counter measure is 'security by obscurity'.