
posted by Fnord666 on Friday March 24 2017, @02:23AM   Printer-friendly
from the onions-have-layers dept.

The principle of Defence in Depth ("DiD"), says OWASP (Open Web Application Security Project), is that "layered security mechanisms increase security of the system as a whole". That is, if one layer of protection is breached, there's still the opportunity for the attack to be fended off by one or more of the other layers. If anyone's ever drawn something that looks like an onion on the whiteboard – a load of concentric layers with your infrastructure in the middle – that's the concept we're looking at. It's actually a military term that's been adopted by security types in the IT industry who want to be tank commanders when they grow up.

On the face of it it's a pretty simple concept to understand. Rather than just having (say) anti-malware software on your desktop computers, why not also make your Web downloads go through a filter that has malware protection on it too? And yes, this helps. But to do it properly you have to step back a few strides and have an overview of your world: although it's going to cost me 50p in the buzzword swear box, I'm going to say "holistic view".

I secure my systems by naming things like Perl regular expressions. Attackers instantly go cross-eyed and fall over.


  • (Score: 3, Insightful) by JoeMerchant on Friday March 24 2017, @03:14AM (10 children)

    by JoeMerchant (3937) on Friday March 24 2017, @03:14AM (#483486)

    Some say security by obscurity is no security at all.

    I say, an FTP server configured on port 21 goes down about 1000 times faster than one configured on port 21345. Sure, it's better to use a secure protocol like ssh, but, similarly, a secure protocol on a non-standard port number gets even less exposure to hacking attempts.

    Layer that with some proprietary stuff, and try to be smart about key management, salting your hashes, etc. and you're not likely to make the "10 most embarrassingly configured systems" list any time soon.

    Mathematically calculate a 5 year secure PGP key and make that your only barrier to entry, some joker with a quantum computer can ruin your whole day long before you thought they could.

    --
    🌻🌻 [google.com]
  • (Score: 0) by Anonymous Coward on Friday March 24 2017, @05:29AM (8 children)

    by Anonymous Coward on Friday March 24 2017, @05:29AM (#483525)

    You might be right. But 1000 times 35 ms is still only 35 seconds. Port scans are automated, so you are only wasting your time and the time of everyone typing that port number into their ftp client.

    • (Score: 2) by maxwell demon on Friday March 24 2017, @08:08AM (7 children)

      by maxwell demon (1608) on Friday March 24 2017, @08:08AM (#483564) Journal

      What about doing "reverse port knocking": if some IP address accesses unused ports, it gets blocked for a short time that increases with each attempted access to unused or currently blocked ports.

      --
      The Tao of math: The numbers you can count are not the real numbers.
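The escalating block sketched in the comment above, written out as an added example (this is not code from the thread or from any of its posters): every probe of a closed port, or any attempt while a source is still blocked, re-arms that source's block for a doubling interval. The exposed port set and the timings are assumed values; state is kept per source address, which is exactly why the replies point out that spreading probes over many addresses sidesteps it.

```python
from dataclasses import dataclass, field

# Assumed values: the only exposed services, first-offence block length in
# seconds, and a cap on doublings so a block cannot grow past ~8.5 hours.
OPEN_PORTS = {22, 443}
BASE_BLOCK = 30.0
MAX_LEVEL = 10

@dataclass
class SourceState:
    level: int = 0              # offences seen from this source (capped)
    blocked_until: float = 0.0  # timestamp when the current block expires

@dataclass
class ReverseKnocker:
    open_ports: set = field(default_factory=lambda: set(OPEN_PORTS))
    sources: dict = field(default_factory=dict)

    def attempt(self, ts, ip, port):
        """Return 'allow' or 'drop' for one connection attempt at time ts.

        Touching a closed port, or any port while still blocked, is an offence:
        the block is re-armed from now for BASE_BLOCK * 2**level seconds and
        the level rises by one, so repeat probing backs off exponentially.
        """
        st = self.sources.setdefault(ip, SourceState())
        if ts < st.blocked_until or port not in self.open_ports:
            st.blocked_until = ts + BASE_BLOCK * 2 ** st.level
            st.level = min(st.level + 1, MAX_LEVEL)
            return "drop"
        return "allow"

def replay(events):
    """Run (ts, ip, port) events through a fresh tracker; return the verdicts."""
    knocker = ReverseKnocker()
    return [knocker.attempt(ts, ip, port) for ts, ip, port in events]

# Constructed sample: one legitimate client and one sequential scanner.
SAMPLE = [
    (0.0, "10.0.0.5", 22),         # legit SSH user: allowed
    (1.0, "198.51.100.9", 21),     # closed port: blocked until t=31
    (1.1, "198.51.100.9", 22),     # open port but still blocked: until t=61.1
    (40.0, "198.51.100.9", 443),   # still blocked: block re-armed to t=160
    (200.0, "198.51.100.9", 443),  # block expired, open port: allowed again
    (200.5, "10.0.0.5", 443),      # the legit client is never affected
]

if __name__ == "__main__":
    for (ts, ip, port), verdict in zip(SAMPLE, replay(SAMPLE)):
        print(f"t={ts:6.1f} {ip:13} port {port:3} -> {verdict}")
```

Note the trade-off the later replies raise: a legitimate user who hits a wrong port once is blocked for the same 30 seconds, and every further retry while blocked doubles the wait.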
      • (Score: 2) by Wootery on Friday March 24 2017, @08:46AM (5 children)

        by Wootery (2341) on Friday March 24 2017, @08:46AM (#483569)

        Could be defeated by using a different source IP to check each port number.

        • (Score: 1) by khallow on Friday March 24 2017, @10:13AM (4 children)

          by khallow (3766) Subscriber Badge on Friday March 24 2017, @10:13AM (#483578) Journal
          But it still means that you're keeping out the script kiddies, which sounds like all the OP wants to do.
          • (Score: 2) by TheRaven on Friday March 24 2017, @10:23AM

            by TheRaven (270) on Friday March 24 2017, @10:23AM (#483581) Journal
            Most of these scans come from botnets. They'll try 2-3 from one IP, then a few from another, and so on. Botnet machines are something like 5¢ on the open market: well within the price range of most script kiddies.
            --
            sudo mod me up
          • (Score: 2) by JoeMerchant on Friday March 24 2017, @01:46PM (2 children)

            by JoeMerchant (3937) on Friday March 24 2017, @01:46PM (#483628)

            There are 10,000 script kiddie attacks flying around for every serious hack.

            Serious hacks tend to be more targeted, deliberate, focused. Yes, you should be resistant to them, but ultimately - if someone within your organization fails to resist some social engineering, no amount of technical security can resist that.

            In security, you should be as good as you can without compromising usability (unacceptably). The major threat is the simple scripts that trawl for open ports, first: don't fall for that.

            --
            🌻🌻 [google.com]
            • (Score: 2) by PiMuNu on Friday March 24 2017, @02:20PM (1 child)

              by PiMuNu (3823) on Friday March 24 2017, @02:20PM (#483650)

              > if someone within your organization fails to resist some social engineering, no amount of technical security can resist that.

              I thought that was the point of having layered defences (or network zones, or whatever) - so only a very few privileged actors have access to your golden data e.g. customer account data and only by jumping through some hard-to-socially-engineer hoop (like ssh keys). Probably the sort of people who are vulnerable to phishing aren't the sort of people who need to make accesses to the customer db (e.g. non-technical support staff, management, etc).

              • (Score: 2) by JoeMerchant on Friday March 24 2017, @03:37PM

                by JoeMerchant (3937) on Friday March 24 2017, @03:37PM (#483688)

                Very true, first consider the integrity of the user and the power of the key before putting them together... However, in this context, I think they're referring to "layered" as in onions, which means scanning attachments for viruses at multiple points in the stack, with multiple types of scanners, or requiring an SSH key and a username/password login, rather than multiple levels of privilege.

                --
                🌻🌻 [google.com]
      • (Score: 2) by bob_super on Friday March 24 2017, @05:06PM

        by bob_super (1357) on Friday March 24 2017, @05:06PM (#483746)

        Then some exec fails to connect using the default ports, gets blacklisted, grabs his phone to give you an earful, because he needs a cute door with a doormat and a key that fits His keychain, to get into your fortress, and he needs it right now...

  • (Score: 3, Informative) by driverless on Friday March 24 2017, @11:14AM

    by driverless (4770) on Friday March 24 2017, @11:14AM (#483590)

    > Some say security by obscurity is no security at all.

    Only security absolutists, who believe that security can only be either absolutely 100% theoretically perfect or totally useless. Unfortunately there are way too many people like this in the security industry, but then you don't have to listen to them. Security in obscurity (*in*, not *by*) is perfectly fine in a large number of cases, either as part of a defence-in-depth strategy or as your only security measure. For defence-in-depth, it cuts down on the number of attackers so you can focus on the ones that matter, not the endless hordes of script kiddies. For the only measure you use, consider how you set up a backup key to get into your house if you lock yourself out. You can use security in obscurity and hide it somewhere on your property where no burglar will even find it. Or you can use the "perfect" solution and put it into a key safe, something like this [screwfix.com]. Which can be opened in about ten seconds by anyone who knows how (any criminals worth their salt should), leaving no traces on the lock. In this case the security-in-obscurity solution is the secure one and the "perfect" solution is the insecure one.