Sunday, August 3, 2008

Security: Security through Obscurity


Security through obscurity frankly sucks. Sometimes you can't get around using it, so it's worth understanding what it is so you can avoid it whenever you can. Simply put, relying on an attacker not finding something (disguising a file, running a service on an odd port, or hiding an insecure service rather than securing it) is poor security: the secret is the only control, and once it is discovered nothing is left.

For example, a file called passwords.txt sitting on an unsecured network share and actually containing passwords is just stupid. That's less than no security; it's a tempting target for any prying eyes.

Renaming that file to csfr4pw.txt seems like it might deter casual onlookers, but anybody interested in your data can trivially grep through file contents and notice that it contains passwords; the filename was never what protected it. Likewise, moving a service to a non-standard port hides nothing from nmap, whose service and version detection identifies what is running where regardless of the port number.
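To make the point concrete, here is an added example (not code from the original post) of the kind of content-based search an attacker, or an auditor, runs against a share. It builds a small constructed sample "share" in a temp directory containing the obscurely named csfr4pw.txt, a config file with an API key, some harmless notes, and a decoy pointing at the locked cabinet, then walks it looking at what files contain rather than what they are called. The regexes and file contents are illustrative assumptions, not a complete secret-detection ruleset.

```python
"""Content-based discovery: renaming passwords.txt to csfr4pw.txt hides nothing."""
import re
import tempfile
from pathlib import Path

# Illustrative patterns suggesting credential material, matched on content only.
# Assumption for this example; a real scanner would carry a much larger ruleset.
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*\S+"),
    re.compile(r"(?i)\b(api[_-]?key|secret[_-]?key|access[_-]?token)\s*[:=]\s*\S+"),
]


def scan_tree(root):
    """Walk `root` and return {relative_path: [matching lines]} for every file
    whose contents look like credentials, regardless of its name."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip, as grep -r would
        matches = [
            line.strip()
            for line in text.splitlines()
            if any(p.search(line) for p in SECRET_PATTERNS)
        ]
        if matches:
            hits[path.relative_to(root).as_posix()] = matches
    return hits


def build_sample_share():
    """Constructed sample share (not real data): an obscurely named password
    file, a config with an API key, harmless notes, and the 'locked cabinet'
    decoy. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="share_")
    files = {
        "csfr4pw.txt": "router: admin\npassword = hunter2\nbackup_db password: Tr0ub4dor&3\n",
        "notes.txt": "Meeting moved to Thursday.\nBring the quarterly numbers.\n",
        "deploy/config.ini": "[api]\napi_key = AKIA-EXAMPLE-NOT-REAL\n",
        "readme.md": "The passwords are stored in a tamper-evident envelope in a locked cabinet.\n",
    }
    for rel, content in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, lines in scan_tree(share).items():
        print(rel)
        for line in lines:
            print("    ", line)
```

The obscure name buys nothing: csfr4pw.txt and deploy/config.ini are flagged, notes.txt is not, and the readme decoy that merely mentions passwords without containing any is also left alone, which is exactly why "replace the contents" works where "rename the file" does not.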

Find a better way to secure the data. Put it behind an access-controlled share, encrypt it, or even just replace the contents with "the passwords are stored in a tamper-evident envelope in a locked cabinet." Obscurity can technically count as one layer of defense in depth, but only on top of a real control, never in place of one; it's a tactic you should avoid if at all possible.
