November 20, 2010 at 11:53 am
Comments posted to this topic are about the item Security by Obscurity
November 22, 2010 at 2:11 am
This is one of those things that's fine to start off with, but if everyone started installing stuff in non-default locations then the virus writers would very quickly realise that and add code to do a proper lookup of where to find whatever they're looking for. I'm not a big fan of security by obscurity for the same reason--once the obscurity's gone so has the security!
November 22, 2010 at 5:05 am
The flip side is: DR and maintenance are a nightmare.
I've seen both sides and I'll take standardization any day.
November 22, 2010 at 7:08 am
'Security through obsurity' gets a bad rap, but it is helpful, at least in a world where there are a lot of targets. No car is break-in proof, but if you leave nothing of interest visible, the likelihood of a break-in is reduced. Or we might travel with a computer in a not-very-computer-looking bag.
By contrast, the visible presence of a lot of high tech locks might even suggest to a criminal that there is something of value to be targeted.
...
-- FORTRAN manual for Xerox Computers --
November 22, 2010 at 9:54 am
jay holovacs (11/22/2010)
By contrast, the visible presence of a lot of high tech locks might even suggest to a criminal that there is something of value to be targeted.
That can certainly reduce the number of break ins but especially with computers there are a number of people who go in just to see if they can. For physical security I completely agree with you. However, for computer security I think the absence of a log will attract more people than it will put off.
November 22, 2010 at 12:53 pm
This seems to shoot down 2 of my 3 mantras:
Design for performance,
Code with clarity,
Implement with precision !
RegardsRudy KomacsarSenior Database Administrator"Ave Caesar! - Morituri te salutamus."
November 23, 2010 at 5:01 am
Tony Savoie (11/22/2010)
The flip side is: DR and maintenance are a nightmare.I've seen both sides and I'll take standardization any day.
To be fair, changing from the default values doesn't mean the same thing as not having any standardisation. For instance, just because you change the SQL port used, doesn't mean you have to go using random ports across all of your servers. Pick one and use that on all of them, then in a DR or maintenance situation you already know what the details are... they're the standard within your organisation, rather than the whole industry.
I think a bit of well planned obscurity is definitely a good thing, just so long as it has been thought out, so within your organisation you have standards defined and worked to. Done properly it can either add another layer to your security, cutting out most of the low hanging fruit in terms of script kiddies etc, or at worst it does nothing to protect your systems, but no harm has been done and it hasn't really cost anything to implement.
We've been doing a number of things like this where I work for years now. Has it protected us, I don't know, has it caused us any problems, not at all.
November 24, 2010 at 11:48 am
I have been bitten numerous times by installers expecting default locations. Just a simple change can help improve security. Although it may be a subtle change or a tiny bit of obscurity, it is well worth the added measure of defense and control.
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw[/url]
Learn Extended Events
Viewing 8 posts - 1 through 7 (of 7 total)
You must be logged in to reply to this topic. Login to reply