Why security by obscurity does not work for rail cyber security

“We’ll just keep it secret, they can’t hack what they don’t understand”

You’ve just finished designing a system. It uses some proprietary software that has been developed in house, and the designs are marked as confidential internally.

It sounds like a pretty compelling argument, doesn’t it?

How could anyone figure out how to hack the system you’ve just developed? You were careful: you did some OS hardening, you used good development practices and you scanned the code using a static analyser.

And that is how it starts…

Security by obscurity is not a new concept

First, let’s explain what security by obscurity is. Quite simply, it is the assumption that if you keep key details about the design of a system secret, it will stay secure.

System owners who rely on security by obscurity believe they are minimising the risk of being targeted by an attack: the only reason the system is secure is that no one knows it exists. But obscurity does not actually secure anything. You are just putting a network or system out of easy reach. Anyone looking around can find it, and access it.

Think of it like storing your life savings by burying it in your back garden under a big tree. Whereas a bank would have several mechanisms to protect access to your savings through various layers of security, your money is only safe in your garden as long as no one knows you put it there.

The first known example of someone challenging this idea was in 1851, when a locksmith demonstrated that even the state-of-the-art locks could be picked. More commonly it is attributed to Kerckhoffs’s principle, which in 1883 stated that “one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them”.

Importantly, this is a concept that has existed for over a century. It was identified by experts in the field as a fallacy, yet it continues to exist today in a modern digital environment.

But the information about my system is a closely guarded secret; it is impossible for someone to get that information…

Who has access to that information? Will they work for the company forever? Is it stored in a digital format that is accessible to the rest of the organisation?

The truth is that you lost control of the information the moment the system was developed.

If the security of a system relies on keeping its implementation or structure a secret, the entire system becomes vulnerable the moment the first person discovers how the security mechanism works, and there is always someone determined to discover these secrets.

We’ve seen cases in rail where documents have been leaked to third parties, where proprietary hardware has been sold on eBay and where highly sensitive documents have ended up on the dark web. These documents included default passwords and full information about the security measures in place.

Also, physical access to devices cannot be prevented in a transport environment, either through poor end-of-life procedures or through access to the equipment while it is in service. So again, you have lost control of the security measures in place.

Why would anyone hack this rail system when it does not perform a critical function? Maybe not, but it might be connected to a system that does, or it may provide a different opportunity for an attacker. Creating a beachhead within a network can be as effective as hacking a critical system: the attacker’s dwell time gives them the opportunity to learn information and gain further footholds into the network.

Often direct attacks against a system are not the route in for a hacker; indirect attacks may provide an easier route because they have not been considered by the manufacturer.

The unfortunate truth is that they only have to win once to breach your system. You must assume that an attacker has near unlimited time to breach your system, whereas you have only a limited opportunity to protect it.
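As an added illustration of Kerckhoffs’s principle (example code written for this edit, not from the original post or from any rail vendor), the following Python contrasts two ways a device could validate a maintenance command: one whose only secret is its formula, and one whose algorithm is public and whose secret is a per-device key. The constant OBSCURE_SALT, the command string and all function names are constructed placeholders; the point it demonstrates is that publishing the first design defeats it for every unit ever built, while publishing the second changes nothing without the provisioned key.

```python
"""Security by obscurity vs. Kerckhoffs's principle (constructed illustration)."""
import hashlib
import hmac
import secrets

# ---- Scheme 1: obscurity. The formula is the only secret. -----------------
# Hypothetical constant baked into every unit and described in the design docs.
OBSCURE_SALT = b"rail-v2-internal"


def obscure_token(command: bytes) -> str:
    """'Proprietary' check: hash the command with a fixed constant.

    Every device accepts the same token for the same command, so a leaked
    document, a decompiled firmware image or a unit bought second-hand
    reveals the scheme for the whole fleet.
    """
    return hashlib.sha256(OBSCURE_SALT + command).hexdigest()[:16]


def obscure_verify(command: bytes, token: str) -> bool:
    return hmac.compare_digest(obscure_token(command), token)


# ---- Scheme 2: Kerckhoffs. Public algorithm, secret per-device key. -------
def provision_key() -> bytes:
    """Fresh 256-bit key for one device, generated at manufacture and kept in
    the device's protected storage rather than in the design documents."""
    return secrets.token_bytes(32)


def keyed_tag(key: bytes, command: bytes) -> str:
    """Standard HMAC-SHA256 over the command; nothing here is secret but the key."""
    return hmac.new(key, command, hashlib.sha256).hexdigest()


def keyed_verify(key: bytes, command: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, command), tag)


# ---- What a full disclosure of the design means for each scheme -----------
def token_from_public_knowledge(command: bytes) -> str:
    """Model someone who holds the complete design (this file) but no
    provisioned key. For scheme 1 that is all they need."""
    return hashlib.sha256(OBSCURE_SALT + command).hexdigest()[:16]


def disclosure_breaks_obscurity(command: bytes = b"maintenance-login") -> bool:
    """True when a token computed from public knowledge alone is accepted."""
    return obscure_verify(command, token_from_public_knowledge(command))


def disclosure_does_not_break_keyed(command: bytes = b"maintenance-login") -> bool:
    """With the algorithm public, a tag computed under any key other than the
    device's own (here: a random guess out of 2**256) is still rejected."""
    device_key = provision_key()
    guessed_key = provision_key()
    return not keyed_verify(device_key, command, keyed_tag(guessed_key, command))


if __name__ == "__main__":
    print("obscurity survives disclosure:", not disclosure_breaks_obscurity())
    print("keyed scheme survives disclosure:", disclosure_does_not_break_keyed())
```

The design lesson is the one the post makes about leaked documents and second-hand hardware: a scheme whose secret is a constant or a formula is lost fleet-wide the first time either leaks, whereas a scheme whose secret is a per-device key can be reviewed, published and audited, and a compromised unit costs you one key that can be rotated.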