It’s possible to get some, but not all, security through obscurity.
Gene Spafford challenges the notion many security people have that there’s no security through obscurity. “Being deceptive can frustrate attackers, but it’s not a perfect defense all by itself,” said Spafford, Professor and Director Emeritus at Purdue University in our conversation at the 2017 RSA Conference in San Francisco.
Watch the full video interview with Gene Spafford here:
VIDEO: Gene Spafford Interviewed at RSA 2017
Spafford is a 30+ year veteran in security, and has worked with notable students Dan Farmer (COPS) and Gene Kim (Tripwire). He also helped found The Center for Education and Research in Information Assurance and Security (CERIAS), the world’s largest multi-disciplinary academic research center in security and privacy.
About 20 years ago, with his security team at Purdue, Spafford started what he terms “deception work.” He has recently revisited his effort working on endpoint deception techniques, such as deceptive memory to defeat anti-forensic measures, and deceptive patching to defeat reverse engineering of patches to find vulnerabilities. This is different than the network deception currently being produced by companies.
“They’re not necessarily decreasing the attacks,” admitted Spafford. “But they are putting up the workload of attackers and increasing some of the potential to identify that an attack is underway.”
Spafford is trying to rejigger everyone’s notion about this old maxim that an element of, not all, security can be had through obscurity. “You can get additional security through obscurity or through deception. But it shouldn’t be your primary form of security,” warns Spafford.
ABOUT GENE SPAFFORD
*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Cylance Videos. Read the original post at: https://threatmatrix.cylance.com/en_us/home/gene-spafford-no-security-through-obscurity.html