[Openvas-discuss] Not scanning machines which don't respond to pings

Thomas Reinke lists at securityspace.com
Sun Aug 12 04:24:34 CEST 2012
On 11/08/12 05:51 AM, Michael Meyer wrote:

> Not allowing ping makes _no_ security gain. Denying ICMP is mainly
> only useful in the "Security By Obscurity" model. "Security By
> Obscurity", however, is completely useless.

This is simply not true.

It is well understood that to RELY on security by obscurity is
dangerous, and that it will not be sufficient to deter a determined,
resourceful, skilled attacker.

By the same token, it adds a layer of protection, however minimal,
that can reduce the overall risk profile.  This can have the effect
of anything from reducing the likelihood of certain types of
attacks succeeding (script kiddie scans of certain service types),
to buying anything from hours to days (or more) to patch vulnerable
systems that might be susceptible to zero day exploits.

If you look at only a black and white absolute (vulnerable or not), then
yes, security through obscurity does nothing to the binary evaluation of
the vulnerability status of a system.  But here's the catch - EVERY
system is by definition vulnerable to a network based attack, unless you
airgap it (unless you want to assert that a given system has achieved
perfection - I'll take a bet with you any day that we've not achieved
that anywhere yet).

At the end of the day, we are not worried about whether or not a system
is vulnerable - no airgap, no guarantee of security, so we can really
only look at reducing, as low as possible, for as reasonable a $ amount
as possible, the risk of experiencing a compromise, and to limit the
exposure should a compromise take place.  And for that, security by
obscurity approaches add a cheap, non-zero valued additional benefit.

Thomas