Do you obfuscate machine names?
For decades it has been best practice to NOT identify machines by their purpose. I once war dialed a major credit card organization (as a consultant for a big audit firm) and found many machines identified as "payment-gatewayX.domain.com". This easily identified good targets for an attack.
Now an open source researcher has highlighted this issue by using DNS records to discover and publish tens of thousands of machine names belonging to the .mil top level domain. Read Matthijs Koot's analysis here. http://blog.cyberwar.nl/2011/08/osint-on-military-cyberspace.html
My advice: Use non-descriptive machine names! Random numbers would be best.
Best Answer
My problem with that approach is that it unnecessarily complicates day to day interaction and operation of the equipment. Plus, if I'm attacking a network, looking at the names will be one thing, but scanning the ports will reveal who is really doing what, regardless of what the names say.
I can't imagine trying to manage an environment with randomly named systems, particularly from an automation standpoint.
Now, if you allow your internal DNS namespace to be accessed from the outside, then you're going to get far more problems than you ever dreamed of. :)
I would say, why not? Sure, it's security by obscurity, but why give anyone - a skilled hacker who has penetrated the network or a bored employee just browsing around - a leg up if you don't have to? The interaction with machine names is a relatively static/fixed process so I don't see why it would matter if host names are generic as long as the right people know how to access the right systems.
Good point, Andrew. This reminds me of the old problem with part numbers we had in manufacturing plants. The debate was between sequential numbering and numbers with intelligence built in. In other words, should you be able to tell what customer, vehicle, or left-hand/right-hand a part is by looking at the part number? I was at one plant that used workers' birthdays as part numbers! I was in favor of sequential numbering.
From the footprint analysis that I used to do during attack and penetration tests, I still believe that you should not convey the purpose of a machine in its name. Attackers like to focus on the most valuable assets. Why bother scanning ports for vulns on uninteresting machines when payroll.megacorp.com is just sitting there?
No, I do not obfuscate machine names.
There is no evidence nor metric that demonstrates that such a tactic will mitigate risks.
Hard to say it more simply than Glen did. :) Doing so will not protect your network. Doing so will only make it more difficult for internal workers.
When you scan for ports and services running to perform a hack, the machine's friendly name is irrelevant.
Very interesting development here. It is the old security versus usability argument coming out. The idea that hackers are looking for vulnerabilities, while still true, does not take into account the current trend: attackers are looking for specific information.
An attacker today is looking for the keys to the kingdom. They prefer not to risk discovery by scanning all IP addresses for all 64,000+ ports. If they can quickly glean from public DNS and ARIN databases, they can focus their efforts on a target more discreetly. If a server is named secretseeds.rsa.com, it identifies itself as a target; so do CAC.disa.mil or ca.microsoft.com (certificate authority).
As always, properly applied technology can help out here. Random names for machines can easily be transposed into meaningful names by a management console to help the sysadmins. If you only have a few servers give them personalities. Instead of treasury.bofa.com use ladygaga.bofa.com etc.
I am going to go further here: machine names that could be targets of interest should only be applied to honeypots.
I do agree that system names have some importance to an attacker.
But I suggest that meaningful names (for various definitions of meaningful) have more ongoing importance to an organization in maintaining its business and providing valuable services. And these two perspectives have to be balanced. Every element of abstraction that I add to the management of my network increases the complexity, and thus increases the risk. Automation in a network of randomly named servers is several orders of magnitude higher than
If I am outside a network attacking it, I'm not particularly interested in names. Not initially -- I'm more interested in the services. In most cases, I just need to know what the public website is, and then attempt a breach from there.
Once a single box has been compromised, it is easy enough to determine what the internal name servers are without scanning the whole network. If I've compromised a web server, then it is not hard to determine what the database server is. If I'm on the database server, I might not have to go anywhere else for valuable data.
It is possible to name servers in a way that is both consistent, yet not too revealing, without resorting to random or human-unreadable names. The degree to which the naming change will adversely impact the employees is much greater than the degree to which it will adversely impact an attacker, so incurring twice as much administrative pain for 15% more security is not necessarily the best equation for every business.
I especially agree that public-facing names need to be handled with care, but again, randomness does not necessarily add enough value for the level of value that it offsets in other areas. If the primary attack vectors are public websites or publicly available services, then the obscurity of the names is not of as much value as on a closed network.
Just to put a nail in this discussion, look at this Tweet from @mrkoot (who inspired this thread with his revelation of thousands of such machine names):
Infoleak-by-hostname: if not disinfo, "alarmnet7810irent2.whoi.edu" reveals that WHOI uses a Honeywell 7810iR-ENT alarm system.
Now come on. Revealing machine types, especially network attached alarm systems, is just wrong.
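The original post and the tweet quoted above describe the same leak from the attacker's side: a DNS zone that names hosts by role ("payment-gateway", "payroll", "ca") or by product model ("7810iR-ENT"). A defender can run the same check against their own zone before anyone else does. The script below is an added example, not code from the thread or from Matthijs Koot's research; it assumes you have exported your own forward zone (or inventory) as plain text, and the zone records, the keyword list and the model-number heuristic are all constructed for illustration and should be tuned to your environment.

```python
"""Audit exported hostnames for role- or product-revealing labels.

Added example, not part of the original thread. Assumes the defender has
exported their own forward DNS zone (or an asset inventory) as plain text.
The records below are constructed; none of the hosts are real.
"""
import re

# Constructed sample zone: "owner IN A address" records (RFC 5737 test addresses).
SAMPLE_ZONE = """\
payment-gateway3   IN A 192.0.2.10
payroll            IN A 192.0.2.11
srv-0417           IN A 192.0.2.12
ca                 IN A 192.0.2.13
alarmnet7810irent2 IN A 192.0.2.14
ladygaga           IN A 192.0.2.15
www                IN A 192.0.2.16
db-prod-hr         IN A 192.0.2.17
"""

# Role keywords that tell an outsider what a box does. Constructed starter list;
# extend it with the terms your own organization actually uses.
ROLE_KEYWORDS = {
    "payroll", "payment", "gateway", "hr", "finance", "financials", "core",
    "treasury", "ca", "pki", "vpn", "backup", "db", "sql", "ldap", "ad", "dc",
    "alarm", "scada", "plc", "camera", "badge",
}

# Heuristic: letters, three or more digits, then letters ("alarmnet7810irent")
# frequently encodes a vendor model number. Expect some false positives.
MODEL_PATTERN = re.compile(r"[a-z]*\d{3,}[a-z]{2,}")


def parse_zone(text):
    """Return lower-cased owner names from zone lines of the form 'name IN A addr'."""
    names = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1].upper() == "IN":
            names.append(parts[0].lower())
    return names


def tokenize(hostname):
    """Split a label into alphabetic tokens: 'db-prod-hr' -> ['db', 'prod', 'hr']."""
    return [t for t in re.split(r"[^a-z]+", hostname) if t]


def role_hits(tokens):
    """Keywords matched by exact token, or by prefix for longer keywords
    (so 'alarmnet' still trips 'alarm' without 'ladygaga' tripping 'ad')."""
    hits = set()
    for tok in tokens:
        for kw in ROLE_KEYWORDS:
            if tok == kw or (len(kw) >= 5 and tok.startswith(kw)):
                hits.add(kw)
    return sorted(hits)


def classify(hostname):
    """Return the list of findings for one hostname; empty means nothing revealed."""
    findings = []
    hits = role_hits(tokenize(hostname))
    if hits:
        findings.append("role keyword: " + ",".join(hits))
    if MODEL_PATTERN.search(hostname):
        findings.append("possible product/model number")
    return findings


def audit(zone_text):
    """Map each revealing hostname to its findings; quiet hosts are omitted."""
    report = {}
    for host in parse_zone(zone_text):
        findings = classify(host)
        if findings:
            report[host] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_ZONE).items():
        print(f"{host:22s} {'; '.join(findings)}")
```

Run against the constructed zone, the audit flags payment-gateway3, payroll, ca, alarmnet7810irent2 and db-prod-hr, and stays silent on srv-0417, ladygaga and www, which is the naming outcome both camps in the thread would accept: the names the operators need internally, with nothing in public DNS that tells an outsider which box to look at first.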
Love it, Richard. My point exactly. Why give the bad guys a leg up if you don't have to?
Any "bad guy" worth his salt is going to focus his efforts on the highest payoff systems...the ones named "financials", "HR" and so on, especially if his time is limited.
For example, you have 2 hours or 2 days or whatever to find sensitive information on the network for ill-gotten gains (or for vulnerability assessment or audit purposes)... Someone says: 3, 2, 1, Go! Where would you focus your efforts? It'd be easy to obtain a metric from this.
The real issue here is not ports and services running but rather open network shares and missing patches on these more critical business systems. I see this all the time in my internal vulnerability assessments - open shares on HR servers named HR, missing (and exploitable) patches on bank core processing systems named CORE and so on - and without fail that's where the "money" ends up being.
Sure, insiders have nothing but time on their hands, so they may eventually get to every system if you don't have other basic controls in place. My overall point is why make it any easier if it's something so simple?