This is an editorial reprint from Aug 23, 2005
I wrote a while back about security through chaos, and that piece provoked some interesting responses. While I’m not sure I’d recommend it for every company, in some places it makes sense. I saw this InfoWorld article on Security by Obscurity and it reminded me of what I’d written.
The article talks about some basic things you can do that don’t seem like much, but the suggestions obscure things and ensure that not much on your system is as it would be expected. One simple thing they talk about is not installing to the default locations. That doesn’t sound like it would help much, as there are always ways to read the registry or use environment variables to find installations.
However, it does work. How many pieces of software, including some SQL Server Service Packs, expect things to be installed on c:? How often have you been bitten by a “bug” in some software because you’d renamed or moved something?
Computer software depends on patterns in many cases to work. And we all use patterns to shorten development time. We reuse code, we cut and paste way too much, and we often forget to make simple checks for things being moved around.
The same goes for virus and worm writers. The people who develop the technology might not be fooled, but so many script kiddies who use kits or modify some piece of code aren’t as savvy and don’t necessarily make these checks. I know that the administrator account has a particular SID that you can scan for, but I’d be willing to bet that most people would write a worm looking for “administrator”. Just think how much less of a problem SQL Slammer would have been if most people had moved SQL Server to some non-default port.
Simple obfuscating changes aren’t the answer to security issues, but they provide another layer of protection.