Subject: Re: [cti-taxii] Questioning the wisdom of using DNS SRV records for TAXII 2.0 Discovery


On 30.10.2015 21:02:52, Terry MacDonald wrote:
> 
>   * Security through Obscurity is not a security control
> 

True, but let's not conflate security through obscurity with good
opsec:

  * If I hash all my system passwords using ROT13, that's security
    through obscurity.

  * If I don't publicly advertise the location of the server holding
    the password hashes, that's operational security.

  * If I keep a spare key hidden in a fake rock by my front door,
    that's security through obscurity.

  * If I don't publicly advertise where I live or do a Foursquare
    check-in while traveling on business, that's operational security.

Now it may well be that in the case of using DNS SRV records to
support TAXII Discovery on the public internet, the benefits outweigh
the risks. My intent was not to kill the proposal but rather to
highlight an implicit risk and debate the question.

-- 
Cheers,
Trey
--
Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B  A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
www.soltra.com
--
"Every old idea will be proposed again with a different name and a
different presentation, regardless of whether it works." --RFC 1925
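The first and second bullets above draw a line between obscurity and a real control. As an added illustration that is not part of the thread or of any TAXII implementation, the following Python contrasts a ROT13 "hash" (reversible by anyone who obtains the stored value, so its only protection is that nobody knows the scheme) with a salted PBKDF2 hash that can be verified but not inverted. The iteration count and sample password are constructed values, not anything from the list discussion.

```python
"""Obscurity versus control: ROT13 "hashing" next to salted PBKDF2.

Added example for the cti-taxii thread; constructed values throughout.
"""
import codecs
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed work factor; a real deployment tunes this to its hardware.
ITERATIONS = 200_000


def rot13_hash(password: str) -> str:
    """'Hash' a password with ROT13: a fixed, keyless substitution."""
    return codecs.encode(password, "rot_13")


def rot13_recover(stored: str) -> str:
    """Anyone holding the stored value recovers the password with the
    same call; the only thing standing in the way is not knowing the scheme."""
    return codecs.encode(stored, "rot_13")


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted, slow hash; returns (salt, digest) for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive and compare in constant time; there is no inverse to call."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo(password: str = "Tr0ub4dor&3") -> dict:
    """Run both schemes over a constructed password and report what leaks."""
    obscured = rot13_hash(password)
    salt, digest = pbkdf2_hash(password)
    return {
        "rot13_stored": obscured,
        "rot13_recovered": rot13_recover(obscured),   # equals the password
        "pbkdf2_verifies": pbkdf2_verify(password, salt, digest),
        "pbkdf2_rejects_wrong": pbkdf2_verify("wrong", salt, digest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the bullets make carries over to the SRV question: knowing the scheme (ROT13, or "look for a TAXII SRV record") should not be what protects the asset, while choosing not to publish a server's location is a separate, legitimate opsec decision that a reversible scheme cannot substitute for.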
