[{"content":"","date":"10 May 2026","externalUrl":null,"permalink":"/tags/blue-team/","section":"Tags","summary":"","title":"Blue Team","type":"tags"},{"content":"","date":"10 May 2026","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"},{"content":"","date":"10 May 2026","externalUrl":null,"permalink":"/tags/cybersec/","section":"Tags","summary":"","title":"Cybersec","type":"tags"},{"content":"","date":"10 May 2026","externalUrl":null,"permalink":"/categories/defensive/","section":"Categories","summary":"","title":"Defensive","type":"categories"},{"content":"","date":"10 May 2026","externalUrl":null,"permalink":"/tags/hardening/","section":"Tags","summary":"","title":"Hardening","type":"tags"},{"content":"","date":"10 May 2026","externalUrl":null,"permalink":"/tags/infrastructure/","section":"Tags","summary":"","title":"Infrastructure","type":"tags"},{"content":"","date":"10 May 2026","externalUrl":null,"permalink":"/tags/linux/","section":"Tags","summary":"","title":"Linux","type":"tags"},{"content":"","date":"10 May 2026","externalUrl":null,"permalink":"/posts/","section":"Posts","summary":"","title":"Posts","type":"posts"},{"content":" Introduction # One of the oldest arguments in cybersecurity is probably:\n“Security Through Obscurity is not real security.”\nAnd honestly, I understand why many security people dislike that phrase so much. Why is merely moving a service from port 80 to 8080 or 65080, or configuring a server not to expose the web server or CMS name and version, not useful on its own?\nBecause if a system is fundamentally vulnerable, simply hiding the version number or changing the default port will not magically save it from compromise. 
A determined attacker will eventually fingerprint the service anyway.\nBut after working with real systems for years, I also think many people oversimplify this discussion, some even treating version disclosure as a vulnerability that must be solved at any cost, even when the only complete solution is impractical and risky.\nBecause in reality, attackers are lazy too.\nAnd reducing unnecessary information exposure absolutely can reduce attack surface, automated exploitation, noise from scanners, and opportunistic attacks, as long as we stay realistic and do not turn operational hardening into self-inflicted suffering.\nThat balance is the important part.\nWhy Version Disclosure Matters # A huge amount of modern offensive security work starts with fingerprinting.\nAttackers scan:\nserver banners\nframework headers\nCMS versions\nAPI responses\nSSH banners\nTLS fingerprints\nfavicon hashes\ndefault error pages\nbecause the moment they identify a product and version, they immediately start correlating:\nCVEs\nexploit PoCs\nMetasploit modules\npublic GitHub exploits\nShodan results\nautomated scanners\nSometimes people underestimate how much attackers automate this process now.\nAn exposed version string like:\nApache/2.4.49\nor:\nOpenSSH 7.2p2 Ubuntu\nbasically becomes free reconnaissance data.\nThe attacker no longer needs to guess what stack exists underneath. The system starts introducing itself voluntarily.\nAnd unfortunately, many real-world attacks are not sophisticated APT magic at all. They are just internet-wide automation searching for known vulnerable versions that somebody forgot to patch.\nObscurity Is Not Useless. It Is Just Not Enough Alone. # This is where the discussion usually becomes emotionally weird online.\nSome people act like hiding versions is completely useless.\nOthers behave like changing the SSH port from 22 to 2222 somehow transforms their server into Fort Knox.\nReality is somewhere in between.\nSecurity through obscurity should never be treated as the primary security control. 
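\nTo make the fingerprinting point from the section above concrete before moving on: the following is an added example, not code from the original post, showing what a scanner actually extracts from banners like the ones quoted there. The sample banners and headers are constructed for illustration. The parsing assumes the SSH identification-string format from RFC 4253 (SSH-protoversion-softwareversion, optionally followed by a space and a comment, which Debian and Ubuntu fill with distro-packageversion) and a plain HTTP Server header; the disclosure score is my own rough count of attacker-useful fields.\n

```python
# Added example: what a scanner extracts from version strings.
# Sample banners are constructed for illustration (not captured from any host).

SSH_BANNERS = [
    'SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10',  # distro suffix = exact package build
    'SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3',
    'SSH-2.0-OpenSSH_9.2p1',                     # suffix gone, version still present
]

HTTP_SERVER_HEADERS = [
    'Server: Apache/2.4.49 (Unix)',
    'Server: nginx/1.18.0 (Ubuntu)',
    'Server: Apache',                            # product only, no version
]


def parse_ssh_banner(line):
    '''Split an SSH identification string (RFC 4253:
    SSH-protoversion-softwareversion [SP comments]) into fields.
    Returns None if the line is not an SSH banner.'''
    line = line.strip()
    if not line.startswith('SSH-') or line.count('-') < 2:
        return None
    _, proto, rest = line.split('-', 2)
    software, _, comment = rest.partition(' ')
    product, _, version = software.partition('_')
    # Debian/Ubuntu append a comment like Ubuntu-4ubuntu2.10: distro-packageversion
    distro, _, pkg = comment.partition('-')
    return {
        'proto': proto,
        'product': product,
        'version': version or None,
        'distro': distro or None,
        'pkg': pkg or None,
    }


def parse_server_header(line):
    '''Parse an HTTP Server header into product and version (None if omitted).'''
    name, _, value = line.partition(':')
    if name.strip().lower() != 'server':
        return None
    token = value.strip().split(' ', 1)[0]       # first product token only
    product, _, version = token.partition('/')
    return {'product': product, 'version': version or None}


def disclosure_score(fp):
    '''Count attacker-useful fields: exact version, distro, and package build.'''
    return sum(1 for key in ('version', 'distro', 'pkg') if fp.get(key))


def fingerprint_report(ssh_banners, server_headers):
    '''Return (raw, parsed, score) for every banner, most revealing first.'''
    rows = []
    for raw in ssh_banners:
        fp = parse_ssh_banner(raw)
        rows.append((raw, fp, disclosure_score(fp)))
    for raw in server_headers:
        fp = parse_server_header(raw)
        rows.append((raw, fp, disclosure_score(fp)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == '__main__':
    for raw, fp, score in fingerprint_report(SSH_BANNERS, HTTP_SERVER_HEADERS):
        print(score, raw, fp)
```

\nCompare the score of the first SSH banner with the third: the Ubuntu suffix is what turns a bare OpenSSH 7.2p2 into an exact package build with a known patch state, and that suffix is precisely the part a configuration option can drop without rebuilding anything.\n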
Reducing unnecessary information disclosure is, however, still reasonable hardening in many situations.\nEspecially against:\nautomated scanners\ninternet background noise\nopportunistic attackers\nlow-effort exploit spraying\nmass internet scanning bots\nThe key phrase is:\nlayered defense.\nIf removing version disclosure costs almost nothing operationally, then honestly why expose it publicly?\nThe Dangerous Part Is When Hardening Becomes Operational Pain # This is where my perspective started changing over time.\nI once experimented with aggressively hiding OpenSSL/OpenSSH version information from scans like Nmap. At first it sounded like a fun hardening exercise.\nThen reality arrived.\nTo fully suppress or alter certain version fingerprints properly, I ended up touching package source code, rebuilding packages through dpkg, recompiling components, and modifying behavior deeper than normal configuration intended.\nAnd honestly?\nIt quickly became operational hell.\nBecause the moment you start heavily modifying packaged software:\nupdates become painful\npatch management becomes dangerous\nmaintenance becomes annoying\nfuture upgrades become unpredictable\ntroubleshooting becomes harder\npackage integrity assumptions break\nSuddenly a simple:\napt update \u0026\u0026 apt upgrade\nstarts feeling slightly terrifying because you are no longer running normal upstream packages consistently.\nAnd for what exactly?\nTo hide version strings from Nmap slightly better?\nAt some point the hardening effort itself becomes riskier than the original information disclosure problem.\nThat is the line many people forget to evaluate.\nPractical Hardening Usually Wins # This is why nowadays I prefer practical hardening over obsessive hardening.\nFor example, in OpenSSH on Debian and Ubuntu systems (the option comes from the Debian packaging patch, so it does not exist in upstream OpenSSH), simply setting:\nDebianBanner no\ninside:\n/etc/ssh/sshd_config\nalready removes the unnecessary Debian package version suffix from the SSH banner. The OpenSSH version itself (for example OpenSSH_9.2p1) stays visible, because the SSH protocol requires the software version string to be exchanged; what disappears is the distribution and package build information that maps directly to patch state. Restart sshd after the change, and put the line before any earlier setting of the same keyword, because sshd uses the first value it reads.\nThat is practical: low operational risk, easy maintenance. 
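\nAs an added example (not from the original post), here is a small audit of an sshd_config for the banner-related keywords, together with a prediction of the identification string the daemon will send. The two config excerpts are constructed. The parser follows the first-value-wins rule from sshd_config(5) but deliberately ignores Include and Match (assumption: a single plain file), so treat it as a sanity check on a file you are about to deploy, not a replacement for `sshd -T`, which prints the effective configuration of the installed daemon.\n

```python
# Added example: audit an sshd_config for banner-related keywords and predict
# the identification string sshd will send. Config excerpts are constructed.

# Constructed excerpt of a stock Debian sshd_config: DebianBanner is commented
# out, so the compiled-in default (yes) applies.
BEFORE = '''
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin no
#DebianBanner yes
'''

# Same file with the one-line fix. The duplicate at the end is deliberate:
# sshd keeps the FIRST value it reads, so the later yes is ignored.
AFTER = '''
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin no
DebianBanner no
DebianBanner yes
'''


def parse_sshd_config(text):
    '''Return {keyword_lower: value} following sshd_config(5) rules: blank
    lines and # comments are skipped, keywords are case-insensitive, and the
    first occurrence of a keyword wins. Include and Match are not expanded
    here (assumption: a plain single file), so use sshd -T for ground truth.'''
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def predict_banner(openssh_version, distro_suffix, cfg):
    '''Build the string sshd sends. The protocol requires the software version,
    so OpenSSH_x.y always stays; DebianBanner controls only the distro suffix
    and VersionAddendum (default none) appends free text.'''
    banner = 'SSH-2.0-OpenSSH_' + openssh_version
    if cfg.get('debianbanner', 'yes').lower() == 'yes' and distro_suffix:
        banner += ' ' + distro_suffix
    addendum = cfg.get('versionaddendum', 'none')
    if addendum.lower() != 'none':
        banner += ' ' + addendum
    return banner


def audit(text):
    '''Return findings about banner disclosure (empty list means clean).'''
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get('debianbanner', 'yes').lower() != 'no':
        findings.append('DebianBanner is effectively yes: distro and package suffix is sent')
    if cfg.get('versionaddendum', 'none').lower() != 'none':
        findings.append('VersionAddendum appends text to the banner: ' + cfg['versionaddendum'])
    return findings


if __name__ == '__main__':
    for label, text in (('before', BEFORE), ('after', AFTER)):
        cfg = parse_sshd_config(text)
        print(label, audit(text))
        print(label, predict_banner('9.2p1', 'Debian-2+deb12u3', cfg))
```

\nTwo practical notes follow from the first-value-wins rule. On Debian 12 the Include line sits at the top of the file, so a drop-in under /etc/ssh/sshd_config.d that sets DebianBanner takes precedence over anything in the main file; and appending DebianBanner no to the end of a file that already sets it earlier changes nothing. After restarting sshd, confirm the result from outside by connecting to port 22 with nc and reading the first line the server sends.\n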
Still compatible with normal updates, and still supported behavior.\nAnd honestly, for most real-world environments, that level of reduction is already enough.\nAnd even if you do edit the OpenSSL package source and recompile it successfully, the default version string comes back as soon as a later apt upgrade (an unusually long one, in my case) replaces your modified package, as shown in the picture:\nThe same mindset applies elsewhere too.\nRemoving:\nframework version headers\nverbose error pages\nunnecessary banners\ndefault CMS metadata\nexcessive server tokens\nis usually reasonable.\nBut rebuilding half your infrastructure from modified source code just to win against Nmap banner detection becomes much harder to justify operationally.\nAttackers Fingerprint More Than You Think Anyway # Another important reality is that modern attackers fingerprint systems using many signals simultaneously.\nEven if you hide:\nApache/2.4.x\nthey may still infer the technology through:\nTLS behavior\nresponse headers\nfavicon hashes\nJavaScript files\nHTTP behavior\ncookie patterns\nAPI responses\ndefault routes\nCDN behavior\nWAF fingerprints\nCompletely hiding infrastructure identity is often much harder than people initially expect.\nThat does not mean hardening is pointless.\nIt simply means:\nobscurity reduces information leakage, but should never replace actual patching, segmentation, monitoring, and secure architecture.\nSecurity Is Always About Tradeoffs # This is something many newer security people slowly learn with experience.\nThe “most hardened” configuration is not always the best configuration.\nSometimes the best security decision is the one that:\nreduces meaningful risk\nremains maintainable\nsurvives patch cycles\ndoes not destroy operations\ndoes not confuse future administrators\nSecurity engineering is not only about making attackers suffer.\nIt is also about not accidentally making defenders suffer more than attackers.\nAnd honestly, many infrastructure disasters begin when systems become so overengineered 
that nobody wants to touch them anymore.\nFinal Thoughts # I still believe reducing unnecessary information disclosure is good practice.\nExposing exact framework versions, CMS versions, SSH banners, or verbose server fingerprints publicly rarely provides meaningful benefit to defenders. Meanwhile attackers happily consume that information for reconnaissance and automated targeting.\nBut I also think security people should be careful not to turn hardening into operational self-harm.\nIf hiding a banner takes one clean configuration line, great.\nIf hiding a version requires rebuilding packages manually every update cycle while risking infrastructure stability, maybe it is time to ask whether the tradeoff still makes sense.\nBecause in real-world security, practicality matters too.\nAnd sometimes the strongest hardening decision is knowing where to stop.\n#Sarah59 #ThaiCySec\n","date":"10 May 2026","externalUrl":null,"permalink":"/posts/obscurityssh/","section":"Posts","summary":"How far should we go hiding versions, frameworks, and platform details from attackers before security hardening becomes operational pain?","title":"Security by Obscurity: hiding ports, framework or platform names and versions, but to what extent? 
Practical or Operational Hell?","type":"posts"},{"content":"","date":"10 May 2026","externalUrl":null,"permalink":"/tags/ssh/","section":"Tags","summary":"","title":"SSH","type":"tags"},{"content":"","date":"10 May 2026","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":"","date":"10 May 2026","externalUrl":null,"permalink":"/","section":"ThaiCySec - Cybersecurity Blog","summary":"","title":"ThaiCySec - Cybersecurity Blog","type":"page"},{"content":"ThaiCySec is a cybersecurity knowledge-sharing platform for Thai people by Sarah Saran Hansakul focused on offensive security, detection engineering, cloud security, AI security, and practical blue/red team methodologies.\nThe platform shares practical security knowledge, research insights, and real-world defensive and offensive perspectives for security professionals, students, and organizations.\n","date":"7 May 2026","externalUrl":null,"permalink":"/about/","section":"ThaiCySec - Cybersecurity Blog","summary":"","title":"About","type":"page"},{"content":"","date":"7 May 2026","externalUrl":null,"permalink":"/tags/ai-security/","section":"Tags","summary":"","title":"AI Security","type":"tags"},{"content":"","date":"7 May 2026","externalUrl":null,"permalink":"/categories/basics/","section":"Categories","summary":"","title":"Basics","type":"categories"},{"content":"","date":"7 May 2026","externalUrl":null,"permalink":"/tags/basics/","section":"Tags","summary":"","title":"Basics","type":"tags"},{"content":"","date":"7 May 2026","externalUrl":null,"permalink":"/tags/career/","section":"Tags","summary":"","title":"Career","type":"tags"},{"content":"","date":"7 May 2026","externalUrl":null,"permalink":"/tags/networking/","section":"Tags","summary":"","title":"Networking","type":"tags"},{"content":"Every few years to everyday now, cybersecurity changes personality again and again. Already exhausted?\nOne year everybody suddenly becomes malware analysts. 
Then cloud engineers. Then threat hunters. Then AI security experts after prompting ChatGPT five times and adding “GenAI Security Specialist” to LinkedIn before even understanding why a broken DNS can take down half the office.\nThe buzzwords change fast. The logos become shinier. Vendors keep inventing dramatic names for things that are honestly just old concepts wearing expensive new jackets.\nBut underneath all of that chaos, the foundations barely move.\nComputers still need to communicate. Systems still need trust. Humans still click things they absolutely should not click. Attackers still look for weak points, and defenders still need to understand what is actually happening underneath the dashboards instead of praying the SIEM magically explains everything itself.\nThat is why people with strong fundamentals usually adapt frighteningly fast when new technology appears. Once you truly understand the basics, most “new” technology starts feeling less like magic and more like the same old problems wearing prettier makeup.\nOne thing I noticed after years in cybersecurity is that this industry is addicted to hype. Every few years there is always a new “learn this immediately or become obsolete” topic. Right now it is AI. Before that it was Zero Trust, XDR, blockchain security, cloud everything, threat hunting, Kubernetes, and whatever vendors needed to put into conference slides that year.\nThe funny part is that many people rush so hard toward advanced topics that they completely skip understanding the systems underneath. 
Some want to become malware developers, exploit developers, AI security researchers, or cloud pentesters before understanding networking, authentication, operating systems, permissions, or even how packets move through a network.\nThen reality arrives very quickly.\nThe moment something behaves unexpectedly, many suddenly have no idea how to troubleshoot anything without copying commands from Reddit or Stack Overflow.\nThe uncomfortable truth is that fundamentals are not sexy. Nobody posts Instagram stories saying they spent the entire weekend studying DNS replication and Kerberos tickets.\nOne funny thing is that people always say fundamentals are “boring” until they realize many top-tier security people still have ridiculously strong Computer Science foundations underneath.\nAnd honestly, if you want to see how “unsexy” fundamentals supposedly are, go look at Harvard CS50, which my friends keep sending around every few years whenever somebody asks where to start learning properly.\nCS50 somehow survives every era too. Networking, memory, algorithms, systems, problem solving: the concepts keep following you everywhere no matter whether you end up in cloud security, malware analysis, AI security, or offensive operations.\n🎓 Harvard CS50 on edX\n▶️ CS50 Introduction Video\nMeanwhile DNS silently carries half the modern internet on its back while people continue pretending it is “basic knowledge” until it breaks production at 2AM.\nAnd honestly, networking alone is probably one of the highest ROI skills in cybersecurity. Almost everything eventually becomes networking somehow. Cloud security becomes networking plus identity. Malware analysis eventually touches networking. Web security is networking. 
Detection engineering depends heavily on understanding traffic and system behavior.\nEven AI systems increasingly rely on APIs, external tools, plugins, remote models, and distributed communication everywhere.\nOnce you understand how systems actually communicate, troubleshooting changes completely. You stop randomly clicking things hoping the issue disappears and start tracing the logic underneath the problem instead.\nThat mindset alone separates people who understand systems from people who only understand products.\nEven old concepts people love calling “boring” somehow continue surviving every technology era. The CIA triad is a perfect example. Confidentiality, Integrity, and Availability sound ancient because everybody learns them early and then immediately forgets them while chasing hype.\nBut somehow almost every modern attack still damages one of those three things anyway.\nRansomware destroys availability. Credential theft destroys confidentiality. Supply chain attacks destroy integrity. AI prompt injection? Congratulations, now we are damaging confidentiality and trust boundaries again with fancier vocabulary.\nThe technology evolves, but the core problems stubbornly refuse to die.\nThis is also why I think AI is making strong fundamentals more important instead of less important. AI can generate scripts, detections, code, attack chains, reports, and configurations frighteningly fast.\nBut if the person using it does not understand the underlying systems properly, they may not even realize the output is wrong, insecure, hallucinated, or architecturally cursed beyond repair.\nAI accelerates people. Unfortunately that includes accelerating bad decisions too.\nThe people benefiting the most from AI right now are usually not the people blindly copy-pasting prompts all day. 
It is the people who already understand systems deeply enough to validate the output intelligently and recognize when the AI is confidently hallucinating nonsense.\nOne thing I genuinely admire about strong cybersecurity people is that they stay curious about systems themselves, not just products.\nThey keep asking annoying but important questions.\nWhy does this trust that?\nWhat assumptions exist here?\nWhat happens if this fails?\nWhere is the actual boundary?\nWhere does the data really flow?\nThat curiosity builds adaptability, and adaptability matters much more than memorizing temporary tools because this industry changes constantly.\nProducts die. Vendors rebrand everything every three years. Fancy dashboards come and go. But people who understand systems deeply usually survive the transitions much better than people who only memorized workflows.\nCybersecurity will continue changing outfits forever. AI will evolve. Cloud platforms will evolve. Attack chains will evolve. Vendors will continue inventing increasingly dramatic product names that sound like Marvel movie titles.\nBut somehow the fundamentals keep surviving every era anyway.\nNetworking still matters. Authentication still breaks companies every single day. Trust boundaries still decide whether an incident becomes a disaster. 
System understanding still matters no matter how smart AI becomes.\nThe people investing time into those foundations may sometimes feel slower at the beginning compared to people speedrunning hype cycles online.\nBut years later, they are usually the ones adapting the fastest when the industry changes again.\nAnd trust me, this industry always changes again.\n#Sarah59\n#ThaiCySec\n","date":"7 May 2026","externalUrl":null,"permalink":"/posts/cyberbasic/","section":"Posts","summary":"Why strong IT and cybersecurity fundamentals still matter more than hype, even in the AI era.","title":"The Cybersecurity Fundamentals That Survive Every Era, Even AI","type":"posts"},{"content":"","externalUrl":null,"permalink":"/authors/","section":"Authors","summary":"","title":"Authors","type":"authors"},{"content":"","externalUrl":null,"permalink":"/series/","section":"Series","summary":"","title":"Series","type":"series"}]