Obscurity Isn't Security, but It Helps

Tuesday, April 03, 2018

If you've ever heard someone pooh-poohing "security by obscurity" (but wondered if he knew what he was talking about), Daniel Miessler has some food for thought over at his eponymous blog:

Many of us are familiar with a concept known as Security by Obscurity. The term has negative connotations within the infosec community -- usually for the wrong reason. There's little debate about whether security by obscurity is bad; this is true because it means the secret being hidden is the key to the entire system's security.

When added to a system that already has decent controls in place, however, obscurity not only doesn't hurt you but can be a strong addition to an overall security posture. [minor edits]
It had always struck me as strange to hear people disparage obscurity as a security measure, but I never gave it more thought than, "It certainly doesn't hurt, and I'm pretty sure it can help." (That said, I never made the incorrect assumption that obscurity can carry the whole load. Some people do.)

What Miessler does in the rest of his post is walk through the nature of the benefit of obscurity and explain exactly how it helps. For the mathematically inclined, he even reduces this down to a product of conditional probabilities. But the math is easily translated into plain English: Obscurity reduces your odds of being attacked in the first place, but you should avail yourself of ways to reduce the effects of a successful attack, too.

-- CAV

4 comments:

RT said...

Yes, Com-Sci students get the lesson drilled into them: "Do not trust in obscurity."
A good lesson.
But, too many take it to mean "Obscurity is bad" or "Obscurity is something naive people do."
IRL, security around important artifacts must always be multi-layered and a layer of obscurity can help against the Day-0 attack against a suddenly-vulnerable algorithm.

Gus Van Horn said...

RT,

Good point. Sometimes, obscurity might be all you have against newly-discovered threats.

Gus

Dinwar said...

This reminds me of my thoughts on the gun control debate. The Democrats want to prevent dangerous situations by removing the tools which allow people to create such situations (and stripping us of multiple rights, treating us all as violent criminals, in the process). The Right focuses on dealing with dangerous situations should they arise. A rational view is to do both: prevent dangerous situations via a police presence focused on protecting the public and individual actions (not making one's self a target), but being prepared to deal with any bad situations should they arise.

The idea that any one tool is a be-all, end-all of security in any situation is naïve; the idea that a tool is not useful because naïve people use it is obviously fallacious.

Gus Van Horn said...

Dinwar,

Your last sentence reminds me of the '60s/'70s and the "don't trust anyone over 30" mentality as a whole. Just because something is old or unfashionable doesn't make it even a good rule of thumb to toss it aside.

Gus