Why Security Through Obscurity Is Bad (Alone)

Security through (or by) obscurity is where we try to protect an asset by hiding it. Anyone who has ever played the game Capture the Flag knows that a motivated opponent will eventually find the flag. If there are no other deterrents in place, the opponent will scour the playing area and find the flag. If hiding an asset (the flag) doesn’t work for that simple game, it doesn’t work for information security.

However, Capture the Flag doesn’t just involve hiding the flag. In all variations of the game, every team has attackers. Therefore, part of the deterrent is acting quicker than your opposition. In a lot of variants, each side also has defenders who have some ability to discourage or thwart attackers. Even if the particular variant doesn’t have the concept of defenders, a team can be sneaky. It can overload one side, trying to trick the opposing forces into believing the flag is hidden on that side. Or some of the attackers could act out mock dismay when an opposing team heads into the wrong part of the playing area, leading that team to think they are close to the flag when they aren’t. In other words, there are always additional countermeasures.

The problem in information security with a strategy of security through obscurity alone is that we are assuming we are smarter than any adversary with plenty of time and opportunity on his or her hands. We aren’t. Therefore, we need to have the other appropriate countermeasures (controls) in place in order to protect our assets. There’s nothing wrong with making an asset harder to find (obscuring it). However, that can’t be our only mechanism of protection.
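To make the point concrete, here is an added example (not code from the original post) contrasting a handler whose only control is a hard-to-guess admin path with one that keeps the same obscure path but also requires authentication and role-based authorization behind it. The path, the token table and the roles are constructed sample values, not anything from a real system. Once the hidden path leaks, the obscurity-only version grants full access; the layered version still denies anyone without a valid admin credential.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample: an "obscure" admin path the deployer hopes nobody guesses.
HIDDEN_ADMIN_PATH = "/x7q9-admin-3f2a"

# Constructed sample: tokens the server has issued, mapped to the holder's role.
ISSUED_TOKENS = {
    "tok-admin-1": "admin",
    "tok-user-1": "user",
}


@dataclass
class Request:
    path: str
    token: Optional[str] = None


def obscurity_only(req: Request) -> int:
    """Return an HTTP-style status. The only control is that the path is hard to guess."""
    if req.path == HIDDEN_ADMIN_PATH:
        return 200  # anyone who knows (or finds) the path is in
    return 404


def _lookup_role(token: str) -> Optional[str]:
    """Constant-time comparison against each issued token; None if unknown."""
    for issued, role in ISSUED_TOKENS.items():
        if hmac.compare_digest(issued, token):
            return role
    return None


def layered(req: Request) -> int:
    """Same hidden path, but with authentication and authorization behind it."""
    if req.path != HIDDEN_ADMIN_PATH:
        return 404  # obscurity still hides the endpoint from casual discovery
    if req.token is None:
        return 401  # authentication: no credential presented
    role = _lookup_role(req.token)
    if role is None:
        return 401  # authentication: credential not recognised
    if role != "admin":
        return 403  # authorization: valid credential, wrong role
    return 200


def leaked_path_outcome() -> dict:
    """What each design does once the hidden path is known but no credential is held."""
    leaked = Request(HIDDEN_ADMIN_PATH)
    return {"obscurity_only": obscurity_only(leaked), "layered": layered(leaked)}


if __name__ == "__main__":
    print(leaked_path_outcome())  # {'obscurity_only': 200, 'layered': 401}
```

The obscure path is still worth keeping in the layered version, since it reduces noise from casual probing, but every decision that matters is made by the authentication and authorization checks, which hold up whether or not the path is secret.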

2 Comments

  1. ARLibertarian
    Jun 21, 2019 @ 11:58:42

    So, you’re saying I shouldn’t keep an email server that will be hosting sensitive documents in my closet in the basement?


    • K. Brian Kelley
      Jun 21, 2019 @ 15:36:29

      That’s definitely Shadow IT. And while I know the reference you’re making is to a high profile government position, it stands for everyone, even if you think there’s no reason for an adversary to target you.

