Keeping an organization’s systems secure is the primary objective of its security team. Security teams implement various measures to achieve this objective and maintain a strong defense against incoming attacks, including applying patches, disabling unnecessary services, and fine-tuning firewall rules. Attackers, for their part, try to gather as much information as possible about target systems so that they can plan and execute their attacks more effectively.
Based on this common understanding of attacker behavior, “security through obscurity” is a long-standing belief in the information security industry. Its proponents hold that a target system is more secure when attackers are unaware of the security measures it employs. The belief has been around for decades, and there are arguments on both sides as to whether security through obscurity is good or not.
LIFARS is an industry leader that develops proactive strategies and tactics against evolving cybersecurity threats. Our services such as comprehensive gap assessment, red-teaming, penetration testing, threat hunting and vulnerability assessment reveal a company’s vulnerabilities. Our vCISOs will ensure your optimal cybersecurity strategy and adequate posture.
Definition of security through obscurity (STO)
STO, security through obscurity, or security by obscurity, is a well-known approach to securing a system or an application. It relies on hiding crucial security information from stakeholders and users, enforcing secrecy as the primary security measure. In plain words, STO tries to keep a system secure by strictly limiting the disclosure of information about the system’s internal mechanisms.
STO is popular among bureaucratic agencies, whether governmental, industrial, or security-related. It gives a false sense of security for IT systems. The core idea of the approach is to run IT systems on a well-defined need-to-know basis: if an individual does not know how to affect the security of a target system, they do not pose a danger to it. Without a doubt, this sounds good in theory. However, with increased sharing of knowledge, the popularity of open systems, a better understanding of programming languages, and the availability of considerable computing power to individuals, its effectiveness has declined over the years.
Some of the common examples of STO techniques include:
- Security teams assume that attackers do not read the code, so they hide user passwords within binary code modules or mix them into script comments or code files.
- To reduce brute-force attacks against a service on its standard port, security teams often move the daemon to a different port. However, as soon as an attacker finds the new port, this measure becomes useless. A more comprehensive solution is to limit the number of requests from an IP address within a defined period and to use two-factor authentication. Configuring firewall rules for allowlisting/blocklisting is also a viable solution.
- Another practice is to hide the version number of software, for instance the version number reported by Apache servers. However, there are many effective methods to carry out a banner grabbing attack regardless.
- We have often come across application folders whose names start with characters such as _, ^, or #: for example, a folder called admin renamed to _admin or ^admin. As soon as the attacker learns of this special character, they can access the restricted areas if no additional security measures are in place.
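The first technique in the list, credentials "hidden" in comments or compiled modules, is exactly what a routine secret scan finds. The following check is an added example, not code from the article or from LIFARS; the script, the fake ELF blob and the credential values in it are constructed samples, and the keyword pattern is a deliberately simple assumption.

```python
import re

# Constructed samples (not from the article): a shell script that "hides" a credential
# in a comment, and a fake compiled module that embeds it as a plain string.
SCRIPT = b"""#!/bin/sh
# backup account password=Hunter2-backup! (remove before release)
curl -u backup:Hunter2-backup! https://db.internal.example/dump
"""
BINARY = (b"\x7fELF\x02\x01\x01\x00" + bytes(range(0, 40))
          + b"password=S3cretPass99\x00" + bytes(range(200, 256)))

# Assumed keyword list; a real scanner would use a much richer rule set.
SECRET_PATTERN = re.compile(
    rb"(?i)(password|passwd|pwd|secret|token)\s*[:=]\s*['\"]?([^\s'\"]{6,})")


def printable_strings(data: bytes, min_len: int = 4):
    """Mimic the `strings` tool: return runs of printable ASCII of at least min_len bytes."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_secrets(data: bytes):
    """Return (keyword, value) pairs that look like embedded credentials.

    Works on source text and on binaries alike, because both are reduced to
    their printable strings first: hiding a password in a .so or .pyc does not
    keep it out of this list.
    """
    found = []
    for s in printable_strings(data):
        for m in SECRET_PATTERN.finditer(s):
            found.append((m.group(1).decode().lower(), m.group(2).decode()))
    return found


if __name__ == "__main__":
    for name, blob in (("script", SCRIPT), ("binary", BINARY)):
        print(name, find_secrets(blob))
```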
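The second technique, moving a daemon to a non-standard port, can be contrasted with the per-source rate limit the list recommends. The replay below is an added example, not code from the article or from LIFARS; the attempt log, the IP addresses and port 2222 are constructed, and the limit of three attempts per 60 seconds is an assumed policy.

```python
from collections import defaultdict, deque

# Constructed sample (not from the article): authentication attempts against a daemon
# moved from port 22 to 2222. Each tuple is (timestamp_s, source_ip, port, success).
# The attacker finds the new port after one probe, so the port change alone blocks nothing.
ATTEMPTS = [
    (0.0, "203.0.113.7", 22, False),
    (0.5, "203.0.113.7", 2222, False),
    (1.0, "203.0.113.7", 2222, False),
    (1.5, "203.0.113.7", 2222, False),
    (2.0, "203.0.113.7", 2222, False),
    (2.5, "203.0.113.7", 2222, False),
    (3.0, "203.0.113.7", 2222, False),
    (4.0, "198.51.100.2", 2222, True),   # legitimate user, unaffected by the limit
    (70.0, "203.0.113.7", 2222, False),  # outside the window again, so it is tried
]


class PerSourceRateLimiter:
    """Sliding-window limiter: at most `limit` attempts per source IP within `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self.history = defaultdict(deque)  # ip -> timestamps of attempts still in the window

    def allow(self, ip: str, now: float) -> bool:
        q = self.history[ip]
        while q and now - q[0] >= self.window:  # forget attempts older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False                          # over the limit: reject before authenticating
        q.append(now)
        return True


def replay(attempts, limiter=None):
    """Return (attempts that reached authentication, attempts rejected by the limiter)."""
    reached, rejected = 0, 0
    for ts, ip, port, _ok in attempts:
        if port != 2222:
            continue  # the only effect of the hidden port: probes of the old port hit nothing
        if limiter is not None and not limiter.allow(ip, ts):
            rejected += 1
            continue
        reached += 1
    return reached, rejected


if __name__ == "__main__":
    print("port change only:", replay(ATTEMPTS))
    print("with rate limit:", replay(ATTEMPTS, PerSourceRateLimiter(limit=3, window=60.0)))
```

With only the port change, all eight attempts on the new port reach authentication; with the limiter, the attacker's fourth to sixth attempts inside the window are rejected while the legitimate login still succeeds.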
Common myths related to security through obscurity
It is a false notion that an ostrich becomes invisible by putting its head in the sand. Similarly, coders and programmers think that if they restrict access to their code, attackers will not be able to exploit its vulnerabilities. Over the years, multiple incidents have shown that restricted access actually made vulnerabilities easier to exploit.
The emperor has no clothes
Modern-day development processes involve designers, developers, debuggers, integrators, testers, security analysts, and end users. This variety of people has access to proprietary code and may be aware of its limitations and constraints. If all of them nonetheless believe that a system or application is secure, we arrive at a situation in which the emperor has no clothes.
I have got a secret
Transmitting files is a straightforward action these days, and organizations cannot make excuses for poor security practices in 2020 and beyond. There has to be an understanding that security incidents caused by lax practices result in financial and reputational losses, along with regulatory proceedings.
The shell game
Here, an object is hidden from view so that the issues it contains are not identified. Very often, the level of secrecy tells you nothing about how rigorously the code was tested. At the same time, releasing the code as open source is not a solution by itself. Risk assessment, secure software development practices, and a good security culture are crucial.
If your organization relies solely on security through obscurity techniques to protect its IT infrastructure, that is almost certainly a bad idea: as soon as an attacker gets hold of the secret, the security posture collapses. However, when used in tandem with other security mechanisms, STO can be useful to overall security operations. One cannot deny that hiding information has real value, and when used alongside measures such as two-factor authentication, IP-based restrictions, and firewall rules, it may give fruitful outcomes. Organizations must not, however, believe that hiding information is always good practice; it varies from one system to another. If STO techniques help minimize security risks to your organization, then why not?