Kromey’s Adventures

Just a nerd with aspirations to delusions of grandeur

Security Through Obscurity - Over-demonized?

20 Aug 2009

Anyone who has spent any real time dealing with computer systems’ security has heard the phrase, “Security through obscurity is no security at all.” While I won’t make false claims that I’m an expert in the field of computer security, today I will apply common sense and some basic best practices and explain when this axiom is, in fact, false.

Security through obscurity is the practice of relying on the fact that an attacker doesn’t know where something is, or how it works, as the protection for it. It can be likened to those handy magnetic key holders that some people stick underneath their cars: Sure, the average punk looking for some cheap thrills might not find it, but any car thief who’s been around will check the usual spots and get it right away, and now they have your car.

That’s the common view, anyway. The problem is that that’s not the only way security through obscurity can be applied. Let’s revisit that car again, only this time instead of hiding the key we’re going to hide the lock. Now, not only do we continue to foil the average street punk, but the seasoned car thief who searches hard enough only finds the lock, and still needs to overcome it to gain entry to your car; even a former Boy Scout with the knowledge to pick locks is foiled, simply because he can’t find the lock to pick it. This, my friends, is a proper application of security through obscurity: It is one additional layer in your security infrastructure, not the only one, and it works precisely because the lock underneath is still a good lock.

And in fact, this is used to great effect in the world of computer security: Firewalls offer a “stealth mode” that silently drops unsolicited packets instead of answering them with a reset or an ICMP unreachable, so a scan sees no host at all rather than a closed port; organizations using SSH oftentimes run it on a non-standard port to keep it out of the mass scans and brute-force sweeps aimed at port 22 (a full port scan will still find it, which is why the authentication behind that port has to hold on its own); and a myriad of computer systems will hide options that are not available to the current user, while still refusing to honour them if someone asks for them directly.
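To make the “hide the lock, but keep a good lock” distinction concrete, here is a small checker I wrote for this post (it is not the blog author’s code). It reads an sshd_config, treats a non-standard Port as the obscurity layer, and treats key-only authentication with no root login as the actual lock, then reports which of the two you have. The directive names are the real OpenSSH ones; the two config snippets, the port number 2222 and the verdict wording are constructed for the example. The checker also goes one step beyond the text by resolving repeated directives the way sshd does (first occurrence wins).

```python
"""Added example: is a non-standard SSH port layered on top of a real lock,
or is it the only thing protecting the service?

Illustrative code written for this post, not the post author's. Config text
below is constructed; directive names are genuine OpenSSH ones."""

from dataclasses import dataclass, field

DEFAULT_SSH_PORT = 22

# OpenSSH's own defaults for the directives we look at, used when a config omits them.
OPENSSH_DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text: str) -> dict:
    """Parse 'Directive value' lines into a lowercase-keyed dict.

    Comments and blank lines are skipped. For a repeated directive the first
    occurrence wins, which is how sshd itself resolves duplicates."""
    config = dict(OPENSSH_DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in seen:
            continue
        seen.add(key)
        config[key] = value
    return config


@dataclass
class Assessment:
    hidden_lock: bool        # service moved off port 22: the obscurity layer
    lock_is_sound: bool      # key-only auth, no root login: the actual lock
    findings: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.lock_is_sound and self.hidden_lock:
            return "defence in depth: hidden lock, sound lock"
        if self.lock_is_sound:
            return "sound lock, but in plain view"
        if self.hidden_lock:
            return "obscurity only: the lock is hidden but trivially opened"
        return "neither hidden nor sound"


def assess(config_text: str) -> Assessment:
    cfg = parse_sshd_config(config_text)
    findings = []

    try:
        port = int(cfg["port"])
    except ValueError:
        port = DEFAULT_SSH_PORT
        findings.append("unparseable Port, assuming 22")
    hidden = port != DEFAULT_SSH_PORT
    if hidden:
        findings.append(f"port {port} only avoids port-22 mass scans; "
                        "a full port scan still finds the service")

    sound = True
    if cfg["passwordauthentication"] != "no":
        sound = False
        findings.append("PasswordAuthentication is on: once found, the lock can be brute-forced")
    if cfg["pubkeyauthentication"] != "yes":
        sound = False
        findings.append("PubkeyAuthentication is off")
    if cfg["permitrootlogin"] not in ("no", "prohibit-password"):
        sound = False
        findings.append(f"PermitRootLogin {cfg['permitrootlogin']} allows direct root login")
    return Assessment(hidden, sound, findings)


# Constructed sample configs (not from any real host).
OBSCURITY_ONLY = """
# Moved the port and called it a day
Port 2222
PasswordAuthentication yes
PermitRootLogin yes
"""

LAYERED = """
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, text in (("obscurity only", OBSCURITY_ONLY), ("layered", LAYERED)):
        result = assess(text)
        print(f"{name}: {result.verdict}")
        for finding in result.findings:
            print("  -", finding)
```

Run it and the first config is flagged as “obscurity only”: the port move is worth keeping as a noise reducer, but the finding about password authentication is the one that matters. The second config gets the “defence in depth” verdict, which is the car-with-the-hidden-lock the post is arguing for.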

Nothing I’m saying here is earth-shatteringly brilliant or new. For years, obscuring things has been a successful piece of security solutions. The problem is when people begin to lose focus, forget the sound reasoning behind the axioms they follow, and just blindly follow them to the letter.

If you are tasked with the defense of any computer-based system, do think of our car and consider hiding the lock, after you have made sure the lock itself is a good one. Simply ignoring this option because someone once parroted this axiom means that you’re not thinking through all of your options, and that is the first sign that you may be on the path to failure in the defense of your system.