Security through Obscurity

Recently, I was giving a talk to a group and one of the attendees said,

“If we use security by obscurity, it will slow down the attacker. Isn’t this a good thing?”

My response was that if you can detect the attacker during the slowed period, then it could be useful. However, I did not go into that further. I will in this blog posting.

Background

Security through obscurity

Let’s back up a little and make sure that we are all together on what I mean when I say, “security through obscurity”, also referred to as “security by obscurity”. This is when you are relying on keeping some part of your system, other than a cryptographic key, secret. I have seen people using non-standard ports for network services, using code obfuscation tools to make the program harder to follow, and otherwise trying to make the system hard to figure out through secrecy. The idea is that if you can keep the details of your system secret, you can prevent an attacker from figuring out the vulnerabilities (note: not if there are vulnerabilities—they exist in all real computer systems). If your system relies on the vulnerabilities being kept secret for its security, then you are practicing security through obscurity.

Open Security

As a contrast, consider the concept of “open security”, where you assume that the attacker knows everything about your system except the cryptographic keys, and yet you expect it to remain secure. This is the standard assumption for cryptographic protocols and algorithms (it is often called Kerckhoffs’s principle). For example, I might protect my communication with TLS 1.2 using AES-256, RSA-4096, and SHA-256, from a respected implementation that is current on its patches. Knowing the cryptographic algorithms and protocols gives the attacker no benefit; only the keys have to stay secret.

Slowing the attacker

Slowing the attacker can be a good thing. However, you need to be able to detect the attacker through some kind of effective intrusion detection. When I gave my talk, it appeared that none of the attendees had any kind of intrusion detection other than Google blocking their site as dangerous, or noticing that something had changed. When this is the case, slowing the attacker only delays the outcome: they will still get to their destination, control of your web site, app or computer. And, if they are skilled, you will never know they own you.

Defense in depth

Another case where security through obscurity can be useful is when the obscurity is not your only security measure, but simply a small part of it. The basic idea is that you are employing the secure design principle of “Defense in Depth”. In this case, when (not if) an attacker gets through your outer defense layer, you have another defense waiting for her. And, with your intrusion detection system, you know that the first layer has failed.
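The two conditions above, detecting the attacker during the slowed period and knowing when the first layer has fallen, are concrete enough to show in code. The following is an added example written for this page, not code from the original post. It assumes a service that has been moved from its standard port to port 2222 as the “obscurity” layer, and a simple firewall-style log format (timestamp, verdict, source address, destination port) that is constructed for the example; the addresses come from the RFC 5737 documentation ranges. An attacker who does not know the port has to probe for it, and that probing is what the detection watches for: a source that touches many distinct dropped ports in a short window is flagged as a scanner, and a flagged scanner that then gets an ACCEPT on the hidden port tells you the obscurity layer has failed and the next layer is now in play.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed firewall-style log lines (not real traffic). The format is an
# assumption made for this example: timestamp, verdict, source, destination port.
# The service is assumed to have been moved to the non-standard port 2222 as the
# "obscurity" layer, so 2222 is the only port that ACCEPTs.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z DROP src=203.0.113.7 dport=22
2024-03-01T10:00:01Z DROP src=203.0.113.7 dport=23
2024-03-01T10:00:01Z DROP src=203.0.113.7 dport=80
2024-03-01T10:00:02Z DROP src=203.0.113.7 dport=443
2024-03-01T10:00:02Z DROP src=203.0.113.7 dport=8080
2024-03-01T10:00:03Z DROP src=203.0.113.7 dport=2200
2024-03-01T10:00:04Z ACCEPT src=203.0.113.7 dport=2222
2024-03-01T10:05:00Z ACCEPT src=198.51.100.20 dport=2222
2024-03-01T11:00:00Z DROP src=198.51.100.20 dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<verdict>ACCEPT|DROP) src=(?P<src>[\d.]+) dport=(?P<dport>\d+)$"
)

OBSCURED_PORT = 2222        # assumption: where the real service was hidden
SCAN_WINDOW_SECONDS = 60    # sliding window for counting probes per source
SCAN_DISTINCT_PORTS = 5     # distinct dropped ports in one window that we call a scan


def parse_log(text):
    """Parse log text into sorted (epoch_seconds, verdict, src, dport) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts.timestamp(), m["verdict"], m["src"], int(m["dport"])))
    return sorted(events)


def detect_scanners(events, window=SCAN_WINDOW_SECONDS, threshold=SCAN_DISTINCT_PORTS):
    """Return {src: max distinct dropped ports seen in any window} for sources at or over threshold.

    This is the detection that must exist for obscurity to buy anything: the attacker
    spends the "slowed" period probing for the hidden port, and the probes are visible.
    """
    by_src = defaultdict(list)
    for ts, verdict, src, dport in events:
        if verdict == "DROP":
            by_src[src].append((ts, dport))
    flagged = {}
    for src, probes in by_src.items():
        probes.sort()
        counts = defaultdict(int)   # port -> hits inside the current window
        left = 0
        best = 0
        for ts, dport in probes:
            counts[dport] += 1
            # slide the left edge forward until the window is at most `window` seconds wide
            while ts - probes[left][0] > window:
                old_port = probes[left][1]
                counts[old_port] -= 1
                if counts[old_port] == 0:
                    del counts[old_port]
                left += 1
            best = max(best, len(counts))
        if best >= threshold:
            flagged[src] = best
    return flagged


def detect_layer_breach(events, scanners, obscured_port=OBSCURED_PORT):
    """Sources flagged as scanners that also got an ACCEPT on the hidden port: the first layer failed."""
    breached = []
    for ts, verdict, src, dport in events:
        if verdict == "ACCEPT" and dport == obscured_port and src in scanners:
            if src not in breached:
                breached.append(src)
    return breached


def analyse(text=SAMPLE_LOG):
    """Run both detections over a log and return the findings."""
    events = parse_log(text)
    scanners = detect_scanners(events)
    breached = detect_layer_breach(events, scanners)
    return {"scanners": scanners, "breached": breached}


if __name__ == "__main__":
    print(analyse())
```

In the constructed log, 203.0.113.7 probes six distinct ports in three seconds and then connects to 2222, so it is reported both as a scanner and as having reached the hidden service; 198.51.100.20 connects to 2222 directly and later touches port 22 once, which is a legitimate user, not a scan. The threshold and window are tuning knobs: set them from what your own logs show for normal traffic, and remember that a patient attacker can spread probes over days, so a longer window catches more at the cost of more state.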

Summary

To wrap things up, security through obscurity is only useful as a security measure if you (a) are able to detect the attacker, and (b) have another security measure waiting for when the attacker gets through the first layer.

Published by

Kenneth Ingham

Kenneth has been working with security since the early 1980s. He was a system administrator when the Morris Worm was released, and one of his work areas was helping secure the systems. Since then, Kenneth has studied network and computer security, and spent many, many hours looking at how software fails. With knowledge about failures, he can help you produce software that is less likely to suffer a security breach. Kenneth has a Ph.D. in Computer Science, and his research topic was on computer security. Kenneth has helped developers creating systems for financial services institutions, telecommunications companies, and embedded system and process control.
