What is Security Through Obscurity and Why is it Bad?


By using security through obscurity as a means of securing a network, some people think that they are minimising the risk of attack. Others disagree, claiming that developers are in fact increasing their network’s risk of attack. After all, once an attacker can access the network, they can access everything. In this article we discuss whether security through obscurity is inherently bad, or whether it has a place amongst other security procedures.

So, what is security through obscurity, and why is it bad? Security through obscurity (STO) is a process that developers use to secure their network by enforcing secrecy as the main security method. If developers use STO as their sole security method, however, everything on the network is at risk if an attacker can access their network.

Read on to learn more about security through obscurity, and if it can ever be a good security method.

What is Security Through Obscurity?

Security through obscurity (STO) is a security method used by some software developers and systems engineers to secure their network, system, or app by using secrecy as their main and, sometimes, sole tactic.

The method is primarily based on hiding important information that could make the system vulnerable, and enforcing secrecy. In theory, the system is secure as long as these secrets don’t get out.

Some believe that STO is a great security tactic, whilst others believe that it should never be used as a sole tactic. If the secrets of the system were to get out, the entire system would be at risk.

Why is Security Through Obscurity Bad?

Security through obscurity can be a good security tactic when used in conjunction with other methods, but when used as the sole method of securing a system, developers risk losing the system to an attack should secrets be revealed. In other words, if an attacker finds the key, or is given the secrets of the system, the system is compromised.

There is a heavy reliance on trust within the team and others that have access to such system secrets to ensure that security through obscurity works. Without such trust, there is no security.

However, developers know their system better than anyone else, and must consider the following: what is the likelihood that their system will be attacked, and what would the impact of that attack be? From here, they can better determine whether or not security through obscurity as a sole method of security is bad, and if they should implement other security measures that would both minimise the risk of attack and reduce its impact.

Is There a Good Way to Use Security Through Obscurity?

Many industry experts consider security through obscurity to add a beneficial additional layer of security to an existing security system. The key is that STO isn’t the sole security system.

Using STO as an additional security measure can help to reduce the chances of attack, and shouldn’t be underestimated. However, developers need to first consider whether or not it is worth spending the time on implementing this method – is it likely to either reduce the risk of attack, or minimise the impact of an attack?

Examples of Security Through Obscurity

Examples of security through obscurity can be seen throughout the online world every day, although it is usually an additional layer of security to a broader security system. Examples of security through obscurity include:

• Hiding user passwords inside binary code, or mixed with script code and comments
• Replacing logical usernames and passwords with randomly generated alphanumeric phrases
• Changing the name of application folders
• Using a different daemon port, such as moving SSH off its default port 22
• Hiding software versions
• Obfuscation – Making JavaScript or other code difficult to read, and therefore to hack
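To illustrate the difference between obscurity as the sole measure and obscurity as one layer, the following Python script (an added example, not code from the original article) audits the text of an sshd_config and reports whether a moved port is the only protection in place. The sample configurations are constructed, and the two controls checked are assumptions chosen for this example rather than a complete hardening baseline.

```python
# Added example, not from the original article.
# OpenSSH defaults for the directives inspected here.
DEFAULTS = {"port": "22", "passwordauthentication": "yes",
            "permitrootlogin": "prohibit-password"}
# Controls chosen for this example (illustrative, not exhaustive).
CONTROLS = {"password login disabled": ("passwordauthentication", "no"),
            "root login disabled": ("permitrootlogin", "no")}

def parse_sshd_config(text):
    """Return {keyword: value} for global 'Keyword value' lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":      # conditional blocks follow; globals end here
            break
        if len(parts) == 2:
            # sshd keeps the first value it reads for these keywords
            settings.setdefault(key, parts[1].strip().lower())
    return settings

def audit(text):
    """Report whether a moved port is the only protection in place."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    missing = [name for name, (key, wanted) in CONTROLS.items()
               if cfg[key] != wanted]
    moved = cfg["port"] != DEFAULTS["port"]
    return {"non_default_port": moved,
            "missing_controls": missing,
            "obscurity_only": moved and len(missing) == len(CONTROLS)}

# Constructed sample configurations.
OBSCURITY_ONLY = "Port 2222\n"
LAYERED = "Port 2222\nPasswordAuthentication no\nPermitRootLogin no\n"

if __name__ == "__main__":
    for name, sample in (("obscurity only", OBSCURITY_ONLY), ("layered", LAYERED)):
        print(name, audit(sample))
```

A configuration flagged as `obscurity_only` is the case the article warns about: once the port is discovered, nothing else stands between an attacker and a password prompt.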

Alternatives to Security Through Obscurity

Security through obscurity isn’t inherently bad, and can be beneficial when used alongside other security measures. Some of these measures include:

• Implementing various policies:
    • Acceptable Use Policy
    • Access Control Policy
    • Change Management Policy
    • Information Security Policy
    • Incident Response Policy
    • Remote Access Policy
    • Email/Communication Policy
    • Disaster Recovery Policy
• Implementing 2 Factor Authentication and educating staff on the use of strong passwords, as well as insisting on regular password changes
• Installing and maintaining suitable anti-virus and malware protection
• Implement processes that restrict and monitor access to sensitive information
• Strengthen WiFi encryption
• Install and monitor firewall performance
• Encrypt files
• Secure personal devices
• Ask for help from a trusted service such as 777 Networks

IT Security Services at 777 Networks

777 Networks provide managed IT security services, ensuring that your company stays safe in an ever-changing online environment. Our team uses the latest tools, technologies, and procedures to help provide you with an effective security strategy.

Learn more about our IT security services online today, or get in touch with your specific requirements to see how we can help.
