Cyberattacks and data breaches are constantly in the news, and hackers’ methods grow more sophisticated daily. So, it’s no surprise that many organizations are looking for outside-the-box ideas for network security. This search leads some to the “security through obscurity” methodology. In this blog post, we’ll explain this phrase, discuss security through obscurity's pros and cons, and then explain why this approach is nowhere near enough.
Security through obscurity is a controversial principle that equates “secrecy” with “security.” Organizations relying on security through obscurity believe that hiding information and resources will prevent malicious actors from attacking. Although their applications and systems may have security vulnerabilities, they believe they can prevent cybercriminals from finding out about them and thus avert an attack.
For example, many people store their spare house key under the doormat or inside a container camouflaged as a rock. This is a huge security vulnerability – anyone could use that spare key to break into the house – but these homeowners believe that the key is well-hidden enough that burglars won’t be able to find it. They rely on security through obscurity to prevent a break-in because it’s easier and less expensive than calling a locksmith each time they lock themselves out.
Organizations that use security through obscurity take the same gamble in exchange for cost savings and convenience. Rather than implementing firewalls, access controls, and other robust security measures, they simply obscure information about their systems and hope malicious actors never find their vulnerabilities.
There aren’t many advantages to using security through obscurity because it’s essentially the absence of a security strategy. Let’s discuss security through obscurity's pros and cons to illustrate why that is.
Obscurity itself is not a bad idea. For example, if you have an internal resource that’s only accessed by on-site employees, it’s best practice to create a non-obvious URL and only share it with authorized users. This reduces the likelihood of hackers finding and breaching that resource. However, obscurity isn’t enough; it should be layered with other defenses.
Many advocates for security through obscurity argue that it’s better than no security. That is technically true, but those shouldn’t be your only two options. Security is mandatory if your organization uses any data systems, applications, or web services to conduct business. And, as mentioned above, security through obscurity isn’t really security.
In the security through obscurity methodology, you hide details about the design of your system or application. The idea is that hackers won’t be able to find vulnerabilities if they don’t know what OS you are using, the model of the hardware it’s running on, what language your application was programmed in, etc. However, this logic is flawed for a few reasons, including:
It’s impossible to keep every detail about your network, systems, and applications secret forever. If you rely on security through obscurity, you’re essentially risking your entire business in hopes that nobody will find and exploit your vulnerabilities. This goes against current best practices like Zero Trust, in which you assume a breach has already occurred and take continuous action to mitigate it. That’s why obscurity can never be a replacement for an actual security strategy.
Obscurity alone is not enough to protect your organization, but it can be layered with security policies and controls to create a more robust security strategy. The practice of applying a multi-layered approach to security is known as Defense in Depth.
Imagine a medieval castle. To breach the castle, attackers first need to get through an external wall with archers firing arrows from the parapets. Once inside that wall, they need to cross a deep moat filled with ice-cold water. If they make it that far, they still need to get through the castle's iron doors and stone walls. Even if the invaders can get through one or two of those security features, the next layer of defense may turn them back.
Defense in Depth works the same way. You layer unique and redundant security measures, including firewalls, multi-factor authentication, user and entity behavior analytics (UEBA), and frequent OS patches. If one of these measures fails, there’s another one standing directly behind it to continue pushing the attackers back. For example, even if a hacker finds a “hidden” resource, they won’t be able to access it because they can’t confirm their identity with MFA. And even if they do bypass MFA, their unusual activity will trigger UEBA to lock the account before they can jump to other systems.
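The layered scenario above, modelled as an added example (not code from the original post): a request gate that evaluates obscurity, MFA, and a simple UEBA-style rule in order, so knowing a hidden path alone never grants access. The resource paths, the on-site network, and the "more than two hidden resources from an unfamiliar network" rule are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample values: non-obvious paths only shared with on-site staff.
HIDDEN_RESOURCES = {
    "/internal/9f3c7e2a-reports",
    "/internal/5b1d44e0-hr-exports",
    "/internal/c0de11aa-admin",
}
# Constructed: the network range the organization recognizes as on-site.
KNOWN_NETS = {"10.20.0.0/16"}


@dataclass
class Session:
    user: str
    mfa_verified: bool
    source_net: str
    touched: set = field(default_factory=set)
    locked: bool = False


def gate(session: Session, path: str, max_distinct: int = 2) -> str:
    """Evaluate the layers in order; return the first failing layer's verdict or 'allowed'."""
    # Layer 1: obscurity. A guessed path gets the same answer as any missing page.
    if path not in HIDDEN_RESOURCES:
        return "not_found"
    # Layer 2: MFA. Learning the hidden path does not replace the second factor.
    if not session.mfa_verified:
        return "mfa_required"
    # Layer 3: behavior analytics. A locked session stays locked.
    if session.locked:
        return "locked"
    session.touched.add(path)
    # A session from an unrecognized network that fans out across more hidden
    # resources than a normal user touches is locked before it can pivot.
    if session.source_net not in KNOWN_NETS and len(session.touched) > max_distinct:
        session.locked = True
        return "locked"
    return "allowed"


def run_requests(session: Session, paths) -> list:
    """Apply the gate to a sequence of requests and collect each verdict."""
    return [gate(session, p) for p in paths]
```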
Defense in Depth is the only scenario where obscurity can be used for effective security. Simply obfuscating your systems and applications isn’t enough to keep bad actors at bay. Protecting your hidden resources with several layers of security policies and mechanisms can create a comprehensive security strategy to defend your business from cyber threats.