What Is Security Through Obscurity?
In the world of software, security through obscurity (also called security by obscurity) is often derided as bad design. This is not without reason either; hiding security flaws does not mean they cease to exist.
That said, there is at least an argument that obscurity has a place in security engineering. Today we want to discuss security through obscurity in detail, what it is and what it isn't, in the hope of helping readers understand this particular software topic.
The Basics of Security Through Obscurity
We begin by discussing the core concept upon which security through obscurity is based: an attacker cannot exploit a vulnerability they know nothing about. Hence the term "security through obscurity."
This may be a simple idea, but it is also true. If an attacker, and the designer of their tools, is unaware of a vulnerability, it does not factor into their attack, no matter how glaring the flaw may seem to those who know about it.
There are significant problems with this line of thinking, which we will discuss later, but the principle is not totally without merit. We can (and will) argue that it is over-relied upon, but it can play a small role in a broader security strategy.
The Benefits of Obscurity
A few benefits of obscurity when it comes to security include:
Hackers Begin With What They Know
Almost any attempt to hack a system, whether it is malicious or a white hat test, begins with the hacker using known exploits and familiar tools to test the boundaries of a system.
In a way, these early steps answer a simple but critical question: "Can I get in with what I presently have?"
If the answer is no, then a hacker may dig further. First, a hacker might research known exploits and relevant tools that can better infiltrate the system. In essence, they now ask: "Does the internet have what I need?"
Only if that also fails would most hackers begin to seek out unique, undiscovered exploits. Even then, most malicious hackers do not dedicate that level of time and effort to a given hacking attempt.
Script Kiddies and Novices Make For Bad Pioneers
Another element in favor of obscurity is the fact that most hackers lack the technical know-how to investigate your code, even if they wanted to.
The bulk of malicious hack attempts come from two groups: script kiddies and hacking novices.
A "script kiddie" is a hacker who barely qualifies as such. This is an individual who downloads or buys pre-made software and tools created by experts. Then, with only a basic understanding of how these things work, they begin to try to identify easy targets, usually for either fun or profit.
A novice hacker is slightly more advanced, representing an individual who has a deeper understanding of how hacking works. However, newcomers like this usually lack the talent to discover new exploits unless they are very dedicated or the exploit is very easy to discover.
Generally, neither of these groups has the necessary skillset and tools to discover new exploits. This is good news because entry-level players like this make up the majority of most fields, hacking included.
Where Obscurity Fails
Despite the above, it must be emphasized that obscurity alone is not a valid form of defense. It can only be used to supplement a broader, deeper security strategy. The ways obscurity fails in defense include:
You Cannot Predict Expert Hackers
The realm of expert hackers is one of the more varied of modern subcultures. Expert hackers come in many forms and with a vast array of potential motivations.
Putting aside white hat hackers, who do not mean your system harm, hackers may attack your system for profit, political activism, malicious fun, curiosity, or to challenge themselves.
The more active your company is in politics and the more money you make, the bigger a target any software you use will be for hackers. However, even small companies cannot expect to avoid expert hacking attempts.
A small, obscure network is what many of these hackers seek. They may find it an interesting challenge to test your system and see where they can break it. Many will then post the exploit to forums or share it with friends.
One critical mistake some companies make is challenging hackers to crack a system or piece of software. Almost without fail, such challenges end in a matter of months, if not weeks, with a victory for one hacker group or another.
Obscurity Is Temporary
The single biggest problem with relying on obscurity for security is its temporary nature. What happens when a known but hidden exploit is revealed?
You can almost never cover that information up again if it reaches the public. Even if you could convince all major social media sites to erase related posts (which is itself almost impossible), not all hacker communities exist in spaces you can know about, let alone influence.
Additionally, consider the National Institute of Standards and Technology (NIST) Vulnerability Database, which collects a vast number of known vulnerabilities in the hopes of improving code and protecting users.
This is an official list of vulnerabilities on a government site. Not all secrets can be put back into the metaphorical box.
At best, obscurity should be thought of as a temporary veil over a problem that you work to correct in the meantime. The more serious the vulnerability, the more resources should be dedicated to the problem.
If you cannot afford the resources to fix a serious exploit, the software likely shouldn't be in use. You may even be legally liable if you know of a serious exploit, ignore it, and then customer or employee data is leaked or destroyed.
The Landscape Is Changing
There is a strange and startling trend in the world of programming these past few years. Instances of serious software vulnerabilities have been on the rise.
Worse, the majority of these vulnerabilities can be exploited without any action from the intended user. Further, these vulnerabilities usually rate as easy to exploit under the CVSS (Common Vulnerability Scoring System), the standard system for rating the severity of a vulnerability, including how easy it is to exploit.
Companies keep making the same mistakes, meaning hackers often can find exploits by trying a relatively small number of things when a new piece of software comes out.
Furthermore, "new" software does not mean the exploit you're trying to hide is itself new. If hackers see an old pattern they know they can exploit, they will. This is even more true if your chosen software uses something older or otherwise pre-established as a base (as most software does).
Complacency Is a Deadly Enemy
Few things can be as destructive to security as complacency. A false sense of security leads companies to ignore problems and is a known issue in the tech world.
Your company cannot escape the gaze of hackers. No security vulnerability is so hidden that a dedicated hacker cannot find it. People seek out vulnerabilities for fun and profit. Right or wrong, a company cannot afford to ignore it.
Any moderately large piece of software likely has exploits you don't know about. Ignoring those you have discovered is a bad practice. Security is a game of vigilance and, when necessary, evolution.
Fix issues as you learn about them and assume there is more you must aim to find. When a fix will take time, obscurity may let you keep using the software, and let users keep trusting it, in the meantime. It depends on the vulnerability and what is at stake.
How Obscure Is Your Vulnerability?
The more difficult a vulnerability is to discover and exploit, the more protection keeping it obscured can provide, even after you have detected it. The reason for this is somewhat self-explanatory: well-hidden exploits tend to be discovered much later than more obvious ones.
Many people find it difficult to know how obscure a given exploit may be. Once your team detects it, it can be difficult to "forget" it for the purposes of testing.
A programming team is also not the entirety of the hacker or security community. Even if members of the team can capably hack or secure networks, they have inside knowledge of your security that other hackers do not begin with.
Meanwhile, the hacker community at large is much larger than your team but also less focused on your network and software specifically. This is why it can be a good idea to hire a penetration tester to see how difficult your system is to exploit.
One of the more common roles of penetration testers is to act as white hat hackers, using common hacker techniques to exploit vulnerabilities in software to do things unintended by the programmers.
They then tell the team that hired them what they found and managed to do, so that team can correct the problem. Our team's testing can discover a wide array of problems, which you can read more about here.
These kinds of tests can help see what an outside group of experts might be able to do when encountering your software. You can see both how obscure a particular exploit is and if you missed anything more obvious.
Locking the Doors
It is a good idea to think of obscurity as locking the windows of one's home. Yes, it helps prevent intrusion. That does not mean you should leave your doors unlocked.
Security technology is generally only as useful as its weakest elements. What this means for a given network or individual piece of software is going to vary.
Obscurity temporarily shields a vulnerability, insofar as it cannot yet be exploited, but the clock is running. Eventually, someone will find the weakness.
Even as you work to fix those weaknesses, you need to implement security measures elsewhere too. If software is going to do something important, it needs to be reliable.
Notably, this goes beyond protecting against data leaks and ransomware. For instance, medical technology is notorious for having vulnerabilities that could, in theory, be used to harm or even kill patients.
Enlist the Help of Security Experts
While "security through obscurity" is something of a popular buzzphrase, we believe it is overhyped. Hoping an attacker fails to find a vulnerability, even if it is well-hidden, is not a meaningful security strategy.
As we freely admit, obscurity can benefit security. The issue is that it isn't a security system; it's a tertiary element of a much bigger picture.
When building software and protecting networks, hire security experts with the relevant experience to help your company and any other users remain safe. These experts can help you judge when you've achieved real security.
In addition to penetration testing, our team also offers a host of products and services to help you stay protected if you're looking for a place to start. We can help protect you and your network against spam, viruses, and more.
Safety Can't Be Secondary
In short, security through obscurity can be a useful first line of defense. However, it should always be assumed someone may discover what is hidden and try to exploit it. Your company needs to prepare for that eventuality.
We won't focus too much more on our offerings here beyond noting your network needs modern security measures of some kind. If you'd like to learn more about how we might help, contact us today.