background image

Blog

The Security Through Obscurity Debate

certification

The security through obscurity debate: where do you land on it?

IT security is theoretical and practical, also described as high-level concepts (theoretical) and low-level details (practical). Theoretical concepts in cybersecurity are the fundamental principles that underpin strategic security planning and are used for designing security controls to protect an IT environment or whole organization. On the other hand, practical details are granular and include tasks like configuring firewalls, setting up intrusion detection systems (IDS), deploying antivirus software, implementing an application’s multi-factor authentication, conducting vulnerability assessments, and active penetration testing.

In this article, our ethical hackers review the theoretical concept of “security through obscurity”, weigh both sides of the argument for and against it to understand why it is often criticized, and review examples of where it fails and when it may be a practical approach. 

Firstly, What

Security through obscurity is a concept in IT security that refers to protecting a system or data by keeping its inner workings, design, or implementation details hidden or secret. In other words, it relies on the assumption that if potential attackers don't know how a system is designed or implemented, they will have a more challenging time finding and exploiting vulnerabilities.

Although it is essential to acknowledge that obscurity is a fundamental and critical component of IT security, the term “security through obscurity” is often used to describe the practice of relying solely on secrecy to protect a system and is criticized for being an ineffective or weak approach to cybersecurity. 

Common Arguments Against Security Through Obscurity

The expression "loose lips sink ships" is a wartime slogan that originated during World War II to encourage military personnel and civilians to avoid discussing sensitive or classified information that could potentially aid the enemy. If a defender’s strategy relies solely on secrecy, once the “cat is out of the bag” so to speak, security can be severely crippled. This is the primary argument against building security, which is dependent on information remaining confidential, and it is a powerful argument.

  • False Sense of Security: Relying solely on obscurity can lead to a false sense of security. Attackers can often reverse-engineer or discover hidden information through various means, such as analyzing system behavior, using debugging tools, or employing social engineering techniques

  • There is No Perfect Obscurity: Without additional layers of security, if the obscured details become known or leaked, the security of a system would be easily compromised. Unlike well-designed security measures that remain effective even if some details are known, obscurity tends to collapse completely once the secret is revealed. This fact has led to the creation of layered security controls such as multi-factor authentication to protect accounts even after passwords are stolen

  • Increased burden on IT security teams: Overzealous attempts to conceal all system details, as in security through obscurity, can overwhelm IT security teams, contributing to burnout and reduced effectiveness.

  • Stifles Collaboration and Improvement: By keeping system details secret, organizations might hinder collaboration, peer review, and improvement. In cybersecurity, transparency and open evaluation are crucial for identifying vulnerabilities and enhancing security.

An Example of a Well-Known Security Through Obscurity Failure

“Closed source” software’s source code is not publicly available. Some reasons for making software closed source are to prevent others from using the software without paying for a license and to protect the software’s potential vulnerabilities from being discovered and exploited. However, this approach to security through obscurity has been defeated time and time again.  The fact is that attackers can always inspect the software’s underlying code and look for weaknesses.

Here's how attackers discover vulnerabilities in closed-source software:

  1. Disassembly: Reverse engineers use tools to disassemble the compiled software into its lower-level instructions or machine code.

  2. Analysis: They study the disassembled code to understand how the program works, how data is processed, and how security mechanisms are implemented.

  3. Decompilation: Decompilation tools attempt to convert machine code back into a higher-level programming language, which might resemble the original source code.

  4. Vulnerability Discovery: Through analysis, reverse engineers may discover vulnerabilities, design flaws, or weaknesses in the software that were previously unknown.

  5. Exploit Development: If vulnerabilities are found, attackers can create exploits to take advantage of them, potentially compromising the security of the software and the systems it runs on.

The fact that all software code can be exposed by reverse engineering also means that (pirated or “cracked”) versions of the software. To the dedicated attacker, compiled software (closed source) is not a formidable barrier to analysis and modification. However, the legal restrictions against unauthorized reverse engineering can potentially discourage security researchers from vetting it.

Although not perfect, open-source software is considered to have security advantages since it invites security researchers to review the code without the burden of having to reverse engineer it or potential legal ramifications.

Arguments For Security Through Obscurity

Of course, there wouldn’t be a debate if there wasn’t a case for security through obscurity. Some arguments distinguish between good and bad obscurity, while, in some cases the only viable security measure is obscurity. For example, as information travels over insecure networks, obscuring it with encryption is the only available solution. By the same token, this significantly increases the importance of robust encryption algorithms, and the strongest encryption schemes are widely considered to be those that are publicly released and peer-reviewed.

  • Hiding can be an effective short-term strategy: In the case of Log4J or another zero-day vulnerability, obscurity may keep an exposed service off an attacker’s radar. Unpatched vulnerabilities that are simple to exploit, and have published proof-of-concept (POC) exploits are sure to incite attackers to scan the Internet for potential targets vigorously. In this case, hiding the version of your web server means that attackers cannot quickly identify your service as a worthwhile target

  • Increased Attack Complexity: Attackers come with various degrees of sophistication and technical capabilities. While security through obscurity may not stop the most dedicated advanced persistent threat (APT) attackers, there is nothing wrong with increasing the burden of delivering a successful attack 

  • Some systems are so critical they deserve every security trick in the book: Employing security through obscurity for the most critical assets can enhance protection by concealing critical components (such as with port knocking) to minimize the attack surface exposed to potential threats

Conclusion

Security through obscurity has long been a hotly debated topic in IT security. Exploring the theoretical cybersecurity concept of “security through obscurity”, it becomes clear that the debate is a worthwhile one and that taking a hardline position to one side or the other does not serve to increase security ultimately. Reality dictates that security depends heavily on obscurity, yet solely relying on obscurity has obvious weaknesses due to the nature of secrets and the increased burden of keeping them.

True security is achieved through the implementation of robust layered and proactive security measures that follow proven best practices, such as solid encryption and access controls, regular patching, vulnerability management, penetration testing, monitoring, and internal auditing efforts.

Ready to elevate your organization's security posture? Contact us today for your free, zero-obligation quote, or download our Buyer's Guide below.

Download our Free Buyer's Guide

Whether you are looking to complete Penetration Testing to manage risk, protect your data, comply with regulatory compliance standards or as a requirement for cyber insurance, selecting the right company is crucial.

Download our buyer’s guide to learn everything you need to know to successfully plan, scope and execute your penetration testing projects.