How to Properly Implement Security by Obscurity
This is a writing sample from Scripted writer Betsy Stanton
*In the physical world, secrecy is an asset to security. In the never-sleeping online universe these same methods won't carry over too perfectly. * Despite the term security by obscurity's pejorative origin, it has a place in computer security. For the uninitiated, the term is a security strategy that emphasizes secrecy over protections. It was put to test in the real world in 2008, when the American Numismatic Society transported a collection of rare coins worth hundreds of millions of dollars by using ordinary moving trucks and movers unaware of the precious cargo. This particular transaction was successful because it didn't raise the suspicion of thieves. Some computer security experts say this concept can be applied to protecting vital data, but, due to fundamental vulnerability, it should never be the sole Publish approach for computer security.
Not Reliable
What can work well in a brief window of the physical world, however, is less safe in the never-sleeping online universe. If the safety of an application relies on its source code remaining unknown, that provides little protection.TechNet Magazine gives an example in which a vulnerable web server that could be attacked through Port 80 simply switches to Port 81. While this would stop some attacks, a knowledgeable intruder would simply run a port scanner until he or she finds a server using a non-standard port and would then have access to the server.
IT Security Should Follows this Historic Principle
Interestingly enough, the principles of 21st century computer security are based on a nineteenth century axiom created by cryptographer Auguste Kerckhoff. He stated that a system's security should lie wholly in its key, and that as long as the key remains unknown the system should remain secure. This principle centers on the expectation that enemies will acquire access to the full architecture of a system, and so safety lies in an explicit cryptographic key rather than in the hope of keeping the system's structure secret. Kerckhoff's principle, which directly contradicts "security through obscurity," still remains a best practice in today's information age. The Open Web Application Security Project gives a good example of Kerckhoff's principle at work: Linux source code is available through countless open doors, and yet when secured with proper keys it makes a robustly impenetrable operating system.
An Extra Layer of Protection
However, as TechNet Magazine points out, obscurity can be a useful tool when added to existing layers of high-quality encryption. For example, many security professionals advocate hiding the administrator account. This simple measure will slow down any hacker trying to log in as an administrator. While further digging can locate the administrator's numerical security identifier, at the very least the intruder has been slowed down. Perhaps the best conclusion is that, as one user commented on Information Security Stack Exchange, "Security ONLY through obscurity is terrible." Referring to the previous example, changing to a non-standard port in addition to using strong SSH password and key protection is probably an excellent idea. Photo Credit: Mr. Cacahuate via Flickr.
Written by:
