Why Security Through Obscurity Is No Match for a Hacker
Originally published by New Context.
The first thing any organization needs to know about security through obscurity is that it's not a technique. With it, companies make a mistake that puts them at a disadvantage when faced with an attack on their network. It may make theoretical sense to some, but in practice, this policy of obfuscating system information does more to help hackers than hinder them.
System transparency is far more beneficial to organizations that want to protect their network and respond to threats proactively. It helps both developers and their customers understand the various components in their system and locate issues that could lead to vulnerabilities.
What is Security Through Obscurity?
Security through obscurity is the practice of “hiding” information, presumably to keep it out of the hands of bad actors. A straightforward explanation is when a company requires a person to have a specific URL—which isn’t published or linked from the site’s navigation—to get onto a site or portion of a webpage. The theory in this is that no one will accidentally guess a link, so as long as it's hidden and only given to certain people, it's safe.
That's exactly how the practice of "Zoom bombing" was born. At the pandemic's start, many schools had to move classes online and took advantage of meeting-specific links. They'd share those with students, under the belief that only they would be able to access the meeting. However, it wasn't long before bad actors took advantage of it. There was a rash of incidents where uninvited guests showed up to meetings, said inappropriate things, or shared objectionable content. Of course, this issue stemmed from the pandemic's rapid digital transformation, where individuals weren't entirely aware of the necessary precautions for the technology they used. At the same time, reliance on security through obscurity could be to blame. In the Zoom bombing cases, it created a false sense of security that led teachers and students to assume they were secure just because the link was private.
At an organizational level, security through obscurity is even riskier. Junior members of the IT department may hide the components that make up their system. They'll create paths that are difficult to follow and understand to keep bad actors from mapping their softwares and locating the vulnerabilities within. However, hackers are experts at breaking down the various software components of a system. Hiding information will do very little to dissuade them. What it will do is enable an undocumented vulnerability. People responding to threats won't know where to look to locate issues and resolve them. They'll have to waste valuable time mapping the system first.
Using Transparency to Drive Security
There are some situations where security through obscurity will work, but they are small, isolated segments that act as additional layers and not as the primary system protection strategy. Camouflaging user passwords within binary code or hiding the versions of a software used (but not the software itself) are two common examples of security through obscurity tricks. These only work in conjunction with other strategies; they're not the primary method of system protection, but instead avoid granting an attacker easy answers or insights. A determined actor could still gain that information, but they’ll have to work for it. There’s no reason to make their job easy!
Transparency is a far better method of managing security. It's so effective that the federal government recently issued an order requiring it. Under the Executive Order on Improving the Nation’s Cybersecurity, all government software vendors must create a machine and human-readable Software Bill of Materials (SBOM) to go with products. Organizations will have to publish all the smaller software packages that make up their overall system so users know what is in them. The idea is that with the SBOM, organizations can quickly respond to threats and share intelligence. When vulnerabilities arise, they stem from a specific component of software. With the SBOM, the organization may note that they have this piece of software and can take steps to mitigate issues.
Even organizations not impacted by the executive order mandating SBOMs should consider adopting their own. A detailed map of their system will put them ahead of threats by showing where vulnerabilities lie. This process can be automated by security teams who will use the SBOM to cross-check with other cyber threat intelligence tools and enhance safety.
Security through obscurity should never be a primary means of defense. It's entirely dependent on secrets—and once that secret is out, the entire plan falls apart. Transparency is the vital component that will help organizations proactively address issues and minimize their vulnerabilities.