4/17/2014
07:30 AM

How A Little Obscurity Can Bolster Security

Most security professionals deride the idea of "security by obscurity." Is it time to re-evaluate the conventional wisdom?

One of the first maxims I remember learning when I began my formal information security (InfoSec) training was, "Security by obscurity is no security at all." If you haven’t heard this saying before, security by obscurity refers to relying on an aspect of secrecy to protect your systems, rather than on truly secure design. Most security professionals utter the phrase with derision.

A good example of a system that relies on security by obscurity? Those fake rocks that hide house keys. It’s doubtful the average burglar will realize you’ve hidden your key in plain sight. If one does stumble (perhaps literally) upon the imitation rock, your entire security system falls apart, and the robber has the key to your kingdom.

In the security world, our distaste for security by obscurity originates from an old cryptographer’s axiom called Kerckhoffs's principle, which proposes that a cryptosystem should remain secure even if the attacker knows exactly how the system works. (We're assuming the attacker doesn’t have the “key” to the system.) There’s no doubt this axiom holds true. The best security systems are ones that attackers fully understand, but still can’t break without the proper keys or credentials. For instance, bank robbers may totally understand how a vault door works, but they can’t open one without a disproportionate amount of time, tools, and effort -- or the actual combination to the vault. That’s why most of your defenses should rely on securely engineered systems, and not on obscurity.

However, that doesn’t mean obscurity doesn’t hold some value. In fact, I believe that, as an industry, we’ve given security by obscurity too bad a name. Combined with proven security controls, obscurity offers valuable additional protection, adds a worthy layer to a defense-in-depth strategy, and can pose significant speed bumps to an attack, causing hackers to move on to softer targets. It’s kind of like that popular joke about the bear chasing a group of people. You don’t have to run faster than the bear to survive, only faster than the slowest member. A little obscurity might just give you the boost you need to “outrun” your peers’ defenses.

So let’s talk concrete examples. Here are three practices that many consider security by obscurity, but that I think could actually supplement your defenses:

Changing a server’s default port
Internet and network services tend to run on common, default ports. For instance, SSH is port 22, Telnet is 23, RDP is 3389, and so on. However, there is nothing stopping you from changing these default ports. If you want your SSH server to listen on port 7624, it can. This simple change will make it harder to find by automated network scans. Sure… this is security by obscurity. Smart, persistent attackers targeting your network can still use full-range port scans and fingerprinting techniques to find your SSH server. However, a huge percentage of the malicious port scans on the Internet target common server ports. So this simple obfuscation can help.

Server header masquerading
Unfortunately, servers are a little too friendly, often totally identifying themselves in their reply headers. For instance, a Web server reply contains a Server: header, where it identifies what software and version it’s running. Here’s an example: 

Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g

That header is gold to an attacker, who now knows exactly what software your server runs, including any additional packages. If any of that software is unpatched, the attacker might have his way in. You can change this. Many servers have configuration options that allow you to share less information about the server version. There are also network security tools that totally masquerade these server headers. A security stickler will argue that if you keep your servers patched and hardened, it won’t matter if an attacker knows what software they run. I say, patch and harden your servers, but go ahead and masquerade their headers too, making them a bit harder to enumerate.
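To check how much a banner gives away before and after you trim it, the following added example (not part of the original article) parses a Server header into the versions, platform hints, and bare names it exposes. The function names and both sample responses are constructed for illustration; the first reuses the header quoted above, and the second is the bare product name Apache sends with `ServerTokens Prod`.

```python
"""Audit what an HTTP Server header discloses (added example, constructed inputs)."""
import re

_COMMENT = re.compile(r"\(([^()]*)\)")   # parenthesised comments, e.g. "(Ubuntu)"


def server_header(raw_response):
    """Pull the Server header value out of a raw HTTP response head, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def audit_server_header(value):
    """Classify a Server header value by how much it tells any client."""
    if not value:
        return {"verdict": "absent", "versions": [], "platform": [], "other": []}
    platform = [c.strip() for c in _COMMENT.findall(value)]
    versions, other = [], []
    for token in _COMMENT.sub(" ", value).split():
        name, sep, version = token.partition("/")
        if sep and version:
            versions.append((name, version))     # exact software version disclosed
        else:
            other.append(token)                  # bare product or module name
    verdict = "verbose" if versions or platform else "product-only"
    return {"verdict": verdict, "versions": versions,
            "platform": platform, "other": other}


# Constructed responses: the header quoted in the article, and a reduced one.
VERBOSE = ("HTTP/1.1 200 OK\r\n"
           "Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch "
           "mod_ssl/2.2.8 OpenSSL/0.9.8g\r\n"
           "Content-Type: text/html\r\n\r\n")
REDUCED = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE), ("reduced", REDUCED)):
        report = audit_server_header(server_header(raw))
        print(label, report["verdict"], report["versions"], report["platform"])
```

Run it against your own servers' responses after a configuration change; a "verbose" verdict means the banner still names exact versions or the host platform.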

Use non-standard naming conventions
Operating systems and servers often have default users and groups. Why not rename them? Rename the default “administrator” username to “neo,” or whatever else floats your boat. A smart attacker may still be able to discover how you renamed all the default users and groups, but any attack tools or scripts that rely on default installs will fail to operate.

I could go on with worthwhile obscurity examples, but you get the point.

(Image: Flickr)

By itself, security through obscurity is not good. However, obscurity can bolster your defenses when added as a complementary layer to a true security control. Remember that fake rock? It only offers the illusion of defense, since the burglar easily has access to your key if he finds your hidden rock. Now imagine that same fake rock, but with a combination lock. Though the lock is the only true security control, coupling the lock with the hidden rock presents a very strong security solution. While I may not want to live without my lock, I also don’t see why I should leave it in plain sight.

What do you think? Does obscurity have any place as a complementary layer of your security strategy, or is it a waste of time and effort? Let us know in the comments section. 

Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ...

Comments
xennemans,
User Rank: Apprentice
8/6/2014 | 11:58:58 AM
Agree completely
Access control security and capability-based security are orthogonal.

That means they are complementary, like the yin and the yang, the masculine and the feminine.

In the same way, you would protect your systems on your network each themselves, but you also make sure no one can reach them if you don't need them to be able to be reached. Those things are also orthogonal.

In IPv6, the idea seems to be that we don't need network encapsulation anymore (NAT) because some moron says "most attacks are coming from application vulnerabilities anyway". But protecting your systems (internally) is orthogonal to not letting outside attackers in without invitations (a firewall) - you can do both at the same time, independent of one another (that's what orthogonal means).

So these are two different directions or dimensions and you can travel both whenever you like, both at the same time, only one and not the other, etcetera.

You can bolster your credentials-that-are-bound-to-one-user based model and at the same time bolster your "you are in unknown territory friend, and I have the upper hand here" model.

It is utterly foolish to suggest that a system needs to be secure only by way of its essential technical design.

A thief that knows a map of your palace will be a much harder threat than someone accidentally stumbling in.

Any thief knows this, so why don't the guards??

Technical open source systems are by definition vulnerable to mass exploits.

Obfuscated systems are, by definition, not.

At the same time, obfuscated systems are vulnerable to single-point attacks. Open source systems are not more vulnerable to those kinds of attacks, than to mass attacks.

Therefore you use both kinds of defense at the same time, and you use both of them to your maximum extent or capability.

 
CoreyNach,
User Rank: Apprentice
5/27/2014 | 5:59:28 PM
Re: Good examples but do they work?
I've used different server ports and server header masking a lot throughout the years. For one, I work for a company whose product does header masking... (our HTTP, SMTP, FTP, etc. proxies all strip and replace server headers to make it harder to identify the software behind them)... And I've changed ports on some of the servers that I don't want public. That said, I don't rely on port changing... usually if I really don't want public access to servers, I also control access in other ways too (require VPN, restrict to certain IPs only, etc.).
anon9675841497,
User Rank: Apprentice
5/24/2014 | 1:56:06 PM
Ports
Changing the default ssh port on my servers reduced the attempted logins by 90%.
gnummy,
User Rank: Apprentice
4/28/2014 | 6:03:54 PM
Re: Security v. Obscurity
Great Post, well worded. Definitely a great idea to include this along with other measures. I have seen several examples of this working well, e.g. a huge zero day outbreak affects a large number of organisations except for the guy who simply changed the default service port, etc.
theb0x,
User Rank: Ninja
4/22/2014 | 12:30:54 PM
Re: How A Little Obscurity Can Bolster Security
I have always liked the old saying "A locked door keeps an honest man out."

 

 
CNACHREINER981,
User Rank: Author
4/18/2014 | 5:25:38 PM
Re: Great Article
Perfect analogy, and exactly my point summed up fantastically!
Robert McDougal,
User Rank: Ninja
4/18/2014 | 5:05:46 PM
Great Article
Great points Corey!

 

I don't see anything wrong with security by obscurity when used in conjunction with a secure system.  By making your systems appear to be smaller targets you are essentially eliminating any "cybercrime of opportunity". 

To make use of a simple analogy a secure system without obscurity is akin to a car with windows rolled up and system armed complete with your wallet on the front seat.  Any passing thief can see your wallet but they also have to deal with your car windows and alarm to get to their prize.  However, if they want the wallet they will try to break in.

Conversely, a secure system with obscurity is the exact same car armed and locked tight with the wallet hidden in the glove box.  The would be thief can see a car locked up tight that "may" contain a wallet but they don't know for sure.  Therefore most thieves will keep on walking looking for a better target to capitalize upon.

Lastly, a system which exclusively relies upon obscurity for security is a bad idea.  An analogy for this system is a car with the windows rolled down alarm off and wallet stored in the glove box.  If the opportunity to poke around is there someone will take advantage of it. 
przem,
User Rank: Apprentice
4/18/2014 | 12:29:38 PM
Re: We rely on Security through Obscurity
You are misunderstanding the phrase. 'obscurity' in this context refers to relying on secreting the details of the security mechanism. The big difference is that if you have a reason to suspect your security arrangements,  you can change the password, and restore full security. This is not the case for a 'security by obscurity' system: once broken it stays broken.
stephenq42,
User Rank: Apprentice
4/17/2014 | 9:51:42 PM
We rely on Security through Obscurity
Everyone who has a user account on any system relies on security through obscurity.

 

Consider the user ID/password combination.  One component (the ID) may or may not be obscure, but the second (the password) better be.  I  have always been amused that the very security professionals who state that we must not disclose our passwords (keep them obscure) are the ones who also say "Security by obscurity is no security."
samenk,
User Rank: Apprentice
4/17/2014 | 7:42:55 PM
Re: How A Little Obscurity Can Bolster Security
Great article here, Corey! Security by obscurity should only be used as a method to delay and/or discourage the attackers from compromising our security; nothing more. "Security by Obscurity is no security at all." I agree; however, I do think it offers some level of security and should be utilized, but should never be fully relied upon. In most cases, security engineers would utilize obscure measures as first layer(s) of security; if the attacker does uncover the inconspicuous security measure, he is sure to meet a tougher one, such as encryption, or authentication.

 