Official Photo Credit to The CW Television Network
According to various radio DJs, yesterday was National Face Your Fears Day. Given that it also happens to be National Cyber Security Awareness Month, I got to thinking: what about cyber security actually terrifies me to this day? The answer I arrived at is as shocking to me as it is interesting: the ambiguity between secrecy and security. Specifically, a slight shiver runs down my spine whenever I hear the phrase "security through obscurity."
Here is an interesting question: how do you hide in the digital world? Just as the fight-or-flight response is a natural, instinctual reaction to danger, the concept of hiding is nothing new to basic human nature. We hide ourselves for our own safety and security, we hide things that are valuable to us and to others, and the nefarious among us hide various things for still darker purposes.
The rise of the cyber age has changed all of that – tracking is available via Internet traffic monitoring, GPS, or even cameras and microphones, just to name a few of the more popular avenues. It is unnerving to think that even if we want to protect what needs protecting – it’s seemingly impossible to do. That’s what got me thinking – maybe the old ways could be the best ways. There may be some value in the idea of security through obscurity – just not in the way that you might think.
Alfred Charles Hobbs – Security Through Obscurity
I love the idea of lock picking. I find the process, and even the concept itself, entirely intriguing. I've written articles referencing the relationship between lock picking and perfect security before, but never in this particular light. You see, Alfred Charles Hobbs, one of the most influential locksmiths in history, made a keen observation regarding the criminal intellect: "Rogues are very keen in their profession, and know already much more than we can teach them."
He was reacting to the idea that making vulnerabilities known will make security (in his case, locks) more vulnerable in the long run. He had a point. Although the concept of security through obscurity has a certain charm, it relies on the assumption that the unknown will remain as it is: unknown. The problem with modern security is that this is seldom the case.
Between the rising trend of hackers going after increasingly large databases and companies like Google (or Alphabet, as we must now refer to them) rewarding individuals for finding and reporting bugs in software or websites, more and more vulnerabilities that were once ignored under the guise of security through obscurity are seeing the light of day. There is a reason that corporations such as Microsoft and Apple are constantly publishing software patches, hotfixes, and updates: vulnerabilities need to be addressed as they are observed. Leaving a vulnerability to sit untouched in the hope that it will remain unknown is a disservice to the digital community as a whole. Hackers are much like the rogues of old: well equipped and well versed in finding and exploiting any vulnerability that is left unchecked.
Don't believe me? Go ahead and Google the phrase "zero-day vulnerabilities" (pay special attention to FireEye's report).
Don't worry, I'll wait.
Nothing Stays Hidden For Long – We Are Not Good at Covering Our Tracks
Instead of hoping to increase security by hiding the weaknesses and hoping for the best, why not simply increase your own security to keep away the prying eyes of those who would attack you or your private information? So much emphasis is placed on the actual security around a database, or the strength of a password – much less is said about the activities and security of the individual.
For example, websites like Facebook and Google will often work in tandem with others to allow for a streamlined way to log in and share with friends and other individuals. What often falls by the wayside is the ease with which potential attackers can use this information as well! This introduces a severe vulnerability into any security system, and security through obscurity goes out the window regardless.
Some naysayers use a similar example to downplay the security and effectiveness of solutions such as single sign-on; they point out the weakness of having a single point of access. The difference between setups like using Facebook to log in to several sites and true single sign-on is the added security behind the scenes. There is no need for security through obscurity with true single sign-on, because the process itself allows stronger layers of authentication to be added, all without impeding usability and access.
This brings me to the point I'm hoping to make: playing hide and seek with an attacker is never a winning situation, and a typical user is not very good at covering his or her tracks. Instead, build your security on a foundation of stronger practices: unique, complex passwords at the front door, two-factor or contextual authentication to verify the authenticity of that information, and more secure browsing habits. Instituting these behaviors will drastically improve security, all without the inevitable fire sale that results from hoping that the type of person who makes a living by finding weaknesses won't find yours.
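To make the "stronger layers of authentication" from the single sign-on discussion and the "two-factor or contextual authentication" above concrete, here is an added example (my own illustration, not code from the original post or from any product it mentions). It shows a hypothetical login flow that never relies on secrets staying hidden: a published, standard TOTP algorithm (RFC 4226/6238, HMAC-SHA1) provides the second factor, and a small contextual policy decides when a correct password alone is not enough. The `LoginContext`, `UserProfile`, risk signals, and thresholds are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass

# Hypothetical request context and stored user profile (illustrative fields).
@dataclass
class LoginContext:
    user: str
    password_ok: bool      # result of the first factor, checked elsewhere
    device_id: str         # identifier of the browser/device making the request
    country: str           # coarse geolocation of the request
    recent_failures: int   # failed attempts for this account in the last hour

@dataclass
class UserProfile:
    known_devices: set
    usual_countries: set
    totp_secret: bytes     # shared secret enrolled in the user's authenticator app

def risk_decision(ctx: LoginContext, profile: UserProfile) -> str:
    """Contextual policy: 'allow', 'require_2fa', or 'deny'.

    The password is necessary but not sufficient; anything unusual about the
    context steps the login up to a second factor instead of hoping the
    attacker did not notice the front door. Thresholds are assumptions.
    """
    if not ctx.password_ok or ctx.recent_failures >= 5:
        return "deny"
    signals = []
    if ctx.device_id not in profile.known_devices:
        signals.append("new_device")
    if ctx.country not in profile.usual_countries:
        signals.append("new_country")
    if ctx.recent_failures > 0:
        signals.append("recent_failures")
    return "allow" if not signals else "require_2fa"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

def totp(secret: bytes, at_time: float = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    at_time = time.time() if at_time is None else at_time
    return hotp(secret, int(at_time // step))

def verify_totp(secret: bytes, code: str, at_time: float = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step plus/minus `window` steps of clock drift.
    Comparison is constant-time so the check leaks nothing about partial matches."""
    at_time = time.time() if at_time is None else at_time
    counter = int(at_time // step)
    return any(hmac.compare_digest(hotp(secret, counter + d, len(code)), code)
               for d in range(-window, window + 1))

def authenticate(ctx: LoginContext, profile: UserProfile,
                 totp_code: str = None, at_time: float = None) -> str:
    """Combine the contextual decision with the second factor when required."""
    decision = risk_decision(ctx, profile)
    if decision != "require_2fa":
        return decision
    if totp_code and verify_totp(profile.totp_secret, totp_code, at_time):
        return "allow"
    return "challenge"   # caller should prompt for (or reject) the second factor

if __name__ == "__main__":
    # Constructed sample data: the RFC 4226 test secret and a made-up profile.
    secret = b"12345678901234567890"
    profile = UserProfile({"laptop-1"}, {"US"}, secret)
    usual = LoginContext("alice", True, "laptop-1", "US", 0)
    unusual = LoginContext("alice", True, "phone-9", "FR", 1)
    print(authenticate(usual, profile))                       # allow
    print(authenticate(unusual, profile))                     # challenge
    code = totp(secret, at_time=59)                           # what the app shows
    print(authenticate(unusual, profile, code, at_time=59))   # allow
```

The point of the design is that everything in it could be published (the algorithm, the policy, even the thresholds) without weakening it; only the per-user secret and the password must stay private, and a wrong or missing second factor is handled explicitly rather than silently ignored.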
The modern cyber era does not play well with security through obscurity, or any other version of cat and mouse. You're better off adding more traps to your mousetrap than hoping the mouse won't see the threat and will avoid it completely.
One of the fears I had to face during National Face Your Fears Day was the idea that I would meet an attacker who could outsmart me. By realizing that I wasn't the smartest person alive, and that I didn't have to build a better mousetrap in order to remain secure online, I was able to conquer that fear and improve my online behavior. Security through obscurity seems like a fantastic idea on the surface, but there will always be somebody who can turn your digital life into a very easy game of "I spy," and you should have a plan for if and when that happens. Don't rely on the outdated concept of security through obscurity; shine a light into the darkness, and bring your security into the new cyber age.
Have your own thoughts on security through obscurity? Let me know in the comments below!