Security through Obscurity Is Old School

the username and password in the logs as an easy-to-identify log entry. Hundreds of entries a day. So how did they fix it?

They changed the password to ********. When the auditors reviewed it, they just assumed it was fixed because it looked masked now.

A pretty ingenious way to fix a problem, if the auditor was defined as your problem. From a security perspective, the vulnerability still exists.

I get it: When there are so many things to balance, it’s tempting to go down the path of least resistance—to implement a quick fix to get the monkey off your back and allow you to move on with real work.

A little white lie, or a bit of auditor deception, may work and is indeed needed occasionally, but the problem really begins once it becomes the norm. What started off as a casual comment can well escalate into a “Comical Ali”-style denial that breaches haven’t occurred, and any fraudulent activity is the fault of the customer.

A Brave New Transparent World

I was speaking to a CISO recently and asked their view about delivering bad news to their superiors. They responded by saying, “The board doesn’t mind bad news; they dislike surprises.”

And that is a sentiment that rings true for most.

So, what am I proposing here? Most of us can probably agree that security through obscurity never did provide the security it promised to begin with.

Does that mean you publish every detail about your systems for everyone to scrutinize? Of course not; that would be impractical.

What I suggest, in this brave new transparent world, is that companies take a risk-based decision on what their security is and own it. Be bold, be confident. No security setup will ever be foolproof, and, therefore, nothing will ever be good enough to pacify the naysayers. However, with the right level of transparency, trust can be gained.

One of the ways this manifests itself is to face any shame one may believe exists. If a criminal threatens to leak the customer list of a company, one should resist the urge to negotiate. Rather, you can take control of the situation by going public with the information, with clear steps as to what the company is planning to do next. This takes away power and control from the criminals.

Several years ago, many celebrity iCloud accounts were compromised, and personal photos were distributed. Actress Jennifer Lawrence gave the perfect example of taking control of the narrative by stating that the only people who should feel ashamed were the criminals and those sharing her photos.

When Timehop suffered its security breach, it did the opposite of what most companies did. It didn’t send a generic email saying it took security seriously. It published a full and transparent timeline of the incident–what was happening, how many records were breached, the whole nine yards. It serves as one of the prime examples of how companies should look to adopt disclosure practices in the future.

Because, the days of burying secrets are long gone.

In today’s day and age, being transparent is what will gain the trust of users, regardless of the severity of the incident. And trust will be the dominant currency that will keep companies afloat.

Javvad Malik is a London-based IT security professional. Prior to joining AlienVault, Javvad was a senior analyst with 451 Research, providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning.

This guest blog is part of a Channel Futures sponsorship.