Security through Obscurity Is Old School

In today’s brave new transparent world, the smartest approach to security is the most forthright and honest.


There are many things within information security that pundits have been claiming are dead, or should be killed by fire. Passwords are usually found at the center of such discussions. This isn’t a post about passwords, though; it’s a post about honesty and trust. But let’s first take a look at the other side of the coin.

Security through Obscurity

From the beginning of time, security through obscurity has been a thing. It’s the misguided belief that as long as people don’t know about a weakness in a system, it won’t be exploited by bad people.

I think it’s about time that we lay “security through obscurity” to rest once and for all. Kill it with fire, nuke it from orbit, drive a stake through its heart, do whatever it takes.

To be clear, I don’t believe it’s the security industry that is largely pushing obscurity as a control, but rather it’s a decision that comes from the business and is sometimes enforced by external factors such as auditors.

What I mean by this is that security isn’t about preventing some bad event from happening. Neither is it about ensuring bad people don’t attack you. It’s about minimizing the risk of these events–and that’s what needs to be understood and shared.

Where It Falls Apart

However, much of this good will fall apart, and companies will revert to obscurity, denial or barefaced lying in a feeble attempt to save face.

For example, a company may disallow pasting passwords into its web application. Time and time again we see an exchange on social media which goes a bit like this:

Customer: You don’t let me paste my password, which is inconvenient and stops me from using a password manager and a strong password.

Company’s social media team: We prevented pasting for security. It’s good security to prevent pasting passwords.

Customer: No, it’s not.

Company’s social media team: Yes, it is.

Customer: No, it’s not. And now I’m going to mobilize all my followers to say mean things about you.

Company’s social media team: You’re all wrong. It’s for your own safety.

And this descends into a massive brawl for all, and nothing gets resolved.

Now, maybe the company had good reason to block pasting passwords. Perhaps they were being targeted by a certain attack and this was the easiest way to block it. But simply saying it’s for security doesn’t cut it. Now imagine if the conversation went a bit like this:

Customer: You don’t let me paste my password, which is inconvenient and stops me from using a password manager and a strong password.

Company’s social media team: We feel your pain, and we apologize. But we keep getting attacked by x, and to prevent it we disabled pasting passwords. It’s not ideal, but we’re working toward y solution.

Yes, I realize you can never truly satisfy angry security people on Twitter, but this kind of honesty can go a long way.

Internally, the issues get even more complex when trying to adopt an open and honest approach. Soldier of Fortran shared a story on Twitter recounting how auditors were reviewing logs for some appliance that used a default account. Every time the account was used it wrote the username and password in the logs as an easy-to-identify log entry. Hundreds of entries a day. So how did they fix it?

They changed the password to ********. When the auditors reviewed it, they just assumed it was fixed because it looked masked now.

A pretty ingenious way to fix a problem, if the auditor was defined as your problem. From a security perspective, the vulnerability still exists.

I get it: When there are so many things to balance, it’s tempting to go down the path of least resistance—to implement a quick fix to get the monkey off your back and allow you to move on with real work.

A little white lie, or a bit of auditor deception, may work and is indeed needed occasionally, but the problem really begins once it becomes the norm. What started off as a casual comment can well escalate into a “Comical Ali”-style denial that breaches haven’t occurred, and any fraudulent activity is the fault of the customer.

A Brave New Transparent World

I was speaking to a CISO recently and asked their view about delivering bad news to their superiors. They responded by saying, “The board doesn’t mind bad news; they dislike surprises.”

And that is a sentiment that rings true for most.

So, what am I proposing here? Most of us can probably agree that security through obscurity never did provide the security it promised to begin with.

Does that mean you publish every detail about your systems for everyone to scrutinize? Of course not; that would be impractical.

What I suggest, in this brave new transparent world, is that companies take a risk-based decision on what their security is and own it. Be bold, be confident. No security setup will ever be foolproof, and, therefore, nothing will ever be good enough to pacify the naysayers. However, with the right level of transparency, trust can be gained.

One of the ways this manifests itself is to face any shame one may believe exists. If a criminal threatens to leak the customer list of a company, one should resist the urge to negotiate. Rather, you can take control of the situation by going public with the information, with clear steps as to what the company is planning to do next. This takes away power and control from the criminals.

Several years ago, many celebrity iCloud accounts were compromised, and personal photos were distributed. Actress Jennifer Lawrence gave the perfect example of taking control of the narrative by stating that the only people who should feel ashamed were the criminals and those sharing her photos.

When Timehop suffered its security breach, it did the opposite of what most companies did. It didn’t send a generic email saying it took security seriously. It published a full and transparent timeline of the incident–what was happening, how many records were breached, the whole nine yards. It serves as one of the prime examples of how companies should look to adopt disclosure practices in the future.

Because the days of burying secrets are long gone.

In today’s day and age, being transparent is what will gain the trust of users, regardless of the severity of the incident. And trust will be the dominant currency that will keep companies afloat.

Javvad Malik is a London-based IT security professional. Prior to joining AlienVault, Javvad was a senior analyst with 451 Research, providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning.

This guest blog is part of a Channel Futures sponsorship.
