 |
 You have no idea what I think we need more of? Congratulations, that’s exactly my point. If you haven’t already googled the phrase above let me help you: /əbˈskjʊə.rɪ.ti/ means “obscurity”. All I did was write it using the International Phonetic Alphabet. That wasn’t that hard to find out but it wasn’t my intention to prevent you from finding out the first word of this blog post. I merely tried to hide it from you a bit and make it harder (for most of the readers at least) to recognize the word at first sight. In our profession – I assume you are working in the IT security industry – it is a given that you stumble over the expression “Security through obscurity doesn’t work.” It’s one of those statements that is both catchy and seems to make obvious sense. As often is the case with such catchy and seemingly correct statements, it’s also not true. At least not entirely. Obscurity works many times and most of us use it in our non-work life on a constant basis to get some level of protection established. Yet many IT Security professional avoid it like the plague when it comes to their jobs. Real life example: You are going to the beach and then face the dilemma where to put your wallet and the keys. Do you put them out in the open because you don’t have a 300 pound safe with you so what’s the point hiding them? No, you probably opt for hiding them under your towel or you put them into your shoes. You push them all they way to the toes because crooks “check the heels, they move on” as Jerry Seinfeld once said. You many never have your keys stolen because the likelihood of that happening on that beach is low and/or many watchful eyes will make a potential thief to nervous to make an attempt rooting through your base camp. Leaving your keys out in the open however still feels wrong. Do you know what you do when you hide your keys in your shoe? You increase the opportunity cost for the attacker (the thief). He would need to inspect your camp while appearing innocent to any onlookers and he needs more time searching. Compare that to the cost of grabbing a key that is just lying there in plain view. Obscurity works in this scenario. It was cheap for the defender and relatively expensive – but not impossible – for the attacker to overcome. RSA Laboratories came up with RSA FlipIt which takes a game theoretical approach to IT security scenarios where attacker and defender compete over a resource. One of the conclusions of FlipIt is that the defender should arrange the game in a way that the visibility of the attacker is minimized. Obscurity is one way of achieving this. The alternative to obscurity is not always “use real security instead” but instead “do nothing”. The problem with “real security” often is that it costs money, time and effort to implement and maintain it. So if the alternative is “do nothing” it is absolutely worthwhile looking at obscurity to provide one layer of protection because let’s face it: Obscurity is often the cheapest option and it is better than nothing. If you are still not convinced let’s learn from the other side: Obscurity is often used by the attackers. Why does malware use files that have innocent looking names or hide processes from the task manager? Do they do that expecting that nobody will detect all this? No, they expect that a few won’t detect it, some detect it immediately and that others will spend more time and money before finally finding out what’s going on. The benefit to the attacker is more dwell time for the targets that don’t detect the malware fast enough. It’s not hard to do, not that hard to overcome but cheap enough that there is a payoff that makes it worthwhile. If it works for them it’ll work for us. Next time somebody tells you “Security through obscurity never works,” invite them to a day on the beach and look what they do with their keys. I bet they suddenly become obscurity practitioners. Oh, the picture above? That’s the melodic death metal band “Obscurity” from Germany. “Melodic death metal” – I frankly had no idea… Not quite my type of music but from all pictures that Google returns when searching for the term “obscurity” this is by far the best. Pictures source: Wikimedia The post /əbˈskjʊə.rɪ.ti/ – we need more of it. appeared first on Speaking of Security - The RSA Blog and Podcast. |
