As a cyber security professional, I deal with multiple layers and concepts of security on a daily basis. Of all the different security topics out there, security through obscurity seems to generate the most disagreement between various professionals. Like most controversies, there are two sides. One side claims security through obscurity is a perfectly valid method of protecting a system while the other side claims it’s useless and creates a false sense of security. So which side is right?
Let’s start with the basics…
What is Security Through Obscurity?
One of the reasons there seems to be disagreement about the validity of security through obscurity may have to do with inconsistencies in the definition itself. Take a look at the definition pulled from Wikipedia below:
Now compare that with the definition from Techopedia:
Security through obscurity (STO) is a process of implementing security within a system by enforcing secrecy and confidentiality of the system’s internal design architecture. Security through obscurity aims to secure a system by deliberately hiding or concealing its security flaws.
Techopedia – What is Security Through Obscurity (STO)?
While both of these definitions are similar, there is one key difference: Wikipedia states that security by obscurity is reliance on secrecy as the main method of protecting a system while Techopedia makes no such claim.
Security Through Obscurity Examples
To illustrate the concept of security by obscurity a little better, let’s take a look at a couple of common examples.
Example #1: Platform Information
Pull up developer mode on this website and you’ll probably be able to figure out that it’s running on Apache (soon to be Cloudflare, but at the time of this writing, it’s Apache). The server type is written directly into the response headers. This is pretty standard information. But what if you were a hacker who specialized in hacking Apache websites? Well, you’d probably scrape the Internet for websites with Apache in the response headers and then create your target list of sites to attack from there. If a site didn’t have Apache in the response header (or the response header was completely missing), you’d probably skip over it.
A cyber security practitioner might opt to strip the server header from the website entirely so that a hacker’s automated tools can’t easily determine the platform, effectively ‘hiding’ this information from the malicious actor.
Example #2: Cloaking Usernames
If you run a WordPress website, you may have noticed that the author slug for any user is the username by default. There’s only one problem with that: once a hacker knows a username, they just need to figure out the password that goes with that username in order to gain access to the account. Assuming you don’t have 2-factor authentication already configured, the hacker has half of what they need easily available.
A site owner could install a WordPress plugin that turns each user slug into a randomized set of characters to make it more difficult for a hacker to determine an author’s username. This, in turn, makes it more difficult to brute-force the site’s logins.
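Both examples above can be checked from the defender’s side with a quick audit of a captured HTTP response. The following script is an added example, not code from the original post: it parses a constructed WordPress-on-Apache response, reports any platform-revealing headers, and flags author links whose slug is still a real account username (the owner supplies the username list; the header values, hostname and usernames are all constructed).

```python
"""Audit an HTTP response for the two obscurity gaps described above:
a platform-revealing Server header and WordPress author slugs that equal
account usernames. Input is a raw response captured by the site owner."""
import re
from typing import Dict, List, Tuple

# Headers that disclose the platform to automated scanners.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-generator")


def parse_response(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into lowercase-keyed headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def platform_disclosures(headers: Dict[str, str]) -> List[str]:
    """Return 'header: value' strings for headers that reveal the stack.
    A bare product name (e.g. 'Apache') still counts; an absent header does not."""
    return [f"{h}: {headers[h]}" for h in FINGERPRINT_HEADERS if h in headers]


def exposed_usernames(body: str, usernames: List[str]) -> List[str]:
    """Return account usernames that appear verbatim as /author/<slug>/ links.
    The site owner supplies the real usernames; nothing is guessed from the page."""
    slugs = {s.lower() for s in re.findall(r"/author/([A-Za-z0-9._-]+)/", body)}
    return sorted(u for u in usernames if u.lower() in slugs)


# Constructed sample: a default WordPress-on-Apache response before hardening.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.57 (Debian)\r\n"
    "X-Powered-By: PHP/8.1\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<a href="https://example.invalid/author/jsmith/">Posts by J. Smith</a>\n'
    '<a href="https://example.invalid/author/x7q2ph/">Posts by Editor</a>\n'
)
SAMPLE_USERNAMES = ["jsmith", "editor"]  # constructed; from the site's own user list

if __name__ == "__main__":
    hdrs, html = parse_response(SAMPLE_RESPONSE)
    print("disclosed headers:", platform_disclosures(hdrs))  # Server and X-Powered-By
    print("exposed usernames:", exposed_usernames(html, SAMPLE_USERNAMES))  # ['jsmith']
```

In the sample, "editor" is not reported because its slug was already randomized, while "jsmith" still leaks through the default author link.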
“Security Through Obscurity is Not Security”
Those who rally against the idea of security by obscurity maintain that it’s not a security technique at all. But when you really dig down, almost everyone who says this really means, “Security through obscurity alone is not security”.
Take passwords for example. If obscurity had no value, why do we use complex passwords? Obviously, there’s a benefit in creating a complicated password that’s an obscure combination of characters. But a strong password won’t always protect you, which is why we have things like 2-factor authentication, smart cards, and biometrics.
Security by Obscurity as a Valid Part of a Cyber Security Plan
Hiding the fact that your website runs on WordPress, for example, might provide a small benefit, but you also need to protect the installation itself: don’t run out-of-date versions, and use protection tools such as web application firewalls.
Ultimately, security through obscurity is widely used and it can carry significant value when applied as part of a larger cyber security plan. That being said, it’s not the answer to locking down a system on its own.