Understanding the 'Security Through Obscurity' Theory

The theory and thought behind the practice

[Image: dog hiding under blankets. Credit: Crystal Cartier Photography / Getty Images]

If the front door to your house is covered by shrubs and trees, does that mean you don't have to lock it? That is sort of the basis of security by obscurity. Essentially, security by obscurity relies on the fact that a given vulnerability is hidden or secret as a security measure. Of course, if anyone or anything accidentally discovers the vulnerability, no real protection exists to prevent exploitation.
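The shrubs-in-front-of-the-door idea is easy to show in code. The following is an added illustration, not part of the original article: a toy "admin" handler whose only protection is an unpublished URL path, placed beside a handler that checks a per-user credential regardless of path. The path, user name and token value are constructed for the example; `admin_by_obscurity`, `admin_by_credential` and `simulate_path_leak` are names chosen here, not from any real framework.

```python
"""Added illustration: a hidden URL as the only gate versus a real credential check."""
import hashlib
import hmac
from typing import Dict, Optional

# Constructed toy data: an unpublished admin path and one issued API token.
HIDDEN_ADMIN_PATH = "/admin-7f3a9c2e"            # its only "protection" is that nobody was told it
ISSUED_TOKENS = {"alice": "tok-" + "a" * 40}     # constructed; real tokens come from a CSPRNG


def admin_by_obscurity(path: str) -> bool:
    """Security through obscurity: whoever learns the path is treated as admin."""
    return path == HIDDEN_ADMIN_PATH


def _token_hash(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


# Store only hashes so a leaked table does not hand out usable tokens.
TOKEN_HASHES: Dict[str, bytes] = {user: _token_hash(tok) for user, tok in ISSUED_TOKENS.items()}
ADMINS = {"alice"}


def admin_by_credential(path: str, user: str, presented_token: Optional[str]) -> bool:
    """Authorization that does not depend on the path staying secret.

    The path is accepted as an argument only to show it plays no role in the decision.
    """
    if presented_token is None or user not in TOKEN_HASHES:
        return False
    # Constant-time comparison of the hashes so timing differences do not leak token bytes.
    if not hmac.compare_digest(TOKEN_HASHES[user], _token_hash(presented_token)):
        return False
    return user in ADMINS


def simulate_path_leak(leaked_path: str) -> Dict[str, bool]:
    """What each design yields to someone who merely learned the path (say, from a referrer log)."""
    return {
        "obscurity": admin_by_obscurity(leaked_path),
        "credential": admin_by_credential(leaked_path, "alice", None),
    }


if __name__ == "__main__":
    print(simulate_path_leak(HIDDEN_ADMIN_PATH))
```

Once the hidden path is known, the first handler grants admin access outright, while the second still requires the token and still denies a wrong one. That is the whole point of the article's shrub analogy: hiding the door is fine as an extra layer, but the lock has to exist independently of whether anyone has found the door.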

There are those in the cybersecurity field and government organizations who would prefer to keep the tricks and tips of the hackers and crackers secret. They feel that sharing the knowledge is the equivalent of encouraging new malicious hackers and crackers to try out the techniques for illegal and unethical purposes. They believe that by keeping the tricks and techniques out of the public domain they are protecting the world at large.

We are more inclined to agree with the side that believes full disclosure of the tricks and techniques offers the best possibility of being able to protect against them or nullify them altogether. To assume that security by obscurity offers protection is to assume that no other person in the world can discover the same flaws or vulnerabilities. That seems like a fool's assumption.

The fact that you may not know how to operate a gun will not stop an unethical or immoral person who does know how to use a gun from harming you. Similarly, not knowing how hacker techniques work will not protect you from an unethical or immoral person who does know the tricks and techniques from hacking into your computer system or causing other malicious harm to your network or computer.

Ethics vs. Knowledge

What separates the thieves from the detectives and the hackers from the security administrators is ethics, not knowledge. You must know your enemy in order to prepare a proper defense. The whitehat hackers of the world have the same knowledge as the blackhat hackers of the world — they simply choose to use their knowledge for ethical purposes rather than malicious or illegal activities.

Some of the whitehat hackers have gone on to start businesses as security consultants or form companies dedicated to helping other companies protect themselves from the blackhat hackers of the world. Rather than applying their knowledge for illegal activity that may or may not make a quick buck, but most certainly will land them in jail, they choose to apply their knowledge to do what they love to do while making a lot of money doing it — legally.

Some of these people also do what they can to share the tips, tricks, and techniques used by the hackers and crackers with the rest of the world to teach them how to defend themselves as well. George Kurtz and Stuart McClure founded the security company Foundstone (later purchased by McAfee). These two information security veterans, along with Joel Scambray, an IT security consultant to Fortune 50 companies, authored the best-selling computer security book Hacking Exposed, now in its 6th edition and the origin of the very successful Hacking Exposed series.

The 6th edition of Hacking Exposed was recently released. Hacking Exposed also spawned a very successful series of other Hacking Exposed titles: Hacking Exposed — Wireless, Hacking Exposed — Linux, Hacking Exposed — Computer Forensics, and more. There are also similar books from other authors such as Hack Attacks Revealed by John Chirillo and Counter Hack Reloaded by Ed Skoudis.

Hacking Exposed is considered by many to be the best book on the subject. These three gentlemen, with contributions from many other information security experts (most of whom also work for Foundstone), have compiled a comprehensive guide to the methods, tricks, and technology used by hackers to break into your network or computer.

In the foreword to the book, Patrick Heim, Vice President of Enterprise Security for McKesson Corporation, writes:

“Now that the black art of hacking has been demonized, I would argue that it is essential for individuals placed in charge of designing, building and maintaining information infrastructure to be fully aware of the true threats that their systems will need to repel.”

When you see a doctor, you expect them to properly diagnose your symptoms and determine the real problem before giving advice or prescribing medications. In order to do so, the doctor needs to be fully aware of the various threats your body might encounter and what the effective countermeasures are for those specific threats.

Just as a detective must think like a thief to catch a thief, and a doctor must know how viruses and diseases work and behave to diagnose and counteract them, we expect an information security expert to be an expert in using the tricks, tools, and techniques they are being asked to defend against. Only with this knowledge can we honestly expect someone to adequately defend against hackers and to detect when and how an intrusion occurred if, in fact, the network is compromised.

Ignorance is not bliss. Security through obscurity doesn’t work. It only means that the bad guys know things that you don’t and will exploit your ignorance to the fullest every opportunity they get.