The concept of security through obscurity (STO) relies on the idea that a system can remain secure if its vulnerabilities are secret or hidden. If an attacker does not know what the weaknesses are, they cannot exploit them. The flip side is that once a vulnerability is exposed, the system is no longer secure. It is commonly held that security through obscurity is only effective when used as one layer of security and not as the entire security system.

STO is a controversial topic in the IT world. On its own, it is an ineffective security measure. Security through obscurity seeks to keep a system secure by keeping knowledge of it secret. The inner mechanisms and workings of a system are kept on a “need to know” basis. If no one outside of the core group is aware of them, or of the vulnerabilities, the system can remain secure. In theory this works, but the margin for human error is wide. If there is a leak, the entire system can be compromised.

The concept of security through obscurity has a long history, with early opponents dating back to the 1850s. The controversy then involved publishing how to pick a state-of-the-art lock of the time. While there was much outrage, the argument was made that those working to break in already know how, and that exposing flaws in the design does not actually make the locks more vulnerable to attack. STO has been a traditional aspect of cryptography, with government agencies such as the NSA (National Security Agency) employing cryptographers whose work was kept secret. On the opposite side, Kerckhoffs’s principle, from the end of the 19th century, holds that a cryptographic system should be secure as long as the key is kept secret, even if everything else about the system is well known.

Security by obscurity is in essence an insecure concept in that the hidden secret, or unknown entity, is the key to unlocking the entire system. In this case, once the enemy has this key, they have access to everything. Used in isolation, security by obscurity is an insecure concept. When used as part of a system’s architecture and as an independent layer, security through obscurity can be an effective security measure.

Good obscurity compared to bad obscurity

For example, camouflage is a helpful security measure, but if you can see through it, it is no longer effective unless there is additional protection underneath the camouflaged layer. STO as the only method for protecting your assets is a bad idea, but when used in conjunction with other security measures it can be a useful tool. Security by obfuscation serves to make reconnaissance by bad actors and unauthorized users harder. They will have a tougher time exploiting vulnerabilities in something they cannot see in the first place.

These are real-life examples of security through obscurity:

- The door is locked, but the key is hidden under the doormat.
- Deploying decoy cars around the asset you are trying to protect, with only key players knowing which car the asset is contained in.
- Using a closed-source system whose inner workings only specific people know.
- Writing your password on a piece of paper and hiding it underneath your computer keyboard.

Good STO involves keeping the keys to your system less visible while ensuring that they are properly protected at the same time. More and more users have advanced knowledge of how systems work, which can make it easy for them to guess the information that was withheld. The IT environment is becoming increasingly complex, and more users need access, which increases the number of people “in the know.” For these reasons, STO is often criticized as an ineffective method, especially when used as the primary or only form of security. Also, once the key is discovered, the system is open and vulnerable to attack if STO is the only method protecting it; once discovered, there is no more protection. Open-source code is regularly used and widely available. Even the United States National Institute of Standards and Technology (NIST) does not recommend relying on closed source to secure software.
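The contrast drawn above between a system whose secret is its own mechanism and one that follows Kerckhoffs’s principle, as an added Python illustration (not part of the original article; the pad constant, keys and nonce are constructed values): scheme A has no key, so anyone who reads the code can decrypt every message, while scheme B publishes its algorithm and keeps only a rotatable key secret.

```python
import hashlib
import hmac

# --- Scheme A: security through obscurity -----------------------------
# The secret is the transformation itself. There is no key: anyone who
# reads this source (a leak, a decompile, an insider) can decrypt every
# message ever produced, and only rewriting and redeploying the
# algorithm everywhere restores protection.
_HIDDEN_PAD = b"correct-horse"  # constructed constant baked into the code

def obscurity_encrypt(plaintext: bytes) -> bytes:
    # XOR each byte with a repeating hard-coded pad, then rotate left by 3.
    out = bytearray()
    for i, b in enumerate(plaintext):
        x = b ^ _HIDDEN_PAD[i % len(_HIDDEN_PAD)]
        out.append(((x << 3) | (x >> 5)) & 0xFF)
    return bytes(out)

def obscurity_decrypt(ciphertext: bytes) -> bytes:
    # The inverse takes no secret input at all: knowing the code suffices.
    out = bytearray()
    for i, b in enumerate(ciphertext):
        x = ((b >> 3) | (b << 5)) & 0xFF
        out.append(x ^ _HIDDEN_PAD[i % len(_HIDDEN_PAD)])
    return bytes(out)

# --- Scheme B: Kerckhoffs's principle ----------------------------------
# Everything about the construction may be published; only `key` is
# secret. HMAC-SHA256 is used as a PRF to expand (key, nonce, counter)
# into a keystream: an illustrative CTR-style construction, not a
# substitute for a vetted AEAD such as AES-GCM in real systems.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    stream = b""
    counter = 0
    while len(stream) < length:
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return stream[:length]

def kerckhoffs_encrypt(plaintext: bytes, key: bytes, nonce: bytes) -> bytes:
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

def kerckhoffs_decrypt(ciphertext: bytes, key: bytes, nonce: bytes) -> bytes:
    # Symmetric: a compromised key is rotated; the public algorithm stays.
    return kerckhoffs_encrypt(ciphertext, key, nonce)
```

With scheme A, a source leak is equivalent to handing out the decryption routine; with scheme B, publishing the code reveals nothing about any particular message, and a leaked key is replaced without touching the algorithm.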