Everything secure, or what? Philosophy lesson: Security through Obscurity

14/04/2022

In our column "Everything secure, or what?" we regularly discuss individual components of a successful IT security architecture. Today we want to get a little philosophical and look at an IT security philosophy that, although widely refuted, still comes up in conversations, especially with IT security laypeople: "Security through Obscurity", or STO. In this post we discuss why this approach usually provides only apparent security.

A safe hiding place for protection?

Security through obscurity means hiding security-relevant information from potential attackers. An analogy for this approach is a house hidden in the forest that has no door lock: once someone finds it, it is defenseless. In the digital world, this means keeping secret the security vulnerabilities, as well as the tools, algorithms and processes used for protection. It could also be a password hidden in binary code. Only a select group of administrators, developers and other key people know the details of IT security in the organization.

Hidden information can include passwords, folder structures, ports or software versions. But just as with a house whose key is hidden in the front yard, a close look by attackers or a lucky accidental find can bring down the entire security infrastructure, insofar as it relies entirely on security through obscurity.

The problems with Security through Obscurity

Keeping an encryption algorithm secret, but not the keys, contradicts Kerckhoffs's principle, which states that in secure cryptography the keys must be secret, not the algorithms. If an algorithm is used often enough, "reverse engineering" it is a simple exercise for skilled cryptography experts. In this way the encryption can be broken, and the gateway to the crown jewels of the organization stands open.
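To make the difference concrete, here is an added example (not part of the original column) contrasting the two designs in Python: a keyless "secret" substitution, where the code itself is the only secret, beside a keyed construction whose algorithm is fully public. The HMAC-SHA256 counter keystream is a toy stand-in for a vetted cipher, and all function and table names are assumptions for this illustration.

```python
import hmac
import hashlib
import os

# Design 1: security through obscurity. The transformation itself is the
# secret; there is no key. Whoever obtains the code (a leaked repository,
# a reverse-engineered binary) can read every message ever sent, and
# nothing can be rotated short of rewriting the algorithm.
SECRET_TABLE = bytes((i * 7 + 3) % 256 for i in range(256))   # constructed "secret" substitution
INVERSE_TABLE = bytes(SECRET_TABLE.index(i) for i in range(256))

def obscure_encrypt(plaintext: bytes) -> bytes:
    return bytes(SECRET_TABLE[b] for b in plaintext)

def obscure_decrypt(ciphertext: bytes) -> bytes:
    return bytes(INVERSE_TABLE[b] for b in ciphertext)

# Design 2: Kerckhoffs's principle. The algorithm (HMAC-SHA256 keystream in
# counter mode, XORed with the message) is public; only the key is secret.
# Toy construction, unauthenticated: real systems use a vetted AEAD such as
# AES-GCM or ChaCha20-Poly1305.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def keyed_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh per message, transmitted in the clear
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def keyed_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

def leak_resilience(message: bytes) -> dict:
    """What someone who holds the full source code, but not the key, can read."""
    key = os.urandom(32)
    ct_obscure = obscure_encrypt(message)
    ct_keyed = keyed_encrypt(key, message)
    return {
        # With the code in hand, the obscure design yields the plaintext outright.
        "obscure_readable_with_code": obscure_decrypt(ct_obscure) == message,
        # With the code but a guessed key, the keyed design yields nothing useful.
        "keyed_readable_with_code_only": keyed_decrypt(os.urandom(32), ct_keyed) == message,
        # The legitimate key holder reads it, and the key can be rotated at any time.
        "keyed_readable_with_key": keyed_decrypt(key, ct_keyed) == message,
    }
```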

Another problem with keeping important security details secret is the ignorance of one's own employees, who may lack the knowledge needed to defend against an attack in an emergency. Knowledge of the software in use, its versions and its patch status is essential not only for attackers but also for defenders. Knowledge is power, and an admin without a view of their own IT landscape is only worth half as much.

Be proud of secure encryption

Instead of relying on hackers not identifying your algorithms, you should rely on secure algorithms that cannot be broken, at least not without a few decades of computing time. An open approach to all security mechanisms gives administrators a good overview of their own IT security landscape and a self-confidence grounded in their use of secure products, services and mechanisms. The proven (and generally rated as better) alternative to security through obscurity is clearly a strategy of maximum transparency in IT security. From the high castle tower, the fortress "IT" can be defended with a good overview against the attackers acting from the shadows.

Author: Tobias Philipsen