Tuesday, October 22, 2013

Security by Obscurity - A Basic Overview of the Key Under the Mat
::Bet you didn't see that one coming, did you?::

What is security by obscurity?  I'm going to attempt to take a rational approach and define both terms and then combine.  From www.dictionary.com:

-Security - freedom from danger, risk, etc.; safety
-Obscure - not clear or plain; ambiguous, vague, or uncertain

When we combine the two terms we basically get "a freedom from risk or danger through ambiguity and uncertainty".  Let's create an example:

As a homeowner you've decided that you would like an easy-to-access key to your front door in case of an emergency.  You don't want to just lay the key on your front step for all to see, because after all, that would be dangerous in today's society.  You decide to go to the hardware store and purchase a garden gnome statue.  You place the gnome on your front step, with the key securely hidden underneath.

This is a great form of security, right?  Well, that depends on whether you want to actually prevent the intruder from getting into your house or just slow them down for a second.  You're attempting to obscure the fact that you've placed a key to your home in your front yard for all to obtain, when in reality any real intruder knows to look under movable objects in the front yard for a spare key.  There are many real-world instances of the practice of security by obscurity, but are they really that useful, or even necessary, in today's security practices?  In fact, here's a great site that sells the gnomes: http://vallain.squidoo.com/key-hider.  Make sure to take a good look at these hiders; if you ever see one in someone's yard, have a good laugh knowing that you could easily break into that house.  But do it quietly, otherwise you might look like a crazy person.

I once briefly consulted for a company as a systems analyst, and was asked to do a detailed write-up of the architecture, flaws and weaknesses of the system that the then-employed administrator had built.  After meeting up with the administrator and having him give me the overview of the physical and logical server setup, I noticed one very apparent thing that this administrator relied on heavily...security by obscurity.  It seemed that no one had ever taught this admin the one important lesson about security by obscurity: it's only as good as the intruder is unskilled.  In other words, if the home invader is too inexperienced to check under the gnome statue on your front doorstep for the key you hid there for emergencies, then your security by obscurity will be just fine.  But for the other 75% of the potential intruders, it won't take very long for them to figure out where the key is.

Let's take a really quick step back, though, and look at the real goal of system security.  Security is never foolproof; that's the one thing any real security specialist in any field will tell you.  Anyone who tells you otherwise is either lying or trying to sell you something.  The only purpose of any kind of security is to either slow an intruder down enough to catch them before they are able to do harm, or to discourage them from trying in the first place.  In this sense, security by obscurity does in fact have a place.  However, the one very important thing that needs to be noted about security by obscurity is that...

it never takes the place of actual security...EVER!

In the case of my previous example as a systems analyst, the admin thought that by creating a secondary subnet that sat between his network monitoring servers and the border firewall, no intruder would notice that these systems were sitting on the public-facing side of the firewall.  This setup would never have stopped an intruder.  It may have slowed them down for a bit until they figured out what was going on, and then they would have had free access to all system resources.  There were many other examples of this type of reasoning in that environment, but needless to say, if an intruder is skilled enough to make it to the first subnet, how long do you think it would take for them to figure out that it's just a decoy?  Not very long at all.

Basically, the point I'm trying to make here is that if employed correctly, efficiently and cost-effectively, security by obscurity can add value to any system's security setup.  However, it will never take the place of actual security, nor should it.  Having a real firewall protecting your entire network, having a properly set up DMZ and internal network, properly configuring your AV and HIPS, correctly employing system hardening tools with baselines, and properly training your staff to deal with social engineering scams are all examples of actual security techniques that will help to prevent loss of data and negative impact to business continuity.  No security is airtight, but the closer you can get it to being so, the better it'll be at thwarting attacks.

2 comments:

  1. Cort,

    Great read - I have dealt with a numerous array of security 'layers' in my previous gigs and especially my current. Through network obscurity and proper 'processes' from the network engineering side, you can definitely slow down an intruder. However, if a server or network is compromised - usually the criminal has prior knowledge of the lay of the land, or rather, stolen hardware :) / information.

    I think the best bet to help thwart an attack/intruder -
    Attack: Make sure your DNS is abstracted in layers - Use a medium to help offload DNS/DDoS attacks - something like Cloudflare rocks... Network attacks can also be stopped by proper engineering/architecture on the networking/colo side.
    Obviously applications need to be secure too and free of bugs that can have zero-day exploits and the likes of it...

    Intruders: I tend to take the route of 'abstract tasks' in your business/infrastructure, however or rather, whomever could kick ass at a lot of things, this person needs/rather is required to relinquish control of parts of the environment so that team members would have to 'work together' to conduct 'illegal' activities.

    There is also a myriad of change management operations that need to be conducted to keep passwords fresh and auths in line.


    Great article again Cort...I'll be adding to my blog more often... tliakos.com

    Replies
    1. Hey Thomas, thanks for the comment. I like your point about divided responsibilities. This would have been especially useful in the environment I spoke about, however, such is the downfall of a startup that cannot afford a multi-tiered IT force I guess. But yes, I'm a firm believer in checks / balances and least permissions.