Benefits of Security Through Obscurity

Security through obscurity is an often overlooked strategy to help secure an organization from cyber threats. Security through obscurity is a security principle that leverages the secrecy of design, configuration, and implementation as a means to protect things of value.

While security through obscurity has many benefits, it should be noted that by itself, it is not enough to adequately secure anything. This is because if the obscured details of design, configuration, and implementation are leaked or otherwise discovered, the organization instantly becomes vulnerable.

To visualize this, consider a sniper in camouflage moving through hostile territory. If he was spotted by his adversary without a weapon to defend himself, he'd be in serious trouble. To be truly effective, security through obscurity should be used in conjunction with a mature security program to enhance existing prevention, deception, detection, and response capabilities. With that said, let's look at some of the key benefits of this strategy:

Increased Attack Complexity

When specific details of a system, application, network, or facility are hidden (e.g., proprietary algorithms, configurations, or protocols), attackers face increased challenges in gathering the information required to carry out a successful attack.

Delay of Exploitation

Obscurity can slow down attackers, giving defenders more time to identify and respond to threats before vulnerabilities are exploited. For defenders, time is always of the essence. The quicker you can put out a fire, the less harm it can do.

Reduced Exposure

It is best when the details of a system, application, network, or facility are not publicly accessible. This is because opportunistic attackers will likely overlook the target entirely and focus instead on more well-known or exposed targets.

Protection From Low-Level Attacks

Script kiddies or attackers using automated tools may be thwarted if the tools are designed with assumptions that don't align with obscure configurations. This may seem like a trivial point, but many big breaches began from mass, automated exploitation of a common vulnerability.

Defense In Depth

As part of a broader security strategy, obscurity adds unpredictability and complexity, complementing other measures like firewalls, intrusion detection systems, and access controls. A defense-in-depth strategy has been proven to be the most effective approach. This is because it slows down attackers, offers redundancy in security controls in the event one control fails, and offers many opportunities to detect and stop an attacker before they reach the organization's crown jewels.

Conclusion

On its own, security through obscurity can provide benefits. But it is dangerous and not recommended to rely on it by itself. Used in conjunction with a well-crafted security program consisting of prevention, deception, detection, and response capabilities can enhance an organization's cyber risk management strategy by imposing cost on all potential attackers.