Security through Obscurity
- The idea that “you ain’t gonna know me” may not be a reliable defense.
- According to the Google dictionary, obscurity is “the state of being unknown, inconspicuous, or unimportant.”
- Security through obscurity (or security by obscurity) means protecting assets by relying on keeping the assets or their safeguards invisible, unknown, unnoticed, secret, unattractive, or apparently unimportant or worthless.
- Security by design and open security are the opposite concepts to security through obscurity.
- Kerckhoffs’s principle states “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.”
- Shannon’s maxim articulates Kerckhoffs’s principle by assuming “the enemy knows the system” and “one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them.”
We all agree it is not sufficient to enforce security solely through obscurity. Security experts advise that obscurity should never be the ONLY security mechanism. In some cases, security through obscurity can be implemented as part of the defense-in-depth or layered defense strategy.
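As an added example (not from the original page), the three designs below make Kerckhoffs’s principle and Shannon’s maxim concrete: an adversary who knows every algorithm and constant recovers the message only from the design whose sole secret is its algorithm, while an obscurity layer placed over a keyed design costs nothing because the key still holds. The XOR constant, the key and the HMAC-counter keystream are constructed for the demonstration and are not a production cipher.

```python
import hashlib
import hmac
from typing import Optional

# Constructed values for the demo: the obscurity-only design's "secret"
# constant, a per-deployment key for the keyed designs, and a known
# plaintext prefix the adversary uses to recognise a correct guess.
OBSCURE_CONSTANT = 0x5A
KEY = bytes.fromhex("8f3a2c1e9b7d4065a1c3e5f7092b4d6e")
CRIB = b"GET "


def keystream(key: bytes, length: int) -> bytes:
    """Public algorithm: HMAC-SHA256 in counter mode (demonstration only)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:length]


def xor_constant(data: bytes) -> bytes:
    """Obscurity-only design: its only 'secret' is this fixed constant."""
    return bytes(b ^ OBSCURE_CONSTANT for b in data)


def keyed(data: bytes, key: bytes) -> bytes:
    """Keyed design: the algorithm is public, security rests on the key.
    XOR with the keystream both encrypts and decrypts."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, len(data))))


def keyed_plus_obscurity(data: bytes, key: bytes) -> bytes:
    """Keyed design with obscurity added as one more layer (defense in depth)."""
    return xor_constant(keyed(data, key))


def enemy_knows_the_system(ct: bytes, design: str, budget: int = 1000) -> Optional[bytes]:
    """Shannon's adversary: knows every algorithm and constant, but not the key.
    Returns the recovered plaintext, or None when the key space exceeds the budget."""
    if design == "obscurity_only":
        return xor_constant(ct)      # constant is known: direct recovery, no key needed
    if design == "keyed_plus_obscurity":
        ct = xor_constant(ct)        # strip the known layer; keyed ciphertext remains
    for guess in range(budget):      # all that is left is a search over the key space
        candidate = keyed(ct, guess.to_bytes(16, "big"))
        if candidate.startswith(CRIB):
            return candidate
    return None
```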
In recent years, security through obscurity has gained support as a methodology in cybersecurity through Moving Target Defense and cyber deception.
- NIST’s cyber resiliency framework, SP 800-160 Volume 2, recommends security through obscurity as a complementary part of a resilient and secure computing environment.
- The research firm Forrester recommends environment concealment to protect messages against Advanced Persistent Threats.
The Onion Model
The Onion Model above depicts the layered defense or defense-in-depth strategy. It implements a variety of categories of safeguards or security controls in series and integrates people, process, and technology (PPT) or personnel, operations, and technology (POT) capabilities across the organization to enforce security.