Security Through Obscurity (STO) is a controversial topic within the infosec community. It is commonly based on the premise that the secrecy of specific details or functions of a system can ensure security. As such, many cybersecurity professionals frown on the idea of implementing security through obscurity because it is a "bad" practice. Basing their conclusion on the premise just mentioned, they aren't wrong; however, that's only half the picture. Let's explore this concept in its entirety to expose the good, the bad, and the ugly.
What Exactly is Security Through Obscurity (STO)?
Simply put, Security Through Obscurity relies primarily on hiding vital information and enforcing secrecy as the main security technique. Generally, when implementing STO, it is assumed that as long as attackers lack information about the system's internal design, they will not find its vulnerabilities. While the assumption is not entirely inaccurate, there are a few things you should take into consideration.
Security Through Obscurity: The Good
Used along with other security mechanisms, such as TCP Wrappers, proper firewalling, IP-based restrictions, and 2FA, Security Through Obscurity can be a very efficient way to reduce the chances of an attack. How? Well, for starters, it slows one of the most critical phases of the hacking methodology: reconnaissance.
Reconnaissance, or recon for short, is the phase of the hacking methodology in which the attacker sets out to learn as much as possible about the target system in order to launch an effective attack.
Implementing STO slows this process down, potentially deterring non-APT attackers from following through with an attack. Information such as banners, default configuration settings, and default system responses is hidden or altered under STO to throw attackers off.
For example, you might remove banner information such as the web server version number (e.g., nginx 1.6.1) or the name and version of the software running on the web server (e.g., WordPress 5.6). Another example is changing the default ports of services such as SSH. SSH is known to run on port 22, but what if you change that port to 65822? Again, bear in mind that these tactics might only slow the recon and exploitation phases, so beware of the bad and the ugly.
Coupled with your intrusion detection and prevention systems (IDS/IPS), STO techniques can allow for early detection of ongoing attacks. How? Suppose an attacker decides to skip the recon phase because so little information is available and instead executes a Hail Mary attack. In that case, the attacker loses their stealth, and you'll know an attack is underway.
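As an added illustration (not part of the original post), here is a small detector run over constructed firewall log lines. It flags exactly the noisy behaviour the post says obscurity forces into the open: a source that sweeps many ports in a short window, or one that knocks on the old default SSH port after the service was moved. The log format is loosely iptables-style and the move of SSH from port 22 to 2222 is an assumption for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (loosely iptables-style); assumes SSH was moved from 22 to 2222.
SAMPLE_LOG = """\
2024-03-01T10:00:01 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=21
2024-03-01T10:00:01 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=22
2024-03-01T10:00:02 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=23
2024-03-01T10:00:02 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=25
2024-03-01T10:00:03 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=80
2024-03-01T10:00:03 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=110
2024-03-01T10:00:04 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=443
2024-03-01T10:00:04 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=445
2024-03-01T10:00:05 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=3389
2024-03-01T10:00:05 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=8080
2024-03-01T10:02:00 DROP SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP DPT=22
2024-03-01T10:05:00 ACCEPT SRC=192.0.2.5 DST=198.51.100.10 PROTO=TCP DPT=2222
"""
LINE_RE = re.compile(r"^(\S+) \S+ SRC=(\S+) .*?DPT=(\d+)")
RETIRED_DEFAULT_PORTS = {22: "ssh"}  # services deliberately moved off their well-known port

def parse(log_text):
    # Yield (timestamp, src, dport) for each well-formed line; skip anything else.
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dport = m.groups()
            yield datetime.fromisoformat(ts), src, int(dport)

def detect(log_text, window_seconds=60, port_threshold=10):
    """Return {src: [findings]} for sources whose traffic looks like recon was skipped."""
    events = defaultdict(list)
    for ts, src, dport in parse(log_text):
        events[src].append((ts, dport))
    findings = defaultdict(list)
    for src, evs in events.items():
        evs.sort()
        start, best = 0, 0  # sliding window: most distinct ports hit within window_seconds
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({d for _, d in evs[start:end + 1]}))
        if best >= port_threshold:
            findings[src].append(f"port sweep: {best} distinct ports within {window_seconds}s")
        # Any hit on a retired default port is high-signal: nothing legitimate lives there.
        probed = sorted({d for _, d in evs if d in RETIRED_DEFAULT_PORTS})
        if probed:
            findings[src].append(f"probe of retired default port(s) {probed}")
    return dict(findings)
```

The legitimate client on 192.0.2.5 produces no finding, while the sweeping host is reported twice and the single knock on port 22 from 198.51.100.77 is still surfaced on its own.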
Security Through Obscurity: The Bad
STO is only useful as an additional layer of defense. Relying solely on STO to protect your assets is a bad idea: STO is not effective against blind attacks or APTs.
Let me repeat it for the people in the back. Relying solely on Security Through Obscurity as a security mechanism is a BAD idea.
Security Through Obscurity: The Ugly
Some professionals would argue that using STO as your only layer of defense puts you at HIGH risk because you essentially have zero protection, and in today's climate that isn't bad; that's ugly.
When cybersecurity professionals criticize STO, the real concern is security implemented solely through obscurity: a state where the only protection mechanism involved is hiding critical details or functions of an asset.
STO can slow reconnaissance activity and force the attacker into actions that can no longer be stealthy, resulting in increased exposure. Obscurity measures can complement security, and as long as they are not employed in complete isolation, they can be considered another powerful tool for providing defense in depth.