Gus Van Horn blog
Posted April 3, 2018

If you've ever heard someone pooh-poohing "security by obscurity" (but wondered if he knew what he was talking about), Daniel Miessler has some food for thought over at his eponymous blog:

"Many of us are familiar with a concept known as Security by Obscurity. The term has negative connotations within the infosec community -- usually for the wrong reason. There's little debate about whether security by obscurity is bad; this is true because it means the secret being hidden is the key to the entire system's security.

"When added to a system that already has decent controls in place, however, obscurity not only doesn't hurt you but can be a strong addition to an overall security posture." [minor edits]

It had always struck me as strange to hear people disparage obscurity as a security measure, but I never gave it more thought than, "It certainly doesn't hurt, and I'm pretty sure it can help." (That said, I was not making the incorrect assumption that obscurity can carry the whole load, though. Some people do.)

What Miessler does in the rest of his post is walk through the nature of the benefit of obscurity and explain exactly how it helps. For the mathematically inclined, he even reduces this down to a product of conditional probabilities. But the math is easily translated into plain English: Obscurity reduces your odds of being attacked in the first place, but you should avail yourself of ways to reduce the effects of a successful attack, too.

-- CAV