Security Through Obscurity

I wanted to respond to Don Ulsch's comment about "security through obscurity" (EC Does IT, Nov. 2000, /nov2000/ecdoesit.htm). As worded, Ulsch's comment seems to say that (1) security professionals are against security through obscurity, and (2) in the face of threats, it's wrong to assume an attack will be made against someone else before you.

Regarding #1, surely there is nothing wrong with security through obscurity. Keeping secret keys secret is an excellent example of this, and we count on it for much of the crypto-based security on the Internet. What many security professionals rail against is depending completely, totally and only on security through obscurity, and doing so forever.

Regarding #2, one might call this the "size of the target rule." It's true that if you are a small or insignificant target, your worries should be less than if you are a large, significant one. Both of these "truths" taken together should give the responsible security manager breathing room.

Ulsch's point here is incredibly important, and should not be lost. Many enterprises (not merely security managers, because often their warnings go unheeded) are terrible at re-evaluating their risks as time passes. "We didn't get broken into yesterday, so we probably won't today" often is true in the short run, but disintegrates over time. Also, most enterprises (certainly in the United States, but maybe it's a global truth) have a very low view of the size their "target" represents. It's as if most of the companies in the world have useless products or provide worthless services.

If a company has customers or clients, it will also have enemies. The size of the target is directly proportional to the risk of attack. If only these companies didn't have such a low opinion of their worth....

As always, I enjoy the magazine and always find something to further educate me and make me think.

Fred Avolio
Avolio Consulting Inc.