Security Through Obscurity
I wanted to respond to Don Ulsch's comment about "security through obscurity" (EC Does IT, Nov. 2000, /nov2000/ecdoesit.htm). As worded, Ulsch seems to say that (1) security professionals are against security through obscurity, and (2) in the face of threats, it's wrong to assume an attack will be made against someone else before you.
Regarding #1, surely there is nothing wrong with security through obscurity. Keeping secret keys secret is an excellent example of this, and we count on it for much of the crypto-based security on the Internet. What many security professionals rail against is depending completely, totally and only on security through obscurity, and doing so forever.
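The distinction drawn above, between keeping a key secret and keeping the whole mechanism secret, can be shown in a few lines. The following is an added example written for this page, not code from the letter or the magazine; the message, the hard-coded prefix and the key sizes are constructed for illustration. Scheme A's only secret is a prefix baked into the program: once the source is disclosed, anyone can compute a valid tag for any message, and there is nothing to rotate short of rewriting the code. Scheme B uses a public algorithm (HMAC-SHA256) with a secret key: disclosure of the algorithm costs nothing, a tag cannot be computed without the key, and rotating the key invalidates old tags while the code stays the same.

```python
import hashlib
import hmac
import secrets

# Constructed sample message (not from the letter).
MESSAGE = b"transfer 100 to account 42"

# Scheme A: "obscurity only". The only secret is the mechanism itself,
# represented here by a hidden prefix hard-coded in the program.
_HIDDEN_PREFIX = b"internal-magic-v1"  # constructed placeholder secret living in the code


def obscure_tag(message: bytes) -> str:
    """Integrity tag whose security rests entirely on nobody knowing the algorithm."""
    return hashlib.sha256(_HIDDEN_PREFIX + message).hexdigest()


def verify_obscure(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(obscure_tag(message), tag)


# Scheme B: public algorithm, secret key. Only the key needs protecting,
# and it can be replaced without touching the code.
def new_key() -> bytes:
    return secrets.token_bytes(32)


def keyed_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 over the message; the algorithm may be published freely."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_keyed(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, message), tag)


def compare_schemes() -> dict:
    """Return what each scheme still guarantees once its algorithm is known."""
    # Scheme A: with the source in hand, a valid tag for a different message
    # is just a function call; no secret remains once the code is read.
    other = b"transfer 1000000 to account 42"
    a_still_secure = not verify_obscure(other, obscure_tag(other))

    # Scheme B: same public algorithm for everyone; the key alone decides
    # whether a tag verifies, and rotating it retires all older tags.
    key1 = new_key()
    tag1 = keyed_tag(key1, MESSAGE)
    key2 = new_key()
    return {
        "obscurity_secure_after_disclosure": a_still_secure,
        "keyed_valid_with_key": verify_keyed(key1, MESSAGE, tag1),
        "keyed_rejects_wrong_key": not verify_keyed(b"\x00" * 32, MESSAGE, tag1),
        "keyed_rejects_after_rotation": not verify_keyed(key2, MESSAGE, tag1),
    }


if __name__ == "__main__":
    for name, holds in compare_schemes().items():
        print(f"{name}: {holds}")
```

The point is not that obscurity is worthless (the hidden prefix does slow down someone who has not read the code) but that it is the only protection scheme A has and it cannot be renewed; scheme B keeps the secret in a key that can be kept, rotated and revoked independently of the published mechanism.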
Regarding #2, one might call this the "size of the target rule." It's true that if you are a small or insignificant target, your worries should be less than if you are a large, significant one. Both of these "truths" taken together should give the responsible security manager breathing room.
Ulsch's point here is incredibly important, and should not be lost. Many enterprises (not merely security managers, because often their warnings go unheeded) are terrible at re-evaluating their risks as time passes. "We didn't get broken into yesterday, so we probably won't today" often is true in the short run, but disintegrates over time. Also, most enterprises (certainly in the United States, but maybe it's a global truth) have a very low view of the size their "target" represents. It's as if most of the companies in the world have useless products or provide worthless services.
If a company has customers or clients, it will also have enemies. The size of the target is directly proportional to the risk of attack. If only these companies didn't have such a low opinion of their worth...
As always, I enjoy the magazine and always find something to further educate me and make me think.
Avolio Consulting Inc.