This Infoworld column illustrates something I’ve talked about before, but have never given a name. I’ll start calling it the “Everyone is a security expert” syndrome. I’ve alluded to it in the following blog entries:
In the above-cited column, Roger A. Grimes, makes the declaration, “Security by obscurity: It works!” and states:
Almost every computer security “expert” alive repeats the mantra that security by obscurity is no security at all, despite overwhelming evidence to the contrary. I propose that it should be a valid part of any computer defense plan, and in fact, can be one of your best defenses.Before writing angry hate mail to your new security columnist, let me explain further. First, I did’t say security by obscurity was the only defense technique someone should use. I didn’t even say it was real security, but I am saying that it should be an important part of most computer defense strategies.
I read that and shook my head in dismay. Not because he is wrong. But, because he thinks this is a new idea. Except that none—no not one—of the computer and network security experts I know would or have ever said that. It is an often misstated security axiom (I list as a “bogon” in my list of security axioms), that is more correctly stated, that depending or relying soley on obscurity for security is misguided and gives a sense of security that is false. I say this in a February 2001 Letter to the Editor of Information Security Magazine, wherein I say in part
…surely there is nothing wrong with security through obscurity. Keeping secret keys secret is an excellent example of this, and we count on it for much of the crypto-based security on the Internet. What many security professionals rail against is depending completely, totally and only on security through obscurity, and doing so forever.
And in a 2001 column I wrote for WatchGuard Technologies, I wrote, “Though ‘security through obscurity’ is unwise as a sole defense, there is absolutely nothing wrong with making it harder for an attacker to attack.”
Even in early 1994, in an early firewall paper with Marcus Ranum, A Network Perimeter With Secure External Access, we wrote, “Security through obscurity is counter-productive. Easy-to-understand measures are more likely to be sound, and are easier to administer.”
And Bruce Schneier, in his May 15, 2002 Crypto-Gram Newsletter, writes about “Secrecy, Security, and Obscurity.”
So, Mr. Grimes, welcome aboard, and thanks for helping the security community to get this important message out. But, I am concerned. Your by-line would lead one to believe that you are the new “Security Advisor” columnist. How come you are just getting this?
You’re dogging my security by obscurity works rant InfoWorld column wondering why it took me so long to think of it??I’ve been in the field of computer security for 20 years. Its not a new idea to me. Just because I put it in a column now and then, doesnt mean its new to me. It’s just the topic of the day, something that came into my mind.
And contrary to what you imply, 99% of security experts constantly repeat over and over to students that security by obscurity doesnt work. I had dozens of security experts write me and tell how wrong I am. So, it doesnt hurt to remind the masses, from time to time, that it actually does have value.
Roger
Roger A. Grimes, Eastern Data Inc., Director of IT Security
CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH