Security through Obscurity Is Old School
There are many things within information security that pundits have been claiming are dead–or should be killed by fire. Passwords are usually found at the center of such discussions. This isn’t a post about passwords, though; it’s a post about honesty and trust. But first, let’s take a look at the other side of the coin.
Security through Obscurity
Security through obscurity has been around since the beginning of time. It’s the misguided belief that as long as people don’t know about a weakness in a system, it won’t be exploited by bad people. Note that this is different from keeping a key or credential secret: a sound design assumes the attacker knows everything about the system except the secret, and stays secure anyway.
I think it’s about time that we lay “security through obscurity” to rest once and for all. Kill it with fire, nuke it from orbit, drive a stake through its heart, do whatever it takes.
To be clear, I don’t believe it’s the security industry that is largely pushing obscurity as a control, but rather it’s a decision that comes from the business and is sometimes enforced by external factors such as auditors.
What I mean by this is that security isn’t about preventing some bad event from happening. Neither is it about ensuring bad people don’t attack you. It’s about minimizing the risk of these events–and that’s what needs to be understood and shared.
Where It Falls Apart
However, much of this goodwill falls apart, and companies revert to obscurity, denial or barefaced lying in a feeble attempt to save face.
For example, a company may prevent passwords from being pasted into its web application. Time and time again we see an exchange on social media which goes a bit like this:
Customer: You don’t let me paste my password, which is inconvenient and stops me from using a password manager and a strong password.
Company’s social media team: We prevented pasting for security. It’s good security to prevent pasting passwords.
Customer: No, it’s not.
Company’s social media team: Yes, it is.
Customer: No, it’s not. And now I’m going to mobilize all my followers to say mean things about you.
Company’s social media team: You’re all wrong. It’s for your own safety.
And this descends into a massive free-for-all, and nothing gets resolved.
Now, maybe the company had good reason to block pasting passwords. Perhaps they were being targeted by a certain attack and this was the easiest way to block it. Even then, a client-side paste block is a weak control: anything that submits credentials to the login endpoint directly never sees the paste handler, while the cost lands squarely on legitimate users with password managers. Simply saying it’s for security doesn’t cut it. Instead, imagine if the conversation went a bit like this:
Customer: You don’t let me paste my password, which is inconvenient and stops me from using a password manager and a strong password.
Company’s social media team: We feel your pain, and we apologize. But we keep getting attacked by x, and to prevent it we disabled pasting passwords. It’s not ideal, but we’re working toward y solution.
Yes, I realize you can never truly satisfy angry security people on Twitter, but this kind of honesty can go a long way.
Internally, the issues get even more complex when trying to adopt an open and honest approach. Soldier of Fortran shared a story on Twitter recounting how auditors were reviewing logs for some appliance that used a default account. Every time the account was used, it wrote