Security through obscurity can be your downfall. If you do not understand your security, how do you know it will protect you? How can you think of ways to test your security if you do not know what you are attacking?
[h2_heading]What is security through obscurity?[/h2_heading]
To put it bluntly, security through obscurity is evil. It is the false hope that your security is solid, impenetrable even. The phrase itself means that no one inside the business understands what the security model is, so they believe that no one else will be able to figure it out either, which somehow should make it secure. Do you want to place that bet? Do you really want someone to brute force their way to find a chink in your armour?
It is not a principle that people deliberately implement; rather, it is a description of how a security model ends up looking. If you do not understand how your security is set up, or why it has been set up in a particular way, this can leave you vulnerable to attack. Finding ways around security is relatively trivial. There are many tools to do it for you, but breaking security is a process and as such it just takes time. An attacker first has to understand what is in place in order to craft an attack that achieves their goal of gaining access or stealing data.
Security should be simple; there is divinity in simplicity. It should be understandable: if you do not know how it works, then you will not know how it will fail. It should be in depth. You need one security strategy, but you need multiple levels of security to protect your business and your data. These levels, the depth, at the very least make it take longer to bypass. If you are too hard a target, you will dissuade the ones looking for an easy payday.
Half of the job of creating and protecting systems is trying to break them. It is much better that you break your system and create a fix prior to going live than letting someone else enter and leave with your data. This is why all of the large tech companies offer ‘prizes’ for finding hacks to their systems. Even if they have 500 security researchers on staff, they know that this cannot compete with 5 million potential experts taking a peek.
A few tips:
- Design your security model
- Use multiple levels of defence
- Regularly test your own defences