Friday, September 05, 2008

Spaf on Security Through Obscurity

For a few years now, I've been suspicious of folks that are quick to label something as "security through obscurity."

Not only has this become a robotic cliche (the only one I hate that is worse is so-and-so provides a "false sense of security"), obscurity often does provide you security (or at least reduces risk), so I was pleased to see some sanity from Spaf:

However, the usual intent behind the current use of the phrase “security through obscurity” is not correct. One goal of securing a system is to increase the work factor for the opponent, with a secondary goal of increasing the likelihood of detecting when an attack is undertaken. By that definition, obscurity and secrecy do provide some security because they increase the work factor an opponent must expend to successfully attack your system. The obscurity may also help expose an attacker because it will require some probing to penetrate the obscurity, thus allowing some instrumentation and advanced warning.
