Security through Obscurity

“Security through obscurity”, or the belief that a system was secure so long as nobody outside of the user group knew about it, is a hope — not a strategy.
Written by Richard Beals, Data Security Leader

Back in the day, I was managing Internet-facing systems for a major communications company. Internet-facing systems were still not “everywhere and always” and best practices for managing such systems were still evolving. 

But even back then “security through obscurity”, or the belief that a system was secure so long as nobody outside of the user group knew about it, was known to be a bad idea. Yet there were often public-facing areas in most organizations where a reduced level of security was deemed acceptable. One such item was the anonymous FTP site. After all, we had a great deal of content that we wanted the public to access, and we didn’t want to encumber them with a credentialed authentication and authorization process. Furthermore, we had technical documents we wished to share with customers for which the risk of delivery to an unauthorized person was quite low. After all, the documents in question were widely distributed, and we could safely assume the competition had copies already.

With that in mind, the public FTP site was set up to permit anonymous access as noted above. If we needed to transmit a sensitive file, we had the option of creating a temporary login for the customer in question and locking down the path to just that set of credentials. Along the way, internal staff had been granted a blind directory mechanism that permitted them to connect, create a directory with an obscure name, and put files there for someone else to pick up. The files could be retrieved but no one could list the content of the directory. With minimal support requirements, everyone was happy. 

But (you knew it was coming) … 

The ability to create a directory without authentication meant that people with no affiliation with the company now had a distribution mechanism that was both free and supported by a corporation with global resources. As you’ll be shocked to learn, we found that we were now hosting content that was unlawful, embarrassing, and against company policy. 

The repair included the usual “deploy the latest versions, apply patches” approach, with modifications to the authentication and authorization configuration. It also involved a modest increase in hands-on support from the infrastructure team that, of course, was me at the time. 
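To make the two configurations concrete, here is the arrangement described above expressed as vsftpd server configuration. This is an added illustration, not a configuration from the original post; vsftpd itself, the /var/ftp path and the specific directives chosen are assumptions about how such a site would have been built. The first file reproduces the blind-directory setup, where anonymous users can create directories and upload into them; the second denies anonymous users everything that is not explicitly permitted and moves write access to named, confined accounts.

```ini
# === /etc/vsftpd.conf, "blind directory" era (assumed original setup) ===
# vsftpd reads one directive per line and does not accept trailing
# comments, so every comment sits on its own line.
listen=YES
anonymous_enable=YES
anon_root=/var/ftp
write_enable=YES
# Anonymous users may upload files ...
anon_upload_enable=YES
# ... and create directories. Nothing here distinguishes staff from an
# outsider: anyone can MKD an unguessable name and use it as a drop box.
anon_mkdir_write_enable=YES
anon_other_write_enable=NO
# The "cannot list it" property lives only in the filesystem permissions
# of each obscure directory, not in any directive: the name is the secret.

# === /etc/vsftpd.conf, deny-by-default replacement ===
listen=YES
# Public read-only downloads keep working.
anonymous_enable=YES
anon_root=/var/ftp
# Anonymous: no STOR, no MKD, no DELE/RNFR, and only world-readable files.
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
anon_world_readable_only=YES
# Sensitive transfers use a real, temporary account confined to its own path.
local_enable=YES
write_enable=YES
chroot_local_user=YES
# vsftpd refuses a chroot whose root is writable, so the account's home stays
# read-only and its upload area is a writable subdirectory beneath it.
allow_writeable_chroot=NO
local_umask=077
```

Nothing in the second file relies on a name being unguessable; an anonymous client that tries MKD or STOR is refused by policy, and the only way to write is through credentials the team issued and can revoke.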

Lessons we can take away from this:

  • We’re not as good at hiding things as we think we are
  • In an anonymous context, we must always deny everything that’s not permitted, rather than permitting everything that’s not denied

In other words, “security through obscurity” is an oxymoron.
