Security through obscurity, fact or fallacy?

by Andrew Stewart

22 July 2021

I remember about eight years ago, early in my days in the security community, at one of the events we used to attend long before the coronavirus cancelled them all on us, I heard the saying ‘Security through obscurity’. I was unaware of the statement’s significance or how this adage has shaped the mindsets of some security professionals today. I think it's something we need to explore.

In my role as a Security Consultant, I see that the real value I can add in the security industry lies in understanding what my clients' real needs are and helping them to achieve these. However, I often see that narratives and mindsets can seem to really influence the type of cybersecurity architecture organizations adopt. Let's face it, if they didn't, what really does?

As subjective as the statement ‘Security through obscurity’ is, when looking at how this concept has been applied in practice, what I have observed among industry professionals is the practice of placing as many different hurdles (products) from differing vendors as possible throughout the entire cybersecurity architecture. Essentially, what this points to is the assumption that the more diversity of vendors and products throughout the entire cybersecurity architecture, the better. On the surface this may seem logical, but is it? What are the trade-offs, and what are the real outcomes that this 'obscure' approach gives us? Let's explore further.

Firstly, what I can say is that the organizations I talk to nowadays are more often looking to consolidate parts of their cybersecurity architecture to essentially simplify things: to eliminate overlaps within the cybersecurity architecture itself, to reduce the number of vendors they have to constantly deal with, and to scale down the amount of noise in the environment.

Secondly, from my perspective, having shared threat intelligence across your entire cybersecurity architecture can only provide better defence capabilities, as opposed to having siloed products from different vendors, sprawled across the cybersecurity architecture, that offer no intercommunication capability. For example, let's take a scenario: if I have a modern firewall and an anti-virus solution from different vendors, and an endpoint in my network is being attacked, would my firewalls really know about the attack taking place? And if they had this capability, could the endpoint have been attacked in the first place? It makes you question how the obscure approach is serving its purpose in really securing an organization's assets, in comparison to a consolidated approach that delivers shared threat intelligence and shared security capabilities across the entire cybersecurity architecture.

Obviously, there are many scenarios we can propose; however, the point I’m making is that the power of security isn’t derived from obscurity alone. It lies in understanding what needs to be protected and identifying the best way to achieve this through people, process and technology. Therefore, what purpose does the ‘Security through obscurity’ adage serve?

Security through obscurity: fact or fallacy? I call fallacy.

If I dare you not to think of a pink elephant, try not to think of a pink elephant! Wherever we put the focus, that’s where the focus will be. The same can be said for ‘Security through obscurity’: because this adage has assumed benefits, it’s commonly adopted as a first and primary principle, as it seems like a logical approach to better secure our assets. However, in practice, from what I’ve observed, this approach leads to a fragmented architecture that presents vulnerabilities and in some cases has an adverse impact on overall cybersecurity operations as a whole.

Therefore, when looking to deliver cyberbreach prevention methodology throughout cybersecurity architecture, we need to look at the bigger picture and identify how we can achieve better outcomes by implementing 21st century thinking and new innovations, instead of falling back on old adages that present us with new problems to solve.

Andrew Stewart

Cybersecurity Consultant at NTT Ltd.