Security & Obscurity


  • Daniel Miessler has a great post on Security & Obscurity here. As I’ve been saying in training, if obscurity has no worth as a control, then we might as well paint our troops neon pink. Or we might as well say that encryption is useless.

    Some things to think about as you read Daniel’s post:

    1.)  Regular readers will note that we believe controls basically give us some value to prevent/detect/respond to loss events.  What we haven’t revealed is that obscurity (or other controls that prevent the probability of threat events) is one preventative measure that actually, in our models, seems to have a boatload of value.  Yes, boatload is the qualitative label we use :)

    2.)  Obscurity, when used in its most axiomatic context, almost always references either a “fragile” and/or “unstable” risk situation:

    A Fragile risk situation is when we have a single point of failure in our controls that is all that separates us from a loss.

    An Unstable risk situation is when, due to a lack of controls, we are relying on a low Threat Event Frequency to prevent loss.

    Those with training should recall that these risk modifiers, so far, seem to drive us from probable loss magnitude towards a worst case loss magnitude. Or, as Daniel puts it: it’s game over.

    3.)  Because it’s Unstable, the factors that comprise “probability of action” are very important for us to examine. You’ll recall that probability of action is driven by the threat agent’s perceived Value, Level of Effort, and Risk. Obscurity, once discovered (say, in the use of encryption to protect data), then has everything to do with the level of effort required to drive threat action. Successful threat action then becomes a successful Loss Event when we are vulnerable (the skills and resources of the attacker can overcome the strength of our control).

    The point is that there is an interplay between the existence of controls and the probability of action, but it is seen from the perception of the attacker. And to me, those controls that work to prevent threat action by lowering the probability of action are extremely under-appreciated, if only because (outside of FAIR) their value isn’t as easily demonstrable.
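To make the interplay concrete, here is an added toy model (not the post's own code, and not the FAIR standard's arithmetic) that wires the three "probability of action" factors, control strength versus threat capability, and the fragile/unstable flags into a few functions; the scenario values and the formulas are constructed assumptions.

```python
from dataclasses import dataclass, field, replace
from typing import List
# Constructed toy model of the post's factors; the arithmetic is a hypothetical
# simplification, not the FAIR standard's own calculation.
@dataclass
class Control:
    name: str
    strength: float  # probability the control holds against a capable attacker (0..1)
@dataclass
class Scenario:
    contact_freq: float       # threat contacts per year (e.g. scans reaching the port)
    p_value: float            # attacker's perceived value of acting (0..1)
    p_effort: float           # attacker's perceived level of effort (0..1)
    p_risk: float             # attacker's perceived risk to themselves (0..1)
    threat_capability: float  # skills and resources of the attacker (0..1)
    controls: List[Control] = field(default_factory=list)

def probability_of_action(s: Scenario) -> float:
    # The attacker acts when perceived value outweighs perceived effort and risk.
    return s.p_value * (1.0 - s.p_effort) * (1.0 - s.p_risk)

def threat_event_frequency(s: Scenario) -> float:
    return s.contact_freq * probability_of_action(s)

def vulnerability(s: Scenario) -> float:
    # Loss requires every control to fail; each fails with probability
    # capability * (1 - strength). No controls at all means certain loss.
    v = 1.0
    for c in s.controls:
        v *= s.threat_capability * (1.0 - c.strength)
    return v

def loss_event_frequency(s: Scenario) -> float:
    return threat_event_frequency(s) * vulnerability(s)

def risk_modifiers(s: Scenario) -> List[str]:
    """Flag the two situations the post defines: fragile and unstable."""
    flags = []
    if len(s.controls) == 1:
        flags.append("fragile")   # a single point of failure separates us from loss
    if vulnerability(s) >= 0.5 and threat_event_frequency(s) < 1.0:
        flags.append("unstable")  # only a low TEF, not controls, is preventing loss
    return flags
def obscurity_discovered(s: Scenario) -> Scenario:
    # Once the obscure detail is known, perceived effort collapses; controls and
    # vulnerability are unchanged, only the threat event frequency moves.
    return replace(s, p_effort=0.1)
# Constructed scenario: SSH on a non-standard port, password auth as sole control.
SSH_OBSCURE_PORT = Scenario(contact_freq=1000, p_value=0.5, p_effort=0.8, p_risk=0.2,
                            threat_capability=0.6, controls=[Control("password auth", 0.5)])
```

Run `risk_modifiers(SSH_OBSCURE_PORT)` and compare `loss_event_frequency` before and after `obscurity_discovered` to see the post's claim in numbers: the obscure port lowers threat event frequency, never vulnerability, and the lone control makes the situation fragile.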


  • 8 comments

    1. Chandler Howell Jan 17

      Since you mentioned troops, I’ll point out that when it comes to tactical site selection, one of the first concepts that is introduced to troops is the difference between “cover” (something that protects you from incoming fire) and “concealment” (something that keeps the enemy from detecting you). There are many sub-categories of both (overhead cover, direct fire cover, indirect fire cover, aerial concealment, long-range concealment, thermal concealment, etc. ad nauseam) and if their characteristics are understood, they can all be useful in different ways.

      Concealment reduces risk of detection, but that’s it. Cover reduces risk of injury or death and may either improve or decrease concealment. A fighting position, for example, conceals, but also may produce lots of highly visible piles of dirt, unless explicit steps are taken to conceal the dirt.

      We used to have a semi-sarcastic saying, “Grass is not cover,” because during training exercises people would sometimes attempt to take “cover” in high grass–they were confusing obscurity (concealment) with security (cover).

      That difference really comes into play once the shooting starts.

      As with any other risk management activity, understanding how controls interact with the environment they are deployed in will often make or break the success of the endeavour.

      Lastly, there may be external value beyond the immediate benefit of not having neon-uniformed troops, but that’s getting beyond the scope.

    2. Alex Jan 18

      “Lastly, there may be external value beyond the immediate benefit of not having neon-uniformed troops, but that’s getting beyond the scope.”

      There is that, isn’t there. Well, actually, in FAIR we do try to account for Reputation damage…
      :)

      I like using the categories. Taxonomies have a warm place in my heart, as you know.

    3. LonerVamp Jan 18

      Wholeheartedly agree. I really get peeved to see IT pros trumpet out “security through obscurity is worthless!” while wagging a finger without really thinking about what they’re saying (and often sounding stupid in the process). It does have value.

      A common one is SSH services. Changing to port 14534 for SSH won’t make the SSH service itself any more secure (it still has the same vulnerabilities), but it can have value in reducing the probability of being attacked (demonstrated by anyone who logs such attacks against SSH listeners).

      By my count, that still has value to me. Obscurity alone won’t help me, but it certainly can augment my overall stance.

      And yes, aren’t passwords also a form of obscurity? :)

    4. Walter Jan 18

      I don’t equate encryption with obscurity myself. As an example, if you google on my name, you’ll find almost 3/4 million results. If you take the time to search through them all, you’ll find me. With a good crypto system, where neither the key nor the algorithm are known, you may never decrypt. Even with the best supercomputers. Using obscurity, you are guaranteed to find what you’re looking for if you just look hard enough. Not so with encryption. Even if you’re the NSA.

    5. Jack Jan 19

      I agree that encryption is probably not an ideal example of obscurity as a security measure. Steganography, yes, but not encryption. I view encryption as a layer of authentication/authorization control.

    1. Not Bad For a Cubicle » Blog Archive » boatloads of yellow…it must be Friday
    2. Not Bad For a Cubicle » Blog Archive » Obscurity
    3. Liquidmatrix Security Digest » Security Briefing: January 23rd
