A Clear Understanding of "Security through Obscurity"
As security professionals, many of us try to teach a few simple lessons to help system administrators become more security-conscious. In this article I'll talk about how obscurity can aid security and, hopefully, clear up some misconceptions along the way.
Obscurity: What Do We Really Mean?
First, what does the security professional mean by bad "security through obscurity"? We really mean "security implemented solely through obscurity." This describes the state where your entire method of security rests on hoping that the attacker doesn't know something about the setup of your network, computer or program.

Let's say that you put your company's secrets on an internal web server, with no password protection on the pages. Instead of relying on passwords or another acceptable method of access control, you're relying on something different: you're assuming that no one will know about that web server. Yet anyone with some network discovery tools (like Cheops, firewalk, snmpwalk and nmap) can find just about every web server on your network. The problem is that you've used the obscurity of the data's location as your sole method of access control. This just doesn't work. While some attackers will never expend the effort to find that web server, many others can and will, and those will obtain access to information that you wanted to keep from them.

Other examples abound. You may think that you're running an obscure UNIX-based web server that no one would dream of breaking into, but your obscurity is no protection in an era when thousands of malicious hackers have access to powerful network scanning tools that can discover your system and its vulnerabilities. You may think that you're hiding critical data by burying it several directories deep, but you'd be wrong given the powerful search facilities built into UNIX; a single find command walks the whole tree. A software or hardware vendor might realize that a hole exists in their offering but ship it anyway, thinking that no one will find it. These kinds of holes are discovered all the time. At best, security through obscurity can provide temporary protection. But never be lulled by it: with modest effort and time, secrets can be discovered. As Deep Throat points out on The X-Files: "There's always someone watching."
The Error of Using Obscurity for Access Control
Obscurity just doesn't work as a method of access control. Someone will find almost anything by querying your peer machines, your routers and the target machines themselves. They'll run all manner of active scanners and passive sniffers. They'll even launch "social engineering" attacks, where they trick your users into giving them the information they need, usually by impersonating someone who should normally have access to that information. Since an attacker can often obtain or guess the information that we're obscuring, especially if it is as simple as the listening port of our web server process, we're not implementing decent security. This is what we mean by "security implemented solely through obscurity is bad."
Is Obscurity Ever Good?
Now, suppose you put a good password or some method of strong authentication on your company secrets website. You even make sure to put the site on an SSL server. Perhaps you even go the extra mile and authenticate people with client-side certificates. Let's suppose that you have fairly reasonable protection for your information. Now we've got decent access control.
At this point, is there any harm in hiding the name of the machine and the port number the server is running on? Really, stop and think about this. Does it hurt your site security at all? No, it really doesn't. Your good access control, in the form of strong authentication, is still present. All we've done is make the server slightly harder to find. So long as you understand that the server location and port number can't serve as a method of authentication, you haven't harmed your security in the slightest.
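To make the distinction concrete, here is an added example (not from the original article) of the two states described above, written as Apache httpd 2.4 configuration. The first virtual host is the internal secrets server from earlier, protected by nothing but its unadvertised location. The second carries real access control, namely TLS, a client certificate check against the company CA and a password file, and additionally sits on port 253. The hostname, file paths and port number are assumptions chosen for illustration.

```apache
# Weak: nothing but the fact that the host is unadvertised stands between
# the attacker and the pages. Any scanner that finds port 80 gets the data.
<VirtualHost *:80>
    ServerName secrets.internal.example   # hypothetical hostname
    DocumentRoot /var/www/secrets         # hypothetical path
    <Directory /var/www/secrets>
        Require all granted
    </Directory>
</VirtualHost>

# Hardened: the access control is TLS plus a client certificate plus a
# password. The non-default port is a bonus on top, not the control itself.
Listen 253
<VirtualHost *:253>
    ServerName secrets.internal.example
    DocumentRoot /var/www/secrets
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/secrets.crt      # hypothetical paths
    SSLCertificateKeyFile /etc/ssl/private/secrets.key
    SSLCACertificateFile  /etc/ssl/certs/company-ca.crt
    SSLVerifyClient require          # client must present a cert signed by the CA above
    SSLVerifyDepth 1
    <Directory /var/www/secrets>
        AuthType Basic
        AuthName "Company secrets"
        AuthUserFile /etc/httpd/secrets.htpasswd   # hypothetical path
        Require valid-user
    </Directory>
</VirtualHost>
```

If an attacker does find port 253, SSLVerifyClient and Require valid-user still stand between him and the data. Remove either of those and you are back to the first block with a different port number, which is exactly the "solely through obscurity" state the article warns against.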
Obscurity: Forces an Attacker to Be Less Stealthy
Let's think about what we'd see if we were monitoring the web server's network connection. In the case where we put our web server on the common port, port 80, our attacker's information probe ("what version of IIS (Internet Information Services) are you running?") looks, in our firewall/router logs, like every other web request coming into the machine. Our attacker knows this and is quite happy, because he has little chance of being observed while doing his information probe.

Well, what about the case where we put our web server on port 253? Now our attacker generally has to scan a whole lot of ports on the target to find it. Instead of making a single quiet query against port 80, he has to throw at least one packet at many ports on the target to find the open ones, then connect to each of the open ones until he finds the one running the web server. His attack just got a whole lot "louder." Many port scan detectors, including Bastille Linux developer Mike Rash's upcoming Port Scan Detector, watch for a client that throws packets at our machine on a number of different ports. When they see enough different destination ports from a single source machine in a set period of time, they alert. So we've got a much better shot at noticing the scan (or the attack) if the attacker has to go through some pain to find his target.

There, then, is another advantage of using obscurity. By obscuring something about our environment, we force an attacker to go through more effort to learn that information before he can execute his attack, and that gives us a better chance of observing him. However, don't get complacent. He can still find our server, and it might not even take much extra effort if he guesses well or limits his scan to commonly used ports. We still might not observe him if we have no procedures or technology set up to do the observing. But we have gained something. What else did we gain from this little bit of obscurity?
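The detection logic described above, as an added example that is not part of the original article and not Mike Rash's detector: a sliding-window counter of distinct destination ports per source address, run over a constructed firewall log. The log format (timestamp, source, destination, destination port) and the addresses are made up for the example. It contains the quiet attacker who only ever talks to port 80, the loud attacker who sweeps ten ports in ten seconds looking for our server on port 253, and a slow scanner who spaces his probes ten minutes apart to stay under a short window, which illustrates the caveat that we still might not observe him.

```python
"""Port-scan detection over constructed firewall log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not captured from any real device.
# Fields: ISO timestamp, source IP, destination IP, destination port.
#   192.0.2.10   - quiet attacker: probes only port 80, indistinguishable from a browser
#   198.51.100.7 - loud attacker: sweeps ten ports in ten seconds to find the server on 253
#   192.0.2.50   - slow scanner: one port every ten minutes
SAMPLE_LOG = """\
2000-06-01T10:00:00 192.0.2.10 203.0.113.5 80
2000-06-01T10:00:01 192.0.2.10 203.0.113.5 80
2000-06-01T10:00:02 198.51.100.7 203.0.113.5 21
2000-06-01T10:00:03 198.51.100.7 203.0.113.5 22
2000-06-01T10:00:04 198.51.100.7 203.0.113.5 23
2000-06-01T10:00:05 192.0.2.10 203.0.113.5 80
2000-06-01T10:00:05 198.51.100.7 203.0.113.5 25
2000-06-01T10:00:06 198.51.100.7 203.0.113.5 53
2000-06-01T10:00:07 198.51.100.7 203.0.113.5 80
2000-06-01T10:00:08 198.51.100.7 203.0.113.5 110
2000-06-01T10:00:09 198.51.100.7 203.0.113.5 111
2000-06-01T10:00:10 198.51.100.7 203.0.113.5 143
2000-06-01T10:00:11 198.51.100.7 203.0.113.5 253
2000-06-01T10:10:00 192.0.2.50 203.0.113.5 21
2000-06-01T10:20:00 192.0.2.50 203.0.113.5 22
2000-06-01T10:30:00 192.0.2.50 203.0.113.5 25
2000-06-01T10:40:00 192.0.2.50 203.0.113.5 80
2000-06-01T10:50:00 192.0.2.50 203.0.113.5 110
2000-06-01T11:00:00 192.0.2.50 203.0.113.5 253
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, dport) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    events.sort(key=lambda e: e[0])
    return events


def events_per_source(text):
    """How many log lines each source generated: the 'loudness' of each attacker."""
    counts = defaultdict(int)
    for _, src, _, _ in parse_log(text):
        counts[src] += 1
    return dict(counts)


def detect_scans(text, threshold=5, window_seconds=60):
    """Flag sources that touch at least `threshold` distinct destination ports
    within any span of `window_seconds`. Returns {src: sorted ports seen in the
    largest window that crossed the threshold}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> deque of (timestamp, dport) inside the window
    alerts = {}
    for ts, src, _, dport in parse_log(text):
        q = recent[src]
        q.append((ts, dport))
        while ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and len(ports) > len(alerts.get(src, ())):
            alerts[src] = sorted(ports)
    return alerts


if __name__ == "__main__":
    print("events per source:", events_per_source(SAMPLE_LOG))
    print("alerts, 60 s window:", detect_scans(SAMPLE_LOG))
    print("alerts, 1 h window: ", detect_scans(SAMPLE_LOG, window_seconds=3600))
```

With the default 60-second window only 198.51.100.7 is reported; the quiet attacker never trips the detector because three requests to port 80 are exactly what legitimate traffic looks like, and the slow scanner never has more than one port inside the window. Widening the window to an hour catches the slow scanner too, at the cost of more state per source and more false positives from chatty legitimate hosts; that trade-off, not the obscure port itself, is what determines whether you actually observe him.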
Obscurity: Potentially Slows Down the Attacker
Remember how, in the last example, our attacker had to scan a lot more ports to find out which ones were open, and then had to connect to each open port until he found the web server? Well, if you've ever run a port scanner, you know that this slows things down significantly. It is especially costly when the attacker is scanning every machine in your domain, as he has to generate a whole lot more queries and wait for a whole lot more responses just to find his server. To get a ballpark feeling for this, think about a domain of 200 machines. Normally, with the web server on port 80, he'd make about 50 to 200 queries to find it, with a worst case of 200 (one per machine). Suppose instead that he's scanning 1,000 ports on each machine, looking for open ones: that's 50,000 to 200,000 queries, with a worst case of 200,000. Actually, it's worse than that! If he is thorough and checks all 65,535 possible ports on each machine, the worst case is 200 x 65,535, around 13 million queries. That's pretty darned good for slowing him down, and it makes his target scan pretty loud.

So we've seen how obscurity can help slow an attacker down, how additional obscurity can repel many inexperienced attackers (especially those with low-grade tools), and how a little obscurity can force an attacker to be a lot less sneaky. All of this combines for some real advantages. Please, before dismissing a measure simply because it employs or increases obscurity, stop to examine its real effects in common scenarios against different classes of attacker. You'll find there are many situations where a little obscurity can definitely help out. But be careful: with enough determination and effort an attacker can still get past obscurity, so it must sit on top of real access control, never in place of it.