Myth or truism? Security experts judge

They are etched into the conventional wisdom of IT security, but are these 12 articles of faith (to some) actually wise, or are they essentially myths? We've assembled a panel of experts to offer their judgments.

1. There's security in obscurity

David Lacey, Jericho Forum founder and researcher: Yes, there is. Not everything is known or knowable to an attacker. This uncertainty prevents and deters the vast majority of attacks.

Nick Selby, analyst, The 451 Group: No, there's convenience in security. Say you're trying to keep your kid from discovering the birthday party plans you're making, and you don't want the workaday toil of waiting until he's asleep to discuss them. So around the dinner table, speak German. Now, for protection of ... well, anything, it's just not on. Wherever you hide the front door, it is trivially discovered, so recognize you live in a bad area, get a strong front door with good locks -- and don't hide the key under the garden gnome.

Bruce Schneier, crypto expert, chief security technology officer at BT: All security requires some secrets: a cryptographic key, for example. But good security comes from minimizing and encapsulating those secrets. The more parts of a system you can make public -- the less you have to rely on secrecy or obscurity -- the more secure your system is.

Peter Johnson, global information security architect, Lilly UK: It can slow down the bad guys, but they will find out in the end. It is like closing the front door at home, and hoping nobody will try opening it.

John Pescatore, Gartner analyst: Only true within the bounds of the tried and true concept of 'need to know.' For example, keeping your password obscure is obviously a smart strategy -- only you have a need to know. ... Where this one falls apart is when the assumption is that 'obscurity means security.' This is never true -- and worse, when people design software with this concept in mind, all kinds of bad things happen.

Richard Stiennon, independent analyst: I was thinking about this in terms of Web application firewalls. There are 70 million Web sites but probably only a few thousand Web application firewalls sold so far. Most Web sites are protected by the principle of security through obscurity.

Andrew Yeomans, vice president global information security at an investment bank, and Jericho Forum member: Obscurity buys you time, but doesn't last forever. Obscurity can add an extra barrier, and may deter poorly resourced attacks. But a better-resourced attacker may succeed, and as costs keep dropping, may only need low-cost resources in the future. And once obscurity is lost, security is lost forever, too.
