Obscurity for Security: Is it really bad practice?
Obscurity for security is the art of storing important information in such a way that only you would know where or how to find it.
It’s like hiding money under a tree in the woods. The odds of anyone finding it are unlikely, but there is still a chance it could happen, and there is nothing you can do about it.
Example: Our topic for a little while has been around password security so let’s use that as an example. Imagine storing all passwords in a location on your computer or cloud storage filed under something obscure such as documents > tax > E56AF
There isn’t anything identifiable about the information contained. Still, there is little to no protection should someone happen across it, especially since there are ways of crawling folders and files en masse.
Is it safe?
In short, yes! But not in isolation as a sole means of security
Most software developers will laugh at how unsafe this can be. However, it is actually a great methodology, just not to be used in isolation.
Password protection will often provide complex, obscure passwords because they cannot be guessed and are therefore more secure. However, when we bring in password managers, it’s an additional layer of security.
It would be like burying the money under the Apple tree in a box with several locks on it.
Reacting to a security breach looks entirely different. If your password was discovered, you simply change the password, which you can do in seconds. If someone discovers the location, you have to dig up the stash, move it, and bury it again, which is significantly more work.
Multi-facet cyber security
Cyber security is only effective when its measures are stacked like a Russian Doll. You begin with an outer layer that protects everything within. If this layer is removed, then another, and another after that, exists. Of course, you want your most essential systems protected in the deepest layer.
All security can be viewed as security through obscurity. Each method or algorithm creates a more complex and secure whole. Security by obscurity will not hurt, but it cannot exist on its own. The overriding message here is that obscurity for security should not stand alone, and it must be complex, at every level.
Password security and penetration testing
If your team is remote working, then you should check-in for a security health check. Introducing a work from home cyber security policy is vital. You need to ensure staff are using password managers to create secure passwords and have access to resources on password tips.
However, the only way to be sure that your passwords are safe is to test your systems. Penetration testing is a simulated attack on your systems, conducted using the same techniques that hackers use. A pen test will reveal if your workforce has created weak passwords or stored them in a file that can be accessed.