Description

1st student:

Vamshi Krishna Antati

Security with obscurity refers to the belief that a particular system can be protected by not allowing anybody from outside the implementation group to know anything about the internal operation of that system (“What is ‘security through obscurity,’” 2019). An example is the hiding of account credentials in binary files so that nobody from the outside can find them. Security through obscurity is relevant in the protection of sensitive information from unauthorized people. If the sensitive information is accessed by unauthorized people, it can be used against the system or can be used to destroy the system. Making good decisions on how to hide the sensitive information from unauthorized people can block the vulnerabilities of the system, thus enhancing the security of the system.

Security through obscurity has some advantages and disadvantages in relation to the protection of national and critical infrastructure. The advantage of security through obscurity is that it is effective where few secrets about the system are involved. Few secrets are easily managed; thus, it makes it difficult for the information to be accessed. Thus, security through obscurity is favorable in cases where little information about the national information is involved.

Security through obscurity is disadvantaged by the fact that the secured information is safe until it is accessed. If the attackers figure out how to access the secured information through obscurity, they can easily access that information. When the obscured information related to the national infrastructure is accessed, vulnerabilities to the system are created; thus, the infrastructure is exposed to potential attacks. Security through obscurity is not suitable where the data involved is large. This is because the management of large sensitive information through obscurity is difficult. This makes the critical and national infrastructure easily accessed, or the method increases the chances of the system being attacked. Security through obscurity would not be beneficial in cases where the sensitive information involved is large.

References

Chang, V., Kuo, Y. H. & Ramachandran, M. (2016). Cloud computing adoption framework: A security framework for business clouds. Future Generation Computer Systems, 57, 24-41.

What is “security through obscurity.” (2019). Retrieved 1 August 2019, from http://users.softlab.ntua.gr/~taver/security/secur3.html

2nd student:

Discussion 5 | Security through Obscurity


The security concept of security through obscurity essentially is deliberately hiding or concealing security flaws and it provides yet another method of protecting national infrastructure. It constitutes two major situations: Long-term hiding of vulnerabilities (hiding vulnerabilities of the system instead of removing them) and Long-term suppression of information which is deliberately suppressing general information about a system to make things more difficult for adversaries, hackers, and third parties to discover potential flaws in a system (Amoroso, 2013).

It is understandable that generally there is no need to make information about an organization’s security architecture public as it serves no purpose in most cases. Keeping the vulnerabilities secret while working towards fixing them seems a logical strategy. Because, if these vulnerabilities become public, hackers could take advantage of them easily. Typically, a hacker’s approach in exploiting a system begins with identifying its known vulnerabilities. If there is no public information on those weak areas, hackers will find the system more difficult to penetrate and will eventually delay or postpone their malicious objective. I would agree that it is important to avoid public disclosure of vulnerabilities until they have been fixed. Amoroso also advised that individuals charged with protecting vulnerability information must exercise proper discretion to ensure a level of obscurity for their systems.

In the context of a national infrastructure, making all information about the system and its flaws public could make the ground fertile for hackers to start digging to discover potential vulnerabilities. For example, if an organization makes it public what technologies are being used in its information system infrastructure, default configurations of those specific systems could easily be targeted by hackers.

However, with the advance of computing power and programming techniques, security through obscurity is a weak strategy to protect a system from hackers. Correspondingly, Breithaupt, J. and Merkow, M. (2014) asserted obscuring security leads to a false sense of security, which is often more dangerous than not addressing security at all. Thus, this is not a reliable method of security and should not be used as a primary control mechanism. In situations where an employee leaves the organization, for instance, there is a potential that the secret gets out too.

In fact, Rouse, M. (2015) asserts that this security approach can be effective in combination with other measures but security through obscurity on its own is deprecated.

As you may recall, on May 20, 2013, the NSA contractor Edward Snowden revealed thousands of classified NSA documents to journalists. Do you think this incident could be cited as an example of the impracticality of security through obscurity to protect a system in today’s world?

  1. Amoroso, E. G. (2013). Cyber attacks: Protecting national infrastructure. Amsterdam: Elsevier.
  2. Mark, B. & Merkow, M. (2014). “Information Security Principles of Success”. Retrieved on 07/30/2019 from: http://www.pearsonitcertification.com/articles/article.aspx?p=2218577&seqNum=7
  3. Rouse, M. (2015). “Security through obscurity”. Retrieved on 07/30/2019 from: https://whatis.techtarget.com/definition/security-through-obscurity