My last post for 2011 is about a favorite and common topic among security
professionals: the art and technique of ‘security through obscurity.’ Anyone and
everyone in the privacy and security fields knows about it, and I am sure that
95% of readers have knowingly used this approach to protect data and other
assets (the other 5% are probably lying).
Simply put, the ‘security through obscurity’ control, if you will, is making some
weakness so discreet, subtle or inconspicuous that you hope a user or an attacker
never finds the loophole or back door, intentionally or otherwise. In other words,
the secrecy of the weakness is the only thing standing between it and exploitation;
once it is known, nothing actually stops the attacker.
I am not talking here about unanticipated ways to defeat your explicit and
obvious controls that the developers or programmers could never have contemplated;
I am talking about the “ignore that man behind the curtain” ones, exactly the
ones that little Toto, sniffing under the curtain, uncovers. Like the empty police
car on the side of the highway. Or like stating that your password complexity
requirement is nine characters including at least one lower-case letter, one
number, one special character and one upper-case letter, and then not enforcing
the policy in code: the policy exists only on paper, and the first user who
chooses ‘password’ proves it.
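As an added example (not from the original post), here is what enforcing that stated policy in code looks like, as opposed to merely printing it on a login page. The function names, the PBKDF2 parameters and the sample passwords are my own assumptions for illustration, not from any particular product:

```python
import hashlib
import hmac
import os
import string

# Constructed example: the policy stated in the post, enforced at the point where
# a password is set rather than merely documented. Names and parameters below are
# assumptions for illustration.
MIN_LENGTH = 9
PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware

# Each rule is a (description, predicate) pair so the caller can tell the user
# exactly which requirement failed instead of returning a vague "invalid password".
RULES = [
    ("at least 9 characters", lambda p: len(p) >= MIN_LENGTH),
    ("at least one lower-case letter", lambda p: any(c.islower() for c in p)),
    ("at least one upper-case letter", lambda p: any(c.isupper() for c in p)),
    ("at least one digit", lambda p: any(c.isdigit() for c in p)),
    ("at least one special character", lambda p: any(c in string.punctuation for c in p)),
]


def policy_violations(password: str) -> list[str]:
    """Return the stated requirements this password fails (empty list if it passes)."""
    return [desc for desc, ok in RULES if not ok(password)]


def set_password(store: dict, username: str, password: str) -> bool:
    """Enforcing version: refuse to store a password that violates the policy.

    Returns True if the password was accepted and stored as a salted hash.
    """
    if policy_violations(password):
        return False
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    store[username] = (salt, digest)  # never the plaintext
    return True


def verify_password(store: dict, username: str, password: str) -> bool:
    """Check a login attempt against the stored salted hash in constant time."""
    record = store.get(username)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    users = {}
    # Constructed sample inputs: one that only looks compliant and one that is.
    for pw in ("password1", "Tr0ub4dor&3"):
        accepted = set_password(users, "alice", pw)
        print(f"{pw!r}: accepted={accepted} violations={policy_violations(pw)}")
    print("login ok:", verify_password(users, "alice", "Tr0ub4dor&3"))
    print("login wrong:", verify_password(users, "alice", "wrong"))
```

Note the one-way nature of this: because only salted hashes are stored, you cannot audit existing accounts against the policy after the fact. Enforcement has to happen at the moment the password is set, which is exactly the step the “policy on paper” approach skips.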
I got to thinking about this because of a line in the Gnarls Barkley song
“Smiley Faces”: “Was knowing your weakness what made you strong?” Now, I have
asserted in the past that a secret is only a secret if it stays among a minimal
number of people; once the world knows it, it becomes as useful and valuable as
yesterday’s newspaper. And if you made (most) private data held by governmental
institutions and corporations easily available to anyone, acquiring it would
mean nothing, since it could not be readily misused the way it can be today.
This is the old principle from cryptography usually credited to Kerckhoffs:
assume the adversary knows everything about the system except the key, and
design it to stay secure anyway. In the security context, knowing that a
weakness exists in your application, program or website is the strength you
need to resolve the fault proactively. And in the future you can build in
‘privacy by design’ rather than trying to bolt security on after the fact,
always an ugly outcome, both aesthetically and for the user experience.
My point here is that relying on the ‘security through obscurity’ approach, to
any degree, for information protection shows an overall lack of sophistication
and maturity in your security process and program. I realize that many companies
take this approach because it is cheap and fast to deploy; building in proper
controls takes time and money. Ultimately, though, you have two choices when you
take a path toward security: you can either pay now or pay later. You pay now by
investing in proper coding controls and preventative measures; you pay later
when someone finds the weakness or hole in your program, application or website
and posts it on YouTube, and then you have to re-engineer the code all over
again, doing the work twice. In my opinion, paying now lays the groundwork in
your organization both for respect for security and privacy considerations as a
corporate value and for a discipline of doing the right thing right now.
Make a New Year’s resolution, then, to avoid the temptation of at least one
venial sin as you think about your security program and policies in 2012: the
sin of sloth.
Happy New Year!