The principle of “Security through Obscurity” is a justifiably maligned principle within the security field. This principle relies on the assumption that a hacker does not know how the security process in question works (the “obscurity”) and, therefore, cannot exploit it (the “security”). While nobody takes the opposite approach and publishes their security documentation on public forums, the organizations that are truly secure operate under the assumption that attackers know as much as their IT team, and sometimes more.
On the other hand, the disdain that accompanies discussions of this principle overshadows the benefits that basic obscurity techniques can provide, particularly in light of modern search engines. In fact, while it should never be relied upon as a sole defense, obscurity techniques can mitigate many security risks that organizations face, limit the number of alerts that monitoring tools trigger, and help the operations team focus on the alerts that truly matter.
The Power of Search Engines
The primary reason that obscurity is so important today is search engines. While traditional uses of Google, Bing, and other search engines make finding Internet content such as recipes, blog comments, and news articles more efficient, they also help attackers find sensitive information that may not have been intentionally published. For example, Google Hacking techniques find passwords, email addresses, and even social security numbers. Social media and mobile applications provide some of this data. Security breaches and public paste sites provide more. Often, search engines find, analyze, and catalog this data without the owner even knowing that it is publicly available.
The Google equivalent for the growing Internet of Things is the Shodan database. Shodan searches all computers and services on the Internet for open ports and service descriptions. While used legitimately by security researchers and professionals, it is also used by hackers to quickly identify vulnerable systems. For example, if a hacker identifies a script that can exploit a particular vulnerability in IIS 7.0, the hacker can use Shodan to identify all Internet-connected computers running IIS 7.0 and attempt to exploit them. Hackers enjoy easy targets and search engines provide them in bunches.
The Power of Obscurity
Security professionals dismiss “Security through Obscurity” because a determined attacker with enough time will always defeat such a naive defense. However, basic obscurity techniques can often defeat less determined attackers before they start. While the less determined attacker is also generally less skilled and technical, they are often only looking for a specific vulnerability pattern and do not care where they find it. For example, the GitHub project SQLiv uses Google to search for, and exploit where it can, URL patterns that are often vulnerable to SQL injection, on any application on the Internet. If successfully exploited, the attacker can gain complete control over an application’s database, resulting in a full breach of user credentials and proprietary data.
The optimal defense against SQL injection, or any other type of exploit attack, is a securely coded application service. However, it is impossible to foresee every possible type of attack, and even the best developers make mistakes. The first line of defense, therefore, is basic obfuscation of vulnerable patterns. Some possible obfuscation techniques for web applications are:
- Move URL parameters in applications to the body of POST requests
- Change response banners such as the server information, uptime, or service version number
- Add a robots.txt file or make the current robots.txt file more restrictive
- Eliminate session specific parameters and track them on the back-end
- Remove references to backend technology and detailed error messages
By following basic obfuscation techniques, an organization can limit its search engine footprint and thus mitigate the risk of general exploit scripts and novice hackers.
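As an added example (not code from the article), a stdlib-only Python WSGI middleware that applies two of the techniques above: it strips server and framework banners from every response and replaces detailed 5xx error bodies with a generic page, so the application no longer matches the version strings and stack traces that search engines and mass scanners key on. The header list and the `leaky_app` sample backend are constructed for illustration.

```python
# Added example (not the article's code): WSGI middleware that hides backend fingerprints.
# Assumption: the header list below is illustrative; extend it for your own stack.
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-runtime"}
GENERIC_ERROR_BODY = b"An error occurred. Please try again later.\n"

def scrub_headers(headers):
    """Drop fingerprinting headers and replace them with a neutral Server banner."""
    kept = [(k, v) for k, v in headers if k.lower() not in FINGERPRINT_HEADERS]
    return kept + [("Server", "web")]

class ObscurityMiddleware:
    """Wrap a WSGI app: scrub every response's headers and hide 5xx error details."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        captured = {}

        def _start_response(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, scrub_headers(headers)

        body = b"".join(self.app(environ, _start_response))
        status, headers = captured["status"], captured["headers"]
        if status.startswith("5"):
            # Stack traces reveal framework, version and file paths; serve a generic page instead.
            body = GENERIC_ERROR_BODY
            headers = [(k, v) for k, v in headers if k.lower() != "content-length"]
            headers.append(("Content-Length", str(len(body))))
        start_response(status, headers)
        return [body]

def run_request(app, path="/"):
    """Invoke a WSGI app with a minimal constructed environ; return (status, headers, body)."""
    result = {}

    def start_response(status, headers, exc_info=None):
        result["status"], result["headers"] = status, headers

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return result["status"], result["headers"], body

def leaky_app(environ, start_response):
    """Constructed sample backend that leaks its stack in headers and error bodies."""
    if environ["PATH_INFO"] == "/crash":
        start_response("500 Internal Server Error",
                       [("Content-Type", "text/plain"), ("X-Powered-By", "PHP/7.4.3")])
        return [b"Fatal error: Uncaught PDOException in /var/www/app/db.php:42"]
    start_response("200 OK", [("Content-Type", "text/plain"), ("Server", "Apache/2.4.41 (Ubuntu)")])
    return [b"hello"]
```

Wrapping the real application (`ObscurityMiddleware(app)`) is enough for any WSGI server; pair it with a restrictive robots.txt so crawlers index even less.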
Benefits of Security Monitoring
Implementing basic obfuscation techniques can have organization-wide benefits as well. Because novice hackers and automated scripts are no longer targeting the application, the number of alerts from security monitoring tools will decrease. Monitoring tools in modern networks and applications create huge volumes of alerts to which security operations centers (SOCs) must respond. Decreasing the overall number of alerts, therefore, gives analysts more time to focus on the alerts that matter: those coming from the experienced and focused attacker who defeated the obfuscation. In fact, security tools detected the Target hack before it was fully exploited. However, the monitoring alerts were buried amidst false positives and, ultimately, went ignored. Thus, limiting false positives and trivial alerts is a modern initiative that improves the security of the entire organization. Obfuscation techniques that reduce alerts from automated programs and scripts are therefore an important element of increasing organizational security.
Security is not just the security team’s problem. Security is an organization-wide problem that all applications and departments must work together to improve. The first step is a robust security development life cycle that produces quality applications. The second step is to obscure the application from search engines and open access so that real threats cannot hide in the noise of the Internet.