Sunday, 10 July 2011

Risk Management by obscurity works

The old adage is that security by obscurity doesn't work to protect against security threats. This is true. A solution that relies on proprietary mechanisms known only to a small community doesn't remove the vulnerability. It does, however, lower the probability that somebody is able to exploit the vulnerability.
The fewer people who know the technology, the less likely it is that somebody is able to exploit the vulnerability. The economics of exploits also work in favour of obscurity, since the investment a hacker makes in learning the ins and outs, and especially the outs, of the vulnerability is not likely to pay off in large amounts.
That means obscure solutions do lower the overall risk, since risk is a combination of the vulnerability and the probability of exploitation together with the impact. This applies, for instance, in cases where the impact on the user yields only a limited amount of payback for the hacker.
A defense-in-depth approach could, for parts of the solution, include obscure solutions when there is no other solution, or when standard (i.e. non-obscure) solutions are too expensive or complex.