Is that key you hid in the flower pot next to the front door going to keep a burglar from breaking into your house? Or is that list of passwords so well hidden on your computer that no one could possibly find it? Those are examples of Security Through Obscurity (STO). But if that’s the only layer of security in place, there’s really no security at all.

“Security Through Obscurity is the belief that a system can be secure so long as nobody on the outside can find out anything about what’s going on the inside,” said Nick Zabenco, TDK Technologies .Net Team Lead.  “But the only reason it is secure is because no one knows the location. You are just putting it out of easy reach. But it does not actually secure the network. Anyone looking around can find it.”

A Component of a Security Profile

Companies or organizations that want to protect their data should think about STO as a part of a security profile, but not the only piece. If a programmer keeps that password list in a text file buried in the operating system under an obscure name to give the impression that it’s just another log file, it is not secure by any means. Any person with access to the machine can find the data.

“It’s just a list of passwords and would be easy to find if you know what you are looking for. Any person with access to the machine can find the data,” Zabenco said. “If obscurity is the only means of security, it is a very poor way to go. But it can be incorporated into a security profile with other security measures.”

Obscurity can add one more obstacle for anyone trying to break into a system. Some protocols route encrypted traffic through a different port, but then require credentials before access through that port is actually granted. Others add a login page for access to Content Management Systems (CMS).

“It’s like hiding the house key under a rock, but in a lock box under the rock. You are adding more levels of security to what you are doing,” Zabenco said.

Primary Types of Security

In broad terms there are two types of security that organizations utilize to control access to data and systems. Hardware Security involves some kind of physical device that is installed on the hardware of the system to reduce vulnerability.

  • Locks
  • Security dongles
  • Security keys
  • Hardware firewalls
  • Proxy servers

“Hardware Security doesn’t give you access to software on the machine. It doesn’t do anything other than to validate that you are who you say you are.  It’s a physical item that allows you to enter into the systems,” Zabenco said.

Software Security involves programs installed on systems to protect computers from attacks by hackers or viruses.

  • Encryption
  • Password protection
  • Authentication
  • Software firewalls
  • Access controls

“Antivirus systems can be a form of security. They stop computer viruses, Trojans, and worms from getting into systems and stealing data,” Zabenco said.

Security Through Obscurity in the Extreme

There are systems that provide high levels of security and anonymity. The Onion Router, also known as Tor, Dark Web, or the Deep Web, is an open software system designed for complete anonymity and obscurity.

The core principle is called “onion routing,” which was developed in the mid-1990s by United States Naval Research Laboratory employees (mathematician Paul Syverson and computer scientists Michael G. Reed and David Goldschlag) to protect U.S. military intelligence communications online. It was further developed by the Defense Advanced Research Projects Agency (DARPA) in 1997. In 2006 the Tor Project was founded as a nonprofit 501(c)(3) organization to maintain the network. Early financial support for the Tor Project included the U.S. International Broadcasting Bureau, Internews, Human Rights Watch, University of Cambridge, and Google. Since then, the majority of the funding has come from the U.S. government.

Tor offers two pieces of security. First, routing traffic through the Tor network obscures where the traffic originated due to the concept of “onion routing”.

  • Using a Tor browser, the original message is wrapped inside three layers of security.
  • The message is sent to the first of three computers all over the globe. The first layer of security gets unwrapped, revealing only where the message is going next, not the final destination.
  • The message is then sent to a second computer, where the second layer of security is unwrapped, revealing only where the message goes next.
  • When the message arrives at the third machine, the last security layer is removed and the message is sent to the final destination.
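The three-layer wrapping and unwrapping described in the steps above, as an added example that is not from the original article or from the Tor Project. It assumes each relay already shares a key with the sender (Tor negotiates keys per circuit), and it uses a SHA-256 keystream with an HMAC tag as a standard-library stand-in for a real cipher; the relay names, keys and helper functions are hypothetical.

```python
import hashlib, hmac, json, os

def _subkey(key, label):
    # Separate encryption and MAC keys derived from one per-relay key.
    return hashlib.sha256(label + key).digest()

def _keystream(key, nonce, n):
    # SHA-256 in counter mode: a stdlib stand-in for a real cipher, not Tor's cryptography.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer does not authenticate under this relay's key")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def wrap(message, destination, path):
    """Sender side: add layers from the inside out. path = [(relay, key), ...], entry first."""
    next_hop, payload = destination, message
    for relay, key in reversed(path):
        layer = json.dumps({"next": next_hop, "data": payload.hex()}).encode()
        payload, next_hop = seal(key, layer), relay
    return payload

def peel(key, blob):
    """Relay side: remove one layer, learning only the next hop and an opaque inner blob."""
    layer = json.loads(unseal(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])

def route(message, destination, path):
    """Walk the onion through every relay; return what each relay learned and the delivery."""
    blob, learned = wrap(message, destination, path), []
    for relay, key in path:
        next_hop, blob = peel(key, blob)
        learned.append((relay, next_hop))
    return learned, blob

# Constructed sample circuit: relay names and keys are made up for this example.
PATH = [("entry", b"k-entry" * 4), ("middle", b"k-middle" * 4), ("exit", b"k-exit" * 4)]
```

In this model the last relay sees both the destination and the message itself, so the message still needs its own end-to-end protection such as TLS.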

“Due to the anonymity provided by Tor, certain elements of society have utilized it for nefarious acts. It was not designed to be the underbelly of the web. It was designed originally for countries that have oppressed freedom of speech,” Zabenco said.

The other piece of security is that Tor itself has hidden servers. Unlike using search engines like Google, Tor does not permit search.  The only way you can get to anything on the Tor network is by knowing specifically where it is located.

  • Addresses are a random collection of letters and numbers conjoined together
    • There is no way to search the network.
    • You must know the address of the server in order to find it.

“Who sent the message and where it is coming from is completely masked,” Zabenco said. “There have been some successful attacks on entrance and exit nodes of Tor. But internal attacks are almost unheard of.”

Security Assessment

Regardless of the situation your organization faces, a security assessment by a team of IT professionals is a good first step to determine whether important data and key systems are vulnerable. Contact TDK Technologies to help you determine whether your system and digital assets are safe and available at all times.
