Security Obscurity-7.19_Hiding from the Data Breach
*Note: This article was originally published by the author on July 8, 2019.
‘Security Obscurity’ is a new, sporadic, short-segment series focusing on sobering examples of security through obscurity, which, as a security engineer, I come across more often than I’d like to admit in my job and in my research. May you find reading it as entertaining and enlightening as I found writing it.
The saying “Ignorance is Bliss” is a blatant falsehood. I can see where some people might believe it, right up until something bad they weren’t aware of happens to them, at which point the bliss dissipates rather quickly. In the digital realm that is cyberspace, however, there are many, many bad actors [cybercriminals] lurking in the shadowy depths of the Internet just looking for dumbasses who either don’t know better, are too lazy, or are unwilling to take the necessary steps to protect their data. Don’t be a sheep.
In terms of cybersecurity, ignorance of all-too-common cyber threats is not only dangerous; it can be downright devastating to a person or an organization.
To all the organizations out there that consistently show up in Shodan scans as unpatched against published vulnerabilities for which the software vendors issued patches long ago: yes, I am talking to all of the ass hats still running unsupported operating systems like Windows XP and/or still unpatched against major vulns such as MS17-010, the ‘EternalBlue’ Server Message Block 1.0 (SMBv1) vulnerability for which Microsoft shipped a fix in March 2017, or CVE-2019-0708 ‘BlueKeep’ in Remote Desktop Services, patched on 14 May 2019.
Does this sound like you or your organization?
- Hasn’t paid any heed to the news reports about data breaches and has resisted implementing basic cybersecurity best practices
- Due to “severe” budgetary constraints, is taking their sweet time (years, in fact) to implement desperately needed information security controls on their networks that really don’t cost that much (basic stuff like firewalls, longer minimum passwords, multifactor authentication, anti-virus)
- Hasn’t hired a single cybersecurity professional to date, or refuses to outsource the function
- Outsources and implements cybersecurity best practices just in time for an audit and then removes them for “normal” operations
If this is you, please know that your breach-free days are numbered. Ignorance is not bliss; it is only a matter of time before you are discovered and exploited.
You’ve been forewarned numerous times, and your inaction will come back to haunt you sooner or later.
Please also know that your cyber insurance carrier is likely to fight any substantial claim for the millions of dollars lost in a data breach if you cannot show evidence that recommended security best practices were in place. Ask the NotPetya victims who ended up in court with their carriers how much fun that is.
Chances are that you’ve already been hacked and just don’t know it yet. As the saying goes,
“There are only two types of companies — those that know they’ve been compromised, and those that don’t know. If you have anything that may be valuable to a competitor, you will be targeted, and almost certainly compromised.” — Dmitri Alperovitch
You’ve probably heard this before. If not, it is bound to happen sooner or later unless you take swift action, which is doubtful if you haven’t done so thus far; the chances that you will suddenly do so after reading this article are slim. There is just no excuse anymore. Any small, medium, or large business, or any private individual with a computer or a smartphone (i.e., also a mini-computer), that hasn’t spent a dime on basic cybersecurity best practices, or even bothered to install a free anti-virus product like Avast, absolutely deserves what is coming. Even the poorest of small businesses can follow basic recommended cybersecurity practices that will reduce the chances of a data breach.
This is not intended to be an article about basic cybersecurity best practices. For that, I suggest some light reading of the NIST Special Publication 800 series, which is super information-dense and, rumor has it, cures insomnia, but remains nevertheless a very good risk management framework.
By the way, NIST’s view on security by obscurity is best represented in this statement,
“System security should not depend on the secrecy of the implementation or its components.”
Security by Obscurity is…
- Hiding data in obscure locations on a computer system or network and hoping that no one will find it.
- Hiding your Wi-Fi SSID as if it weren’t still easily discoverable. The name is merely left out of the beacon frames; every client that joins sends it in the clear in its probe and association frames, so a passive sniffer recovers it the moment a laptop connects.
- Using a free Virtual Private Network (VPN) service; you get what you pay for in terms of privacy and security.
- Writing passwords down somewhere and thinking that it is a safe practice.
- Using the same password for multiple websites.
- Saving passwords in a text file on your computer but naming it “garbage.” God help us all…
- Not hashing AND salting stored passwords, and doing it with a purpose-built slow password hash (bcrypt, scrypt, or Argon2) rather than a single round of a fast general-purpose hash.
- Steganography, or hiding secret messages within images or other media in plain sight. It can still be an extremely effective method of covert communication, but it hides only the existence of the message, not its content; encrypt the payload before embedding it, because whoever finds it can read it.
- Using proprietary software because it’s “safer.” The government has traditionally been really bad at this one. Reference Kerckhoffs’s principle: a system should remain secure even when everything about it except the key is public.
- Using default passwords on any systems or hardware. Overheard: “But it meets compliance because it has a password!” Hmmm. Not exactly. A default credential is printed in the vendor manual and sits in every scanner’s wordlist; it is the social equivalent of men hiding cash in their socks or women stashing money in their bras. Non-effective security by obscurity.
- Turning off the computer or smartphone and thinking its data can’t be taken. Powered off, it is at least not remotely exploitable, but without full-disk encryption everything on it is one screwdriver away from anyone with physical access.
- Leaving the house key under the doormat or nearby somewhere. I mean, come on, folks, this is physical security 101. Never do this! At least make the bad guys work a little, ok?
- Thinking that some random application or social media platform will protect your private data is security-by-obscurity logic and also just plain dumb. As a general rule, these companies should never be trusted and do not have your best interests in mind; they exist to make a profit off of your information. Do not give them your private data.
- Having every application in the organization on Single Sign-On (SSO) via the Central Authentication Service (CAS) except for one legacy application that is too hard to upgrade to SSO, and which still lets users who have left the organization log in with old local credentials that nobody ever deprovisioned… Hmmm, no bueno!
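As an added illustration of the “hash AND salt” item above, here is the obscurity version beside the real one. This is example code written for this edit, not code from the original article; the `$scrypt$...` record format, the function names and the scrypt parameters are assumptions chosen for a demo.

```python
# Added example (not from the original article): fast unsalted hashing versus
# per-user salt plus a deliberately slow, memory-hard password hash.
import hashlib
import hmac
import os

# Demo parameters (assumption: raise SCRYPT_N for production hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def store_unsalted(password: str) -> str:
    """The obscurity version: one fast SHA-256, no salt.

    Identical passwords give identical digests, so one cracked digest (or a
    precomputed table) unlocks every user who chose that password.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_salted(password: str) -> str:
    """The real version: random per-user salt and scrypt.

    The record is self-describing ($scrypt$N$r$p$salt$digest), so the work
    factor can be raised later without breaking existing users.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return "$scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), digest.hex())


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt/parameters and compare in constant time."""
    try:
        _, algo, n, r, p, salt_hex, digest_hex = record.split("$")
        if algo != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False  # malformed record: fail closed rather than raise
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    # compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Constructed sample: two users who picked the same password."""
    users = {"alice": "correct horse battery staple", "bob": "correct horse battery staple"}
    unsalted = {u: store_unsalted(p) for u, p in users.items()}
    salted = {u: store_salted(p) for u, p in users.items()}
    return {
        "unsalted_records_collide": unsalted["alice"] == unsalted["bob"],
        "salted_records_collide": salted["alice"] == salted["bob"],
        "correct_password_verifies": verify_salted(users["alice"], salted["alice"]),
        "wrong_password_rejected": verify_salted("Correct horse battery staple", salted["alice"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unsalted table tells an attacker for free that alice and bob share a password and lets one crack serve both; the salted records look unrelated and each one costs a full scrypt evaluation per guess.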
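The last item, the legacy application outside SSO that still honours departed users’ local credentials, is found by reconciling its account table against the central directory. The script below is an added example written for this edit, not the article’s own tooling: the dataclasses, the sample directory and legacy account data are constructed, and it assumes usernames are the same in both systems.

```python
# Added example (not from the original article): flag local accounts in a
# legacy application that the central directory (the CAS/SSO backend) no
# longer vouches for. All data is constructed; usernames are assumed to match.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class DirectoryUser:
    username: str
    active: bool
    deactivated_on: Optional[date]  # None while the account is still active


@dataclass(frozen=True)
class LegacyAccount:
    username: str
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str


# Constructed sample data.
DIRECTORY = [
    DirectoryUser("alice", True, None),
    DirectoryUser("bob", False, date(2019, 3, 1)),     # left in March
    DirectoryUser("carol", False, date(2019, 5, 20)),  # left in May
    DirectoryUser("dave", True, None),
]
LEGACY = [
    LegacyAccount("alice", True, date(2019, 7, 1)),
    LegacyAccount("bob", True, date(2019, 6, 15)),     # logged in after leaving
    LegacyAccount("carol", True, date(2019, 4, 2)),    # still enabled, not yet abused
    LegacyAccount("dave", True, date(2019, 6, 30)),
    LegacyAccount("svc_report", True, None),           # local-only, nobody owns it
    LegacyAccount("erin", False, date(2018, 12, 1)),   # already disabled: ignore
]


def reconcile(directory: List[DirectoryUser], legacy: List[LegacyAccount]) -> List[Finding]:
    """One finding per enabled legacy account that the directory does not back.

    A login after the owner's deactivation date is evidence of misuse, not
    just hygiene debt, so the reason text says so.
    """
    by_name = {u.username: u for u in directory}
    findings = []
    for acct in legacy:
        if not acct.enabled:
            continue
        user = by_name.get(acct.username)
        if user is None:
            findings.append(Finding(acct.username, "no directory account: local-only credential nobody deprovisions"))
        elif not user.active:
            if acct.last_login and user.deactivated_on and acct.last_login > user.deactivated_on:
                findings.append(Finding(
                    acct.username,
                    f"logged in {acct.last_login} after directory deactivation on {user.deactivated_on}"))
            else:
                findings.append(Finding(
                    acct.username,
                    f"directory deactivated {user.deactivated_on} but still enabled here"))
    return sorted(findings, key=lambda f: f.username)


def run() -> List[Finding]:
    return reconcile(DIRECTORY, LEGACY)


if __name__ == "__main__":
    for f in run():
        print(f"{f.username}: {f.reason}")
```

Run it on a schedule and treat the “logged in after deactivation” findings as incidents; the others go to whoever owns the application as disable-now tickets.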
Security by Obscurity is not…
- Properly air-gapped critical systems, meaning they are completely disconnected from the Internet in every possible way. Mind you, they are still not 100% protected from every type of threat (removable media, and the people who carry it, still cross the gap), but as part of a layered defense strategy it is a huge step in the right direction. Sadly, this is one area where even cybersecurity professionals cannot all agree. Remember, though, that analog or low-tech can in itself be a very secure control.
- Creating honeypots or honeynets to fool threat actors and learn their tactics, techniques, and procedures (TTPs).
- Intelligently obscuring data elements (masking, tokenization, or redaction of protected fields) to make it harder for attackers or malicious insiders to steal sensitive/protected data. The difference from obscurity is that the way back to the real value is protected by a key or a vault, not by hoping nobody looks.
- Disabling the built-in “Administrator” account (on Windows it can be disabled or renamed but not deleted) and giving each administrator a separate, named privileged account, so that admin actions are attributable to a person.
- Network segmentation; it’s a good practice. You should probably do it.
- Using a password manager, yes, do this. Is it foolproof? No. Should you still use one? Yes. Do it now, move!
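To make the “intelligently obscuring data elements” item concrete, the block below shows display masking and keyed tokenization next to the obscurity version, an unkeyed hash, and shows why the latter fails when most of the input is guessable. It is an added example written for this edit, not code from the article; the key constant, the function names and the sample phone number are assumptions for the demo.

```python
# Added example (not from the original article): masking for display and
# keyed tokenization for storage, beside an unkeyed hash that falls to a
# dictionary attack as soon as the input space is small.
import hashlib
import hmac
import itertools
from typing import Optional

# Assumption: in production this key lives in an HSM/KMS behind the
# tokenization service, never in the database next to the tokens.
TOKEN_KEY = b"demo-only-key-do-not-ship"


def mask_digits(value: str, keep_last: int = 4, mask_char: str = "*") -> str:
    """Display masking: keep the last few digits, blank the rest.

    Nothing in the output lets you rebuild the original, which is exactly
    what you want on receipts, screens and log lines.
    """
    digits = "".join(ch for ch in value if ch.isdigit())
    if len(digits) <= keep_last:
        return mask_char * len(digits)
    return mask_char * (len(digits) - keep_last) + digits[-keep_last:]


def naive_token(value: str) -> str:
    """Obscurity: plain SHA-256. Deterministic and keyless, so anyone who can
    enumerate plausible inputs can rebuild the whole mapping."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_token(value: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed pseudonym: HMAC-SHA256. Still deterministic (joins keep working),
    but useless to someone who holds the tokens and not the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def dictionary_attack(token: str, known_prefix: str, unknown_digits: int) -> Optional[str]:
    """Recover the input behind an unkeyed token when most of it is guessable,
    e.g. a phone number whose area code and exchange the attacker already knows."""
    for tail in itertools.product("0123456789", repeat=unknown_digits):
        candidate = known_prefix + "".join(tail)
        if naive_token(candidate) == token:
            return candidate
    return None


def demo() -> dict:
    phone = "2025550147"  # constructed sample value
    return {
        "masked": mask_digits(phone),
        "naive_token_reversed": dictionary_attack(naive_token(phone), "202555", 4),
        "keyed_token_reversed": dictionary_attack(keyed_token(phone), "202555", 4),
    }


if __name__ == "__main__":
    print(demo())
```

Ten thousand SHA-256 calls recover the number behind the unkeyed token; the same search against the HMAC token finds nothing because the attacker cannot compute candidates without the key. A keyed token is still deterministic, so equal inputs yield equal tokens and frequency analysis remains possible; for very small domains, use random tokens stored in a vault or format-preserving encryption instead.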
A little humor is good to lighten the mood, but it’s important to understand that security by obscurity is generally a very bad idea unless it is one layer in a larger defense-in-depth strategy, and even then it has to be implemented strictly and never relied on alone. That does it for this initial installment; until next time.