Effective Security by Obscurity

TL;DR

This paper argues that security by obscurity, when used effectively as a supplement to other security measures, can enhance overall security by reducing information asymmetry and leveraging techniques like obfuscation and diversity.

Contribution

It demonstrates that security by obscurity is a viable and underappreciated approach when integrated with established security disciplines.

Findings

Security by obscurity can be effectively employed as a supplementary security measure.

Examples include information hiding, obfuscation, diversity, and moving target defense.

Effective use of obscurity enhances in-depth security of organizational assets.

Abstract

"Security by obscurity" is a bromide which is frequently applied to undermine the perceived value of a certain class of techniques in security. This usage initially stemmed from applications and experience in the areas of cryptographic theory, and the open vs. closed source debate. Through the perceived absence of true security, the field of security by obscurity has not coalesced into a viable or recognizable approach for security practitioners. The ramifications of this has resulted in these techniques going underused and underappreciated by defenders, while they continue to provide value to attackers, which creates an unfortunate information asymmetry. Exploring effective methods for employing security by obscurity, it can be seen that examples are already embedded unrecognized in other viable security disciplines, such as information hiding, obfuscation, diversity, and moving target defense. In showing that obscurity measures are an achievable and desirable supplement to other security measures, it is apparent that the in-depth defense of an organization's assets can be enhanced by intentional and effective use of security by obscurity.