The idea of security through obscurity has been universally rebuffed by laymen and experts alike. Even so, it is still widely relied upon in even the most security-aware organizations. But hiding an asset or vulnerability or weakness from people only works for so long. Eventually, people find it. And those people aren’t always the good guys.
So why would anyone rely on this security model, let alone people who know it is fundamentally a bad idea? In my experience, there are typically two common reasons:
- The first is really a question of playing the odds or taking a calculated risk.
- The second is because the assets are so obscure, even the owners don’t know about them.
Playing the odds
Much of modern-day security relies on the fact that if it takes too long to do something, attackers will move on. Or, put another way, the juice isn’t worth the squeeze. Even the cryptography that we rely on to secure communications can be broken given enough time, but it would take so long to do that the underlying messages would probably be irrelevant so why spend the time trying to break it? Besides, it takes far less time and computing power to mine a Bitcoin so you might as well do that instead.
So, when it comes to the question of why would someone rely on obscurity to protect their assets, the relevant odds are 4,000,000,000:1. An asset on the public Internet can exist at one of the 4+ billion addresses that comprise IPv4 addressing space. Before you ask, yes, IPv6 increases that number exponentially but for now, we are still living in a v4 world. That is a lot of potential devices to look through in order to find a single asset. But that takes a lot of time, right? So it’s probably not worth the effort.
It used to take a lot of time, but not anymore. With new technology, you can actually scan the entire IPv4 space in 45 minutes.
Suddenly things aren’t so obscure. The time needed to find something is trivial and the math simply does not work in your favor anymore.
If we don’t know about the asset ourselves, how could an attacker?
At Expanse, we see assets that companies aren’t aware of all the time. And if we can see them, an attacker can, too.
Imagine someone is targeting your company. Cybersecurity 101 says they will probably start with some reconnaissance and concentrate their efforts on networks registered to your organization. The logic is pretty sound. So, if a rogue asset exists is it really a problem if it isn’t directly tied to your organization?
Short answer: Yup.
This is a scenario I like to call “On purpose, accidentally”.
Look at this from a different angle. You are the would-be attacker, just spending a quiet evening in your fortress of solitude randomly scanning networks for whatever you may find when you stumble upon a server with some open ports. You take a few minutes to jiggle the locks and look at some of the open ports when you see some information that identifies the system as an Acme Inc. asset. Sure, it is not on an Acme Inc. network, but it definitely looks like an Acme machine (think: shadow IT, a corporate laptop a user took home, old development server – we see this happen a LOT at Expanse). This orphaned asset is probably un-patched, poorly secured and definitely unmonitored. Lots of upside for the attacker who may have found it accidentally but is now solely focused on you.
Targeting you now on purpose.
Bottom line, find those obscure assets of yours before someone else does.
If you leave it, they will come
With Expander, the flagship product from Expanse, you don’t need to rely on security by obscurity. We find these obscure assets before attackers do, and we help you bring them under control. Our outside-in global Internet perspective is more sophisticated and comprehensive than anything an attacker will have and will give you a more complete look at where your organization’s assets lie on the Internet. This is the only way you can discover, monitor, and track all of your organization’s Internet-connected assets.
Request a demo to learn more about how Expanse can enable security and IT operations teams to prevent attackers from opportunistically finding exposures like the ones described here.
Brett Gordon, CISSP, is a solutions architect at Expanse. He has been in the IT field for over 20 years with a focus on end-user computing and security. He has a background in network security, endpoint security, privilege management and helping define organizational security policies. He has consulted on projects for large scale commercial and public sector clients.