Security through obscurity (or security by obscurity) was a new phrase for me the other day, when it came up as part of a security audit. I think the folks using it were joking. I hope they were joking.
"a principle in security engineering, which attempts to use secrecy of design or implementation to provide security. A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, then attackers will be unlikely to find them." (Wikipedia, link above)

What made it even more tangled than the definition above is that it was implied that they didn't know their own security flaws, or where to find the passwords and servers, so if they couldn't, then an outside intruder couldn't either. Which is probably valid for phishing, but not for someone hacking remotely.
It's good to know NIST specifically argues against the practice: its Guide to General Server Security (SP 800-123) states that system security should not depend on the secrecy of the implementation or its components.
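The distinction the definition above draws, secrecy of design versus secrecy of a key, is easiest to see in code. The following is an added example, not code from the post or from the audited system: a constructed "proprietary" repeating-key XOR scheme stands in for an undocumented homebrew design, and the attacker is assumed to have learned the algorithm (leaked binary, former employee, reverse engineering) plus one known plaintext. The HMAC half uses only the Python standard library and is fully public; its security rests on the key alone.

```python
import hmac
import hashlib
from typing import Optional


# Constructed "secret" scheme: repeating-key XOR. Its designers rely on nobody
# outside knowing the algorithm. XOR is its own inverse, so one function both
# encrypts and decrypts.
def obscure_encrypt(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


obscure_decrypt = obscure_encrypt


def recover_key(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Attacker's step once the design is known.

    plaintext XOR ciphertext yields the key stream directly. The key is the
    shortest period of that stream that explains the whole known sample, so
    we try candidate lengths from 1 upward (a single protocol banner is
    usually enough known plaintext).
    """
    stream = bytes(p ^ c for p, c in zip(known_plaintext, ciphertext))
    for length in range(1, len(stream) + 1):
        candidate = stream[:length]
        if all(stream[i] == candidate[i % length] for i in range(len(stream))):
            return candidate
    return stream  # unreachable: length == len(stream) always matches


# Contrast: a publicly documented construction (HMAC-SHA256). Knowing exactly
# how tokens are built gives an attacker nothing without the key.
def make_token(msg: bytes, key: bytes) -> bytes:
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest().encode()
    return msg + b"." + tag


def verify_token(token: bytes, key: bytes) -> Optional[bytes]:
    msg, sep, tag = token.rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison so the check itself does not leak the tag.
    return msg if hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    """Run both scenarios on constructed sample data and return the outcomes."""
    xor_key = b"s3cr3t!!"                      # the "nobody knows it" key
    banner = b"GET /status HTTP/1.0\r\n"       # predictable traffic the attacker can guess
    secret_msg = b"admin password: hunter2"   # what the attacker actually wants

    ct_banner = obscure_encrypt(banner, xor_key)
    ct_secret = obscure_encrypt(secret_msg, xor_key)

    recovered = recover_key(banner, ct_banner)  # attacker never saw xor_key
    leaked = obscure_decrypt(ct_secret, recovered)

    mac_key = b"0123456789abcdef0123456789abcdef"  # constructed demo key
    token = make_token(b"user=alice", mac_key)
    forged = token.replace(b"alice", b"admin")     # attacker edits the message
    guessed = make_token(b"user=admin", b"wrong")  # attacker tries without the key

    return {
        "recovered_key": recovered,
        "leaked_plaintext": leaked,
        "valid_token_ok": verify_token(token, mac_key),
        "forged_token_ok": verify_token(forged, mac_key),
        "guessed_token_ok": verify_token(guessed, mac_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running it shows the obscure scheme giving up its key and every message it protected from a single known plaintext, while the HMAC tokens survive both the edited message and the keyless forgery even though the attacker can read every line of the construction. That is the difference between hiding the design and protecting the key.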
Snarky: They didn't approve of our concept of Security by Obscurity. Even though we have a layoff process designed to facilitate it.
Title: But we capitalize it! That makes it a corporate standard.