rj07thomas3d ago

Just seen a post on LinkedIn to the effect of "we've all been practising security through obscurity but it's time that stopped."

We *all* practice security through obscurity, all the time, and not just digitally. If we really wanted to be secure, nobody would connect devices to the internet. But that's impractical, and on a personal level we assume that we're not very interesting targets. Same with companies. If you're a small coffee shop, you're unlikely to have an NDR in place because you assume a malicious actor is going to go after a big coffee shop chain.

Offline, it's unlikely you've laid landmines around the perimeter of your property or wrapped your car in barbed wire. These are very secure solutions but totally impractical. You've made the assumption The Last Of Us hasn't happened in your town yet so it's probably OK to skip these measures for now.

Security through obscurity is bad practice but there's no other way of living without going mad and turning into Fox Mulder.

rj07thomas3d ago
Show threadDave 🐶

@rj07thomas "Oh, you don't practice security through obscurity?? Okay then, publish your company's full asset register - including networking devices - detailing running OS and last patch date...

What? You say that's 'confidential'?

Sounds like obscurity to me!"

Mar 24 at 8:23amWeb
Show threadrj07thomas3d ago

@Cyberoutsider exactly! It's a good idea to behave as far as possible as if you are a target of interest, but you can only go so far.

Can't remember why but I once had to set up secure ftp on port 22; granted this was for functional reason, but it behaved like security through obscurity (was funny to watch someone try and ssh on to that service repeatedly one day)