Security by obscurity is not security at all
Probably about the worst security plan you can ever use is security by obscurity. In case you aren't familiar with the term, security by obscurity is when you rely on people not knowing that they have access to something as the thing that keeps them from accessing it.
This is fairly common on file servers and in internal applications such as CRM software. All too often the domain groups Everyone or Authenticated Users are used to grant access to network resources that only a subset of users need access to. Often this is done because "eventually more people will need access to the network resource, so we'll just open it to everyone now". But even if others will need access to the resource later, that isn't a very good reason for granting everyone access to it now.
The group that requested the resource may assume that it is not open to everyone (how would they know otherwise?) and put data in that folder or application which others within the company shouldn't have access to. Now, all of a sudden, you've got a security breach just waiting to happen. The employees who aren't supposed to have access find out that they do, start looking around, and there's all this data that they shouldn't be able to see. It could be company financials, it could be HR data, it could be the executives' vacation photos, or the crown jewel of data: your customers' personally identifiable information.
Assume that it's customer data that hasn't been masked for one reason or another, and a less than scrupulous employee comes across it. Being the less than scrupulous employee that they are, they take the data and find a buyer for it, and now all of a sudden your customers all have identity theft problems. All because someone didn't set the rights on some network resource correctly. Talk about something that should have been easy to avoid but is going to cause a lot of pain.
Considering that anywhere from 34% to 70% of data theft is by employees (depending on which report you read), security by obscurity just seems like it isn't the way to go.
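The practical check for the over-broad grants described above is to enumerate them rather than wait for someone to stumble across them. The following PowerShell script is an added example for this post, not code from the original author; it lists every non-administrative SMB share on the server it runs on and reports share-level and NTFS permissions granted to broad principals. It assumes it is run on the file server itself with rights to read the ACLs, and the list of "broad" principals (in particular the `Domain Users` entry built from `$env:USERDOMAIN`) is an assumption you should adjust for your domain.

```powershell
# Added example, not from the original post: find shares and folders that grant
# access to broad groups such as Everyone or Authenticated Users.
# Assumptions: run locally on the file server with rights to read ACLs; the
# principal names below match your environment (adjust $BroadPrincipals).

$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    "$env:USERDOMAIN\Domain Users"   # assumption: default domain-wide primary group name
)

function Test-BroadPrincipal {
    param([string]$Identity)
    foreach ($p in $BroadPrincipals) {
        if ($Identity -ieq $p) { return $true }
    }
    return $false
}

# Share-level permissions: what the SMB layer allows before NTFS is consulted.
function Get-BroadShareGrant {
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.AccountName)
        } | ForEach-Object {
            [pscustomobject]@{
                Layer     = 'Share'
                Path      = "\\$env:COMPUTERNAME\$($share.Name)"
                Principal = $_.AccountName
                Rights    = $_.AccessRight
                Inherited = $false
            }
        }
    }
}

# NTFS permissions on the share root and the folders beneath it (to $Depth levels).
function Get-BroadNtfsGrant {
    param([string]$Root, [int]$Depth = 3)
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
    foreach ($f in $folders) {
        $acl = Get-Acl -LiteralPath $f.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $ace.IdentityReference.Value)) {
                [pscustomobject]@{
                    Layer     = 'NTFS'
                    Path      = $f.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$findings = @(Get-BroadShareGrant)
foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
    $findings += @(Get-BroadNtfsGrant -Root $share.Path)
}
$findings | Sort-Object Layer, Path | Format-Table -AutoSize
```

Read the two layers together: a share that grants Everyone read access is only a problem if the NTFS ACL underneath is also broad, since the effective permission is the more restrictive of the two. The script does not evaluate Deny entries, so a folder that appears here may still be locked down by an explicit Deny; treat each line as a lead to verify with the resource owner, and replace the broad grant with a group that contains only the people who actually need the data.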
Denny
Security by obscurity shouldn't be the only security measure taken, but there is some benefit to using it as part of the overall solution. For instance, using an IPSEC policy to block UDP/1434 and moving your SQL Server to a non-standard port, preferably one in the upper range, means it will take a lot longer for an attacker who is unfamiliar with the configuration to discover the SQL Server and attack it. And that gives you additional opportunities to discover the attacker. Of course, when he or she does, that's what the other measures should be there for.