Security via Obscurity: A Persistent Pitfall

  • Culture
  • Data
  • Security

kmurraysoftrams
January 5, 2022

Two individuals enter a keypad password to unlock a door with a secret vault behind it.

Suppose for a moment that you’re a cartoonish caricature of an affluent individual, say, a certain copyrighted duck. And being this caricature, rather than keeping your wealth in real estate, investments and the like, you’ve opted for a good old-fashioned room full of gold coins. Who among us wouldn’t love to take a physics-defying swim in such a “pool”? Of course, a large concentration of liquid assets like that is an extremely attractive target for those who might feel themselves more worthy of your fortune, regardless of the law. Some manner of protection is obviously needed for this vault of yours.

The obvious solution is a big, heavy door with a state-of-the-art locking mechanism. But, being this affluent caricature, you have business that takes you around the world frequently, leaving your home unoccupied for significant periods of time, and such caricatures are far too miserly to employ security staff. In practice, for as long as your home is unattended, that big fancy locking door is little more than a speed bump. Sure, it would take some time, but with you gone for weeks a thief has all the time they need to research the lock and pick it, or even just force their way through the door with explosives or a cutting torch.

What if, instead, you made the entrance to the vault hidden, perhaps accessed by pulling a few shelves out of the pantry and opening a wall panel behind it. That would-be wealth distributor might now spend weeks combing your home and never even find the vault to get started!

It’s a no-brainer, right? Well, not exactly. In practice, this caricature would at the very least need to employ a contractor to construct this vault and its access point. Bare minimum, even with zero leaks, there are at least two more people who know the secret of your vault. And as Benjamin Franklin once wrote, “Three can keep a secret if two of them are dead.”

This is what we call security by obscurity: a strategy that relies on secrecy as the primary means of protecting an asset, whether that asset is liquid wealth, documents, or data on a server somewhere. It has been recognized for well over a century as fundamentally flawed. If an asset is to have any actual utility, there must be a means of accessing it, and this will inevitably entail multiple people knowing the secret, one way or another. Each individual who knows this secret is a potential vector for compromise, and as soon as the information leaks, it is in the hands of people with neither the obligation nor the inclination to protect your assets. Cryptography formalizes the same conclusion as Kerckhoffs’s principle (1883): a system should remain secure even when everything about it except the key is public.

This very topic was heavily debated in the mid-1800s, specifically on the question of keeping lock designs secret, after Alfred Charles Hobbs publicly picked the supposedly unpickable Chubb and Bramah locks at the 1851 Great Exhibition in London. Hobbs famously argued in favor of disclosure: “Rogues are very keen in their profession, and know already much more than we can teach them.” Essentially, the benefit of sharing the lock designs and getting more benevolent eyes looking for flaws significantly outweighed the risk inherent in the information leaking to bad actors, since those bad actors already specialized in figuring out the workings of locks and circumventing them.

This same concept persists to this day, not only in the realm of physical locks, but in information security. It is the reasoning behind code review, penetration testing and bug bounty programs: we allow security professionals (like my team) to review our code and attempt to circumvent our security to access or modify data that is supposed to be protected. We accept a little risk in doing this, as the end result is a system that is extremely difficult for a bad actor to break into. A small reduction in secrecy for a massive increase in security.

And yet, despite the well-documented, century-and-a-half-old fallibility of the obscurity approach, many individuals and small businesses continue to rely on it as their sole line of defense, some not even bothering to secure their Wi-Fi! Relying on being a small party that no one is likely to target is fundamentally flawed, particularly once automated, indiscriminate attacks such as mass scanning and commodity malware are considered. Ransomware alone has already cost billions of dollars in damages, without any need for its creators to target any given individual or company specifically.

I’m not saying that obscurity is useless. On the contrary, keeping protected information on a need-to-know basis is one of the core principles of security. But used alone it is essentially worthless, because the approach makes the human element the whole attack surface, and humans (as we know) are already the single largest attack vector even with thorough security measures in place. The information leak need not be intentional or even direct: simple human error can expose a secret, poor security discipline can lead to a malware infection that exfiltrates the same, and so on. There is a further practical problem: a secret baked into the design itself (a hidden path, an undocumented port, a hardcoded password) cannot be rotated when it leaks without rebuilding the system, whereas a key behind a real lock can simply be changed. Secrecy absolutely has its place as part of an overarching security strategy. It is simply not to be used alone.
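To make the hidden-door-versus-lock distinction concrete in code, here is an added example that is not part of the original post. It models two gates in front of a hypothetical vault endpoint: an obscurity gate that grants access to anyone who knows an unadvertised path, and a keyed gate that requires an HMAC-SHA256 token under a secret key (the scheme is public, only the key is secret). The path, the key sizes and the “source leak” scenario are all constructed for illustration; nothing here comes from the author’s systems.

```python
import hashlib
import hmac
import secrets

# Hypothetical "hidden door": a vault path that appears nowhere in the UI and
# that only insiders supposedly know. Constructed for this example.
HIDDEN_PATH = "/vault-7f3a9c"


def obscurity_gate(requested_path: str) -> bool:
    """Grant access purely because the caller knew the unadvertised path.

    The path is the entire secret and it is baked into the code, so anyone who
    reads the source, a log line or a browser history now holds the 'key'.
    """
    return requested_path == HIDDEN_PATH


def issue_token(key: bytes, path: str) -> str:
    """Mint an access token for `path`: HMAC-SHA256 under a secret key.

    The construction is public; only `key` is secret (Kerckhoffs's principle).
    """
    return hmac.new(key, path.encode("utf-8"), hashlib.sha256).hexdigest()


def keyed_gate(key: bytes, requested_path: str, token: str) -> bool:
    """Grant access only if `token` is a valid MAC over the path under `key`.

    compare_digest runs in constant time, so the check does not leak how many
    leading characters of a guessed token were correct.
    """
    expected = issue_token(key, requested_path)
    return hmac.compare_digest(expected, token)


def layered_gate(key: bytes, requested_path: str, token: str) -> bool:
    """Hidden door *and* a lock: both checks must pass."""
    return obscurity_gate(requested_path) and keyed_gate(key, requested_path, token)


def rotate_key() -> bytes:
    """Replace the key. Every old token stops working; the path never changes."""
    return secrets.token_bytes(32)


def outcomes_after_source_leak(key: bytes) -> dict:
    """Model an attacker who has read the source (so knows HIDDEN_PATH and the
    token scheme) but not the live key, and report what each gate does."""
    forged = issue_token(b"attacker-guess", HIDDEN_PATH)  # scheme known, key not
    return {
        "obscurity_gate_opened": obscurity_gate(HIDDEN_PATH),
        "keyed_gate_opened": keyed_gate(key, HIDDEN_PATH, forged),
        "layered_gate_opened": layered_gate(key, HIDDEN_PATH, forged),
    }


if __name__ == "__main__":
    key = rotate_key()
    legit = issue_token(key, HIDDEN_PATH)
    print("insider with current key:", layered_gate(key, HIDDEN_PATH, legit))
    print("after source leak:", outcomes_after_source_leak(key))
    key = rotate_key()  # respond to the leak by rotating; the old token is dead
    print("old token after rotation:", layered_gate(key, HIDDEN_PATH, legit))
```

Leaking the source opens the obscurity gate outright and can only be “fixed” by renaming the path, which breaks every legitimate client. The keyed gate survives the same leak, and a rotation invalidates any token that was captured, which is exactly the property the hidden door alone can never give you.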

So by all means, make your vault entrance a hidden door, but still make sure you spring for that locking mechanism too.
