It is fall here in my neck of the woods, which means the leaves are changing and falling off the trees. It makes for a great time driving with all the bright colors. Driving in to work a few days ago I passed an place where all the leaves had fallen off the trees and I was able to see a house set back that is normally not visible. This reminded me of a house I had seen years back.
While doing an audit of a small township I would regularly pass a drive with a gate and fence that vanished into a dense forest. One year I was performing the audit after the leaves had fallen. As I passed the secured drive I notice the fence went into the trees about 100 feet on either side and then stopped. I had never noticed this before because the trees had obscured my view. It struck me as odd that someone would go to the expense of putting up an elaborate gate and very nice fence, only to have it end not to far after it started. In retrospect it doesn’t seem as odd.
We always hear about security through obscurity. The idea is you gain some level of security by obscuring what you have or what you are doing. A great example of this is when you remove any identifying information from an error message on a website so that a person doesn’t know your operating system or applications your are using. Of course a determined attacker can fingerprint your system to figure it out, but you make them go the extra step. Now back to my illustration. The trees, for at least half the year, provide the illusion that the security fence surrounds the home that wants protection. This will likely deter most people who would want to get in, but a determined person would follow the fence and find the point of weakness. Has the resident achieved a higher level of security? It all depends on perspective.
You could argue that reducing the number of threats has increase security. However, I would suggest the same “obscurity” that is providing security to the home owner actually provides security to the threat. When you talk about physical security, visibility is critical. If you can’t see the threat how do you protect against it. The forest gives the threat cover to hide, while the resident feels they are secure. Now I will assume someone who goes to the expense of putting up a sophisticated fence likely has a security alarm system on the house itself. That said, the threat has all the time in the world to get as close as possible without being detected and search for vulnerabilities. Also, in the event the home is breached there is cover provided for a getaway and if the home alarm system doesn’t exist or fails there is no fear of being seen by neighbors or people passing by. In essence the obscurity relied on by the home owner provides more security to threat than to themselves.
The question we need to ask ourselves as security professionals is a simple one. Do we provide cover to a potential threat by allowing ourselves to believe obscurity gives us security. Obscurity can reduce the frequency of common threats and allow us to focus on the determined and targeted attackers. However, if we put to much faith in the security it provides we increase the risk rather than decrease it. Take the time to understand all the effects obscuring yourself has and consider if the obscurity benefits a determined attacker. If we don’t, we may find the front door open and all our valuables gone.