Types of Security
As we round out cybersecurity awareness month, I wanted to close out by bringing different types of security strategies to the attention of my readers. In my opinion, all of these strategies have good aspects and all of them should be used to varying degrees, but not one is perfect. Before I explain further, it would be helpful to know what I'm talking about. So let’s go through some of the most common security strategies out there. This is probably not a comprehensive list, just the ones I see and hear about the most. This list is in no particular order.
1. Security Through Obscurity
This is probably the most commonly talked about strategy. Security Through Obscurity relies on secrecy as the first line of defense. For example, proprietary software. The first line of defense is that the source code is not open. It cannot be easily reproduced or audited, thereby leaving an attacker (or researcher) to simply take a guess at the best point to begin their attack. In the privacy world, we often see this strategy employed with data removal. Once we’ve gone through the basic, “easy” stuff like adopting secure passwords and switching to encrypted providers, it’s common for people to start taking an interest in removing themselves from the internet. This could take the form of deleting old accounts or removing their information from people search websites. It's hard to steal my identity when you can’t find it in the first place, after all.
It’s worth noting that in many circles, “Security Through Obscurity” refers specifically to purposely covering up known flaws. I think this still applies with my data removal example. After all, my identity is my identity. I can’t change my birthday or social security number. They’re weak spots. The only way I can harden them (aside from a credit freeze) is to hide them. Security Through Obscurity is sometimes a lazy out, but sometimes it’s the only (or last) solution available.
2. Security Through Obfuscation
I don’t know if this is a real term, but I’m referring to disinformation. This is a blog post I still need to make in full as I think this is a strategy that is often unspoken and under-represented in the privacy community. Disinformation in this context refers to intentionally (but legally) spreading fake information about yourself to poison any marketing profiles or waste the time and resources of any potential attackers. That attacker could be a private investigator or simply an angry internet troll. In both cases, they have finite resources – the amount of money the client has to spend or the amount of time they can waste on doxxing you, for example. The more time they waste chasing fake information, the more likely they are to run out of resources before they find anything useful on you.
3. Security Through Obsolescence
Fun fact, in a nearby town there’s a “Floppy Disk Repair Store.” I am 100% convinced that this store is some kind of front for illegal activity. Probably money laundering. No one can convince me otherwise. Has anyone even seen a floppy disk in the last decade other than the save button icon? But believe it or not, many government agencies still use severely outdated technologies like analog tape or floppy disks. In some cases, this is because of lack of funding, but in many cases this is intentional. If something is so old that modern cracking tools don’t work on it, then it becomes secure simply by that virtue alone. Sure, maybe your floppy disks aren’t encrypted, but who cares when it’s literally impossible to get your hands on a device to even plug the floppy disk in and read it? At least, that’s the logic. Some of the most important government devices are using technology that goes as far back as the 1980s for this reason. Like I said, there’s other reasons peppered in there – stability, funding, etc – but that’s definitely one of them.
“Ogres Are Like Onions...”
So which of these strategies is best? None of them. Security Through Obscurity relies on you being 100% hidden 100% of the time, which is basically impossible for anyone. Security Through Obfuscation hinges on the idea that the attacker will run out of resources before they find your real information, which may not be the case if your real information is equally as prevalent. And Security Through Obsolescence makes a lot of other tradeoffs and assumptions.
The best strategy, in my opinion, is a mixture. Take Obscurity and Obfuscation for example: I try to remove as much personal data from the internet as I can. In return, I seed a lot of disinformation. I use fake names, fake address or PO Boxes, fake or burner phone numbers, fake birthdays, etc. By combining both of these strategies, I create a lot of “noise” that any attacker would have to sift through, burying any real information that accidentally gets overlooked by my Obscurity practices. This makes it more likely to not get noticed, or to get dismissed as more fake information.
What about Obsolescence? Is there a place for that in our lives? Yes, but with a caveat: it largely depends on your threat model. For example, keeping a physical calendar may prevent your sensitive appointments from being caught up in a data breach, but if you have a high risk of a physical stalker or attacker, leaving your calendar in an unencrypted, anyone-can-access-it format might be incredibly risky. Another example would be keeping your finances in an offline spreadsheet. It may be great to protect your privacy from data-hungry financial services, but if you’re secretly stashing away money to leave your abusive partner then leaving that on a shared computer could be a recipe for disaster.
Even with a low threat model, Obsolescence requires a balance. Keeping a copy of Windows XP because it has less telemetry than Windows 10 is incredibly dangerous, especially if that device is connected to the internet. It no longer receives security updates, making it risky and vulnerable to attack. Even making it air-gapped (disconnected from the internet) may not be a good solution as researchers are continually finding new (and interesting) side-channel attacks that compromise air-gapped machines. Remember: nothing is unhackable.
So ultimately, just remember that there’s rarely one way to do things. When I was younger and early in my career, I got a great piece of advice: “you’re gonna have some great bosses, and you’re gonna have some terrible ones. When you get the great ones, figure out what makes them great and copy that aspect of them. When you meet the terrible ones, figure out why they suck and make an effort to avoid doing that.” Privacy and security are the same way: don’t take an entire strategy or solution as gospel. Figure out the bits and pieces that work and figure out how to use them to make your security posture better. And likewise, when you learn of someone’s failure, take lessons from what they did wrong and learn how to avoid those same mistakes.