Killing security through obscurity to defeat competitors
commentary There's a principle in the information security industry that any good system does not rely on security through obscurity; that is, the design of the system shouldn't need to be a secret in order to secure it.
If good practice dictates that there are no flaws in the design of a system, then why do so few organisations disclose their information security practices, since, theoretically, they should give attackers nothing to work with? I'm not condoning that organisations bare all of their source code and issue a challenge to would-be hackers to try to break into their systems — that's a recipe for disaster — but there's room for organisations to take a more proactive approach of disclosing at least some details that will improve overall user confidence in an organisation's security.
The current approach by many organisations is to deny user and media requests for information, with the throwaway excuse that they do not comment on matters of security. This approach has the opposite effect of instilling confidence in an organisation, by leaving users wondering whether organisations have something to hide.
And, unfortunately, sometimes they do.
LinkedIn and Sony are perfect examples of organisations that didn't have the right security in place and surely wouldn't admit to it. However, I'm not looking to highlight flaws; I'm asking why more organisations aren't using security as a means to differentiate themselves. On the back of the numerous breaches we've held, there's certainly an opportunity for rival organisations to reassure their customers that they are doing the right thing. Just as cars turned initially despised safety features like seatbelts and airbags into selling points, organisations could do the same, explaining the benefits and ensuring that to stay competitive in their market, they have stay on top of security.
There probably isn't a better market to do so than in the financial industry, where, as more of our transactions make their way online, security is paramount. But despite the fact that security forms a crucial part of any online banking system, few people know much about how their bank approaches security.
For example, even after a month of enquiries, none of Australia's big four banks have been willing to discuss whether they even hash passwords or salt them. One bank even outright refused to answer simple questions, such as whether it has a minimum and maximum password length.
Granted, obscurity has its purposes when it is not the only means of security and is employed as an additional tool to make the job of hackers harder, but it shouldn't be used in such a backwards manner to undermine customer confidence — or worse, mislead them to make poor security decisions.
Blizzard initially didn't inform its customers that its Battle.Net passwords are case insensitive — knowledge that could have led users to create more secure passwords if they knew that the keyspace was shorter. But despite dealing directly with customer funds, banks are also susceptible to the same security-defeating behaviour. The Commonwealth Bank omits from its security guide and secure password tips that its online banking passwords are also case insensitive — and, strangely enough, the only place this case insensitivity is noted is in the bank's demo of NetBank, not in its actual working product.
Instead of embracing security and the way it can attract customers, organisations appear to be scared to death, withholding more and more information and leaving users in the dark. Customers don't want less information in these uncertain times; they want an organisation that is clear and transparent with how it deals with secure user information.
Rather than losing customers during a breach, there's another option: subtly, so as not to issue the "we're unhackable" challenge, organisations can show that they're on top of their game and different from their rivals. With major breaches seemingly being reported on a fortnightly basis, users are starting to pay attention, and victims will want an organisation that doesn't wait until it is breached before it hardens its security.