Security Through Obscurity? Don't Count On It.

Protecting Web Sites Against Automated Attacks

There are thousands of script kiddies, launching hundreds of thousands of automated attacks - at least one of these will hit your site.

One of my recent articles Plausible Deniability: The Web Security Version discussed external development and design firms, and even internal managers, who deliberately avoided testing for security flaws. They do this so that, when confronted with a security breach, they can say “To the best of my knowledge…” Hence the title, “plausible deniability.”

As I discuss this plausible deniability concept with clients and other design and development firms I get a different form of push-back, one that I had trouble labeling until I read a July 2000 article by Lance Spitzner, The Tools and Methodologies of the Script Kiddie - Know Your Enemy. Spitzner introduces the concept of Security through Obscurity, the thought that allows many companies to believe that their web presence is safe because they are so small and obscure. Companies ask themselves, “who would ever go to the trouble of attacking our minor website when there are so many big fish out there?”

As Spitzner points out, surprisingly (to most people), the law of large numbers is not working in favor of small companies; it’s working against them. The fact that a company may be one minnow of millions in the Internet ocean doesn’t provide protection. The fact is, there are thousands of script kiddies launching hundreds of thousands of automated security scans every day - at least one of these will get to your site.

A fair analogy between script kiddies and their automated tools might come from the Discovery Channel’s Deadliest Catch TV series. The Bering Sea crab-fishing boats lay down hundreds of baited crab traps, coming back days or weeks later to check the traps and harvest the legally-sized crabs. The number of set traps is extremely large in proportion to the number of boats, with each trap capable of capturing hundreds of crabs.

A script kiddie will set his or her own traps in the form of multiple automated vulnerability scanners that each scan thousands of IP addresses (URLs), looking for flaws. As the script kiddie reviews the results of the vulnerability scans days or weeks later, the flawed website will be targeted for further exploitation.

There are, in fact, an amazingly large number of script kiddies in the world, each running automated vulnerability tools against blocks of IP addresses. These IP address blocks are chosen for coverage, not potential. Note that script kiddies are scanning arbitrary IP addresses, not specific websites or ‘visible’ web applications - any website that is Internet accessible is a target.

Anyone who argues that their website is too small or obscure for anyone to test for flaws isn’t paying attention to the fact that everyone’s website is being tested, all the time. If it’s accessible on the Internet, it’s a target. It is this randomness and coverage of targets that makes the script kiddies such dangerous threats.
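The quickest way to confirm that your "obscure" site is already being probed is to look at its own access log: automated scanners show up as a single source hammering many different, non-existent paths in a few seconds. The following is an added example, not code from the article; the log lines are constructed, the thresholds are assumptions to tune for your traffic, and the heuristic is a first-pass triage check rather than a replacement for a proper WAF or IDS.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx common log format (not real traffic).
# 203.0.113.5 is an ordinary visitor; 198.51.100.9 behaves like a vulnerability scanner.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2011:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2011:13:55:40 +0000] "GET /about.html HTTP/1.1" 200 1045
198.51.100.9 - - [10/Oct/2011:13:56:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
198.51.100.9 - - [10/Oct/2011:13:56:01 +0000] "GET /admin/ HTTP/1.1" 404 209
198.51.100.9 - - [10/Oct/2011:13:56:02 +0000] "GET /wp-login.php HTTP/1.1" 404 209
198.51.100.9 - - [10/Oct/2011:13:56:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209
198.51.100.9 - - [10/Oct/2011:13:56:03 +0000] "GET /setup.php HTTP/1.1" 404 209
198.51.100.9 - - [10/Oct/2011:13:56:03 +0000] "GET /.env HTTP/1.1" 404 209
"""

# ip, ident, user, [timestamp], "METHOD path PROTO", status, size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_log(text):
    """Yield (ip, path, status) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), int(m.group("status"))


def find_scanners(text, min_requests=5, min_distinct_404_paths=4, min_404_ratio=0.8):
    """Return {ip: stats} for sources whose traffic looks like automated probing:
    enough requests, mostly 404s, spread over many distinct guessed paths.
    Thresholds are assumed defaults; tune them against your own baseline."""
    per_ip = defaultdict(lambda: {"total": 0, "nf_count": 0, "nf_paths": set()})
    for ip, path, status in parse_log(text):
        entry = per_ip[ip]
        entry["total"] += 1
        if status == 404:
            entry["nf_count"] += 1
            entry["nf_paths"].add(path)
    flagged = {}
    for ip, e in per_ip.items():
        distinct = len(e["nf_paths"])
        ratio = e["nf_count"] / e["total"]
        if e["total"] >= min_requests and distinct >= min_distinct_404_paths and ratio >= min_404_ratio:
            flagged[ip] = {"requests": e["total"], "distinct_404_paths": distinct, "ratio_404": ratio}
    return flagged
```

Run it against a day of your real log instead of SAMPLE_LOG and count how many distinct sources it flags; that number is the article's point made concrete.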

The second argument (also invalid) for Security through Obscurity goes along the lines that most website owners don’t believe their site has any value to a hacker. This, unfortunately, misses the mentality of a script kiddie – they are not out for specific information, nor are they targeting a specific company. The script kiddie is just someone looking for the easy target, often just for the sake of finding and exploiting security flaws because he or she can.

What most website owners miss is the fact that, to a script kiddie, a defaced site, or turning a site into a malware launch-pad, may be just as much fun as extracting thousands of credit cards.

Even more disturbing for the obscure-minded site owner is the hack that turns his website into one of a horde of NetBots (intentional visual imagery here) that can be used in massive denial-of-service (DoS) attacks. To turn a site to this dark side, a hacker would first find a flawed website, and then insert DoS software into that site that can be targeted and started any time in the future. Until the attack is triggered, and maybe not even then, you (the site owner) have no idea you may be part of an attack on a major government or commercial website.

As you can see, making yourself look small and unimportant isn’t going to protect your website from security attacks. Your site will get probed and evaluated and hacked, just like the “big guy” sites. In addition, even if your site has no commercial value, it can be used for attacks on other sites, or defaced because it was on someone’s mindless scanning list.

The only road to website security is, in fact, having a secure website. This requires security development (or remediation) and security testing. Or you can continue to avoid the conversation about security and start your next post-breach conversation with, “To the best of my knowledge…”

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security - from evaluation to web development and remediation.