Security Experts:

Connect with us

Hi, what are you looking for?



Hiding in Plain Sight: Why Your Organization Can’t Rely on Security by Obscurity

Attackers Don’t Examine Market Size When Deciding Whether or Not to Target an Organization or a Person

Attackers Don’t Examine Market Size When Deciding Whether or Not to Target an Organization or a Person

Recently, on a trip to visit potential customers in one of Europe’s smaller markets, I ran into a recurring theme.  When I speak to any audience about security, including potential customers of course, I tend to focus on concepts and ideas, rather than specific products and services.  Choosing the components of a solution is important, but can only be done once an approach is well understood.  This comes much later in the discussion.  Not surprisingly, most people prefer this approach, particularly when they are able to map between the concepts and ideas and the specific problems and challenges they face.

As you can imagine, one of the concepts I often discuss is the identification, prioritization, and mitigation of risk.  As I’ve discussed previously, this is one of the most critical components of a mature and successful security program.  This particular trip was no different from most others in that I broached this particular topic with nearly everyone I met with.  What was different on this trip, however, was one response I received repeatedly: “We are in a small market.  No one will attack us.”  This surprised me quite a bit.

Cybercrime Indeed, I have heard this line of reasoning many times in the past.  What surprised me was not that people would be inclined to think this way, but that they would be inclined to think this way in 2017.  It is surprising given how interconnected the world is, how we’ve repeatedly seen that no target is too small or too remote for the motivated attacker, and how organizations that do not come to terms with this reality ultimately pay for it, sometimes dearly.

Sadly, market size isn’t the only way in which people lure themselves into a false sense of security.  Let’s take a look at a few of the different ways in which people convince themselves that they do not need to understand the threat landscape they face and mitigate the risk it presents them with.

Organizational Size

Some people, organizations, and boards seem to think that if their organization is under a certain threshold (either employee-wise or revenue-wise), then the organization can simply fly under the attacker radar.  This line of reasoning is reminiscent of the old “security by obscurity” way of thinking.  As experienced security professionals know, this is a dangerous way of thinking that generally winds up producing disastrous results.

Attackers have shown time and time again that they care about one thing and one thing only: the location of the prize they are after.  It doesn’t matter if that prize is money, information, disruption, or any of the other ends that motivate attackers.  If an organization has what the attackers are after, they will go after it. It doesn’t matter if the organization has 10 employees or 10,000 employees.

Geographic Isolation

There is a somewhat natural tendency to feel safe and secure due to geographic isolation.  If we look at the history of kinetic wars and the kinetic battlefield, it is easy to understand why this is the case.  But this sense of security does not and should not translate to the virtual world.

Whereas to commit a physical crime in a given city, I generally need to be in that city, this is obviously not the case in the virtual world.  I can sit on one side of the world and commit cybercrime on the other side of the world.  Similarly, I can just as easily attack targets in places that may be geographically isolated as I can attack places that may be just around the corner from me.  Unfortunately, there is really nowhere to hide in the virtual world.

Language Barriers

There are many languages that a relatively small number of people speak.  In the countries that speak these languages, people may be inclined to think that they are not at risk.  For example, people may think that because all intellectual property, customer data, employee data, or other sensitive data is written in a language that is not widely spoken, then no one will ever be able to target, navigate to, and exfiltrate that data.  This is another type of “security by obscurity” that is a dangerous way of thinking.  Unfortunately for those native speakers, this could not be farther from the truth.  Attackers have shown tremendous creativity and resourcefulness when it comes to gaining access to the information they are after, regardless of the language it is written in and how many people speak that language.

Market Size

As I mentioned above, being in a smaller market does not protect an organization from attack.  No matter how small the market, there will still be people, organizations, and information that attackers will want to target.  To be quite frank, it doesn’t much matter where information resides nowadays.  The fact that it exists in an interconnected world puts it at risk.  Attackers do not examine market size when deciding whether or not to target an organization or a person that has a specific piece of information they are after. They simply go after it.

My purpose in this piece isn’t to cause panic or present a doom and gloom scenario. Rather, I’m hoping that the clever reader will see in this piece an opportunity to help educate management, executives, the board, and others of the need to approach security strategically, regardless of organization size, geographic location, spoken language, or market size.  Any of the points I’ve raised above can be countered and mitigated by approaching security as a risk mitigation exercise complete with a robust security operations and incident response capability.  No one should rely on security by obscurity and expect to fly under the radar of the modern attacker.  It’s just too risky.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack