Connect with us

Hi, what are you looking for?


Application Security

Security Through Obscurity? Don’t Count On It.

Prtecting Web Sites Against Automated Attacks

There are thousands of script kiddies, launching hundreds of thousands of automated attacks – at least one of these will hit your site.

Prtecting Web Sites Against Automated Attacks

There are thousands of script kiddies, launching hundreds of thousands of automated attacks – at least one of these will hit your site.

One of my recent articles Plausible Deniability: The Web Security Version discussed external development and design firms, and even internal managers, who deliberately avoided testing for security flaws. They do this so that, when confronted with a security breach, they can say “To the best of my knowledge…” Hence the title, “plausible deniability.”

As I discuss this plausible deniability concept with clients and other design and development firms I get a different form of push-back, one that I had trouble labeling until I read a July 2000 article by Lance Spitzner, The Tools and Methodologies of the Script Kiddie – Know Your Enemy. Spitzner introduces the concept of Security through Obscurity, the thought that allows many companies to believe that their web presence is safe because they are so small and obscure. Companies ask themselves, “who would ever go to the trouble of attacking our minor website when there are so many big fish out there?”

As Spitzner points out, surprisingly (to most people), the law of large numbers is not working in favor of small companies, it’s working against them. The fact that a company may be one minnow of millions in the Internet ocean doesn’t provide protection. The fact is, there are thousands of script kiddies, launching hundreds of thousands of automated security scans every day – at least one of these will get to your site.

A fair analogy between script kiddies and their automated tools might come from the Discovery Channel’s Deadliest Catch TV series. The Bering Sea crab-fishing boats lay down hundreds of baited crab traps, coming back days or weeks later to check the traps and harvest the legally-sized crabs. The number of set traps is extremely large in proportion to the number of boats, with each trap capable of capturing hundreds of crabs.

A script kiddie will set his or her own traps in the form of multiple automated vulnerability scanners that each scan thousands of IP addresses (URL’s), looking for flaws. As the script kiddie reviews the results of the vulnerability scans days or weeks later, the flawed website will be targeted for further exploitation.

Web Site SecurityThere are, in fact, an amazingly large number of script kiddies in the world, each running automated vulnerability tools against blocks of IP address blocks. These IP address blocks are chosen for coverage, not potential. Note that script kiddies are scanning arbitrary IP addresses, not specific website or ‘visible’ web applications – any website that is Internet accessible is a target.

Anyone who argues that their website is too small or obscure for anyone to test for flaws isn’t paying attention to the fact that everyone’s website is being tested, all the time. If it’s accessible on the Internet, it’s a target. It is this randomness and coverage of targets that make the script kiddies such dangerous threats.

Advertisement. Scroll to continue reading.

The second argument (also invalid) for Security through Obscurity goes along the line that most website owners don’t believe their site has any value to a hacker. This, unfortunately, misses the mentality of a script kiddie – they are not out for specific information nor are they targeting a specific company. The script kiddie is just someone looking for the easy target, often just for the sake of finding and exploiting security flaws because he or she can.

What most website owners miss is the fact that, to a script kiddie, a defaced site, or turning a site into a malware launch-pad, may be just as much fun as extracting thousands of credit cards.

Even more disturbing for the obscure-minded site owner, is the hack that turns his website into one of a hoard of NetBots (intentional visual imagery here) that can be used in massive denial-of-service (DoS) attacks. To turn a site to this dark side, a hacker would first find a flawed website, and then insert DoS software into that site that can be targeted and started any time in the future. Until the attack is triggered, and maybe not even then, you (the site owner) have no idea you may be part of an attack on a major government or commercial website.

As you can see, making yourself look small and unimportant isn’t going to protect your website from security attacks. Your site will get probed and evaluated and hacked, just like the “big guy” sites. In addition, even if your site has no commercial value, it can be used for attacks on other sites, or defaced because it was on someone’s mindless scanning list.

The only road to website security is, in fact, having a secure website. This requires security development (or remediation) and security testing. Or you can continue to avoid the conversation about security and start your next post-breach conversation with, “To the best of my knowledge…”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.