Security Through Minority
A variant of the basic approach is to rely on the properties (including whatever vulnerabilities might be present) of a product that is not widely adopted, so that those vulnerabilities, should they become known, are less prominent targets for random or even automated attacks. This approach goes by a variety of names, "minority" being the most common. Others are "rarity", "unpopularity", "scarcity", and "lack of interest".
This variant is most commonly encountered in explanations of why the number of known vulnerability exploits for products with the largest market share tends to be higher than a linear relationship to market share would suggest, but it is also a factor in product choice for some large organisations.
Security through minority may be helpful for organisations that will not be subject to targeted attacks, suggesting the use of a product in the long tail. However, finding a new vulnerability in a market-leading product is likely harder than in an obscure product, as the low-hanging-fruit vulnerabilities are more likely to have already turned up, which may suggest that market-leading products are better for organisations that expect to receive many targeted attacks. The issue is further confused by the fact that a new vulnerability in a minority product causes all known users of that (perhaps easily identified) product to become targets. With market-leading products, the likelihood of being randomly targeted with a new vulnerability remains greater.
The whole issue is closely linked with, and in a sense depends upon, the widely used term "security through diversity": the wide range of "long tail" minority products is clearly more diverse than a market leader in any product type, so a random attack will be less likely to succeed.
The argument for security through minority runs counter to a principle observed in nature, in predator-prey scenarios. There, "safety in numbers", or "safety of the herd", is an observed principle that would argue against the "security through minority" strategy. However, there are some very substantial differences between a lion hunting a gazelle and the interactions of an automated system. Most victims of security breaches are not direct targets at all.
Security through obsolescence is, for example, the use of obsolete network protocols (e.g. IPX instead of TCP/IP) to make attacks from the Internet difficult. ATMs often use X.25 networks.