Security Through Obscurity - Security Through Minority

Security Through Minority

A variant of the basic approach is to rely on the properties (including whatever vulnerabilities might be present) of a product which is not widely adopted, thus lowering the prominence of those vulnerabilities (should they become known) against random or even automated attacks. This approach has a variety of names, "minority" being the most common. Others are "rarity", "unpopularity", "scarcity", and "lack of interest".

This variant is most commonly encountered in explanations of why the number of known vulnerability exploits for products with the largest market share tends to be higher than a linear relationship to market share would suggest, but is also a factor in product choice for some large organisations.

Security through minority may be helpful for organisations that will not be subject to targeted attacks, suggesting the use of a product in the long tail. However, finding a new vulnerability in a market-leading product is likely harder than in an obscure one, because the low-hanging-fruit vulnerabilities are more likely to have already turned up; this may suggest that market-leading products are better for organisations that expect to receive many targeted attacks. The issue is further confused by the fact that a new vulnerability in a minority product turns all known users of that (perhaps easily identified) product into targets. With market-leading products, the likelihood of being randomly targeted with a new vulnerability remains greater.

The whole issue is closely linked with, and in a sense depends upon, the widely used term security through diversity: the wide range of "long tail" minority products is clearly more diverse than a market leader in any product type, so a random attack will be less likely to succeed.
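As an added illustration (not part of the original article), a small Python model of the random-attack argument above: an opportunistic attacker picks which product to write an exploit for in proportion to market share (raised to an exponent to reflect the superlinear relationship noted earlier) and sprays it at hosts chosen at random. The market shares and the exponent are assumed, constructed values; targeted attacks are deliberately not modelled.

```python
from typing import Sequence

# Constructed, illustrative market shares (fractions of the host population).
MONOCULTURE = [0.90, 0.05, 0.05]      # one dominant product plus a short tail
DIVERSE = [0.25, 0.25, 0.25, 0.25]    # no product dominates


def exploit_weights(shares: Sequence[float], exponent: float = 1.0) -> list[float]:
    """Probability that an opportunistic attacker's exploit fits each product.

    Attacker attention follows market share; exponent > 1 is an assumed
    parameter modelling exploit counts that grow faster than linearly
    with share, as the article observes for market leaders.
    """
    if abs(sum(shares) - 1.0) > 1e-9 or any(s < 0 for s in shares):
        raise ValueError("shares must be non-negative and sum to 1")
    raw = [s ** exponent for s in shares]
    total = sum(raw)
    return [r / total for r in raw]


def random_attack_hit_rate(shares: Sequence[float], exponent: float = 1.0) -> float:
    """Fraction of hosts hit when a randomly chosen exploit is sprayed at random hosts.

    This is the population-level view: a more diverse share distribution
    lowers the expected hit rate (the security-through-diversity point).
    """
    return sum(w * s for w, s in zip(exploit_weights(shares, exponent), shares))


def product_exposure(shares: Sequence[float], index: int, exponent: float = 1.0) -> float:
    """Chance that an organisation running product `index` is the one a random exploit fits.

    This is the single-organisation view: a minority product has low exposure
    to untargeted attacks (the security-through-minority point).
    """
    return exploit_weights(shares, exponent)[index]


if __name__ == "__main__":
    for name, shares in (("monoculture", MONOCULTURE), ("diverse", DIVERSE)):
        print(f"{name:12s} hit rate={random_attack_hit_rate(shares):.3f} "
              f"(superlinear attention: {random_attack_hit_rate(shares, 2.0):.3f})")
    print(f"minority product in monoculture, exposure="
          f"{product_exposure(MONOCULTURE, 1, 2.0):.4f}")
```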

The argument for security through minority runs counter to a principle observed in nature, in predator-prey scenarios. There, the terms "safety in numbers" and "safety of the herd" describe observed principles that would argue against the "security through minority" strategy. However, there are some very substantial differences between a lion hunting a gazelle and the interactions of an automated system: most victims of security breaches are not direct targets at all.

A related variant, security through obsolescence, uses obsolete network protocols (e.g. IPX instead of TCP/IP) to make attacks from the Internet difficult. ATMs often use X.25 networks.
