Security by Obscurity

Security by Obscurity is in my opinion a better security strategy than the security employed by any company today. Don’t laugh, I really mean it.

Security by obscurity is a term used to dismiss security measures that are not founded on strong mathematical principles that make them theoretically unbreakable. Don’t get me wrong – I have no objection to all the encryption and key exchanges that are based on strong mathematics. My problem is not with the theory but with its implementation.

The problem with strong encryption and other mathematically intensive algorithms is that very few people implement them. The result is that most applications end up using the same libraries to implement such algorithms. Worse is the fact that there is a limited number of products that provide security solutions. The result is that any hacker or attacker can get their hands on the product you use to protect your environment. Additionally, most of these products share large portions of the code that does the underlying math, protocols and so on.

Why is all this bad? Because all software has bugs and security holes. It’s not something we should be happy about, but it’s a fact of life. The more complex the software, the more bugs and security vulnerabilities. Complex security systems that rely on heavy mathematics will undoubtedly have their share of security holes. Since hackers can obtain the software, they can examine it until they locate those security holes. For extra incentive, once they find the security hole in the software they have hundreds if not thousands of companies they can breach.

Now imagine a world where every company wrote its own preventative measures. Maybe not the most mathematically advanced measures, but nonetheless unique. For hackers to break into these companies, they would need to first understand the security system, then look for vulnerabilities, and they would have to do it all live. If they manage to find a way in, they have still compromised only a single company. If that company is compartmentalized with different security measures protecting different departments, the hacker will need to put in significantly more effort to get deeper into the organization.

We don’t have to go as far as having unique measures in every company in the world to get better security for our own organizations. We just have to deploy unique solutions that no one else has. It is the only way to stop hackers from getting in. Any off-the-shelf security solution you buy will have vulnerabilities a hacker might know.

If you can’t build your own solution, you must monitor the activity to detect breaches. In the case of databases it is impossible for you to build your own, and you must therefore monitor the activity. Oracle database auditing tools like Core Audit provide such activity monitoring and are essential to secure the Oracle database.
