How being open can make you safer
Security by Obscurity is making you Vulnerable. Here's the loopholes of it and real world examples of it.
The term "security by obscurity" is often met with derision from security people, particularly those who like to consider themselves experts. Security by obscurity, represents one of the truly controversial aspects of security. You will often see mocking references to people whose efforts are dismissed as "just security by obscurity."
Security by obscurity is, in a nutshell,
a system should be secure not because of its design, but because the design is unknown to an adversary.
Security by Obscurity (STO) is based on the idea that any information system is secure as long as security vulnerabilities remain hidden, making it less likely that they will be exploited by a malicious attacker. Obscurity means keeping the underlying system’s security loopholes a secret to all but the most important stakeholders, such as key developers, designers, project managers or owners. Typically, a hacker’s approach in exploiting a system begins with identifying its known vulnerabilities. If there is no public information on those weak areas, hackers will find the system more difficult to penetrate and will eventually delay or postpone its malicious objective.
Many people in the information security industry believe that if malicious attackers don’t know how software is secured, security is better. Although this might seem logical, it’s actually untrue. Security through obscurity means that hiding the details of the security mechanisms is sufficient to secure the system alone. An example of security through obscurity might involve closely guarding the written specifications for security functions and preventing all but the most trusted people from seeing it. Obscuring security leads to a false sense of security, which is often more dangerous than not addressing security at all.
If the security of a system is maintained by keeping the implementation of the system a secret, the entire system collapses when the first person discovers how the security mechanism works—and someone is always determined to discover these secrets. The better bet is to make sure no one mechanism is responsible for the security of the entire system. Again, this is defense in depth in everything related to protecting data and resources.
This has had serious consequences in Banking and Financial sector as Threat Intelligence, Lessons learned from breach, recent cyber attacks are seldom shared between different organisations even though forums. As a result it's common to see trends are being set by the attackers to plan similar attacks mimicking the same techniques throughout the world.
India City Union Bank experienced a cyber attack which was similar to Bangladesh Heist in 2016 for $81 million on February 2018, Russian Central Bank disclosed they have lost $6 million on February 2018 and $110 million lost in Mexico as a result of Mexican domestic payment system SPEI being hacked.
Cybersecurity professionals and bank executives who spoke to Bloomberg said the poor coordination among financial institutions and regulators helped propagate the recent raids targeting three lenders, a brokerage and a credit union. Knowing more about how the Bancomext assault and other cyber heists went down could have helped the firms protect themselves.
There are no systems which are build from scratch, in fact the a system itself is a part of the larger network of systems which are also built using frameworks and algorithms which are developed and developing through user communities and continuous patching and feedback. All the designs, security architectures are also stored digitally somewhere which are susceptible for the same set of threats.