I’ve always been of the mantra that “security through obscurity” isn’t security. Period. Next question. But there have been a couple of thought running through my brain that are making me take, well, a more nuanced view of this classic mantra.
A while back I mentioned I’d been comparing notes between the IBM X-Force Mid-Year 2012 Trend and Risk Report and the Verizon 2012 Data Breach Investigations Report trying to get a sense of how much they agree on attack vectors. One of the interesting distinctions that emerged is that among smaller organizations, 79% of attacks are “opportunistic” and only 16% of attacks could be considered “targeted” attacks. On the other hand, among large organizations, only 35% of attacks are opportunistic and 50% of attacks are targeted. It made me wonder, “are the IT priorities and agenda of significantly different for smaller companies because most of the attacks on them are opportunistic?”
This hit home for me this past weekend when I attended WordCamp Raleigh. WordCamp conferences are community organized, informal conferences for WordPress users and developers. Lots of small businesses attend. One of the presentations I sat in on was Michael McNeil’s “WordPress Security: No Nonsense Edition” presentation. The room was packed, largely with inexperienced people who are setting up WordPress for their small business. The level of security knowledge was low. I doubt there were 10 people in the room that could explain an SQL injection attack. But everyone is concerned about security.
Michael’s presentation hit all the usual bases. Strong passwords. Check. Web application firewalls. Check. Don’t trust third party components just because they come from the WordPress repository. Monitor your configuration. Apply Updates. Ask your hosting provider about their security certifications. Check. Check. Check. All good advice. Can’t argue against any of it. Sounds obvious but folks in the room were taking notes.
The Security Through Obscurity Slide
And then we hit slide 31 “Change your database table prefix.” When you install WordPress. The databases it creates are, by default, tables are prefixed with “wp_”. Michael related that the WordPress security community strongly recommends changing this prefix. Why? Because automated bots looking for non-secure WordPress installations usually assume the names of the tables start with “wp_”.
My initial reaction was, “that’s security through obscurity” and it isn’t a proper security control. But the more I thought about it, the more I realized this is perfectly legitimate. It’s the same type of control as telling people to change the default names of administrator accounts when they install a new middleware component.
If you are a small business and 79% of the attacks on your infrastructure are “opportunistic.” this recommendation not only seems legitimate it becomes a more and more important security control. Most attackers are going to be coming at you with automated scripts that look for database tables with the wp_ prefix. If they don’t find them, their bot is likely to move on, looking for an easier target. So this “security through obscurity” tactic is likely to deflect a large number of attacks on your WordPress site.
Furthermore, this security control doesn’t require buying anything. It doesn’t require installing anything else. There are WordPress plugins that make it easy to change the prefix so that even a new WordPress user can do it.
The lesson for me here is that when attacks are largely “opportunistic,” any security control/tactic that increases the likelihood of an attacker being deflected to someone else is completely legitimate, even if it is technically “security through obscurity.”