People commonly use the phrase “security through obscurity” to refer to the idea that if something is “hidden” or difficult to find, it becomes more secure by virtue of other people not knowing it’s even there to be exploited. But in reality, security through obscurity usually means that the only people who find obscure resources are the people looking to exploit them for a way in. This is why visibility, rather than obscurity, increases security. Our website risk grader provides people with an easy way to view a website's security rating by offering visibility into their internet-facing footprint. This also allows businesses to monitor their own improvement over time.
For an example of how this can work, let's look at security company Tripwire, whose CSTAR score we published on March 14th in our article comparing them with Puppet. At the time, their external score was 542, average. About a week after, they improved their score by nearly 300 points, to 827. They accomplished this by enabling SSL on their website, which we can tell by comparing the two scans. This is a great step forward for Tripwire, who as of a week or so ago can point to their own website as an example of a mostly secure configuration. There are still a few missing pieces, like DMARC for email and DNSSEC, which brings down the communications score slightly, and the 68% approval rating for their CEO brings down the business score as well.
Obscurity is a myth. Any dilettante hacker can tell if a website supports SSL, if their DNS records are protecting them from spoofing, how satisfied employees are with a given company. For someone serious about compromising a target, this information at the very least narrows down their search for an entry point. For example, if a website doesn’t have SSL, might there be forms on the page passing information (or passwords) in plain text? If a company doesn’t utilize SPF or DMARC for email, it's more likely that a spear phishing attempt will succeed. If a company or CEO is rated poorly by employees, the chances increase of socially engineering a foothold, or even finding an insider willing to assist in the attack. The only people to whom this is obscured are people not going out of their way to look for it: customers, investors, basically everyone else.
The choice to be made is whether a company reacts to a (malicious?) third-party probing their weaknesses, or proactively does it themselves and shores them up. We don’t know why Tripwire improved their security. Their website, where they sell security software, had been around for many years without SSL, but they certainly could have been planning on implementing it in 2016, coincidentally, just after their CSTAR score became publicly visible. Maybe 2016 will be “the year of SSL,” when websites that have been left insecure are finally brought up to modern standards. As consumers and others become more familiar with how to judge a company’s security, those that stand out with warnings will suffer business consequences. There’s no more obscurity-- time to stop playing ostrich and take a serious look at your risk, before someone else does.
All the information needed to perform a CSTAR assessment is bundled into the UpGuard platform. Learn more about CSTAR.
Read Article >
The UpGuard Website Risk Grader provides a low friction way to get an initial assessment of a business' risk profile.
Read Article >