Security by obscurity is bad regardless of other controls because it does little to reduce the probability of attack and nothing for severity. It is only barely helpful at reducing the probability of attack because it is ineffective against various forms of automated footprinting. That is just the attacker.
Security controls impact everybody though. Not only does it make the problem obscure to an attacker it also makes the problem obscure to non-attackers. This dramatically increases risks because it impacts the application and distribution of other security controls.
Since it’s barely helpful where intended and harmful where it’s unintended security by obscurity only increases risks.
The analogy to software is the belief that hiding source code makes it safer. Hidden source code is not any safer but the vulnerabilities are a bit harder to find. The benefit of open source is that the vulnerabilities are exposed to anybody who reads the code which allows more vulnerabilities to be exposed and patched.
Ehh, the majority of companies practice security by obscurity as an extra layer.
There's the idea in security that an attacker knowing your algorithm/practices shouldn't mean anything, yet you rarely see companies detail the security measures they take on internal systems, because we know keeping this secret has no downside.
Security policies at most companies are often generic and not secret. Reporting chains for emergency remediation and asset identification are secret because those identities are potential attack vectors. Information sensitivity of that nature means it must be protected from disclosure and not that it should otherwise be hidden. The key phrase for sensitivity management is: need to know.