Security through obscurity is not security?

One day, within my first few years as a developer I had suggested hosting our SQL on a non-standard port as a mean of improving security. An IT guy came around and basically ripped me a new one claiming that "Security through obscurity was not security".

This point has stuck with me for ages. You see, the problem is that almost all security is "security through obscurity". I can certainly agree that simply changing the port is not a STRONG form of security. But it IS a form of security. And I was certainly not suggesting changing the port and dropping the password or  even simplifying the password.

What really gets me though, is that a password is "security through obscurity" as well. The hacker knows that there is a password. They also know that there is a finite "pool of values" within which that password can exist. This is no different from there being a finite pool of ports to choose from to find the right one.

And while I would argue that will it is STILL important to use a password, that changing ports is actually MORE impactful in securing a network than a strong password.

Most breaches are a result of social engineering/phishing. In which case, a lot of traditional defense strategies are defeated. But, of the remaining, most are crimes of opportunity. Bad actors scan the internet  or networks they've infiltrated for vulnerabilities. There are often SO many possibilities that they simply exploit the fact that virtually all installations maintain the default settings. In short, very few hackers are going to try and discover your server if it is running on a non-standard port.

What about MFA? The way MFA is generally implemented, it is just another kind of password. For the most part, the other factors are verified remotely. And the only way to do that is to transmit a value over the internet. That value is effectively just another password. Regardless of how big the pool of values or how short lived, it is just another password. 

You don't have a human, hardwired to the receiving system, coming over and confirming that it was you, and your phone which generated the 2FA passcode. Your fingerprint is not pressed directly against the software which ultimately validates it.

I remember back in the day when Apple would claim that only Windows PCs had viruses. I laughed my f***ing head off. It is a self-defeating prophecy. I knew that Apple was only "safe" at the time because hackers weren't interested in hacking Macs. They didn't have enough market share. And guess what? As soon as they started becoming popular, they started getting attacked. And Apple was absolutely shit at responding to the attacks. Windows may have had a lot of attacks, but they were also veterans at closing vulnerabilities. These days, they are on more even footing.

The point of that was, the easiest way to get attacked is to not be discovered or to not be a desirable target to try and find; to be obscure. Using defaults and industry standards and using just those things alone means that you're chasing the same solutions that the bad actors are most interested in defeating.

You should use tried and tested means of securing things. But, you should also use multiple layers and should consider including some atypical forms of defense. Especially if they don't negatively impact you otherwise. Changing a port for example. As long as it doesn't break your software for some reason, it has no other associated cost.

You should also very much consider some solutions which are less obscurity based. Things like implementing password policies which include lock-outs and out-right bans. These sorts of measures don't make passwords any more secure but they can slow or stop brute force attacks. You also need monitoring and alerting. If all you do is slow a brute force attack and never detect it, then the chance exists that they will eventually succeed.