Security Adviser: Blasting away security myths

11.05.2006
During my nearly two-decade computer security career, I've always been amazed by how many security myths are propagated as fact by readers, instructors, leaders, and writers.

Just because most people say it's so doesn't make it correct.

Because of this, I have a new rule: You should not teach, lead, or write about something until you've at least tried it once yourself. Don't just repeat the same things as mantra without testing to see if the statement holds water.

For instance, I often hear that "security by obscurity" doesn't work, when it so clearly does! This is the most often perpetuated myth of them all. The myth says that security that relies only on obscurity (the malicious hackers cannot launch a successful attack only because they do not know all the pertinent facts) isn't real security. The rationale is that if the attacker learns the pertinent information, the "fake" veil of security falls quickly and the victim succumbs to the subsequent attack.

As I noted in my very first column (http://www.infoworld.com/article/05/08/19/34OPsecadvise_1.html), examples of security by obscurity include renaming the Administrator or root account, moving service ports to nondefault port numbers, installing software to nonstandard locations, and more.

The myth would have you believe that security by obscurity has no value and any scheme using it should be immediately discounted. But the fact of the matter is that security by obscurity works, and works well. It is among the least expensive security defenses you can employ. It should be considered a part of anyone's defense-in-depth plan.
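The measures listed above are cheap, but they only pay off when they sit alongside the controls that still hold once the obscurity is gone. The following audit script is an added example (not the column's own code) that checks an OpenSSH `sshd_config` for the obscurity layer (a nondefault `Port`) and for the layers that must back it up (`PermitRootLogin no` as the closest sshd equivalent of retiring the well-known root name for remote use, and `PasswordAuthentication no`). It assumes the OpenSSH configuration grammar (case-insensitive keywords, `#` comments, first-occurrence-wins for every keyword except `Port`, conditional `Match` blocks) and modern OpenSSH defaults; the two sample configs are constructed for illustration.

```python
"""Audit sshd_config for the obscurity layer and the layers behind it.

Added example, not from the column. Assumes OpenSSH's sshd_config grammar and
the defaults of a modern OpenSSH (Port 22, PermitRootLogin prohibit-password,
PasswordAuthentication yes). ListenAddress-embedded ports are not parsed.
"""
import re

DEFAULT_SSH_PORT = 22  # what sshd listens on when no Port directive is present

# Constructed sample configs (not taken from any real host).
WEAK_CONFIG = """\
# Stock-looking sshd_config: everything left at the well-known defaults
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 2222                      # obscurity layer: scanners hitting 22 see nothing
PermitRootLogin no             # the well-known root name is unusable remotely
PasswordAuthentication no      # keys only, so finding the port buys a guesser little
Match User backup
    PasswordAuthentication yes # conditional block; ignored by the global audit
"""


def parse_sshd_config(text):
    """Return global directives as {keyword_lower: [value, ...]} in file order.

    Keywords are case-insensitive; '#' starts a comment; both 'Key value' and
    'Key=value' are accepted. Parsing stops at the first Match block because
    directives inside it apply only when the Match condition holds.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, []).append(value)
    return settings


def first(settings, key, default):
    """sshd honours the first occurrence of a keyword; Port is the exception (all apply)."""
    values = settings.get(key)
    return values[0] if values else default


def audit(text):
    """Report whether the obscurity layer is present and which backing layers are missing."""
    s = parse_sshd_config(text)
    ports = [int(p) for p in s.get("port", [str(DEFAULT_SSH_PORT)])]
    findings = []
    if DEFAULT_SSH_PORT in ports:
        findings.append("listens on default port 22: every scanner will find it")
    if first(s, "permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: the well-known 'root' name works remotely")
    if first(s, "passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication enabled: obscurity is the only layer against guessing")
    return {
        "ports": ports,
        "nondefault_port": DEFAULT_SSH_PORT not in ports,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit()`; an empty `findings` list means the nondefault port is backed by key-only authentication rather than standing alone, which is exactly the defense-in-depth arrangement the column argues for.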