Source: Obscurity is a Valid Security Layer
risk = probability X impact
This means you lower risk (and increase security) by doing one of two things:
- Reducing the probability of being attacked, or…
- Reducing the impact if you are attacked.
The key point is that both methods improve security. The question is really which should you focus on at any given point. Is adding obscurity the best use of my resources given the controls I have in place, or would I be better off adding a different (non-obscurity-based) control?