udaykumar
Security related - Principle of Deterrence

posted Thursday, 4 January 2007

Recently I have been doing work in the Secure Product Development area - basically teaching product development teams secure ways of programming their modules. In this context I came across something described as the Principle of Deterrence. According to the standards body that defined it, the Principle of Deterrence states that:

If the cost of hacking into an application is greater than the value that the attacker can gain from the attack then the attack has a very low probability of occurring.

This principle has been used as the basis for designing and applying test cases by Security Testing teams which engage in penetration testing activities.

But this is a very dangerous assumption, especially for Testing teams. A hacker or a cracker is not necessarily focused on monetary gain or on whatever other material advantage they can gain from an exploit. Such thinking is applicable to Product Development teams which build applications for commercial use: in that case the thinking will of course be about the cost of implementing a feature rather than the cost of hacking. But you get the idea.

Now why is this dangerous? Thinking that hackers are focused on material or monetary gain will lull penetration testers into a false sense of security. Hackers and crackers will go after a vulnerability and exploit it especially if it is very difficult to crack, because pulling off such a difficult exploit brings instant fame. Hackers and crackers go after that fame and/or notoriety even if the cost is high. They are willing to invest time and effort in learning arcane techniques and collecting obscure knowledge in order to perform the exploit successfully.

The principle of Deterrence can apply to a Bank Robbery, for example, which is motivated by material goals: tighten up the security of the bank high enough and the chances of being hit are proportionately lower - unless of course you are dealing with Butch Cassidy and gang.

So for a security analyst and tester it is advisable to take the Principle of Deterrence with a grain of salt. Relying on this principle as a security testing strategy will lead to much woe when the product hits the market. Caveat emptor.