Security's Dirty Little Secret

Why you need to measure the long-term impact of security

5:05 PM -- Security only works as long as it's easier not to exploit it. That can be a difficult concept to understand, but it's also one of the most important ones in modern security. The more common -- and amusing -- way to illustrate it: "You don't have to run faster than the bear, you just have to run faster than the guy next to you."

That makes a lot of snakeoil look better than it actually is.

One thing I tell my clients is to build metrics on everything you can. If you can't measure it, there's no way to know if you're doing better or worse than you were before. Recording metrics can be a roadmap to better security, but it also can be a nightmare to decipher. The reason: There are lots of Websites for consumers to visit -- and for the bad guys to visit, too.

Say puts a new security measure on its site that adds an extra factor of authentication, or an extra hurdle that attackers either fear or don't understand. It doesn't actually have to provide any real security benefit, except to somehow make the attacker do more work than he would have to do elsewhere. Then the attacker simply moves on to

Has the security measure worked? Sure! All the metrics point to its obvious success in reducing losses. Management is happy and consumers are getting attacked less. All is well, right? Wrong.

Now the security company takes these metrics in hand and goes and sells the exact same security tool to where the fraud numbers have recently and inexplicably skyrocketed. One look at those stats with its recent successes in, which happens to be a direct competitor of, and it's an easy sell. The security company makes out great.

But what about the two banks? Assuming there are no other attractive targets, the attacker now must start experimenting with the security tool to see if he can circumvent it. Soon enough, he finds major weaknesses in how it's built, and in no time, he has adapted his entire strategy to evade that security technique. Both banks are now at equal risk, and the attacker exploits them equally to diversify his risk. The banks have spent potentially millions of dollars getting to the same risk level they were before implementing the security tool.

Here's the breakdown: saw a massive drop in fraud, which was good, and it could take credit for that. But then bank-a's fraud rate returned to where it was before it implemented the security tool. saw a massive increase in fraud before implementing the security tool, and then a return to normal numbers after -- almost the complete opposite effect than And now neither company can remove the security tool since that could make it easier for the attacker to return to its original tactics. Millions of dollars spent, and the consumers are still at risk.

Anecdotally, this is already happening with a number of security tools.

In the case of banks, there is big money at stake, so it's worth it to the attackers to attempt to circumvent the security when the cache of lesser targets runs dry or tightens its security. There are still so many other insecure targets out there that, for the time being, these security tools appear to be doing their job. Management is happy. So maybe it's worth it after all. If you run an environment impacted by this sort of fraud, you should at least understand the long-term impact of the products you buy.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F* Special to Dark Reading