Security Threat Analysis: Interview With Dino A. Dai Zovi

Risk Versus Exploit Versus Vulnerability

Alan: I chatted with Charlie earlier and he had the same thoughts. You know, I’m not a security researcher, but I am a technical user and use Vista and Fedora Linux. I recently switched to a Mac for my personal system. We had a lot of upset readers who claimed that Apple was buying us off. (Ed.: For the record, neither Tom’s Hardware nor Alan has a relationship of any sort with Apple. They don't advertise and they don't support us with hardware--they don't even send over their press releases.)

One of my goals in doing these articles and interviews is to get our readers to look at things in a less black-and-white way (PCs versus Macs). Just as Gray Hat hackers can take a more sophisticated analysis when they understand methods used by both sides of the battle, there is something to be said for using multiple operating systems.

Dino: There is more security in diversity and if your data is spread across those multiple systems, there is less chance of an attacker gaining access to it all. Unless, of course, you log into them from each other or they are on the same network. In reality, most system compromises occur through the Web browser these days, so an average malware attack is unlikely to breach other systems of yours over the network if they are running a different operating system.

Alan: One of the things you've tried to emphasize in your talks is the concept of risk versus vulnerability. Can you explain to our readers the difference?

Dino: A vulnerability is a weakness in a system that can potentially be exploited by an attacker. The risk presented by that vulnerability is based on the likelihood that an attacker will take advantage of that vulnerability. I also phrase this as "safety" versus "security" because that is easier for non-technical people to understand.

Leaving your house front door unlocked is always insecure, but depending on where you live, it may or may not be safe to do so.

It is important that the security of a system match its risk. Defenders, however, are always playing catch-up to the attackers unless they properly anticipate the risks. It makes little sense to wait for malware to start attacking Mac OS X in droves before developing integrated defenses against it. While we cannot anticipate the next form of Internet attacks, Web-based malware is a reality today.

Alan: And what about the difference between an exploit and a vulnerability?

Dino: A vulnerability is a software weakness that could potentially be taken advantage of by an attacker. The act of taking advantage of a vulnerability is referred to as "exploiting it" and the software program that does so is typically referred to as an "exploit." In reality, not all vulnerabilities are readily or reliably exploitable.

Without experience exploiting software security vulnerabilities, it is often difficult to ascertain whether a vulnerability may be exploitable. Quite often, vulnerabilities assumed to be exploitable are proven to be so by inventive and talented exploit developers. In gauging exploitability, the only knowable fact is whether a given vulnerability is exploitable by the analyst looking at it.

  • cruiseoveride
    Wonder why he didn't mention SELinux
  • mrubermonkey
    If it were so easy to "take down the Internet" I am sure Iran or China would have done it by now, but the vagueness of his last answer does add to the mystique of his image.
  • AlanDang
    Not really -- the black hats make money off the Internet -- it doesn't help them. By definition though, the risk is always about "taking down" a few IXPs or the +1 nodes.
  • "Selectively granting privileges to enhanced functionality to Web sites is an area where most Web browsers can improve".

    They may not be core functions, but everyone I know who is concerned with security on the Internet uses Firefox with the add-ins NoScript & Flashblock.
  • vaskodogama
    mrubermonkey: If it were so easy to "take down the Internet" I am sure Iran or China would have done it by now, but the vagueness of his last answer does add to the mystique of his image.

    I am from Iran. All the Iranian Government can do is block porn and politics web sites! :D
  • pcworm
    I'm also from Iran. Come on, we still connect using bloody dial-up, you guys can't be serious! Although, due to the "no copyright" law, we can buy Windows, Matlab, VS 2008 Team System, Office 2007 and a lot more for less than a dollar each... :-) You don't need broadband here because piracy is official.
  • Gutbop
    Dino: I'm a die-hard Unix user and Mac OS X is the most convenient and functional Unix-based operating system that I have ever used. I can code in a traditional Unix environment, watch a DVD, and use Microsoft Office all on the same system. The system JUST WORKS and lets me get my job done.

    Ahahahaha. Really!? Are you kidding me? Did Apple pay you to say that?
  • I am a Mac user as well. I also use many versions of Windows and Linux in VMs. I am not a security expert or anything, but why is everyone hung up on someone taking down the Internet? Hackers use the net to make money or prove a point. I don't think they are going to shut the net down and hold it hostage; who would be forking over the money anyway? And if they did it to prove a point, how would they ever get recognition for the task when all communication stops?