Risk Versus Exploit Versus Vulnerability
Alan: I chatted with Charlie earlier and he had the same thoughts. You know, I’m not a security researcher, but I am a technical user and use Vista and Fedora Linux. I recently switched to a Mac for my personal system. We had a lot of upset readers who claimed that Apple was buying us off. (Ed.: For the record, neither Tom’s Hardware nor Alan have a relationship of any sort with Apple. They don't advertise and they don't support us with hardware; they don't even send over their press releases.)
One of my goals in doing these articles and interviews is to get our readers to look at things in a less black-and-white way (PCs versus Macs). Just as Gray Hat hackers can take a more sophisticated analysis when they understand methods used by both sides of the battle, there is something to be said about using multiple operating systems.
Dino: There is more security in diversity and if your data is spread across those multiple systems, there is less chance of an attacker gaining access to it all. Unless, of course, you log into them from each other or they are on the same network. In reality, most system compromises occur through the Web browser these days, so an average malware attack is unlikely to breach other systems of yours over the network if they are running a different operating system.
Alan: One of the things you've tried to emphasize in your talks is the concept of risk versus vulnerability. Can you explain to our readers the difference?
Dino: A vulnerability is a weakness in a system that can potentially be exploited by an attacker. The risk presented by that vulnerability is based on the likelihood that an attacker will take advantage of that vulnerability. I also phrase this as "safety" versus "security" because that is easier for non-technical people to understand.
Leaving your house front door unlocked is always insecure, but depending on where you live, it may or may not be safe to do so.
It is important that the security of a system match its risk. Defenders, however, are always playing catch-up to the attackers unless they properly anticipate the risks. It makes little sense to wait for malware to start attacking Mac OS X in droves before developing integrated defenses against it. While we cannot anticipate the next form of Internet attacks, Web-based malware is a reality today.
Alan: And what about the difference between an exploit and a vulnerability?
Dino: A vulnerability is a software weakness that could potentially be taken advantage of by an attacker. The act of taking advantage of a vulnerability is referred to as "exploiting it" and the software program that does so is typically referred to as an "exploit." In reality, not all vulnerabilities are readily or reliably exploitable.
Without experience exploiting software security vulnerabilities, it is often difficult to ascertain whether a vulnerability may be exploitable. Quite often, vulnerabilities assumed to be exploitable are proven to be so by inventive and talented exploit developers. In gauging exploitability, the only knowable fact is whether a given vulnerability is exploitable by the analyst looking at it.