Interview with Macbook Hacker Dino Dai Zovi

PING: Dino Dai Zovi

This article can also be found in the Premium Editorial Download: Information Security magazine: Reviews of six top Web application firewalls:

Dino Dai Zovi, one of the men behind the MacBook hack at last year's CanSecWest conference, is a respected researcher, and that's just in his spare time. By day, Dai Zovi is a security professional in the financial services industry, where he's knee-deep in the movement toward quantifying risk in an organization.

DINO DAI ZOVI


What can you share about the risk scoring system you're working on?
It's based mainly on the Common Vulnerability Scoring System. I previously had a homebrew system, but I found having things standardized, with vulnerabilities coming pre-rated from vendors, made my life easier. What I really cared about was scoring them for my environment. Doing the research into a vulnerability provided a flexible framework for me to model less specific vulnerabilities, as opposed to specific security product vulnerabilities. It allowed me to model larger vulnerabilities in that same system.


Are you seeing security moving toward a risk management function in the financial services community?
I've seen a fair amount of financial institutions adopting that stance, where banks are actually moving their security teams under their risk management umbrellas. Some large organizations were some of the early movers and are interested in quantifying security risk, just as they do with trading risk. It's very analogous to analyzing your risk based on certain market forces and doing what you can to mitigate that risk or measure how much risk you want to take.

On the information security side, if you can quantify risk and compare that to the cost of dealing with security incidents or the likelihood of them happening, you can choose your risk threshold and exert the appropriate amount of remediation effort that's in line with that risk tolerance.

Security risk models are nowhere near as robust or proven as financial risk models, so at this time the information security practitioners have the best knowledge of the field to be able to assess this risk.


Do you think this is a good trend?
I think so. I think what it will eventually lead to is finally answering the question of how much security is enough.

I think the industry as a whole will be served when we have better anonymized data on incidents. Companies are often very reluctant to share data or even the fact that there's been an incident. So if you have more data on how often these occur and other points, we can basically estimate, based on our size and our business profile, there's x-percent chance of a customer information leak. And based on how much it would cost to prevent that leak, we can choose whether we want to take actions to remediate that or just run with it.



Read the complete interview at searchsecurity.com.

This was first published in March 2008

Dig deeper on Security Industry Market Trends, Predictions and Forecasts

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close