Information Security Magazine
Interview with Macbook Hacker Dino Dai Zovi
by Dennis Fisher
Issue: Mar 2008

Dino Dai Zovi, one of the men behind the MacBook hack at last year's CanSecWest conference, is a respected researcher, and that's just in his spare time. By day, Dai Zovi is a security professional in the financial services industry, where he's knee-deep in the movement toward quantifying risk in an organization.

What can you share about the risk scoring system you're working on?
It's based mainly on the Common Vulnerability Scoring System. I previously had a homebrew system, but I found having things standardized, with vulnerabilities coming pre-rated from vendors, made my life easier. What I really cared about was scoring them for my environment. Doing the research into a vulnerability provided a flexible framework for me to model less specific vulnerabilities, as opposed to specific security product vulnerabilities. It allowed me to model larger vulnerabilities in that same system.


Are you seeing security moving toward a risk management function in the financial services community?
I've seen a fair number of financial institutions adopting that stance, where banks are actually moving their security teams under their risk management umbrellas. Some large organizations were some of the early movers and are interested in quantifying security risk, just as they do with trading risk. It's very analogous to analyzing your risk based on certain market forces and doing what you can to mitigate that risk or measure how much risk you want to take.

On the information security side, if you can quantify risk and compare that to the cost of dealing with security incidents or the likelihood of them happening, you can choose your risk threshold and exert the appropriate amount of remediation effort that's in line with that risk tolerance.

Security risk models are nowhere near as robust or proven as financial risk models, so at this time the information security practitioners have the best knowledge of the field to be able to assess this risk.


Do you think this is a good trend?
I think so. I think what it will eventually lead to is finally answering the question of how much security is enough.

I think the industry as a whole will be served when we have better anonymized data on incidents. Companies are often very reluctant to share data or even the fact that there's been an incident. So if you have more data on how often these occur and other points, we can basically estimate, based on our size and our business profile, that there's an x-percent chance of a customer information leak. And based on how much it would cost to prevent that leak, we can choose whether we want to take actions to remediate that or just run with it.



Read the complete interview at searchsecurity.com.

All Rights Reserved, Copyright 2003 - 2008, TechTarget