Monoculture Revisited

It’s been eight years since the “great monoculture debate” hit the press with a storm. Bruce Schneier and Marcus Ranum take on the topic in their he says/she says column for searchsecurity, though it doesn’t appear that Schneier actually believes the story any more… for good reason.

At the time, I wrote a rebuttal in Information Security Magazine. I can’t find it at the original online link, so have copied the version I have below (this might differ slightly from the published version). Let me know what you think.

ALL TOGETHER NOW

I’m sick and tired of having to be a farmer, car manufacturer, avionics expert and biologist to do my job. This whole analogy business has gone way too far. Nowadays, we spend more time making comparisons to security than we do solving security problems. Hello! Get over it!

The latest analogy everyone’s using is comparing Microsoft to a farming monoculture. This all started in late September when Dan Geer, Bruce Schneier, Becky Bace and other security mavens released “CyberInsecurity: The Cost of Monopoly,” a white paper that argued that Microsoft’s dominance in client-server computing posed a serious risk to global IT security.[1]

Now, I have no idea whether monoculture is bad to farmers. I know nothing about pesticides, fertilization methods or crop rotation. But I do know that the charges waged against Microsoft in this paper are a bit silly–at most inconsequential, and potentially destructive.

The authors argue that the solution to the dangers posed by monoculture is diversification. In a nutshell, a diversified computing base will limit the number of potentially vulnerable and exploitable systems, no matter what specific system (or systems) is targeted.

I’d suggest that this basic philosophy sounds great in theory, but is totally impractical when you get down to specifics.

The first victim of diversification is simplicity. In defining complexity, one must look at the overall computing infrastructure and all the resources in use. Every day thousands of new programmers code millions of new lines of code in an uncoordinated fashion (under competition).

The integration of many varied components further increases complexity. What are the costs of supporting a diversified base of applications and platforms, or of training half of the end users in the world on new client systems? What about the productivity losses during this transition period? What about the trillions in business that doesn’t get done?

OK, for the sake of argument, let’s assume for a minute that monoculture really is bad. What do we do about it? One suggested alternative is to purposely control market forces by limiting any vendor to 50 percent of the desktops in use. That brings 600 million desktops down to 300 million. Great, except that the most prevalent virus/worm to date has only affected a couple million systems. Even limiting 10 operating systems to equal market share gives any attacker a target of 60 million systems. And hackers have a history of adapting to new environments anyway. With the growing popularity of blended threats, a virus could bundle many different attacks against different platforms.

Perhaps the greatest problem in the push for mandatory diversification is the fact that most IT shops have spent the last 10 years pushing for “monocultural” computing environments. Monocultural is merely a synonym for “standardized.” To suggest that the risk is too great for a standard desktop is to suggest that the 20-year effort to standardize systems and systems support processes was a bad idea.

The final test of the monoculture argument is in the consequences of its adoption:

  • Application software vendors who focus on Windows operating systems will see their markets halved and their costs doubled.
  • Enterprises double their costs in providing technical support, retraining highly skilled professionals, and modifying and supporting internal applications that work on the Windows platform.
  • Attackers will focus on another lucrative target–for example, Cisco. Don’t know about you, but I’m a lot more worried about Cisco vulnerabilities creating a “cascading failure.”
  • The government sets a precedent that it will control the Internet. Innovation dies.
  • The problem doesn’t get solved. The Internet will be just as prone to cascading failure as it is today. Are 300 million vulnerable systems really better than 600 million?

I confess that I really don’t like being a Microsoft apologist. Redmond has significant problems to address if it really wants to strengthen our computing environments. But I’m constantly surprised that security professionals let their emotions get in the way of reason and intellectual rigor.

It is time to put this Microsoft bashing to bed and move on. Diversification is foolish amidst all of the other needs of an IT organization. Security professionals need to play the cards they are dealt. There are many, many different approaches to security that can be successful in securing Windows et al. To spend life in an alternate reality that doesn’t include Microsoft is a copout.

[1] See www.ccianet.org/papers/cyberinsecurity.pdf.

PETE LINDSTROM, CISSP (petelind@spiresecurity.com), is the founder and research director of Spire Security, an IT security analyst firm. He also is a member of Information Security’s editorial board.

(originally published in Information Security Magazine and no longer available online, but referenced here)