The Register had an article today, "As Emperor of Security, I hereby decree..." It caught my attention since it was so atypical in style. The author spends some time discussing the things that he would decree if made emperor of security. Neat concept, right? I thought so too.
The mandates were totalitarian and restrictive, purposefully so (that's sort of the point, right?). Some of them were good ideas (mandatory education for all new computer users), some were bad ideas (fines for insecure software), and some had both good points and bad points (mandatory anti-virus, anti-spyware, and firewall software). However, what really got me thinking was the discussion about "mandatory monocultures":
It's pretty well been proven that operating system monocultures are a bad thing. In a biological population, the introduction of a disease into a monoculture can spell doom for the entire group: since everyone is the same, everyone is vulnerable in similar ways. This is analogous to computing monocultures: if everyone is running Windows (or Mac OS X, or Linux, or whatever) and a serious compromise enters that population, then there is the danger that everyone in that group will suffer devastating losses.
This reference, of course, points back to the one and only Dan Geer "CyberInsecurity" paper, which caught so much attention when it was published because of the ramifications of its release.
Now, I know better than to contradict Dan Geer. And I won't, because I believe his paper to be absolutely true. But there's a limit to how far the analogy holds; my laptop is not a Rhesus Monkey, a Lemur, or even a bacterium. While populations of machines can (and do) share a number of similarities with a population of organisms, that doesn't mean that everything that's true about organisms is true of laptops. For example, don't put a bunch of laptops in a box and expect them to start making little laptops. In other words, just because certain threats are more virulent in a monoculture world, don't assume that all of them are. And why not? First, because nobody has to manage a population of organisms, and second, because there are more bad things than plague...
Consider two environments: one has a thousand machines, each with identical OS, architecture, patch level, etc. The other also has one thousand machines, but each one has a different operating system, architecture, and patch level. Say (for the sake of argument) that two full-time administrators manage each environment - a reasonable number, right? Dan's paper points out that the first environment is much more likely to be impacted by worms, and that's true. But which environment is more manageable? Which one is more likely to have automated security tasks like patch management, central monitoring, coordinated auditing, etc.? See what I mean?
Take the OS and application patches alone. Say that the operating systems in the second environment (the non-uniform one) each require an average of two vendor patches per week for all installed services and apps (a ridiculously low number). Say each of those patches requires 5 minutes to download, prepare, and install (another ridiculously low number). Guess what: across a thousand machines that's 1,000 x 2 x 5 = 10,000 minutes, so the patching process would take 166 full-time hours every week. If you had a more MANAGEABLE environment, you could have deployed something to automate that. You could start focusing on something more strategic than patch application with all the time you'd save.
Look - monoculture does increase the risk of population-level catastrophic events. However, diversity decreases the ability to manage the environment. Reduced manageability directly increases the risk of individual-level events like targeted attacks. It's not a traditional curve where the optimal position is maximum diversity; instead, it's a bell curve: the optimal position is diversity - but manageable diversity.
Posted by Ed at March 28, 2006 05:25 PM