Saturday, March 20, 2010


Archive for the ‘Monoculture’ Category

Grimes on Monoculture

I saw a fantastic article today by Roger Grimes about the mythology of computing monocultures; great stuff and right in line with our opinion on this topic:

And if you think patching Windows is hard, try keeping up with several OSes. I sometimes curse out loud because of all the mailing lists I have to track and all the tools I have to use to make sure my systems are patched. I’m pretty sure that, as the number of platforms increases, the amount of consistent, thorough patching decreases.

So, props to Grimes for using his head and for taking a somewhat controversial position.


My laptop is not a Rhesus Monkey

The Register had an article today, “As Emperor of Security, I hereby decree…” It caught my attention since it was so atypical in style. The author spends some time discussing the things that he would decree if made emperor of security. Neat concept, right? I thought so too.

The mandates were totalitarian and restrictive, purposefully so (that’s sort of the point, right?). Some of them were good ideas (mandatory education for all new computer users), some were bad ideas (fines for insecure software), and some had both good points and bad points (mandatory anti-virus, anti-spyware, and firewall software). However, what really got me thinking was the discussion about “mandatory monocultures”:

It’s pretty well been proven that operating system monocultures are a bad thing. In a biological population, the introduction of a disease into a monoculture can spell doom for the entire group: since everyone is the same, everyone is vulnerable in similar ways. This is analogous to computing monocultures: if everyone is running Windows (or Mac OS X, or Linux, or whatever) and a serious compromise enters that population, then there is the danger that everyone in that group will suffer devastating losses.

This reference, of course, points back to the one and only Dan Geer “CyberInsecurity” paper that caught so much attention when it was published because of the ramifications of its release.

Now, I know better than to contradict Dan Geer. And I won’t, because I believe his paper to be absolutely true. But there’s a limit to how far the analogy holds; my laptop is not a Rhesus Monkey, a Lemur, or even a bacterium. While populations of machines can (and do) share a number of similarities with a population of organisms, that doesn’t mean that everything that’s true about organisms is true of laptops. For example, don’t put a bunch of laptops in a box and expect them to start making little laptops. In other words, just because certain threats are more virulent in a monoculture world, don’t assume that all of them are. And why not? First, because nobody has to manage a population of organisms, and second, because there are more bad things than plague…

Consider two environments: one has a thousand machines, each with identical OS, architecture, patch level, etc. The other also has one thousand machines, but each one has a different operating system, architecture, and patch level. Say (for the sake of argument) that two full-time administrators manage each environment – a reasonable number, right? Dan’s paper points out that the first environment is much more likely to be impacted by worms, and that’s true. But which environment is more manageable? Which one is more likely to have automated security tasks like patch management, central monitoring, coordinated auditing, etc.? See what I mean?

Take the OS and application patches alone. Say that the operating systems in the second environment (the non-uniform one) each require an average of two vendor patches per week for all installed services and apps (a ridiculously low number). Say each of those patches requires 5 minutes to download, prepare, and install (another ridiculously low number). Guess what: that patching process would take 166 full-time hours. If you had a more MANAGEABLE environment, you could have deployed something to automate that. You could start focusing on something more strategic than patch application with all the time you’d save.

Look – monoculture does increase the risk of population-level catastrophic events. However, diversity decreases the ability to manage the environment. Reduced manageability directly increases the risk of individual-level events like targeted attack. It’s not a traditional curve where the optimal position is maximum diversity; instead, it’s a bell curve: the optimal position is diversity – but manageable diversity.


Winn’s Mad as Hell… and so am I!

Alright, apparently Winn Schwartau has decided that he can no longer tolerate the centrality of Windows in the marketplace, and he is deciding to run a hypothetical company using Mac to see where that gets him. Now, I try to be non-biased about operating systems – I use a few of them here: Solaris, Windows 2003 Server, XP, and as my typical desktop operating platform, OS X Tiger on a Macintosh iBook. I’m not a bigot about operating systems – seriously.

I am, however, also a fan of objectivity. Scientists use “double blind” techniques and other approaches to attempt to reduce bias on the part of the observer in analyzing the way that things behave. It seems to me that, by initiating an analysis with the phrase “an experiment predicated on the hypothesis that the WinTel platform represents the greatest violation of the basic tenets of information security and has become a national economic security risk”, Winn might be approaching the issue with a touch of bias…

Seriously, is there any question what his “results” will be at the end of this? Why even bother doing the experiment if the bias is so strong? I’m not expecting the press to be warded off based on the flawed nature of his science; in fact, I’m sure it’ll be a press extravaganza. However, I’m hoping that the folks in the field actually making security and business decisions are smart enough to see through this transparent stunt.
