Reading Rich Mogull over on Securosis this week, I became aware that the Information Security Magazine’s November issue has a feature with Bruce Schneier and Marcus Ranum revisiting the “security monoculture” argument put forth in the paper “CyberInsecurity: The Cost of Monopoly – How the Dominance of Microsoft’s Products Poses a Risk to Security” in 2003. Authors of the original paper included Schneier, Dan Geer, Dr Charles Pfleeger, John S. Quartermain, Perry Metzger, Rebecca Bace and Peter Gutmann. As Rich Mogull says, back in the day, terms like “domino effect” and catastrophic failure were frequently linked to the concept of monoculture. It even has a small wikipedia page.
Here is how Schneier summarizes the original monoculture argument in Information Security Magazine:
In 2003, a group of security experts — myself included — published a paper saying that 1) software monocultures are dangerous and 2) Microsoft, being the largest creator of monocultures out there, is the most dangerous.
In response to the public discussion of monoculture after the publication of the paper, Marcus Ranum published an essay, in which he questioned both the existence of a monoculture and the relevance of the comparison to computing.
Fast forward to today and read the article to understand how Schneir and Ranum’s views have changed (or not) in the past 7 years.
Here are some excerpts that I think highlight the new perspectives:
This analysis makes sense as far as it goes, but suffers from three basic flaws. The first is the assumption that our IT monoculture is as simple as the potato’s. When the particularly virulent Storm worm hit, it only affected from 1–10 million of its billion-plus possible victims. Why? Because some computers were running updated antivirus software, or were within locked-down networks, or whatever. Two computers might be running the same OS or applications software, but they’ll be inside different networks with different firewalls and IDSs and router policies, they’ll have different antivirus programs and different patch levels and different configurations, and they’ll be in different parts of the Internet connected to different servers running different services. As Marcus pointed out back in 2003, they’ll be a little bit different themselves. That’s one of the reasons large-scale Internet worms don’t infect everyone — as well as the network’s ability to quickly develop and deploy patches, new antivirus signatures, new IPS signatures, and so on.
The second flaw in the monoculture analysis is that it downplays the cost of diversity. Sure, it would be great if a corporate IT department ran half Windows and half Linux, or half Apache and half Microsoft IIS, but doing so would require more expertise and cost more money. It wouldn’t cost twice the expertise and money — there is some overlap — but there are significant economies of scale that result from everyone using the same software and configuration. A single operating system locked down by experts is far more secure than two operating systems configured by sysadmins who aren’t so expert. Sometimes, as Mark Twain said: “Put all your eggs in one basket, and then guard that basket!”
The third flaw is that you can only get a limited amount of diversity by using two operating systems, or routers from three vendors. South American potato diversity comes from hundreds of different varieties. Genetic diversity comes from millions of different genomes. In monoculture terms, two is little better than one. Even worse, since a network’s security is primarily the minimum of the security of its components, a diverse network is less secure because it is vulnerable to attacks against any of its heterogeneous components.
Rather than quote Marcus, let me paraphrase him, “see, I was right!” Seriously, Marcus is more articulate and thoughtful than that, but you should read the article to get those details
Best regards, Jeff