Opinion

Diversity Training

When systems are homogenized, security suffers.

By David H. Holtzman

June 01, 2003 | CSO — In 1980, the World Health Organization declared smallpox eradicated. However, by the end of this year, millions of health-care personnel and other first responders will have to be immunized against smallpox. How does an allegedly extinct disease become a national risk more than 20 years later? Because two decades without vaccination have left a large percentage of the population sharing the same vulnerability. And once a virus starts spreading through such a population, it is hard to stop.

This idea is just as relevant to communities of computers as it is to people, and it illustrates an unappreciated principle of systems in general and networks in particular: diversity. Diversity in computer platforms can keep a virus from sweeping through an entire population of machines.

But, in truth, a large percentage of the population does use the same computer platform. The antitrust case against Microsoft was meant to protect free trade, but an argument could be made that the government should also take steps to protect technodiversity for security's sake. Even a benevolent monopoly is dangerous because it becomes indispensable. If a virus or worm targets those ubiquitous systems, we are all affected because there is no vaccinated population able to withstand the attack.

Standardization, for all its benefits, is insidious because it enables virulent attacks to spread everywhere through common communications protocols, faster than an open-mouthed sneeze in Grand Central Station at rush hour.

Exacerbating this problem are convenience features built upon a homogenized computer environment, such as centralized patching. Patching software used to be a low-priority task for administrators; it was common to see different releases of the same program running side by side. It might have been a bit of an administrative headache, but it actually worked as a benefit to a network's immune system: one system might get infected by a virus while another did not.

Unfortunately, today's applications upgrade themselves automatically. Bugs, glitches and holes that would have affected only early adopters or a few computers on a network can now become an epidemic before they're even spotted. The convenience of automation has led to uniformity, and uniformity in turn has enabled mass exposure to viral threats.

Diversity creates a natural firebreak for computers. I have never seen a virus that can infect both Linux and Windows boxes, and only a few can cross between Macs and PCs. In fact, the earliest warning of a network attack is often a log entry caused by one such system rejecting a virus even as the other system is infected.
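The log-entry warning described above, as an added example that is not part of Holtzman's column: a small Python scanner that reads Apache-style access-log lines and flags request paths characteristic of two IIS worms of the period, Code Red (its default.ida overflow probe) and Nimda (its cmd.exe and root.exe probes). Those signatures are well-documented public facts, not anything the article cites. An Apache host cannot run the payload, so every probe is answered with a 404, but those 404s are exactly the firebreak host acting as a sensor for the rest of the network. The sample log lines are constructed for this example, using RFC 5737 documentation addresses, not captured traffic.

```python
"""
Added example: a heterogeneous host used as an early-warning sensor.

An Apache server cannot be infected by a worm that exploits IIS, so the
worm's probes fail with 404. The failed requests still land in the access
log, and their shape identifies the worm before any IIS box reports trouble.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Public, well-documented request signatures of IIS-targeting worms (2001-2003).
# They are useful here precisely because this host is NOT IIS: a hit proves a
# worm is sweeping the network while the host itself stays uninfected.
IIS_WORM_PATTERNS = {
    "code-red": re.compile(r"^/default\.ida\?", re.IGNORECASE),
    "nimda": re.compile(r"/(?:root|cmd)\.exe(?:\?|$)", re.IGNORECASE),
}


@dataclass(frozen=True)
class Alert:
    ts: datetime
    ip: str
    family: str
    path: str
    status: int


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into ip, timestamp, path and status."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or truncated line: skip it, never crash
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def classify(path: str) -> Optional[str]:
    """Return the worm family whose probe this request path matches, if any."""
    for family, pattern in IIS_WORM_PATTERNS.items():
        if pattern.search(path):
            return family
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Turn every worm-shaped request in the log into an Alert."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        family = classify(rec["path"])
        if family:
            alerts.append(Alert(rec["ts"], rec["ip"], family, rec["path"], rec["status"]))
    return alerts


def attacking_hosts(alerts: Iterable[Alert]) -> List[str]:
    """Distinct source addresses: the machines that are already infected."""
    return sorted({a.ip for a in alerts})


def first_seen(alerts: Iterable[Alert]) -> Dict[str, datetime]:
    """Earliest timestamp per worm family, i.e. the earliest warning."""
    seen: Dict[str, datetime] = {}
    for a in alerts:
        if a.family not in seen or a.ts < seen[a.family]:
            seen[a.family] = a.ts
    return seen


# Constructed sample log (not captured traffic): two infected hosts probing an
# Apache server that answers 404 to every IIS-only path, plus normal browsing.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2001:09:42:11 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"
203.0.113.7 - - [18/Sep/2001:09:42:12 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
198.51.100.23 - - [18/Sep/2001:09:43:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 289 "-" "-"
192.0.2.44 - - [18/Sep/2001:09:44:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.45 - - [18/Sep/2001:09:45:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/4.0"
198.51.100.23 - - [18/Sep/2001:09:45:17 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301 "-" "-"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    print(f"{len(found)} worm probes; all rejected: {all(a.status == 404 for a in found)}")
    print("infected sources:", attacking_hosts(found))
    counts = Counter(a.family for a in found)
    for family, ts in sorted(first_seen(found).items()):
        print(f"{family:8s} first seen {ts.isoformat()} ({counts[family]} probes)")
```

The point of the 404 check is that the sensor host is never at risk from what it is detecting; in a monoculture the same requests would be successful infections, and the log entry would arrive, if at all, after the fact.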

I'm not advocating that companies create fully redundant hardware and software environments. That, of course, is rarely affordable. On the other hand, it's good practice to be wary, in general, of single points of failure, whether hardware, software or human. Single-vendor solutions will always create such a weakness. What's more, homogeneity encourages sloppy internal practices by "certified" security experts who have been trained to use a specific application and who lack the foundational expertise to adapt to new situations, let alone to diversify.
