Expert Roundup: The Impact of Software Monocultures on Security Across Organizations

The term “monoculture” is defined as “An environment in which the predominance of systems run apparently identical software components for some or all services.” Why does it seem to be a bad thing? “Such systems share vulnerabilities; hence they are at risk to the rapid spread of a virus or other malware vector, or vulnerabilities.”

From a security point of view, the environment is not only a set of software components including security tools but also the set of configurations for each component or software as a whole. What configurations are needed for security? It is a list of settings you should correctly set up, including passwords, even profiling different lists of settings for your needs. Isn’t this a lack of “monoculture”?

It’s a combination of settings for antivirus (AV) or browsers or firewalls, software patching. The monoculture has not become itself unless the one vendor builds all security tools, network-related things, all OS, all applications and, the important thing, establishes all security settings for everyone. However, it is not going to happen even in companies because the administrator builds different security settings for everyone.

Let’s consider three mobile phones almost identical but two of them with different passwords and one without a password, because a password is part of settings known as ‘locking screen.’ Is it still a monocultural software when it is possible to break into one device that does not have a password? What about the two others? Is one more secure than the other one or it is possible to bypass the locking password without a knowledge of it? It is possible than monocultural issue exists because there is a relationship to OS version issues or even brand issues. In the first case “no password” we consider that the user fails, while another example is considered to be the device’s vendor or OS vendor issue.

At the same time, same systems share the same unconditional security level, except that part where a user directly impacts on security by changing its settings.  For example, when Android OS fails to protect us, we have mobile devices with pre-installed iOS and vice versa. This is the same situation with mobile applications. So, we can examine some facts about OS and apps and how the “monoculture” vs. “diversity.” How are mobile devices insecure without talking about vulnerabilities? The forensics gives us almost a 100% answer if it is possible to break into device data. What do we know about the diversity of mobile devices running iOS? More than 60 iOS versions are commercially available and are spread among 20+ different iPhones, 30+ iPad models. The first thing about diversity monoculture is: If you set up a password for your backup file then it is much easier to break when the password is not set because in this case, the password is hardware-based in fact. This is how the diversity of password settings decrease your security. How secure are the user passwords? According to the Elcomsoft article

·        iOS 4 to 9 (and 10.1): about 150,000 passwords per second on GPU (NVIDIA GeForce 1080)

·        iOS 10.0: about 6,000,000 passwords per second with Intel i5 CPU due to a bug we discovered

·        iOS 10.2 and up (incl. iOS 11): about 5 passwords per minute (CPU); ~100 passwords per second on GPU

The simple solution to avoid ‘monoculture’ is not using these outdated devices. You can read Yury’s presentation “The rise of security assistants over security audit services” from Defcamp Conference in 2017.

iOS is a good example of “monoculture” trends at first glance, that could be something like “Apple solutions are insecure and selling more Apple-solutions makes the situation worse than better.” However, you will have simple answers about conditions if it is possible to break into the device:

• CPU, Device and Model, OS type and Version
• Jailbroken or not and Jailbreak Availability
• Should Be Unlocked
• Passcode/TouchID
• Passcode Can Be Bypassed/Quickly Recovered
• LockdownRecord Supported/Required
• Device and Backup Password Bruteforced

Everyone who’s in a rush to say we should move to Android, must make sure the diversity works in the right way and does not bring new security issues. There are more than 50+ Android versions commercially available, and are spread among 180+ brands with thousands of different device models. Is not it the diversity everyone wishes? Can we find the simple answer if it is possible to break into Android devices? No.

Having one platform and one device brand supported is much easier to manage than the array of platforms multiplied by numerous device types. But even if we support one brand and one OS, people with different jobs have a wide range of needs, so no one supplier/device/app can meet all of them. This is known as BYOD. Nevertheless, the trend towards money savings and more flexibility has put us away from IT monoculture. Some monoculture is necessary for networks. If we communicate each other, we must use TCP/IP, SSL/TLS HTML, PDF, and other well-known protocols. The SSL/TLS is one of them are vulnerable to Man-in-the-Middle attacks when it comes to the particular OS and version.

Continue talking about mobile apps we’ve known many fails when data items transmitted in a plaintext (old releases of Instagram apps, simple taxi apps, apps that are transmitting media files, such as Foursquare or Swarm, etc.) and most of the apps store user data items (conversations, attachments, media, profiles) locally on the device without protection as well. Despite the diversity of OS and apps’ developers, we have the same issues with locally stored data on the devices that help forensics team extract user data a lot easier.

The modern monoculture is not more about environment unless every detail is the same to another one. Everyone has equipped himself with a range of devices from a dozen different manufacturers, different app versions. This trend towards mobile to the “monocultural” behavior more than the environment. In this case, we fall less into an attractive analogy for a security issues, and not ignore the fact that the actual problem in its real context is much useful to solve our problems, like there is no the lesson here “worry about monoculture” but the lesson “keep your immune system up to date and avoid insecure cases”.

So is it an appropriate metaphor? Take, for example, the Great Famine in Ireland in the mid-19th century. The Duke of Devon, chairing a Royal Commission enquiring into the Irish land question, reported of the Irish cottier class:

‘…in many districts, their only food is the potato…’

Not just the potato, but in particular the ‘Irish Lumper’, a variety not only grown extensively across the region but also notably susceptible to ‘late blight’ caused by Phytophthora infestans. So when that microorganism found its way to Ireland, the effect was devastating.

However, let’s not panic about the likelihood of an IT-driven disaster on that scale (not that I’m going to discount it altogether). Most areas of computing are not so specialized as to constitute a total monoculture: while Windows versions represent an enormous combined slice of the desktop market share, there are enough different versions to resemble the model of multiple strains of a single crop, rather than a model of absolute monoculture like those regions where just one strain of potato was grown. Even Microsoft’s long-held ascendancy in terms of office productivity suites has been threatened (in the Cloud, at least) by Google Apps, not to mention desktop-oriented semi-clones like LibreOffice. In any case, many organizations are to some extent polycultural, with various departments and even individuals that may be most reliant on different systems and applications.

Having spent much of my early career in IT in support, I’m fully aware of the stresses and strains of an environment where people may use any number of versions of operating systems and applications. A more homogenized computing environment has significant strategic and economic advantages in that it reduces the need for specialized support (or for all support staff to know about everything) and a narrower range of system, application, and security training (insofar as even security training may be application-specific).

I’m not sure, however, how many organizations are as homogeneous as the homesteads of those Irish tenants. The potato is mostly propagated vegetatively rather than by seed, so in the case of the Great Famine, the widespread damage of crops due to late blight was aggravated by the fact that so many of the potatoes grown in Ireland at that time were effectively genetically identical. Genetic inheritance in software is a less cut-and-dried phenomenon. Even where the same operating system is used all across an organization, the likelihood that there will be a range of versions and apps in use, and within that range that OS will run on different hardware, and take the form of different builds, with differing update status. And because it’s rather unusual for any organization to consist entirely of people doing exactly the same job with exactly the same applications, it’s also unusual for all staff to be equally at risk from malware or a vulnerability.

But let’s not be complacent: it doesn’t have to be about being equally at risk. Consider the macro virus epidemic that reigned for several years in the 1990s. While many macro viruses were quite effective at infecting vulnerable versions of Word (Mac versions earlier than 6.0 didn’t support WordBasic), their payloads were usually Windows-specific, so their direct impact on users of infected Macs wasn’t great. However, in organizations with a large population of Mac users, those users became a sort of Typhoid Mary, foci for potential infection of systems that were vulnerable not only to infection but also to the execution of payload.

Apart from opportunity costs entailed by clean-ups on- and off-site, there was the damage caused by the sharing of infected documents with other organizations and individuals. Not only damage caused by direct infection and execution of the malware, but the damage to the reputations of the organizations and individuals inadvertently spreading it. Since commercial antivirus programs for Windows were pretty effective at detecting macro viruses, properly protected users of the much maligned and heavily malware-targeted Windows were actually less exposed to such risks as reputational damage.

This is an example of heterogeneous malware transmission (to adopt a term coined by Pete Radatti) where the quasi-monocultural use of a specific application led to a serious security issue. A more dramatic example might be the Internet Worm (Morris Worm) of 1988. This particular malware only directly affected certain UNIX machines. However, its effect on the services – notably mail services – supplied by those machines was seriously disruptive to a very large proportion of users of the Internet. Given the far wider range of systems now connected to the Internet, you might think the likelihood of a comparable incident to be unlikely, but it’s not impossible. We have, for instance, seen widespread disruption as a result of attacks on Apache-driven servers.

Nor is it safe to rely on the security of a ‘better-than-Microsoft’ or ‘better-than-Android’ operating system. Considering a recent iOS hack it’s overstating the case to claim that ‘Apple is losing the [sic] security robustness’, but the story does indicate how closely iOS, like other operating systems, is being watched. However, there’s little doubt that it’s the products with the biggest market share that get the most attention from the bad guys.

It’s important to remember, though, that while vulnerabilities in operating systems and applications get a huge amount of attention, an awful lot of malware succeeds not because of technical exploits, but by the exploitation of human psychology that we call social engineering. If social engineering is backed up by viable technology, no system is safe.

In the event that everybody is utilizing the same framework or similar applications or the same systems administration rules, and security vulnerability are found in that OS or software, a single can influence everybody. This is the issue of Internet worms which can infect a large number of PCs on the web.

This investigation bodes experiences three essential imperfections. The first is the suspicion that our software monoculture is as basic as the least valuable thing to us. Two PCs may run a similar OS or software, yet they’ll be inside various systems with various firewalls and IDSs and switch strategies, they’ll have distinctive antivirus software and distinctive setups, and they’ll be in various parts of the Internet associated with various servers running diverse administrations.

The second imperfection in software monoculture is that it minimizes the amount of diversity. Indeed, it would be extraordinary if a corporate IT division ran half Windows and half Linux, yet doing as such would require more ability and cost more cash. It wouldn’t cost double the aptitude and cash yet there are huge economies of scale that outcome from everybody utilizing a same operating system.

The third imperfection is that you can just get a constrained measure of variety by utilizing two working frameworks, or switches from three routers. In monoculture terms, two is superior to one. Since a system’s security is essentially the base of the security, a diverse system is less secure in light of the fact that it is helpless against assaults against any of its unrelated segments.

Some monoculture is fundamental in PC systems. We all just need to utilize TCP/IP, HTML, PDF, and a wide range of different extensions that are necessary. Truly, there will be the distinctive usage of a similar format – and this is something to be thankful for – yet that won’t ensure you totally. You can’t be excessively the same as every other person on the Internet.

Second, numerous individuals feel that if software monoculture left, so too would programmers and malware. That is a speculation. Saying something could be limited, or even diminished, is not quite the same as saying that it would take out the hazard totally.

Informing a staff to get out concerning a monoculture, you should accept that they as of now have the important ability with the new stage. It accepts that the applications they are running now can keep running on the new stage, which commonly isn’t the situation.

Obviously, security is a dependably money-saving advantage. A decent framework executive figures it out: Does the expanded cost of supporting numerous platforms counterbalances the cost of the security issues caused by a monoculture?

In a non-monoculture software world, the applications would turn out to be considerably more cross-stage and universal. It’s as of now happening. XML is the information interface friend in need of the world. Adobe PDFs are destined to be supplanted by OpenDocument – designed records. With OpenDocument, regardless of what stage you influence your archive on, it too can be perused by whatever another stage that backings it – and OpenDocument is without eminence. Adobe’s PDF arrange is excellent, yet you can’t make PDFs of anything.

Cross-stage dangers aren’t new by any measure. Indeed, even as of late, there were numerous cross-stage dangers that could taint DOS, Windows, and Apple Macs all the while. A month ago an exhibition infection called Lindose demonstrated that a single malware code could taint Windows and Linux running devices in the meantime.

A non-computer monoculture isn’t really an awful thing; Our advice will be to pick the correct device and stage for the activity. Adapting new stages and extending your insight is something worth being thankful for. In any case, we should ensure we express the advantages of a non-monoculture accurately. For a few conditions, it may work. For some others, it would be a considerable measure of extra cost and push to wind up with a similar issue – or more terrible.