Expert Roundup: The Impact of Software Monocultures on Security Across Organizations
Why we need diversity to better fight against major online threats
The idea behind software monoculture is that users and organizations alike tend to standardize on one type of software product, so when a zero-day attack hits that product they have difficulty dealing with it. With only a limited number of software products in use, users can be more vulnerable and exposed to massive cyber attacks like WannaCry or NotPetya.
Knowing that cyber security experts are deeply involved in studying the causes and evolution of these frequent online threats, we decided to ask for their opinions on the topic of “software monoculture”. Each of these experts brings a different perspective to the question, so we recommend reading all of their answers.
Hopefully, these answers will help clarify some of the challenges organizations might face, and we think they will also inspire you to act for your own online safety. You’ll find a “Read full text” link on some of them – don’t hesitate to click it to read their entire contributions. What’s more, we plan to keep this roundup open and updated, so if you want to contribute, we would be happy to hear from you!
Time to see what these cyber security specialists answered when we asked:
“How would you evaluate the impact of software monocultures on security across organizations around the world?”
Use these links to easily navigate and read the security experts’ opinions.
- Catalin Patrascu – CERT-RO – Coordinator of the Incident Handling Team
- Yury Chemerkin – Security Expert at JSC Advanced Monitoring
- David Harley – Senior Research Fellow at ESET
- Peter Buttler – Security Consultant at PrivacyEnd
- Patrick Coomans – B-Hive Europe
- Vladimir Taratushka – Conference Director at HackIT
Catalin Patrascu is the Coordinator of the Incident Handling Team at CERT-RO. He is an experienced cyber security specialist and is currently responsible for coordinating the incident handling team of the Romanian National Computer Security Incident Response Team (CERT-RO). He can be reached on Twitter.
Software monoculture is dangerous for the same reason almost any other monoculture is, as exemplified by the terrible Irish Potato Famine of 1845–1849. In short, the biggest problem of software monoculture is the potential exposure to one vulnerability, a 0-day for example.
We actually saw in recent years how rapidly a large number of systems can be compromised due to the simple fact that they are based on the same software, with the WannaCry attack perfectly showcasing the potential danger. Another relevant example is the CMS market, where we have had a clear winner in terms of market share lately, a situation that has led to widespread mass website attacks every time a vulnerability is discovered in the platform.
I would say that in the end, it’s a matter of risk assessment, which is a must for any organization. And if we think about the software used in different zones and for different systems of a company’s IT infrastructure, like users’ workstations, database servers, web servers, etc., it’s obvious that we want to avoid putting all the eggs in the same basket. For example, using the same operating system family on all IT systems could have a huge impact on security, and on the entire business in the end, because of the ransomware threat, for example, risking having all the data on all systems encrypted.
The problem is that software monoculture is very tempting for cost and IT management efficiency reasons. Having multiple software platforms to manage leads to bigger costs for development, administration, licensing, maintenance, etc. And now it all also becomes a cost-benefit matter. At least apparently, the only benefit of using multiple software technologies, especially when it’s not imposed by other objective reasons, is that you avoid the risk of putting all the eggs in the same basket and therefore have better security. Would this be easily explained as a benefit to the CEOs or even CTOs of companies? Maybe that’s the general problem of security: the only benefit of better security is security.
In the end, I would say that software monoculture is something that should be avoided as much as possible in any organization. But of course, this should be done without raising the management and administration complexity of the infrastructure too much.
Security Expert @ JSC Advanced Monitoring
He is a multi-skilled security expert in security & compliance, mainly focused on privacy and leakage showdown. His key activity fields are EMM and Mobile Computing, IAM, Cloud Computing, Forensics & Compliance. You can reach him on LinkedIn.
The term “monoculture” is defined as “An environment in which the predominance of systems run apparently identical software components for some or all services.” Why does it seem to be a bad thing? “Such systems share vulnerabilities; hence they are at risk to the rapid spread of a virus or other malware vector, or vulnerabilities.”
From a security point of view, the environment is not only a set of software components, including security tools, but also the set of configurations for each component or for the software as a whole. What configurations are needed for security? It is a list of settings you should set up correctly, including passwords, even profiling different lists of settings for your needs. Isn’t this a lack of “monoculture”?
It’s a combination of settings for antivirus (AV), browsers, firewalls and software patching. The monoculture has not become itself unless one vendor builds all security tools, network-related things, all OSes, all applications and, the important thing, establishes all security settings for everyone. However, it is not going to happen even in companies, because the administrator builds different security settings for everyone.
Let’s consider three mobile phones that are almost identical, but two of them have different passwords and one has no password, because a password is part of the settings known as ‘lock screen.’ Is it still monocultural software when it is possible to break into the one device that does not have a password? What about the other two? Is one more secure than the other, or is it possible to bypass the lock password without knowing it? It is possible that the monocultural issue exists because there is a relationship to OS version issues or even brand issues. In the first case, “no password,” we consider that the user failed, while the other example is considered to be the device vendor’s or OS vendor’s issue.
At the same time, the same systems share the same unconditional security level, except for the part where a user directly impacts security by changing its settings. For example, when Android OS fails to protect us, we have mobile devices with pre-installed iOS, and vice versa. It is the same situation with mobile applications. So, we can examine some facts about OSes and apps and about “monoculture” vs. “diversity.” How are mobile devices insecure, without talking about vulnerabilities? Forensics gives us an almost 100% answer as to whether it is possible to break into device data. What do we know about the diversity of mobile devices running iOS? More than 60 iOS versions are commercially available and are spread among 20+ different iPhones and 30+ iPad models. The first thing about diversity vs. monoculture is: if you set up a password for your backup file, then it is much easier to break than when the password is not set, because in that case the password is in fact hardware-based. This is how the diversity of password settings decreases your security. How secure are the user passwords? According to the Elcomsoft article:
- iOS 4 to 9 (and 10.1): about 150,000 passwords per second on GPU (NVIDIA GeForce 1080)
- iOS 10.0: about 6,000,000 passwords per second with Intel i5 CPU due to a bug we discovered
- iOS 10.2 and up (incl. iOS 11): about 5 passwords per minute (CPU); ~100 passwords per second on GPU
The simple solution to avoid ‘monoculture’ is not using these outdated devices. You can read Yury’s presentation “The rise of security assistants over security audit services” from the DefCamp Conference in 2017.
iOS is a good example of “monoculture” trends at first glance; that could be something like “Apple solutions are insecure, and selling more Apple solutions makes the situation worse rather than better.” However, you will have simple answers about the conditions under which it is possible to break into the device:
- CPU, Device and Model, OS type and Version
- Jailbroken or not and Jailbreak Availability
- Should Be Unlocked
- Passcode Can Be Bypassed/Quickly Recovered
- LockdownRecord Supported/Required
- Device and Backup Password Bruteforced
Everyone who’s in a rush to say we should move to Android must make sure the diversity works in the right way and does not bring new security issues. There are 50+ Android versions commercially available, spread among 180+ brands with thousands of different device models. Isn’t that the diversity everyone wishes for? Can we find a simple answer as to whether it is possible to break into Android devices? No.
Having one platform and one device brand supported is much easier to manage than an array of platforms multiplied by numerous device types. But even if we support one brand and one OS, people with different jobs have a wide range of needs, so no single supplier/device/app can meet all of them. This is known as BYOD. Nevertheless, the trend towards money savings and more flexibility has moved us away from IT monoculture. Some monoculture is necessary for networks. If we communicate with each other, we must use TCP/IP, SSL/TLS, HTML, PDF and other well-known protocols. SSL/TLS is one of those that are vulnerable to Man-in-the-Middle attacks when it comes to a particular OS and version.
Continuing to talk about mobile apps, we have known many failures where data items were transmitted in plaintext (old releases of the Instagram app, simple taxi apps, apps that transmit media files such as Foursquare or Swarm, etc.), and most apps store user data items (conversations, attachments, media, profiles) locally on the device without protection as well. Despite the diversity of OS and app developers, we have the same issues with locally stored data on devices, which helps forensics teams extract user data a lot more easily.
Modern monoculture is no longer about the environment, unless every detail is the same as another one. Everyone has equipped himself with a range of devices from a dozen different manufacturers and different app versions. This trend moves “monocultural” behavior towards mobile more than the environment. In this case, we fall less into an attractive analogy for security issues, and do not ignore the fact that the actual problem in its real context is much more useful for solving our problems; the lesson here is not “worry about monoculture” but “keep your immune system up to date and avoid insecure cases”.
David Harley is an expert with a longstanding, rich background in cybersecurity, as well as an anti-malware researcher and author on the ESET blog, We Live Security. You can also follow him on Twitter.
Monoculture is a scientific term used in agriculture to denote the practice of growing just one single crop species at any one time in a single unit such as a field or farm. In computer security we use the term slightly differently: rather than thinking in terms of specific data ‘crops’, we apply it to the branded product lines we use to generate and process those data. Those applications cover an enormous range of functionality, from operating systems to databases, to text processing, to graphics manipulation, to mathematical and statistical calculation, to micro-apps for counting footsteps or playing MP3s, and a great deal more.
So is it an appropriate metaphor? Take, for example, the Great Famine in Ireland in the mid-19th century. The Duke of Devon, chairing a Royal Commission enquiring into the Irish land question, reported of the Irish cottier class:
‘…in many districts, their only food is the potato…’
Not just the potato, but in particular the ‘Irish Lumper’, a variety not only grown extensively across the region but also notably susceptible to ‘late blight’ caused by Phytophthora infestans. So when that microorganism found its way to Ireland, the effect was devastating.
However, let’s not panic about the likelihood of an IT-driven disaster on that scale (not that I’m going to discount it altogether). Most areas of computing are not so specialized as to constitute a total monoculture: while Windows versions represent an enormous combined slice of the desktop market share, there are enough different versions to resemble the model of multiple strains of a single crop, rather than a model of absolute monoculture like those regions where just one strain of potato was grown. Even Microsoft’s long-held ascendancy in terms of office productivity suites has been threatened (in the Cloud, at least) by Google Apps, not to mention desktop-oriented semi-clones like LibreOffice. In any case, many organizations are to some extent polycultural, with various departments and even individuals that may be most reliant on different systems and applications.
Having spent much of my early career in IT in support, I’m fully aware of the stresses and strains of an environment where people may use any number of versions of operating systems and applications. A more homogenized computing environment has significant strategic and economic advantages in that it reduces the need for specialized support (or for all support staff to know about everything) and a narrower range of system, application, and security training (insofar as even security training may be application-specific).
I’m not sure, however, how many organizations are as homogeneous as the homesteads of those Irish tenants. The potato is mostly propagated vegetatively rather than by seed, so in the case of the Great Famine, the widespread damage of crops due to late blight was aggravated by the fact that so many of the potatoes grown in Ireland at that time were effectively genetically identical. Genetic inheritance in software is a less cut-and-dried phenomenon. Even where the same operating system is used all across an organization, the likelihood is that there will be a range of versions and apps in use, and within that range the OS will run on different hardware and take the form of different builds, with differing update status. And because it’s rather unusual for any organization to consist entirely of people doing exactly the same job with exactly the same applications, it’s also unusual for all staff to be equally at risk from malware or a vulnerability.
But let’s not be complacent: it doesn’t have to be about being equally at risk. Consider the macro virus epidemic that reigned for several years in the 1990s. While many macro viruses were quite effective at infecting vulnerable versions of Word (Mac versions earlier than 6.0 didn’t support WordBasic), their payloads were usually Windows-specific, so their direct impact on users of infected Macs wasn’t great. However, in organizations with a large population of Mac users, those users became a sort of Typhoid Mary, foci for potential infection of systems that were vulnerable not only to infection but also to the execution of payload.
Apart from opportunity costs entailed by clean-ups on- and off-site, there was the damage caused by the sharing of infected documents with other organizations and individuals. Not only damage caused by direct infection and execution of the malware, but the damage to the reputations of the organizations and individuals inadvertently spreading it. Since commercial antivirus programs for Windows were pretty effective at detecting macro viruses, properly protected users of the much maligned and heavily malware-targeted Windows were actually less exposed to such risks as reputational damage.
This is an example of heterogeneous malware transmission (to adopt a term coined by Pete Radatti) where the quasi-monocultural use of a specific application led to a serious security issue. A more dramatic example might be the Internet Worm (Morris Worm) of 1988. This particular malware only directly affected certain UNIX machines. However, its effect on the services – notably mail services – supplied by those machines was seriously disruptive to a very large proportion of users of the Internet. Given the far wider range of systems now connected to the Internet, you might think the likelihood of a comparable incident to be unlikely, but it’s not impossible. We have, for instance, seen widespread disruption as a result of attacks on Apache-driven servers.
Nor is it safe to rely on the security of a ‘better-than-Microsoft’ or ‘better-than-Android’ operating system. Considering a recent iOS hack it’s overstating the case to claim that ‘Apple is losing the [sic] security robustness’, but the story does indicate how closely iOS, like other operating systems, is being watched. However, there’s little doubt that it’s the products with the biggest market share that get the most attention from the bad guys.
It’s important to remember, though, that while vulnerabilities in operating systems and applications get a huge amount of attention, an awful lot of malware succeeds not because of technical exploits, but by the exploitation of human psychology that we call social engineering. If social engineering is backed up by viable technology, no system is safe.
He is the CEO at Heimdal Security
The approach I would indulge everyone to take is a multi-vendor approach to security. If you don’t consider it, you leave yourself at the mercy of one company’s ability to have high-quality product intelligence and threat intelligence.
Now naturally that is doable for security companies to have – but it is quite unlikely for one to know everything. When you select a security vendor it is always important to remember a few key aspects of the choice. Not only how good the product is on its own, how well the intelligence system around it performs, but also how easy it is to use the outcome it produces.
The ability to manage the systems you use easily is of paramount importance, because not only are you looking to buy a top-grade security product, but you also want to be able to use it. And backing my own claim that a multi-vendor approach is the best, being able to make these systems work together will also be important.
The only situation where using a single vendor would be an applicable working scenario is when that vendor actively works intelligibly to integrate and use other vendors as part of the final product it delivers to end users. The reason this is valid is that the end product would then feature multiple engines and feeds not designed by the same engineers – and hence not prone to the same type of product or intelligence flaws, effectively bridging gaps between the layers.
A software monoculture is a worldview that says if every one of your PCs is of one kind or OS, you are more in danger of an attack because of the considerable number of shared qualities the hacker can access.
Software monocultures are unsafe and Microsoft, being the biggest creator of monocultures out there, is the most hazardous. The essential issue with a monoculture is that it’s all helpless against a similar attack. Comparative dangers exist in organized PC frameworks.
So after all the diligent work, exertion, cash, and possibly some person’s blood, changing from a PC monoculture to something unique wouldn’t stop hackers and malware. It may back them off a bit for some time; however, it wouldn’t stop them for long. Indeed, monoculture is risky and decent variety is vital. In any case, putting time and exertion into guaranteeing our present foundation’s survival is significantly more imperative.
In the event that everybody is utilizing the same framework, similar applications or the same systems administration rules, and a security vulnerability is found in that OS or software, a single one can influence everybody. This is the issue with Internet worms, which can infect a large number of PCs on the web.
This investigation experiences three essential imperfections. The first is the suspicion that our software monoculture is as basic as the least valuable thing to us. Two PCs may run a similar OS or software, yet they’ll be inside various systems with various firewalls and IDSs and switch strategies, they’ll have distinctive antivirus software and distinctive setups, and they’ll be in various parts of the Internet associated with various servers running diverse administrations.
The second imperfection in software monoculture is that it minimizes the amount of diversity. Indeed, it would be extraordinary if a corporate IT division ran half Windows and half Linux, yet doing as such would require more ability and cost more cash. It wouldn’t cost double the aptitude and cash, yet there are huge economies of scale that result from everybody utilizing the same operating system.
The third imperfection is that you can just get a constrained measure of variety by utilizing two working frameworks, or switches from three routers. In monoculture terms, two is superior to one. Since a system’s security is essentially the base of the security, a diverse system is less secure in light of the fact that it is helpless against assaults against any of its unrelated segments.
Some monoculture is fundamental in PC systems. We all just need to utilize TCP/IP, HTML, PDF, and a wide range of different extensions that are necessary. Truly, there will be the distinctive usage of a similar format – and this is something to be thankful for – yet that won’t ensure you totally. You can’t be excessively the same as every other person on the Internet.
Second, numerous individuals feel that if software monoculture left, so too would programmers and malware. That is speculation. Saying something could be limited, or even diminished, is not quite the same as saying that it would take out the hazard totally.
Informing a staff to get out of a monoculture, you should accept that they as of now have the important ability with the new stage. It accepts that the applications they are running now can keep running on the new stage, which commonly isn’t the situation.
Obviously, security is dependably a money-saving advantage. A decent framework executive figures it out: does the expanded cost of supporting numerous platforms counterbalance the cost of the security issues caused by a monoculture?
In a non-monoculture software world, the applications would turn out to be considerably more cross-stage and universal. It’s as of now happening. XML is the information interface friend in need of the world. Adobe PDFs are destined to be supplanted by OpenDocument-designed records. With OpenDocument, regardless of what stage you influence your archive on, it can be perused by whatever other stage backs it – and OpenDocument is without eminence. Adobe’s PDF arrange is excellent, yet you can’t make PDFs of anything.
Cross-stage dangers aren’t new by any measure. Indeed, even as of late, there were numerous cross-stage dangers that could taint DOS, Windows, and Apple Macs all the while. A month ago an exhibition infection called Lindose demonstrated that a single malware code could taint Windows and Linux running devices in the meantime.
A non-computer monoculture isn’t really an awful thing; our advice would be to pick the correct device and stage for the activity. Adapting new stages and extending your insight is something worth being thankful for. In any case, we should ensure we express the advantages of a non-monoculture accurately. For a few conditions, it may work. For some others, it would be a considerable measure of extra cost and push to wind up with a similar issue – or more terrible.
Patrick Coomans is an entrepreneur turned coach and matchmaker. He leads CyberHive, a cybersecurity innovation community for the financial industry at B-Hive Europe. He can be found on Twitter and LinkedIn.
A lot has already been written in the past about the impact of software monocultures on security, so much that it reminds me of dinner party discussions on topics like iPhone versus Android, or Apple versus Windows. One can easily find arguments for both sides. And probably the answer will – as always – lie somewhere in the middle.
All depends on what is being defined under “security”. Is it highly critical infrastructure that if breached would result in a catastrophic event of international scale, e.g. a nuclear power plant? Or is it the total financial damage if 20% of all personal computers experience a virus outbreak?
From a (cyber) security perspective, RISK is mostly defined as LIKELIHOOD x IMPACT. The impact of an exploited vulnerability in a computer in the control room of a nuclear power plant is potentially much higher than if it would concern my son’s school laptop.
So how does having a Software Monoculture affect Likelihood and Impact? I would have to revert to my typical consultant’s answer: It Depends on the Use Case. In a typical enterprise IT environment, all maintenance has to be done within a given budget. Personally, I would prefer to have all computers in my enterprise environment run exactly the same OS and version, so that I could spend the maximum on in-house knowledge, tools, patch management and maintenance, protection, and sufficient capacity for swift incident and problem resolution. OS and application diversity simply spreads my budget thinner, making it less effective.
Let us take a look at the Security Impact of Software Monocultures by comparing with an industry that is older and much more mature: Automotive. Quality and Risk are extensively covered by Automotive Supply Chain Risk Management Strategies, and requirements are embedded in Supply Chain Certification. Total risk is typically mitigated by spreading it between a few suppliers, thus reducing the likelihood factor, and even further reduced by requiring suppliers to be e.g. ISO/TS 16949 certified.
Let us not try to reinvent the wheel in IT, rather apply cross-industry lessons learned. My personal preference would go out to maintaining a shortlist of 2 to 4 different software vendors/versions for every application, depending on use case, and requiring vendors to continuously deliver proof of robustness from a security perspective (software quality, release management quality, ability to execute quickly on vulnerabilities found, etc.). I can’t hide that I am a strong proponent of rigorous certification, provided the certification process itself is meaningful, applicable, rigorous and continuous as well. Compare to PCI DSS: if this is only a check-in-the-box yearly exercise, PCI certification is absolutely meaningless. If it is a representation of a company’s internal values and core beliefs, it does make sense.
And finally, let me conclude that I would feel much safer about software security if there were much better information sharing and common efforts between government and industry regarding software vulnerabilities. Think of the government’s role in warranting automotive and roadside security and safety.
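The tension running through the roundup, between Catalin’s “all the eggs in the same basket” argument, Peter’s point that a diverse system is exposed to attacks on any of its components, and Patrick’s RISK = LIKELIHOOD x IMPACT, can be put into numbers. The model below is an added example, not material from the roundup or any of its contributors; the function names, the fleet sizes and the per-platform probabilities are all constructed, and it assumes each platform has an independent chance of a critical, wormable vulnerability in a period and that a hit platform loses every host running it.

```python
"""Monoculture vs. diversity: a small risk model (added example).

Assumptions (ours, not the roundup's): each platform has an independent
probability of suffering a critical, wormable vulnerability in a given period,
and when a platform falls, every host running it is lost.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class FleetRisk:
    p_any_incident: float       # probability that at least one platform is hit
    expected_hosts_lost: float  # sum over platforms of likelihood x impact
    worst_single_event: int     # hosts lost if the largest platform falls
    total_hosts: int

    @property
    def worst_single_fraction(self) -> float:
        """Blast radius of one vulnerability, as a fraction of the fleet."""
        return self.worst_single_event / self.total_hosts


def fleet_risk(fleet: dict[str, int], p_vuln: dict[str, float]) -> FleetRisk:
    """Score one fleet composition.

    fleet:  platform -> number of hosts running it, e.g. {"A": 70, "B": 30}
    p_vuln: platform -> probability that it is hit in the period
    """
    present = {name: n for name, n in fleet.items() if n > 0}
    if not present:
        raise ValueError("fleet has no hosts")
    missing = sorted(set(present) - set(p_vuln))
    if missing:
        raise ValueError(f"no vulnerability estimate for {missing}")
    for name in present:
        if not 0.0 <= p_vuln[name] <= 1.0:
            raise ValueError(f"probability for {name!r} must be in [0, 1]")

    # Independent platforms: P(nothing is hit) is the product of (1 - p_i),
    # so every platform added to the fleet raises P(some incident).
    p_none = 1.0
    for name in present:
        p_none *= 1.0 - p_vuln[name]

    # Expected loss is linear in the split; the worst single event is not.
    expected = sum(n * p_vuln[name] for name, n in present.items())
    return FleetRisk(
        p_any_incident=1.0 - p_none,
        expected_hosts_lost=expected,
        worst_single_event=max(present.values()),
        total_hosts=sum(present.values()),
    )


def compare(fleets: dict[str, dict[str, int]],
            p_vuln: dict[str, float]) -> list[tuple[str, FleetRisk]]:
    """Score several candidate fleet compositions under the same estimates."""
    return [(label, fleet_risk(fleet, p_vuln)) for label, fleet in fleets.items()]


if __name__ == "__main__":
    # Constructed scenario: 100 hosts, four candidate platforms, each with an
    # assumed 20 % chance of a critical vulnerability in the period.
    estimates = {"A": 0.20, "B": 0.20, "C": 0.20, "D": 0.20}
    candidates = {
        "monoculture (100 x A)": {"A": 100},
        "two platforms (50/50)": {"A": 50, "B": 50},
        "four platforms (25 each)": {"A": 25, "B": 25, "C": 25, "D": 25},
    }
    print(f"{'fleet':<26}{'P(any hit)':>12}{'E[lost]':>10}{'worst':>8}")
    for label, r in compare(candidates, estimates):
        print(f"{label:<26}{r.p_any_incident:>12.3f}"
              f"{r.expected_hosts_lost:>10.1f}{r.worst_single_event:>8}")
    # With equal estimates the expected loss is the same on every row: diversity
    # buys a smaller worst case at the price of a higher chance of some incident.
```

Changing the estimates so that one platform is judged less likely to be hit (say 0.05 instead of 0.20) shows the other lever Patrick describes: expected loss then falls with the share of hosts moved onto the more robust platform, while the worst-case blast radius is governed only by the size of the largest group.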
Vladimir has been a computer geek since the age of 6; he started hacking in games and later commercial software. He studied information and economic security. He is the co-founder of a blockchain startup and has mined bitcoins since the price was $27.
The software monoculture paradigm is easy to use, maintain and monitor. Workplaces could be very strong and defended, but it’s extremely weak against APT attacks.
If somebody finds a way to get into one computer, he will automatically get full access. And also, the more researchers working on software, the more bugs they will find. Look at bug bounty platforms: the companies that have the most bugs are the oldest ones, as BB programs publish. The casino always wins.
We want to thank everyone who took the time to share their input, answer this question and provide the community with some necessary insights on this topic.
Do you have another perspective on the impact of software monocultures on security? Please let us know what you think.