Enterprise Software

Never use buzzwords to justify decisions without understanding them

The term "monoculture" gets a lot of traction in IT security circles. Unfortunately, it gets misused as often as it gets used, and sometimes that leads to an increase in the vulnerability of IT resources.

You've probably heard the word "monoculture" in the context of IT security before now. It's a metaphorical reference to a concept in evolutionary biology, where it denotes a lack of genetic diversity. That lack of diversity means that if one member of a group (i.e., a species) has a vulnerability to some virus or other contagion, they all do. A single virus can wipe out the entire group. This is one reason incest is bad — because it increases the monoculture characteristics of the group, since no genetic diversity is being introduced from outside the family tree.

In the IT security context, the term "monoculture" is usually used to refer to instances where all systems of a given class are running the same operating system. It also gets used in reference to other types of software, but it's mostly the subject of operating systems that attracts the use of the term. Initially, the term was used in connection with IT security to refer to the dominance of Microsoft Windows in specific niches, where industry statistics tend to indicate that the share of systems running MS Windows is more than 90% — ignoring for the moment the likelihood such statistics are accurate.

The fear is that such overhwelming dominance of the workstation and home desktop market by a single operating system and certain key applications that run on that OS, and its known tendency to be vulnerable to viruses and other threats, presents a significant risk to the Internet at large. That risk has been realized many times in recent years, from before SQL Slammer to the present day when Conficker variants are still doing newsworthy damage.

As time goes on, the idea of an IT monoculture gets used in less specific ways. The most common use I've seen of the term lately has been in reference to a single network. People talk about the idea of increased vulnerability within a single home or business network caused by a "monoculture", suggesting that having a network comprised (primarily) of a single OS is the manifestation of a deathwish, and that having a shotgun-spray of OSes instead makes your network somehow better protected.

The truth is that the monoculture effect doesn't really apply at the individual network scale that way. People see someone warning against the dangers of a software monoculture, and they think that means that having no more than a single OS amongst a number of computers makes them more vulnerable. The kind of vulnerability being discussed in each case is different, however.

At the Internet-wide level, where the "monoculture" danger is most applicable, the vulnerability being discussed is the vulnerability of the whole system to a single threat. This means that if you're using the same software as everyone else, and everybody else is affected by the same computer virus, you'll be affected too. The kind of vulnerability discussed at the level of the individual network is the vulnerability to any system on the network being affected. At that level, where all the systems in the network are within your particular area of responsibility, you should be selecting software to ensure the best functionality and security characteristics for the systems' purposes. The reason multiple OSes provides resilience is redundancy, which isn't really very well provided via multiple OSes in a local network context.

Far from increasing your security, using multiple OSes can actually increase your vulnerability, if you're doing so without good reason. I use more than one OS on a network; in fact, one could argue that I'm running seven of them on this network (though I think it's more accurate to say there are five OSes, since the other two are just release versions of the same OS line). There are good reasons for using all of those OSes, reasons that trump the benefits of reducing vulnerability by reducing the number of OSes I have on the network so that an automated threat's chance of accidentially picking the right OS to target when aiming at me is reduced.

The fact is that to be smart about security you must be very smart about any decisions to use more than one OS. A recent trojan threat called Trojan.Flush.M can affect the security of an entire DHCP network, no matter how many OSes you have running on it. All that you need to be vulnerable to this is one single computer running MS Windows.

While this particular instance is a case of a Microsoft Windows vulnerability, and in fact it is MS Windows systems that make up the most likely targets of such threats because of their notorious ease of exploitation, the truth is that any OS can be in the wrong place at the wrong time. Regardless of the specific OSes involved, you should always be careful and deliberate when choosing to add another OS to your network — particularly so when the OS you're considering adding is more commonly exploited than the OSes that are already on the network.

If you have a good reason to diversify your software selections, go ahead and do so. Trying to avoid a "monoculture", on the other hand, is not a good reason. Remember: if you make security decisions based on principles you don't understand, you're likely to make decisions that damage your security.

About Chad Perrin

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

Editor's Picks

Free Newsletters, In your Inbox