
Don’t spread around your exploits

Feb 02, 2004
Enterprise Applications

Only vigilance and a good patch strategy will keep most hackers at bay

Last week in Network World, Scott Bradner was going on about PCs, Macs, operating system “monocultures” and computer viruses (see link below). Quite a tour de force.

He was actually taking CNET to task for its story, “Seeds of Destruction,” which compared the spread of computer viruses to agricultural diseases such as “Dutch Elm Disease.” The theory being forwarded is that by limiting the varieties of PC operating systems we risk the same sorts of epidemics as arborists do by planting only a limited variety of elm trees.

After first wondering why the story is featured so prominently now (since the topic has been hotly debated for a number of years, but has abated considerably of late), Bradner goes on to comment about the proposed solution – diversifying the desktops in your organization.

Someone had suggested that no more than 10% of your desktops should run the same operating system (and, I’d guess, the same percentage for servers). That doesn’t mean Win 2000 Pro on 10%, XP on 10%, Win98 on 10%, etc. No, it means all Windows versions on 10%, another 10% of all Macintosh versions, 10% in various Linux distributions, perhaps 10% AIX/Solaris/HP-UX/other Unix. That’s only 40% though, what about the rest? OS/2? CP/M? How far back are we expected to go?

Bradner does conclude that the “no more than 10%” figure isn’t tenable. Just think of the support costs alone for keeping someone around all the time who understood each operating system. Add to that support costs for applications, not to mention what you’d need to go through to get applications that would interact reasonably well. No one is going to be able to justify those costs.

Scott suggests a more reasonable four or five different operating systems. Well, he doesn’t mention those numbers directly, but does offer 20% to 25% as a good figure for Macs in the enterprise. That would definitely be the wrong way to go, in my opinion.

It is true that by having more than 90% of our computer systems running Windows we are potentially vulnerable to any new attack that comes along. But this can be kept under control by observing good security practices. A large majority of the “new” attacks are simply re-scripted attacks against old vulnerabilities. They’re created by the so-called “script kiddies” who want to do some damage, but have no idea how to actually write good code to exploit a weakness in the system.

The real crackers – and there really aren’t that many of them at any given time – are busy looking for brand new vulnerabilities to exploit. They probe Windows for two reasons – 1) it is still very “user friendly” which means there are still potential vulnerabilities and 2) it’s widely distributed so there’s more “bang for the buck” exploiting its vulnerabilities. But Unix problems were being exploited before there was a Windows operating system. Linux cracks are becoming more prevalent every day as the number of systems (and the percentage of systems) increases. If four or five different operating systems had 20% to 25% of your desktops, then it becomes more “cost effective” for the crackers. They’ll look at exploiting those other systems more (yes, even the Macintosh) and your security issues will multiply.

Having more operating systems won’t decrease your vulnerability overall; it will just spread the exploits around. Only vigilance, monitoring, timely patching and more vigilance can really keep you safe.