Biology Rules Apply to Infosec?

(Source: www.esa.org)

In biology, it is well established that consanguinity between members of the same group (for example, people living in the same closed area, or animals of the same breed) can reduce their resistance to certain diseases or weaken certain physical characteristics. It’s important to keep some level of diversity. The latest Juniper story reminded me of the talk about “monoculture” presented at BlackHat Europe 2011.

A few days ago, some parts of the Internet were affected by a bug in the BGP update code of Juniper routers. If you have a look at the core-router market, it is dominated by two manufacturers: Cisco and Juniper. Routers operated by major ISPs are crucial to keeping the Internet reliable. If most of those devices come from a single manufacturer (or a very limited number of them), you increase the risk of facing big issues when they are affected by a bug or a security flaw.

Now, speaking about devices or applications in general (the core routers were just an example) and from a business point of view, monoculture is positive:

  • You can negotiate better prices (the more items you buy, the more discount you receive),
  • You can easily negotiate with other resellers,
  • You find plenty of engineers with enough knowledge, or external consultants,
  • Your engineers don’t need multiple skills and certifications,
  • Plenty of on-line resources may help you,
  • You get some nice goodies from the manufacturers.

But, putting layer 8 (the “political layer”) aside, monoculture has side effects:

  • Big players offer a very large attack surface to hackers (they will select the most widely deployed targets),
  • Manufacturers don’t have time to re-invent the wheel, and different products may re-use the same (vulnerable) piece of code,
  • Big players might be slower to react to vulnerabilities,
  • Big players might be less motivated to change,
  • Your vision of the market is restricted.

As in biology, monoculture can generate catastrophic situations in case of a successful attack or major bug. I don’t say that big players do a bad job (otherwise they could never reach such a share of the market). Just don’t behave like a lemming. Choose the solution which matches your requirements, not just because “it’s a big name”.

Do you remember the French movie “Les Rivières pourpres” (“The Crimson Rivers”) with the closed society of Guernon?
