By Marco Eggerling, Field CISO, EMEA
Quick introduction to monocultures
As an information security professional, you’ve likely heard the term ‘monoculture’ in relation to agriculture. In that context, a single type of crop (take sweet corn, for example) has a monopoly on a field. A sudden crop killer, whether a virus or a destructive insect, can have abominable consequences for the whole field at once.
Monocultures in software and cyber security are subject to the same forces, vulnerabilities and problems as agricultural monocultures. A monoculture may yield some benefit, but do the risks outweigh the monoculture’s perceived utility?
Software and cyber security monocultures
In computing, the term monoculture is used to describe near-universal ecosystem reliance on a single operating system, application, programming language, cloud provider…etc. A computing monoculture translates to very limited technological diversity.
Experts began to ask: ‘Does a more diverse software landscape lead to improved operational security in the long run?’ ‘Or is there security in continuing contracts with a single reputable brand (like Microsoft) that nearly guarantees infrastructure compatibility across systems?’
The arguments against and in favor of a software monoculture are varied and complex. Let’s delve into a couple of examples and examine their impacts on organizations.
Homogeny and vulnerability
One of the most significant concerns with monocultures is that a single point of failure (a vulnerability under active exploitation) can have widespread repercussions. If a vulnerability is found in a dominant software product, a huge number of organizations could experience disruption at the same time, with rippling real-world effects across sectors and society at large.
The recent breach of Microsoft by a threat actor, in which the attacker extracted the Azure AD signing key associated with a supposedly inactive user account, is a prime example. It shows how risk concentrates when you entrust your security defenses to a single provider: one stolen key affected every tenant that trusted it. The analogy of the virus in the corn field comes to mind again.
Another example is the infamous “Heartbleed” vulnerability in OpenSSL. Three years after discovery, the flaw continued to affect 200,000 unpatched servers worldwide. Heartbleed allowed an attacker to retrieve the private memory of any application that used the vulnerable code library, in chunks of 64k at a time. The consequences were catastrophic, and organizations like GitHub, Dropbox, and the U.S. FBI were affected.
Monocultures and innovation
Monocultures may stifle innovation. After organizations have long been tethered to a single tech stack, leaders may resist the idea of adopting newer and more secure technologies. However, bringing in divergent solutions can radically increase cyber resilience. In brief, the monoculture approach can leave organizations woefully under-prepared to contend with next-generation cyber threats or leave the gates wide open to threat actors who possess the golden key to authentication systems, which were previously considered safe harbors.
Risk-based approaches
An attack that fails against one platform might succeed against another. So even after deploying a single platform to defend against, or monitor, attacks, we should establish defenses against attacks on trust itself, such as the misuse of a stolen signing key described above. One approach, long advocated but difficult to implement and drive in practice, is to employ fine-grained least-privilege authorization policies, so that the actions one entity performs on behalf of another are limited in scope, consequence and implications. This leads naturally into the discussion around Zero Trust, for which Check Point provides a whitepaper (LINK).
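To make the least-privilege idea concrete, here is an added example (not code from the article, Check Point or Microsoft) of a small delegated-authorization check in Python. The principals, resource patterns and grants are constructed for illustration. The point it demonstrates is that a delegate acting on behalf of a principal is confined to the actions, resources and time window named in its grant, and that the effective permission is the intersection of the grant and the principal's own rights, so delegation can narrow but never widen what the principal could do directly.

```python
"""
Added example: fine-grained, least-privilege delegated authorization.

A delegate (for instance a reporting service) acts on behalf of a
principal under a Grant. Every request is checked against the grant's
scope, its expiry, and the principal's own direct rights.
All names and rights below are constructed for illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed example: what each principal may do directly.
# Format: principal -> set of (action, resource glob)
DIRECT_RIGHTS = {
    "alice": {("read", "reports/*"), ("write", "reports/*"), ("delete", "reports/*")},
    "bob": {("read", "reports/public/*")},
}


@dataclass(frozen=True)
class Grant:
    principal: str          # who the delegate acts on behalf of
    delegate: str           # the entity receiving delegated rights
    actions: frozenset      # allowed actions, e.g. frozenset({"read"})
    resource_pattern: str   # glob limiting resources, e.g. "reports/q3/*"
    expires_at: int         # unix time after which the grant is void


def principal_allows(principal, action, resource):
    """True if the principal could perform this action directly."""
    return any(action == a and fnmatchcase(resource, pattern)
               for a, pattern in DIRECT_RIGHTS.get(principal, set()))


def authorize(grant, acting_as, delegate, action, resource, now):
    """Return (allowed, reason). Every deny is explicit so it can be logged."""
    if grant.delegate != delegate or grant.principal != acting_as:
        return False, "grant does not bind this delegate/principal pair"
    if now >= grant.expires_at:
        return False, "grant expired"
    if action not in grant.actions:
        return False, f"action '{action}' outside delegated scope"
    if not fnmatchcase(resource, grant.resource_pattern):
        return False, f"resource '{resource}' outside delegated scope"
    # Delegation can never exceed the principal's own rights.
    if not principal_allows(acting_as, action, resource):
        return False, "principal lacks this right; delegation cannot widen it"
    return True, "allowed"


# Constructed grant: the reporting service may only read Q3 reports for alice.
ALICE_Q3_READ = Grant("alice", "svc-reporting", frozenset({"read"}),
                      "reports/q3/*", expires_at=2_000_000_000)


def demo():
    """Run a few requests through authorize() and return the decisions."""
    now = 1_700_000_000
    return [
        authorize(ALICE_Q3_READ, "alice", "svc-reporting", "read",
                  "reports/q3/summary.pdf", now),
        authorize(ALICE_Q3_READ, "alice", "svc-reporting", "delete",
                  "reports/q3/summary.pdf", now),
        authorize(ALICE_Q3_READ, "alice", "svc-reporting", "read",
                  "reports/q4/summary.pdf", now),
        authorize(ALICE_Q3_READ, "alice", "svc-reporting", "read",
                  "reports/q3/summary.pdf", 2_100_000_000),
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

Every deny carries a reason string, so the same function doubles as a source of audit events: a burst of "outside delegated scope" denials from one delegate is exactly the signal that a stolen credential is being tried against resources its grant never covered.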
Further thoughts
Does your risk management framework acknowledge where you may have a software monoculture and address the vulnerabilities inherent within?
Today’s CISOs and cyber security leaders need to exercise vigilance by guarding against over-reliance on a single solution while simultaneously leveraging trusted technologies. Protect your organization from the pitfalls of monocultures by diversifying software and security tools, implementing best practices and encouraging innovation.
For more insights from Field CISO Marco Eggerling, please see CyberTalk.org’s past coverage.