IT Wrestles with Microsoft Monoculture Myopia

Three years after an influential report flagged the security risks of relying too much on Microsoft's Windows monopoly little has changed. Why? The economics of standardizing still trump security headaches.

When Microsoft announced in March 2006 that it would add code-scrambling diversity to make Windows Vista more resilient to virus and worm attacks, you could almost visualize a wry smile from Dan Geer.

Geer, a computer security guru with a doctorate in biostatistics from Harvard University, lost his job as chief technology officer of consulting company @Stake in 2003 after co-authoring a report that blamed Microsofts operating system monopoly and complex code base for the frailty of the Internet.

Exactly three years later this month, Geer insists that the risks associated with Microsofts virtual monoculture remain the same, but a quick glance at the future direction of the worlds largest software maker gives Geer a sense of "total vindication."

Indeed, three years ago on Sept. 24, Geer penned "CyberInsecurity: The Cost of Monopoly," a 25-page report he co-authored with a whos who of computer security experts, including celebrated cryptographer Bruce Schneier and intrusion detection systems specialist Rebecca Bace.

The crux of the report was that software diversity was core to securing the Internet.

The group cautioned that the only way to prevent "massive, cascading failures" was to avoid the Windows monoculture.

"Because Microsofts near-monopoly status itself magnifies security risk, it is essential that society become less dependent on a single operating system from a single vendor," the report said.

In many ways, Geers report was prescient, as Microsoft has become a huge target for hackers. Meanwhile, Microsoft has adopted some of the tactics recommended to diversify code.

"In just under three years, the idea went from something you can get fired for to a research priority for [the U.S. government] and a product plan at Microsoft," Geer, of Cambridge, Mass., said in an interview with eWeek.

"You look at what theyre doing with randomizing Vista and all the signs around virtualization, [and] its real vindication for us."

He was referring to the addition of ASLR (Address Space Layout Randomization) to Windows Vista, a security feature that randomly arranges the positions of key data areas to prevent malicious hackers from predicting target addresses.

The technique, known as memory-space randomization, will block the majority of buffer overflow tricks used in about two-thirds of all worm attacks and, even more importantly, will effectively create software diversity within a single operating system.

Despite wide recognition that software diversity is important, progress is slower than expected.

Ten days after the Geer report garnered publicity, the U.S. House of Repre-sentatives held a hearing that included an interrogation of the Department of Homeland Security on the subject of monoculture, and the National Science Foundation, an independent federal agency, pumped $750,000 into a study on cyber-diversity for computer systems as a way to fend off malicious viruses, worms and other cyber-attacks.

The result? Despite all that talk, the DHS remains a Windows shop and Microsofts flagship operating system still commands a whopping 97 percent share of the desktop security market. Businesses dabble with alternatives such as Linux but remain tethered to Windows. Why?

Despite the initial hubbub over the report, businesses are betting that the costs associated with diversification are greater than the returns from implementing technology that could be more secure yet potentially harder to manage.

"We havent changed much. Id argue that were at even more risk today than we were in 2003," said Schneier, chief technology officer and founder of Counterpane Internet Security, in Mountain View, Calif. "We have a culture of ignoring serious warnings until its way too late."

Schneier, who did stints at the Department of Defense and Bell Labs, said the monoculture risk exists beyond the desktop. "Windows has pushed into mobile devices, into embedded systems, into noncomputer CPUs. The threat of that cascading failure is even truer today," he said.

Even though the argument made in the report remains as valid as ever, diversity has been elusive because, as Schneier put it, "monoculture is attractive because it is cheaper."

"Its hard and its expensive [to diversify]. Yes, its less secure, but you only have to support one thing when you embrace monoculture. It always boils down to economics," he said.

Geer said there are two options available to government and enterprise security systems: Embrace monoculture and get consistent risk management because everything is the same, or run from monoculture in the name of survivability.

"Today, were relying on picking up the pieces," Geer said, adding that its much cheaper for a CEO to invest in anti-virus, anti-spyware, anti-spam and patch management solutions.

"Weve committed all our eggs to a basket named patch management, or were looking to virtualization to help wipe and reinstall after [malware] infection," he said.

For Andre Gold, director of information security at Continental Airlines, monoculture and security became a hot topic in 2003 after the SQL Slammer worm disrupted operations at the Houston air carrier.

/zimages/2/28571.gifVista RC1 tests show that the migration path may be rocky. Click here to read more.

"From a pure-play security perspective, we had to answer that question. Do we want to diversify to keep things running when another attack came along or stay with the monoculture and invest in securing it," Gold said in an interview with eWeek.

"It came down to economics. Its not easy to click your fingers and say, Windows is a liability; lets just switch. You soon realize you have to spend even more to get specialized staff for each computing environment," Gold said.

Several CISOs (chief information security officers) interviewed by eWeek echoed Golds sentiments, stressing that budgeting considerations always play into security decision making.

"I cant spend my entire budget trying to diversify and not have resources to secure them all. Thats not practical," said one security executive affiliated with a high-profile financial institution.

Golds situation rings true for John Pescatore, an analyst at Gartner, in Stamford, Conn. "The cost of ownership skyrockets because of diversity," Pescatore said. "The economics says to standardize, standardize, standardize."

Next Page: Its getting cheaper to deal with a single platform.