Diversity as defense

sgorman1 at gmu.edu sgorman1 at gmu.edu
Wed Jan 21 17:55:29 UTC 2004



I can see how the biology analogy could lend itself to a preordained outcome, but I do not think it was the case in this research.  For one it is really just a biology analogy, the mathematics are standard graph theory/statistical mechanics.  Actually, the original results we got back from the simulations had mass network failure occurring when 23-24% of nodes were compromised, all being of the same species.  Ended up we had a flaw in the code, but with that result you could not really argue that monopolies cause a security vulnerability.  It would be impossible to enforce a mandate saying no one vendor could have more than 23% of the market.  The conclusion would be that even with a thriving competitive market vendor specific vulnerabilities can do heavy damage.  Going after Microsoft or any other quasi monopoly in this case would not accomplish much. If you look at Code Red affecting Microsoft servers, they only made up 23-24% of servers connected to the Internet at the time (and that was all MS....

I will say it is easy to fall into the politically biased trap, especially as more people pay attention to what you are doing, but it is something we try hard to stay away from.  Sorry if this has wandered off topic in that regard.

As an aside it is interesting that no worm has yet exploited a platform that has a large market share and is at the core of the network.  


----- Original Message -----
From: Jamie Reid <Jamie.Reid at mbs.gov.on.ca>
Date: Wednesday, January 21, 2004 11:20 am
Subject: Re: Diversity as defense

> 
> These questions are of a personal interest etc...
> 
> Interesting use of biological metaphors. Is security accurately 
> expressed as an
> economy? Or rather, can security problems be solved as problems of 
> economy? 
> 
> I think it is a very compelling and thought provoking paper, but I 
> wonder if using a 
> specific biological model to support an economic conjecture is 
> sufficiently immune to 
> being coloured by political bias. 
> 
> I am not accusing the authors of unacknowledged bias, however, the 
> segue 
> from a biological model to an economic conclusion exposes the 
> conclusions to 
> being interpreted as a moral indictment of monopolies in the 
> marketplace. 
> 
> I don't mean to harp, as I have asked questions about the 
> motivations behind 
> some of your research before (namely the value of linking of 
> attacks to country 
> of origin), and I hope to have any of my misconceptions corrected as 
> effectively 
> as they were previously.   
> 
> Best, 
> 
> 
> 
> 
> --
> Jamie.Reid, CISSP, jamie.reid at mbs.gov.on.ca
> Senior Security Specialist, Information Protection Centre 
> Corporate Security, MBS  
> 416 327 2324 
> >>> <sgorman1 at gmu.edu> 01/19/04 03:35pm >>>
> 
> 
> We've been seeing a bit of media attention of late to diversity as 
> a technique to make networks more secure:
> 
> http://news.com.com/2009-7349_3-5140971.html?tag=nefd_lede
> 
> The usual suspect is Microsoft with 97% of OS's, but Cisco's 86% 
> of the router market has been cited as well as SNMP 
> vulnerabilities of two years ago.  The diversity, monoculture and 
> agriculture analogy makes nice press, but how realistic is 
> diversity as a defense.  Is cost the biggest hurdle or limited 
> availability of competitive products, or simply no bang for the 
> buck by diversifying.  We've run some simulations testing the 
> effects of different levels of diversity, but wanted some feedback 
> on feasibility.  
> 
> http://arxiv.org/abs/cond-mat/0401017
> 
> Any comments, feedback or discussion would be greatly appreciated.
> 
> best,
> 
> sean
> 
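The simulation the thread talks about (take a network, label every node with a vendor according to market share, knock out every node of one vendor at once, and see how much of the network still hangs together) is easy to sketch. The block below is an added example written for this archive page; it is not the arXiv paper's code and does not reproduce its 23-24% figure. It assumes a preferential-attachment network, vendor labels assigned independently of a node's position in the graph, a two-vendor market, and a fixed random seed; all of those are constructed here for illustration. The measure of damage is the largest connected component among the surviving nodes, which is the standard percolation-style quantity.

```python
"""Toy monoculture percolation: compromise every node running one vendor's
software and measure how much of the network remains connected.

Added example for this thread, not the simulation code from the paper under
discussion. Network model, vendor shares and seed are constructed here."""
import random
from collections import deque


def preferential_attachment_graph(n, m, rng):
    """Undirected graph where each new node links to m existing nodes chosen
    with probability proportional to degree (assumed model, not the paper's).
    Returns adjacency as a list of sets; connected by construction."""
    adj = [set() for _ in range(n)]
    targets = []  # each node appears once per incident edge end -> degree weighting
    for i in range(m + 1):  # start from a small complete graph on m+1 nodes
        for j in range(i + 1, m + 1):
            adj[i].add(j)
            adj[j].add(i)
            targets.extend([i, j])
    for v in range(m + 1, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(targets))
        for u in chosen:
            adj[v].add(u)
            adj[u].add(v)
            targets.extend([u, v])
    return adj


def assign_vendors(n, shares, rng):
    """Label each node with a vendor index drawn according to market shares.
    Assumes vendor choice is independent of the node's place in the graph."""
    return rng.choices(range(len(shares)), weights=shares, k=n)


def giant_component_fraction(adj, alive):
    """Size of the largest connected component among alive nodes, as a
    fraction of all nodes in the original network."""
    n = len(adj)
    seen = [False] * n
    best = 0
    for s in range(n):
        if not alive[s] or seen[s]:
            continue
        seen[s] = True
        queue = deque([s])
        size = 0
        while queue:
            v = queue.popleft()
            size += 1
            for u in adj[v]:
                if alive[u] and not seen[u]:
                    seen[u] = True
                    queue.append(u)
        best = max(best, size)
    return best / n


def surviving_fraction(n, m, shares, compromised_vendor, seed=1):
    """Fraction of the network still in the giant component after every node
    of `compromised_vendor` is removed. compromised_vendor=-1 removes nothing."""
    rng = random.Random(seed)
    adj = preferential_attachment_graph(n, m, rng)
    labels = assign_vendors(n, shares, rng)
    alive = [label != compromised_vendor for label in labels]
    return giant_component_fraction(adj, alive)


def sweep(n, m, dominant_shares, seed=1):
    """For each market share p of a dominant vendor (two-vendor market),
    return (p, surviving fraction) after that vendor is compromised."""
    return [(p, surviving_fraction(n, m, [p, 1.0 - p], 0, seed))
            for p in dominant_shares]


if __name__ == "__main__":
    for p, f in sweep(2000, 2, [0.1, 0.25, 0.5, 0.75, 0.9]):
        print(f"dominant share {p:.2f}: giant component keeps {f:.3f} of nodes")
```

Two things to keep in mind when reading the output: because the labels here are independent of topology, the curve is just random-node percolation and degrades smoothly with share, so it says nothing about a sharp threshold; and the model ignores exactly the point raised in the aside above, that a vendor concentrated at the core (high-degree nodes) would be far more damaging at the same market share than one spread across the edge.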




