Someone asked me the other day whether I thought the United States was vulnerable to a large scale “cyber” attack. While I have no doubt that any particular organization can be compromised, what comforts me at the national level is the sheer diversity of our systems. We have – unintentionally – employed a very effective defensive strategy known as “security through diversity.”
Every organization’s IT system is composed of multiple layers: credential systems, firewalls, intrusion detection systems, tripwires, databases, web servers, OS builds, encryption schemes, network topologies, etc. Due to a variety of factors — competitive markets for IT products, lack of standards, diversity of IT managers’ preferences — most institutions make independent and varied choices at each layer. This, in turn, means that each institution requires a customized attack in order to be penetrated. It is therefore virtually impossible for a single software program (virus, worm) to infiltrate a large portion of them.
On the web, one particular form of uniformity that can be dangerous is centralized login systems like Facebook Connect. But this is preferable to the current dominant “single sign on system”: most regular people use the same weak password over and over for every site because it’s too hard to remember more than that (let alone multiple strong passwords). This means attackers only need to penetrate one weak link (like the recent Rock You breach), and they get passwords that likely work on many other sites (including presumably banking and other “important” sites). At least with Facebook Connect there is a well-funded, technically savvy organization defending its centralized repository of passwords.
I first heard the phrase “security through diversity” from David Ackley who was working on creating operating systems that had randomly mutated instances (similar ideas have since become standard practice, e.g. stack and address space randomization). It struck me as a good idea and one that should be built into systems intentionally. But meanwhile we get many of the benefits unintentionally. The same factors that frustrate you when you try to transfer your medical records between doctors or network the devices in your house are also what help keep us safe.
This may seem like a stupid question, but what is the efficient antidote to the 'single sign on system'? Someone that I, uh, know really well may fall into that category.
I'd recommend using password software like these: http://hunch.com/iphone-password-databases/
I almost wish I was incompetent enough at Tipjoy to store user passwords in clear text (they weren't) so that I could test authenticate them with email passwords. I'm surprised no one shows me a list of contacts from email if the email/pass I used to sign up works to sign into email as well. Who needs trust building in a first experience, right?
[these are just my opinions, not of any employer]
I really like your point about facebook being a central point, but one manned by a technology company. Maybe such systems can work in a distributed way and still add value for everyone. It certainly beats the current pandemic of uniform passwords.
One problem for users is that they have no idea how technically savvy you are. The facebook contact importer asks for your gmail password – just like Rock You. But Rock You is evidently incompetent, while Facebook isn't. How is a user to know? Not just for this particular issue, but generally, how are people who have no understanding of tech supposed to make decisions around it?
Surely an attack that exploits a flaw at the server level (whether it be web/database etc server) would suffice? I'm thinking maybe a variant of the Slammer worm, something small that propagates rapidly.
What you are saying is a bit over-simplified. What you are really saying is we are insecure in a diverse manner, which is making us a bit more secure than if we were insecure in an identical manner. Diversity, like obscurity, is not a true security measure. It is like saying every house on this block has a lock by a different manufacturer so we are more secure. While to some degree that may be true, the guy with the broken lock isn't too happy. Especially if that lock secures, for example, that national power grid. Also, the current 'diversity' wasn't designed as a security measure to begin with, meaning you just replaced the door lock above with a door handle.
My problem with security is when it gets in the way of doing something important. There are some nifty user ID options coming down the pipes. Soon we'll have single user login that's pretty darn strong at identifying that it's actually us at the wheel, and not an untrusted infiltration.
But it's a game of cat and mouse. As probes improve, so does security. I read not too long back that bot nets are fairly significant.
Be careful or soon enough you'll be buying your cloud computing from yourself
This is possibly the only plausible upside to the (relatively) standard-less web we have created.
Even then, wikipedia lists only 6 types of web server servicing over 1 million sites. If, over time, you can get a sleeper on most of them – you can kill the web.
Interesting. I work in the DoD space, and while we routinely lament the many disparate systems we have to work with, it does add an element of cyber security that is not normally mentioned.
It seems your post today was quite prescient given today's Google vs. China news, however, this news also refutes your claim of security through diversity. The data doesn't support your claim. There is no well-funded, technically savvy, company who has not had a breach of some sort. Zero. Google's bold enough to just admit it in public. As long as there are locked doors, there will be locksmiths.
I do say “I have no doubt that any particular organization can be compromised”
I am just saying diversity helps protect the country as a whole. Related to China, I think you could argue (and I've heard it argued by defense experts) that countries with highly centralized & standardized IT systems are more vulnerable to attack than those that are more distributed. (See LizScott's comment).
I try and use as many passwords as possible but I just tend to get confused.
I've heard that this is what an early version of Tagged did.