For Hackers, Uniformity Is Path of Least Resistance
Standardizing network components creates more problems than it solves.
The military tackles many challenges in its cyber ecosystem—a diverse group of human users, processes and technologies and their interactions—by striving for uniformity across its hardware, software and operating systems. But standardization also can create large holes in the cyber environment, weakening defenses and contributing to successful cyber attacks. Coming at cybersecurity from a different angle could leverage differences in favor of network defenders.
Without a doubt, system consistency has its benefits. Using the same operating systems, applications, switches, routers and other components across networks reduces complexity and lowers the cost of equipment maintenance as well as defense.
But cyber is a two-way street, so approaches that benefit an organization in one respect can make it vulnerable in another. For example, if all desktops, laptops and servers in an organization are running macOS, then its members would have maximum access to information, and so would attackers. The more uniformity in the cyber ecosystem, the more—and more quickly—hackers can gain access to networks. The opposite also is true. If some devices are running the Chrome operating system, others Linux and still others Microsoft, then intruders cannot as easily take down an entire organization’s systems.
Many private organizations and government agencies almost exclusively rely on Microsoft products, which the majority of attacks target, putting cyber weapon systems directly in the line of fire.
Although diversification is touted as the best strategy in many endeavors—from investing to job hunting—in cyber ecosystems, many organizations are sticking to standardization, continuing to put their proverbial eggs into nice, neat baskets. Their reasoning is that maximizing symmetry shrinks the attack surface and facilitates systems defense. However, because the cyberspace attack surface consists of all known and unknown exploitable avenues, using a variety of operating systems and applications actually decreases accessibility by leveraging the variances in attack implementations.
Employing identical systems throughout an enterprise can pose additional challenges. Notably, it sets up the endless task of maintaining homogeneity, and often the smallest change can wreak havoc across the entire cyber environment.
Although counterintuitive, installing different operating systems, applications, hardware and devices addresses this challenge and does not preclude good cyber hygiene—one of the top arguments against adopting diversity. Package management systems help sustain practices such as installing regular updates and patches in a variety of systems simultaneously.
Embracing diversity requires looking at technology by the functionality needed and accepting various paths to provide it. For example, many good browsers, PDF readers and media players are available today. While none of these is without vulnerabilities, the odds of the same weaknesses occurring across two or three different browsers are much lower than they are when using the same browser throughout the ecosystem.
Last year’s global WannaCry ransomware attack based on the EternalBlue exploit of Microsoft’s Server Message Block illustrates the effect of manipulating uniformity for maximum results. Organizations exclusively using Microsoft operating systems experienced a massive impact because Windows Vista through 10 and Server 2008 through 2016 were all affected. Other operating systems were affected only if they had the same attack path for the ransomware to follow. EternalBlue’s creators may have understood the far-reaching consequences the attack would have through multiple versions of Microsoft operating systems spanning 10 years.
Standardizing operating systems also can make attack opportunities more attractive by decreasing their cost. Most cyber criminals prefer low-cost, high-gain targets. Diverse systems introduce variability in the cyber ecosystem and can subsequently shape their actions, forcing them to explore vulnerabilities in uniform surfaces with common paths such as Java, Flash, Bluetooth and Universal Plug and Play.
This attack strategy can aid cyber defenders, who know that hackers will target the standardized systems between disparate technologies.
Instead of robustness and resilience ratcheted up through standardization, the cyber environment becomes more secure from disorder through gains in flexibility, adaptability and diversity. Nassim Nicholas Taleb refers to this state as “antifragile” in his book Antifragile: Things That Gain From Disorder.
Uniformity is the path of least resistance. From a limited perspective, it appears to be the least costly not only for attackers but also for their targets. However, taking into account attacks such as the massive 2015 breach at the Office of Personnel Management, cybersecurity managers must determine whether the cost savings are worth the risk. The equation for the cost of standardization must include the cost of loss. After a breach, the cost of data loss, lost trust and system repairs can exceed the cost to maintain, defend and reconstitute disparate systems.
Attackers are exploiting the uniformity of technological systems and using flexibility to their advantage. While diversity is not the entire cybersecurity solution, it can be part of a holistic approach to a complex problem and environment.
Bridgit Griffin is the president of technical and cyber consulting firm 22/42 Inc. She has held positions as the chief technology officer, innovator and program manager for Air University, Maxwell Air Force Base, Alabama, where she led cross-functional teams in applying critical thinking to develop advanced solutions for improving myriad areas, including cybersecurity.