IT Security and Monoculture
Mar 29, 2008 14:47 Subjects Internet
Hannaford Brothers Cos., a large grocery chain in the Northeast, recently announced that as many as 4.2 million credit cards used by its customers had been compromised by a trojan horse that had been installed on all its servers used to process the information from the "swiped" cards.
http://www.boston.com/business/articles/2008/03/28/advanced_tactic_targeted_grocer/
Undoubtedly all of Hannaford Brothers's servers were running the same software using the same communications protocols, and most likely they were all running on the same hardware. Standardization cuts costs, and large corporations have been especially diligent in standardizing their information technology resources.
Standardization also made it easy, once the cyber-thieves learned how to compromise one server, to commandeer all of Hannaford Brothers's servers, quickly and quietly.
HB's information structure was a monoculture. In the natural world of living things, monocultures are highly vulnerable to disease, pests and changes in environment. Industrial agriculture requires heavy applications of pesticides, herbicides, and fertilizer to grow monocrops. The same goes for corporate IT, where at least part of the savings from standardization must be spent on anti-virus software and anti-spybot software for every organizational computer and on sophisticated firewalls between the local network and the rest of the world. And IT is still vulnerable to hackers, no matter how carefully the systems are engineered.
It might have cost Hannaford Brothers more to diversify their software and hardware, but the diversity would have made it almost impossible for thieves to have compromised the entire network and probably would have made it more likely that the exploit would be discovered.
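The blast-radius argument above can be made concrete. The following is an added illustration, not code from the original post and not a description of Hannaford's actual systems: it models a fleet of servers labelled by the software stack each runs (the stack names and fleet sizes are constructed assumptions) and computes how much of the fleet a single working exploit against one stack can reach, under the post's premise that one exploit compromises every server running the same stack.

```python
from collections import Counter
from fractions import Fraction

# Constructed example fleets. Each entry is the (assumed) software/hardware
# stack a server runs; the labels are hypothetical, not Hannaford's.
MONOCULTURE_FLEET = ["stack-A"] * 300
DIVERSIFIED_FLEET = ["stack-A"] * 100 + ["stack-B"] * 100 + ["stack-C"] * 100


def blast_radius(fleet, vulnerable_stack):
    """Fraction of the fleet reached by one exploit that works only against
    `vulnerable_stack`, assuming every server on that stack falls to it."""
    counts = Counter(fleet)
    return Fraction(counts.get(vulnerable_stack, 0), len(fleet))


def worst_case_blast_radius(fleet):
    """Largest share any single stack holds: the most an attacker can reach
    with one exploit, whichever stack it targets."""
    counts = Counter(fleet)
    return Fraction(max(counts.values()), len(fleet))


def exploits_needed_for_full_compromise(fleet):
    """Number of distinct working exploits needed to reach every server,
    one per stack present in the fleet."""
    return len(set(fleet))


def surviving_fraction(fleet, vulnerable_stack):
    """Share of the fleet that keeps operating untouched after the exploit,
    i.e. the part of the network that remains a vantage point for detection."""
    return 1 - blast_radius(fleet, vulnerable_stack)


if __name__ == "__main__":
    for name, fleet in (("monoculture", MONOCULTURE_FLEET),
                        ("diversified", DIVERSIFIED_FLEET)):
        print(name,
              "worst-case blast radius:", worst_case_blast_radius(fleet),
              "exploits for full compromise:",
              exploits_needed_for_full_compromise(fleet))
```

The model deliberately ignores cost and the probability that a given stack is exploitable at all; its only point is the one the post makes, that a uniform fleet turns one exploit into total compromise, while a mixed fleet caps a single exploit at the largest stack's share and leaves the rest of the network intact to notice the intrusion.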