The Case for IT Biodiversity
Cross-site scripting boom due in large part to the fact JavaScript, Flash, Java act the same on any platform
November 8, 2006
2:50 PM -- Computer viruses aren't just named to sound like those pesky things that give you the sniffles or that rash you don't want to tell your wife about. Computer viruses actually act a lot like human viruses too.
They enter the system through an open channel (or membrane if you're talking about a human). They find a vulnerability (like a weakened immune system). They make copies of one another (using cells to reproduce). And the cycle continues, infecting computers and people alike.
That's not where the similarities end. There is a common theory amongst genetics researchers that says if you have zero genetic diversity, the system of humanity becomes very prone to attack by viruses. The same is true in computer security. Genetic diversity in application development, in operating systems, in network architecture, and in the tools designed to combat viruses all create a more complex environment for viruses to travel effectively through.
A lack of genetic diversity is one of the reasons why cross-site scripting (XSS) malware has been gaining in popularity. Because JavaScript, Flash, and Java act the same across all platforms, they are ideal for transmission of virulent code.
Let's use another concrete example. One of the least genetically rich environments is a Windows machine. For a virus writer to write an application that will affect 90 percent of the Windows machines on the net is a trivial task. What about Linux? Well, because systems aren't created equal, and kernels can be and often are modified, along with other inherent security features, writing a virus that exploits 90 percent of Linux boxes is far more difficult (there have been exceptions, like exploits in SSH for instance).
But what happens when you combine the two equally? When you have two completely different operating systems, the genetic diversity has increased, making it more difficult for a virus to propagate completely.
Adding unique firewalls, Web application security, intrusion protection, and antivirus significantly improves the genetic diversity of the Internet, reducing the likelihood of complete exposure.
The downside, of course, is cost. Cost to build and maintain a unique set of servers that falls outside of the vulnerable sphere of what is considered to be genetically "weak."
In terms of operating systems I'm not here to preach what is weak and what is strong. All you need to do is look at the penetration of any system in the marketplace to know where the largest exposures will naturally lie. You should probably look at your own situation to decide.
Are you okay with some small percentage of your environment being penetrated but reluctant to have large-scale penetrations? In that case, go with many operating systems. If you don't want any penetrations then you should probably opt for a strain of an operating system that falls outside of the genetic group of operating systems that malware is commonly written for.
Take a look at your corporate strategy and appetite for penetrations and decide for yourself what you and your company are willing to accept. Personally, I'm not a big fan of any kind of break-ins, but everyone's willingness to accept risk is different.
— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading