Ever since Dan Geer was fired in 2003 from @stake.com for being an author of a paper on the negatives of a computing monoculture, I’ve seen article after article recommending that administrators do away with their computer monocultures as a way of minimizing or defeating malware and hackers.
The computer monoculture argument says that if all your computers are of one type or OS platform, you are more at risk of malicious attack because of all the commonalities the attacker can use.
There is some truth to that argument, but any good idea is bound to be polluted and convoluted by the retellers. For one, many authors promoting the idea of eliminating computer monoculture are actually thinly veiling their dislike of anything Microsoft. When you ask them whether everyone should run Linux computers instead, they usually go real quiet for a few seconds and then either say yes and go on about the myriad of different Linux distros available or -- rightly -- say no. But it still took them a few seconds to answer with a straight face. (Even Dan Geer was against Linux monocultures.)
Second, many people think that if the computer monoculture went away, so too would hackers and malware. That's a generalization. Saying a risk could be minimized, or even decreased, is different from saying it would be eliminated completely.
For most companies, moving away from a computer monoculture means picking up computer platforms that are new to the company’s administrators. If I’m a 20-year Windows veteran, trying to learn Linux quickly isn’t likely to make the environment safer overall.
A friend of mine, upset with Microsoft’s ISA (Internet Security and Acceleration) server firewall, decided he wanted to run OpenBSD and PF (OpenBSD’s Packet Filter firewall) at work, after seeing it running at my house. I, too, threw out all my other network firewalls after they insisted on doing things I told them not to do -- such as blocking ports and packets I told them not to block. OpenBSD with PF does exactly what you tell it to do -- “keep it simple stupid” type of stuff.
But installing and configuring OpenBSD isn’t simple for the first-time user. My friend was stumped -- he is one of those guys who has installed Linux a few times but has never run it beyond a few days before giving up. He has read my columns about how secure OpenBSD is, watched me configure PF a few times, and decided it was the solution for him. It took him months to get it up and working.
He had OpenBSD up for about four months when I first dropped by to take a look at a particular problem he was having. It was only then that I learned he had no firewall working the whole time -- he had made a configuration mistake, and compounded the original error by not testing his firewall.
In his attempt to branch out to a different, more secure platform, my friend made his company weaker overall. Ah, but that’s what’s great about the computer world: Make a major mistake like that, and you never do it again.