by _wldu 1805 days ago
The problem is the entire thing will be compromised. Exchange, SharePoint, clients, servers, domain controllers, etc. That's what happens to monocultures. You must have diversity at every level (OS, DB, network, apps, etc.)

Yes, it is more difficult to manage a diverse environment, but when you survive the next big ransomware attack you'll see why it's so important (while your competition struggles to recover).

This holds true for crops, people, animals, financial investing and everything else. Diversity makes us strong and resilient. Monocultures make us weak.

Monocultures are easier to manage, audit and predict, but their weaknesses outweigh those benefits IMPO.

We have finite energy and knowledge.

I know how to configure a firewall on Linux. I don't know how to on Plan 9 and Windows.

Should I run Windows, Plan9, Solaris, FreeBSD, NetBSD, and Linux on my 5 servers to ensure I have diversity?

To me, that makes it seem 5x as likely that I make a configuration error that leads to a critical vulnerability if I have to figure out 5 different ways to set up a firewall and sandbox.

What about using software that historically has been shown to have vulnerabilities? For example, WordPress has had a lot of vulns in the past, so should I host one of my blogs on Ghost, one using Jekyll, one using WordPress, or should I only use a static site made with Jekyll because I know static sites are more secure?

If I'm allowed to eliminate WordPress there, why can't I eliminate diversity at other layers? I know Linux is more secure than Windows IME, so can't I just not run any Windows hosts by the same argument that I won't use WordPress?

You mentioned "diversity at every level (network)". Do you mean I should run a WireGuard VPN for some of my networks, Cisco for others, unencrypted for others, just so I have more diversity?

I'm genuinely curious because the model I've heard advocated so far is that a monoculture is more secure because you can eliminate less secure things (use WireGuard instead of unencrypted traffic), and gain mastery of a small surface area to ensure it is harder to attack.

Adding diversity just for the sake of it, by its nature, adds more attack surface and requires more expertise to secure, so it seems to fly in the face of the common advice I normally hear.

> Should I run Windows, Plan9, Solaris, FreeBSD, NetBSD, and Linux on my 5 servers to ensure I have diversity?

No. At the scale of five servers, a monoculture is acceptable risk, and as long as other businesses at that scale are choosing different monocultures, the systemic risk is limited as well.

But in analogy to agricultural monocultures, larger fields make monocultures more dangerous, and many adjacent fields with the same monoculture increase the risk even more.

But geographic continuity isn't necessary in our networked world, so the analogy is of limited use, and any vendor with enough customers, no matter how spread out, makes an attractive target.

> Should I run Windows, Plan9, Solaris, FreeBSD, NetBSD, and Linux on my 5 servers to ensure I have diversity?

Running Windows and Linux would be a good start. Plenty of business-y software runs on POSIX systems: perhaps your business processes don't have to run the same operating system as your desktops?

Having a file share appliance (e.g., TrueNAS, NetApp) would be a good step after that (if things get encrypted just revert to the last snapshot).

You may have missed the point of the question. All my machines (business and servers) are currently Linux because I know how to update and secure Linux.

The parent poster is arguing for diversity for the sake of it. To me, moving from my Linux monoculture to a Linux+Windows diaspora seems less secure.

I'm talking specifically about the idea of security through diversity, not about this specific incident, so backup recommendations aren't really related to this thread.

You can run Qubes OS instead and enjoy security through isolation and diversity it provides by default.

Ransomware in particular requires the attacker to be able to make your data inaccessible; in order to do that they need a certain level of control over every system on which that data is replicated, and as you say avoiding a monoculture makes that (substantially?) more difficult.

On the other hand, a leak or breach of user privacy requires exploiting any single system containing the data. Putting the same data on a diversity of systems makes that easier, and you won't even know what's happened if you've made it too difficult to "manage, audit and predict."

Avoiding a monoculture isn't the security magic bullet you pretend it is.
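The trade-off the comment above describes (ransomware has to take every replica, a leak only needs one) can be put into a small model. This is an added example, not code from the thread or from any of the commenters: k platforms each hold a replica of the data and fall independently with an assumed probability p, and an optional shared layer (the same app, the same identity provider) with an assumed probability q takes all replicas at once, which is the "diversity at every level" point from the top comment. All probabilities are assumed inputs, not measurements.

```python
# Added example (not from the thread): toy model of ransomware (needs every
# replica) versus a data leak (needs any replica) across k platforms.
# p = per-platform compromise probability (assumed), q = probability that a
# layer shared by all platforms is compromised (assumed); both are inputs.
import random


def denial_and_leak(p: float, k: int, q: float = 0.0) -> tuple[float, float]:
    """Return (P[attacker controls every replica], P[attacker reads any replica]).

    Ransomware needs the first event (all copies encrypted); a privacy breach
    needs only the second (any one copy read). Closed form: the shared layer
    compromises everything; otherwise replicas fall independently.
    """
    if not (0.0 <= p <= 1.0 and 0.0 <= q <= 1.0) or k < 1:
        raise ValueError("p and q must be probabilities, k must be >= 1")
    all_replicas = q + (1.0 - q) * p ** k
    any_replica = q + (1.0 - q) * (1.0 - (1.0 - p) ** k)
    return all_replicas, any_replica


def simulate(p: float, k: int, q: float = 0.0,
             trials: int = 200_000, seed: int = 1) -> tuple[float, float]:
    """Monte Carlo check of denial_and_leak with the same assumptions."""
    rng = random.Random(seed)
    all_hits = any_hits = 0
    for _ in range(trials):
        if rng.random() < q:          # shared layer falls: every replica lost
            compromised = k
        else:                         # otherwise each platform falls on its own
            compromised = sum(rng.random() < p for _ in range(k))
        all_hits += compromised == k
        any_hits += compromised > 0
    return all_hits / trials, any_hits / trials


def diversity_table(p: float, q: float = 0.0, max_k: int = 3) -> list[tuple[int, float, float]]:
    """Rows of (k, P[ransomware succeeds], P[leak]) for k = 1..max_k."""
    return [(k, *denial_and_leak(p, k, q)) for k in range(1, max_k + 1)]


if __name__ == "__main__":
    # With p = 0.1 and no shared layer, going from one platform to three
    # drops the ransomware-success probability from 0.1 to 0.001 but raises
    # the leak probability from 0.1 to about 0.27.
    for k, denial, leak in diversity_table(0.1):
        print(f"k={k}: ransomware={denial:.4f} leak={leak:.4f}")
    # A shared layer at q = 0.05 puts a floor of 0.05 under both numbers,
    # regardless of how many operating systems sit underneath it.
    for k, denial, leak in diversity_table(0.1, q=0.05):
        print(f"k={k}, q=0.05: ransomware={denial:.4f} leak={leak:.4f}")
```

The closed form and the simulation agree; the point the model makes explicit is that the ransomware number improves geometrically with k while the leak number gets worse, and that a shared layer caps the benefit of OS-level diversity at q no matter how large k is.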

Diversity just leads to more attack surfaces that have to be locked down. Doesn’t sound like a good idea. And even if you had it (33% of desktop OSes each on Linux, Windows and Mac), having 1/3 of your company neutralized is still a huge problem.