The best practice taught by computer security experts everywhere is diversification across your security products. This differs from the practice of establishing a common baseline and acquiring the same make and model of equipment for a given function throughout the environment. The idea is simple, but the explanation is complex. Your security architecture is made up of many different components doing different things in order to accomplish a mission function. A computer system is built the same way a house is built: many different components make up the whole. On the surface, you have a resilient barrier to keep the outside out (IT system: boundary protection; house: stucco, brick, weather-resistant wood, roofing material). Inside of that, you have a buffer zone to insulate the interior from the impact of extreme penetrating elements (IT system: DMZ, honeypots, externally facing servers; house: wood framing, insulation). Inside of that, you have another barrier between the buffer zone and the interior (IT system: internal firewalls, authentication servers; house: interior drywall). At protected points, you have controlled access to the inside (IT system: VPN, privileged functions; house: locking doors and windows). And at unprotected points, you have holes that can be used to gain access to the inside (IT system: weaknesses expressed as vulnerabilities; house: various vents and weak points such as the garage door). Just as a house is, an IT system should be fitted with security measures to mitigate the possibility that an intruder could gain access to the inside. An alarm system is analogous to audit monitoring and reporting and to IDS devices. Additional reinforcements like window bars and sticks in the tracks of windows are comparable to IPS devices and two-factor authentication.
So, what is the problem? It’s with those holes, the weak points. A house built with the standard equipment used in all the rest of the houses in the neighborhood may share a common fault, such as a particularly weak locking mechanism, that once known can be used again and again to gain access to any house using that mechanism. Furthermore, if security devices bought from the same company are used for multiple layers of protection, they may share a common weakness, making it that much easier for an intruder to penetrate to the warm comfort of the interior. Business is business, and corporate policy dictates the way that business is conducted. A corporate takeover may introduce a weaker policy structure than what existed previously, and layoffs may produce an out-of-work expert in the technology in use who is now disgruntled. This guy knows all your secrets, knows the back doors, and knows the products. You’ve just made him mad and unemployed, and in an act of desperation he could sell what he knows, or even take an active role in a penetration attempt. At the very least, he is now more susceptible to a social engineering attempt, because he is no longer subject to the sanctions that applied while he was employed.
Another aspect to consider is the components themselves. A single manufacturer supplying multiple layers of protection devices that share a common vulnerability or design method poses a significant risk, because the same exploit will work at multiple layers. Take our house as an example again: it has a door with an added security door as the main entry point, but both doors are fitted with a lock from the same manufacturer. It is well known that certain locks have a vulnerability such that a simple application of a hammer is able to break them and allow the door to be opened. Two swings, and the intruder gains access to the house. In our IT system, let’s say that both the exterior and interior firewalls are made by the same company and have a vendor-installed back door. The same hard-coded default password opens both firewalls, and an intruder is in the network within seconds.
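The firewall scenario above can be put into numbers. The following is an added example, not part of the original text: it takes a constructed inventory of protection layers tagged with their vendor, flags vendors that appear at more than one layer, and computes the chance of a full breach under an assumed simple model in which each vendor independently has an exploitable flaw (such as a shared hard-coded password) that defeats every layer that vendor supplies. The model, vendor names and layer names are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample inventories: each entry is (layer name, vendor).
# The same vendor at two layers means those layers share a failure mode.
MONOCULTURE = [
    ("exterior firewall", "VendorA"),
    ("VPN concentrator", "VendorA"),
    ("interior firewall", "VendorA"),
]
DIVERSIFIED = [
    ("exterior firewall", "VendorA"),
    ("VPN concentrator", "VendorB"),
    ("interior firewall", "VendorC"),
]


def shared_vendor_layers(layers):
    """Map each vendor to the layers it supplies, keeping only vendors
    that appear at more than one layer (the review finding to act on)."""
    by_vendor = defaultdict(list)
    for name, vendor in layers:
        by_vendor[vendor].append(name)
    return {v: names for v, names in by_vendor.items() if len(names) > 1}


def effective_depth(layers):
    """Number of independent barriers actually in the path: one per
    distinct vendor, since a vendor-wide flaw collapses its layers into one."""
    return len({vendor for _, vendor in layers})


def breach_probability(layers, p_flaw):
    """Assumed model: each distinct vendor independently has an exploitable
    flaw with probability p_flaw, and that flaw defeats every layer the
    vendor supplies. Fully independent layers would give p_flaw ** len(layers);
    shared vendors shrink the exponent to the number of distinct vendors."""
    return p_flaw ** effective_depth(layers)


if __name__ == "__main__":
    for label, inventory in (("monoculture", MONOCULTURE), ("diversified", DIVERSIFIED)):
        print(label, "layers:", len(inventory),
              "effective depth:", effective_depth(inventory),
              "P(full breach | p_flaw=0.1):", breach_probability(inventory, 0.1))
        for vendor, names in shared_vendor_layers(inventory).items():
            print("  shared vendor", vendor, "->", ", ".join(names))
```

With three layers from one vendor the exponent is 1, so a single vendor flaw is the whole breach; with three vendors the same layers give an exponent of 3.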