Interviews

White-listing view

by Mark Rowe

Positive security is a new term being bandied about, but it’s really just the old idea of white-listing given new life, writes David Fisk, pictured, EMEA sales director, Quorum.

Almost all IT security systems today rely on black-listing – allowing all programs, except those specifically identified as a security risk. But white-listing — blocking access to all programs except those specifically allowed — makes security more robust. When white-listing was first proposed, the technology was not ready to handle the needs of such a system. We’ve come a long way since then and it’s time to give white-listing another look in our toolkit of security essentials.

In the early days of white-listing, users quickly saw the frustrations associated with it. Every time they tried to open and run a specific file not on the white-list, they had to wait for an administrator to approve it before they could run it. The best solution to the problem, namely automation, was not yet sophisticated enough to decide which programs could be trusted.

Today’s automation systems can look at much more than a specific file name. They can determine what software created the program and automatically approve or disapprove access. These systems can even “learn” the functions and processes that should be allowed, green-lighting an application, but blocking system changes that the application should not be allowed to make. That means the common problems of users opening a malicious email attachment or downloading a malicious file simply vanish. The files can be in the system, but if not white-listed, they can’t run and can’t hijack the system.

White-listing also uses fewer system resources because it identifies software by hashes instead of scanning every single file included in a program. If a program does not match a defined hash, it cannot run. Compare this to blacklisting, which scans program files, using significant system resources.
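The hash check described above, as an added example that is not from the article or from any vendor it mentions: it builds an inventory of approved files and applies default deny by content hash, so a look-alike file name does not pass. SHA-256, the function names and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_inventory(root):
    """Walk an approved application directory; return {sha256: relative path}."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            inventory[sha256_file(full)] = os.path.relpath(full, root)
    return inventory

def is_allowed(path, inventory):
    """Default deny: a file may run only if its content hash is inventoried."""
    try:
        return sha256_file(path) in inventory
    except OSError:
        return False  # unreadable or missing files are never approved

def demo():
    """Run the check over constructed sample files (not real executables)."""
    with tempfile.TemporaryDirectory() as tmp:
        approved = os.path.join(tmp, "approved")
        os.makedirs(approved)
        with open(os.path.join(approved, "editor.exe"), "wb") as fh:
            fh.write(b"constructed approved program v1")
        inventory = build_inventory(approved)
        # Same name as an approved program, different content.
        with open(os.path.join(tmp, "editor.exe"), "wb") as fh:
            fh.write(b"constructed attachment posing as editor")
        # Approved content under a new name.
        with open(os.path.join(tmp, "renamed.exe"), "wb") as fh:
            fh.write(b"constructed approved program v1")
        return {
            "same_name_other_content": is_allowed(os.path.join(tmp, "editor.exe"), inventory),
            "approved_content_renamed": is_allowed(os.path.join(tmp, "renamed.exe"), inventory),
            "missing_file": is_allowed(os.path.join(tmp, "absent.exe"), inventory),
        }

if __name__ == "__main__":
    print(demo())
```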

White-listing is proactive in that it only allows trusted changes to a system. By contrast, blacklisting requires the threat of a given function be known before it can be blocked. That means invariably that someone has to suffer an unwanted system change before the danger of the program is recognised. White-listing and blacklisting are complementary approaches. By proactively selecting programs allowed to run, white-listing blocks previously undetected threats. Blacklisting helps to identify and remove changes that may have been inadvertently allowed through white-listing.

Downside

Unfortunately, implementation of white-listing in a blacklisted environment is not easy. Anthony Arrington of ThreatTrack Security says: “One of the biggest complexities of white-listing is the need to have it implemented in the over-arching cybersecurity plan from the start. Proper implementation requires you to take inventory of the company’s application stack and create hash values of every application and OS attributes. That’s not really easy to do, especially if you have an operation that’s already in production.”

But for smaller enterprises with fewer software applications, it’s less of a problem. And, because small businesses are primary targets of security threats, white-listing is a smart security approach. According to fraud detection technology provider CSID, 18 percent of cyber attacks in 2011 were directed at small and medium-sized businesses. In 2013, the figure was 31 percent. Clearly, cyber criminals see the vulnerability and are taking advantage of it. By using white-listing technology, small businesses stand a better chance at fighting these foes off. Having an inventory of applications is a vital step in the disaster recovery planning process too, so it’s something you should be doing anyway.

Although white-listing needs another look, I’m not suggesting it’s a replacement for blacklisting. A pure white-list environment would be too restrictive for many job functions. It is, however, an important step toward more secure systems.

White-listing could be used to allow only applications downloaded from your company’s servers, giving you control of the software run on your employee systems. When used in conjunction with standardisation, it becomes a workable security approach that rarely causes inconvenience to users.

Of course, this limits flexibility to some extent. The proliferation of mobile apps creates a constant fluctuation in items to be white-listed, making it an impossible solution for a mobile workforce that needs to try out different apps and programs often. Whether that compromise is a true problem for your business will depend on the job function.


© 2024 Professional Security Magazine. All rights reserved.
