Whitelisting: Why and How It Works
Bad guys continually tweak malware, making it tough for traditional antivirus products to keep up. Whitelisting can help, by allowing only pre-approved applications.
The rising popularity of whitelisting boils down to simple math. With a relatively small number of malware items, it made sense to compile known virus signatures to detect and prevent infection. But with a huge increase in the volume of viruses and other forms of intrusion, it isn’t easy to keep virus signatures up to date.
That is where whitelisting comes in. Instead of listing all the potential bad stuff you don't want to let in, it’s simpler to create a shorter list of applications and processes that are authorized to run.
"Traditional antivirus is based on blacklisting which helps to block known malware," said Simone Spencer, endpoint product expert at McAfee. "Whitelisting limits use with a 'deny by default' approach so that only approved files or applications can be installed. Dynamic application whitelisting strengthens security defenses and helps to prevent malicious software and other unapproved programs from running."
Another name for whitelisting is application control; you stay on top of which apps are allowed to run and which are not. Gartner analyst Neil MacDonald sees this kind of containment and isolation approach as an emerging foundational security strategy. Virus and malware signatures are becoming increasingly ineffective, MacDonald said, so a better approach is to treat everything as a potential unknown threat.
Gartner surveys show that 25 percent of enterprises are already deploying some form of application control. And another 50 percent are seriously considering it. That's why the analyst firm predicts that whitelisting will enter the mainstream by 2017. Within three years, Gartner believes more than half of tablets, smartphones, desktops, laptops and servers will only be allowed to run pre-approved applications, with everything else denied access.
Whitelisting and Ransomware
"Whitelisting is more necessary than ever because viruses and other malware are morphing," said Rob Cheng, CEO of PC Pitstop. "This means that one virus looks like hundreds or thousands of different viruses to traditional AV products."
The type of attack vector has shifted recently, with individual users and entire companies being subjected to ransomware – infections that encrypt all their data and lock them out unless they pay a ransom. Recent ransomware attacks like CryptoLocker and CryptoWall are examples of attacks that could have been prevented through the use of application whitelisting.
"The stakes have gotten higher because of ransomware viruses, which encrypt your hard drive and demand a ransom in BitCoins for all your files back," said Cheng. "It encrypts photos, videos, Excel files, PowerPoint presentations and so on, so all your most personal documents are lost."
Traditional products use a blacklist to attempt to stop ransomware. But a virus will be blocked from executing and hence infecting only if it is on the list. That can be too slow, given the speed with which the bad guys morph their malware. By the time it is on the blacklist, another variant is invading user files.
"A whitelist stops the virus morphing issue dead in its tracks," said Cheng. "From a marketing perspective, we describe the white list as a VIP list for your PC. If you are not on the list, then you are not getting in."
How to Whitelist
So how do you go about whitelisting? James Tarala, an instructor for security training organization SANS Institute and one of the principal contributors to the Council on CyberSecurity, said that whitelisting can be based on several things. This includes the name of the executable, a digital signature of the program being executed, or the location on the computer’s file system where the executable resides.
Smaller organizations might be able to compile their own whitelist. But most enterprises are advised to turn to whitelisting software preconfigured with known good executables and domains. You can then add more required domains as needed to the initial list.
Stu Sjouwerman, CEO of KnowBe4, gave an example of how a whitelisting application works: It scans the machine in order to create a local whitelist. It then allows only known good executables to run. Users accessing the Internet get immediate protection in the form of a list of known-good websites, which is combined with a locally created, organization-specific whitelist. An alert is shown to anyone who tries to go to an unknown and potentially dangerous domain. They are required to either go back or confirm they really want to go there.
"Even if malware already exists on a workstation, it will be blocked when it attempts to call home," said Sjouwerman.
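To make Tarala's three criteria and Sjouwerman's scan-then-allow flow concrete, here is an added example (not code from the article or from any vendor named in it) that baselines a trusted directory and then judges three candidate files by name, by directory and by content digest. The digest check is a simplified stand-in for verifying a publisher's digital signature, and the file names, directory names and byte strings are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path
# Constructed stand-ins for real binaries (added example, not the article's code).
LEGIT_BYTES = b"MZ legit-updater v1"
TAMPERED_BYTES = b"MZ same-name-but-modified"

def sha256_file(path):
    """Content digest: a simplified stand-in for checking a publisher signature."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def baseline_scan(root):
    """The 'scan to build a local whitelist' step: record every file under root
    by name, by directory and by digest (the three criteria the article lists)."""
    wl = {"names": set(), "dirs": set(), "digests": set()}
    for dirpath, _, files in os.walk(root):
        for name in files:
            wl["names"].add(name.lower())
            wl["dirs"].add(os.path.abspath(dirpath))
            wl["digests"].add(sha256_file(os.path.join(dirpath, name)))
    return wl

def decide(wl, path, criterion):
    """Deny by default: allow only when the chosen criterion matches the whitelist."""
    if criterion == "name":
        return os.path.basename(path).lower() in wl["names"]
    if criterion == "path":
        return os.path.abspath(os.path.dirname(path)) in wl["dirs"]
    if criterion == "digest":
        return sha256_file(path) in wl["digests"]
    return False  # unknown criterion: fail closed

def demo():
    """Baseline a trusted directory, then judge three candidates under each criterion.
    Returns {criterion: (legit file, same name elsewhere, unknown file in trusted dir)}."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted, downloads = Path(tmp, "Vendor"), Path(tmp, "Downloads")
        for d in (trusted, downloads):
            d.mkdir()
        legit = trusted / "updater.exe"
        legit.write_bytes(LEGIT_BYTES)
        wl = baseline_scan(trusted)  # the scan runs before the attacker's files exist
        renamed = downloads / "updater.exe"  # same name, different bytes
        dropped = trusted / "dropper.exe"    # unknown bytes inside the trusted directory
        renamed.write_bytes(TAMPERED_BYTES)
        dropped.write_bytes(TAMPERED_BYTES)
        return {c: (decide(wl, legit, c), decide(wl, renamed, c), decide(wl, dropped, c))
                for c in ("name", "path", "digest")}
```

Only the digest criterion rejects both the same-named file dropped elsewhere and the unknown file placed inside the trusted directory, which is why name- or path-only rules should be treated as a convenience layered on top of signature or hash checks rather than as the control itself.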
For those that want help in compiling whitelists, the SANS Institute and the Council on CyberSecurity created the Critical Security Controls project. This gives users access to a prioritized list of security controls that organizations can implement to help them defend against ransomware attacks and other malware, Tarala said.
Sjouwerman also recommended letting users know that a whitelist is going to be created and briefing them on its importance. This should be done via a briefing as well as follow up training.
Short List of Whitelisting Products
There are many tools out there that do some kind of whitelisting. Users should gravitate toward those that can automatically scan systems to find out which applications are already running, can also access known-good lists of Web executables, and allow the user to add or subtract apps and websites as they decide. Avoid those that are complex and tie up too much IT time.
The big security and IT firms offer whitelisting, often as add-ons to existing products or as part of a larger suite. Examples include:
But you don't have to stick with the big boys. With whitelisting technology experiencing fresh impetus, it could be that specialists will lead the industry in terms of innovation. Examples include:
Whitelisting Not a Standalone Solution
Nobody, though, is suggesting that you should dump all other lines of security and do only whitelisting.
"Whitelisting is not a replacement for antivirus," said Spencer. "It should be used as a valuable complementary piece within a comprehensive security solution."
Further, Cheng made the point that there is a downside to whitelisting. By doing so, you create the potential to block a good program which has not yet been identified. You see this on sites like Yahoo that serve up a security warning and label a site as potentially dangerous – yet it is one you have used and trusted for years.
"If this happens, the user has a way of adding that program to a local whitelist and then it can execute," said Cheng. "It is an inconvenience to the user, but they are still able to do what they want. On the other hand, as you know, the ramifications of allowing a virus to run can be severe."
Drew Robb is a freelance writer specializing in technology and engineering. Currently living in Florida, he is originally from Scotland, where he received a degree in geology and geography from the University of Strathclyde. He is the author of Server Disk Management in a Windows Environment (CRC Press).
August 07, 2014