It’s not just about stopping unwanted intruders from getting into a system, however. It’s also about protecting data that an intruder might be able to access if they manage to crack perimeter defenses.
One of the most important ways that companies and organizations can protect themselves is by placing restrictions on who can and cannot connect to the system. There are two lists used for this purpose: whitelisting and blacklisting. They each require different levels of effort – but may produce security results commensurate with that effort.
What is Whitelisting?
Whitelisting is a defensive measure, used to protect against malware and other malicious software. It works by allowing only trusted executables, applications and websites to run on an organization’s systems.
Whitelisting is a cybersecurity term that refers to the process of identifying and permitting safe content. It means blocking all other content from entering the network by default and then only permitting specific files that have been pre-approved.
For example, in order to avoid receiving spam emails, email users can whitelist the emails they want to receive. A whitelist is a list of items that are allowed in and can enter. Some others create separate email addresses just for subscriptions and use that as their whitelist.
Whitelisting is based on principles of “zero trust,” which means it denies everything and only allows what is absolutely essential. That means more work for security teams and admins and more hurdles for users, but the payoff is greater security.
Advantages and Disadvantages of Whitelisting
The advantages of whitelisting in cybersecurity are that it provides greater protection by restricting access to software and hardware to only those apps, websites and IP addresses that are already known and trusted. Some benefits associated with this are that it can reduce false positives, improve performance, and reduce vulnerability to malware.
However, whitelisting can be labor-intensive and time-consuming, as only things that are explicitly approved for entry are allowed in.
This means that nothing gets in without permission. The downside to this is it requires more time to add new items and this can slow productivity because users have to go through an approval process to access anything new.
What is Blacklisting?
Blacklisting is a security measure that keeps certain people, web sites or programs from a computer or network. In other words, it refers to the practice of blocking unauthorized access to a system resource.
Blacklists can be compiled manually or automatically, and can be created by analyzing data traffic and identifying malicious or unauthorized connections. Blacklisting is often used for filtering out unwanted content from social networks or websites.
Pros and Cons of Blacklisting
There are many positive aspects to blacklisting. It’s a low-effort and quick way to identify undesirable content and block it from entering the system. But the drawback is that blacklisting cannot stop all malicious content from getting in, especially if the malicious traffic is from an unknown or rare source.
Spam emails are a very good example in this case. A blacklist would be the email addresses from which you do not wish to receive emails. If you get “spam,” you can put the sender on a blacklist to prevent them from contacting you again. If you get a lot of emails from fresh email addresses, this means you’re never really on top of the threats, and as email can be the source of some of the biggest threats, some manner of adaptive security seems essential, if only a spam filter that can block email based on patterns.
Whitelisting vs. Blacklisting: Why Not Both?
Blacklisting and whitelisting both have their pros and cons, so a lot of organizations wonder which to employ to protect systems from malicious hosts.
The fact is it doesn’t have to be a choice, and many companies and security vendors use a combination of both. For example, a company may have a blacklist that blocks known malware domains from accessing its networks. That same company might use a whitelist in a critical area that only permits connections from known, trusted domains.
The whitelist approach reduces the likelihood that a single mistake on the blacklist will result in damage.
And while the blacklist method blocks any site, app or user that has been flagged as unsafe, there is the possibility of a site erroneously being blocked, in which case users or admins need whitelisting capabilities for those exceptions. The whitelist method will likely wind up blocking safe resources, but that’s the price of higher security, and users and admins just need to be prepared to make exceptions as needed. The risk there is that admins may tire of the volume of whitelisting requests and set policies that are too lax.
Blacklisting is more commonly used because it has better coverage of malicious items that are continuously changing. But whereas whitelisting can be overly restricting, blacklisting may not be prepared for new “zero day” threats that emerge frequently. Blacklisting requires the security vendor providing the service to quickly adapt to emerging threats.
Ultimately, the job of allowing or denying access would be better handled by machine learning and other adaptive security measures that can not only block known threats, but also identify unknown threats through patterns or behavior.
Until then, the best answer to the question of which is better, whitelisting or blacklisting, is “both.”