In an era where more malware is being produced than applications, blacklists may be an anachronism. Increasingly CISOs are looking at application whitelisting — creating a list of applications allowed to run on a system, and everything else is blocked — to improve access control.
Last month the U.S. National Institute of Standards and Technology (NIST) published a guide to help them understand the basics of application whitelisting, as well as how to plan and implement whitelisting technologies throughout the security deployment lifecycle.
The 17-page paper notes that an application whitelisting solution isn’t for every environment. In fact NIST says it’s best for hosts in custom environments at high risk of attack or data exposure where security takes high precedence over functionality. A standard enterprise (or what NIST calls a managed environment) should do a risk assessment to determine whether the security benefits provided by application whitelisting outweigh its possible negative impact on operations. A dedicated staff managing and maintaining the application whitelisting solution will be needed, it adds, just as one is needed for an enterprise antivirus or intrusion detection solution.
There are also four other tips:
—Consider using application whitelisting technologies already built into the host operating system, particularly for centrally managed desktops, laptops, and servers, because of the relative ease in managing these solutions and the minimal additional cost. If this isn’t possible, look for third-party solutions with robust centralized management capabilities;
—Use products that support more sophisticated application whitelisting attributes. Choosing attributes is largely a matter of achieving the right balance of security, maintainability, and usability. Simpler attributes such as file path, filename, and file size should not be used by themselves unless there are strict access controls in place to tightly restrict file activity, and even then there are often significant benefits to pairing them with other attributes. A combination of digital signature/publisher and cryptographic hash techniques generally provides the most accurate and comprehensive application whitelisting capability, but usability and maintainability requirements can put significant burdens on the organization;
—Test prospective application whitelisting technology before deploying. This testing should include a thorough evaluation of how the solution reacts to changes in software, such as installing an update. An application whitelisting technology might be considered unsuitable if, for instance, it had to be disabled in order to install security updates for the operating system or particular applications;
—Use a phased approach for deployment to minimize unforeseen issues and identify potential pitfalls early in the process.
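The second and third tips above (choose stronger attributes than path, name and size; test how the product reacts to a software update) can be seen side by side in a small default-deny policy evaluator. The following Python is an added example written for this summary, not code from NIST or from any whitelisting product. It assumes a file is described by its path, content and a `publisher` field that stands in for the verified signer of a code signature (a real product verifies the certificate chain; that step is omitted here). The three sample files are constructed: an approved binary, an unsigned impostor written over the same path with content of the same length, and a signed update of the approved binary.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FileRecord:
    """Attributes a whitelisting agent could observe about an executable.

    `publisher` is an assumed stand-in for the verified signer of a code
    signature; None means the file is unsigned.
    """
    path: str
    content: bytes
    publisher: Optional[str] = None

    @property
    def name(self) -> str:
        return self.path.rsplit("/", 1)[-1]

    @property
    def size(self) -> int:
        return len(self.content)

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


RuleSet = Dict[str, object]  # attribute name -> required value; all must match
Policy = List[RuleSet]       # a file is allowed if ANY rule set matches it


def matches(rule_set: RuleSet, f: FileRecord) -> bool:
    return all(getattr(f, attr) == want for attr, want in rule_set.items())


def is_allowed(policy: Policy, f: FileRecord) -> bool:
    """Default deny: a file may run only if some rule set fully matches it."""
    return any(matches(rs, f) for rs in policy)


# Constructed sample files. The impostor is dropped over the approved
# binary's path with content of the same length, so path, name and size
# are identical; only the hash and the (missing) signature differ.
APPROVED = FileRecord("/opt/tool/app", b"app v1 binary", publisher="Example Corp")
IMPOSTOR = FileRecord("/opt/tool/app", b"bad v1 binary", publisher=None)
UPDATED = FileRecord("/opt/tool/app", b"app v2 binary", publisher="Example Corp")

SAMPLES = {"approved": APPROVED, "impostor": IMPOSTOR, "updated": UPDATED}

# Four candidate policies built from different attribute choices.
POLICIES: Dict[str, Policy] = {
    "path+name+size": [{"path": "/opt/tool/app", "name": "app", "size": 13}],
    "hash": [{"sha256": APPROVED.sha256}],
    "publisher": [{"publisher": "Example Corp"}],
    "publisher+path": [{"publisher": "Example Corp", "path": "/opt/tool/app"}],
}


def evaluate_all() -> Dict[str, Dict[str, bool]]:
    """Return, per policy, whether each sample file would be allowed to run."""
    return {
        pname: {sname: is_allowed(pol, f) for sname, f in SAMPLES.items()}
        for pname, pol in POLICIES.items()
    }


if __name__ == "__main__":
    for pname, results in evaluate_all().items():
        verdicts = " ".join(f"{s}={'allow' if ok else 'block'}" for s, ok in results.items())
        print(f"{pname:16} {verdicts}")
```

Running it shows the trade-off the guide describes: the path/name/size policy allows the impostor, the hash-only policy blocks the impostor but also blocks the legitimate update (every patch means re-approving a new hash), and the publisher-based policies allow both the original and its update while blocking the unsigned file. Pairing publisher with path narrows the rule further without adding maintenance on each update.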
Note these are recommendations for application whitelists. Whitelisting can also be used for software inventory, file integrity monitoring, incident response, email addresses, networks and mobile code. For mobile devices, consider an app store and/or a mobile device/mobile application management system.
If you’ve been thinking about whitelisting, this is a good research resource. See also this paper put out by the U.S. National Security Agency for a quick intro.