Author: Peter Burkin CISSP, QSA
When I started out in the IT industry, installing software was simply a matter of feeding a stack full of floppy disks one by one into a computer with fingers crossed that the hard drive was large enough to consume the new programme. Indeed, showing the younger generation a 3½ inch floppy disk today is likely to result in a reaction along the lines of: “wow, you’ve 3D printed the save icon?!”
In today’s corporate world of IT, new and up-and-coming professionals who have been raised with technology from birth are keen to test out new ideas, websites and applications to prove better methods of working, and show how sharing and reporting on data can improve performance and profits. All staff are capable of researching websites for new products, signing up to them and uploading data, blissfully unaware that they may be breaking company information security policies. Although the development of the internet has brought unprecedented opportunities, unforeseen dangers will always lurk on the web, waiting to be downloaded. Often set by organised criminals, these attacks are becoming more and more sophisticated, tricking even the most security savvy amongst us. Gone are the days of buying physical disks from a trusted vendor.
With software being developed so that it no longer requires administrator privileges to be launched or installed, malicious applications can be presented within emails, as website downloads or even as advertisements. Alarmingly, such software can defeat firewalls, proxy servers, spam filters and antivirus software: encryption hides the code on its way to the end device, and each sample is varied enough not to match the signatures that antivirus software commonly relies on. Once running on a device on the internal network, the software can take milliseconds to replicate to other computers. The spread of such ransomware has made headline news around the world because of the disruption caused. Even fully patched devices can fall victim to these advances by the criminals.
For these reasons, is it time to implement application whitelisting (AWL) to help bring what is running within the corporation back under control? Unlike antivirus software, which actively blocks known harmful software, AWL only allows approved software (known not to be malicious) to launch. This “deny by default” approach can offer greater security results, especially when an attack is in its early stages or has been targeted at a specific company. Microsoft Windows has an AWL built into the operating system, Windows AppLocker, and other vendors have solutions for sale, such as Trend Micro Endpoint Application Control and Ivanti Application Control.
If whitelisting is more effective than blacklisting and it is freely available (Microsoft introduced software restriction policies within Windows XP and Windows Server 2003), why is it not widely used today? Unlike blacklisting, whitelisting can stop legitimate applications from working and early AWL systems did a poor job at deciding what would and wouldn’t run, giving it a bad reputation.
Modern operating systems and associated products have much better implementations of AWL today, allowing approved executables, scripts, installers and linked files. Monitoring, testing and development of processes to keep whitelists current in the early stages of deployment can prevent issues later in the life cycle. The significant security benefit of preventing unknown code from running and replicating across the network within milliseconds should be the key motivator for introducing AWL as an extra security layer.
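As an added illustration of the deny-by-default model and of the monitoring and testing process described above (an example script written for this page, not code from the article, from Microsoft or from any vendor named here), the following PowerShell builds an AppLocker policy from a set of reference directories, deploys it in audit-only mode, checks candidate files against it and then lists what the policy would have blocked. The directory list, the candidate file paths and the temporary file name are assumptions chosen for illustration and should be replaced with real values on the machine being tested.

```powershell
# Added example (not from the article): build an AppLocker allow-list from a
# reference (golden) image, roll it out in audit mode first, and review what
# would have been blocked before switching to enforcement.
# Assumptions: run elevated on a Windows machine where the AppLocker module is
# available; the directories and file paths below are illustrative.

# 1. Inventory executables, installers and scripts from the reference directories.
$referenceDirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'   # assumed
$fileInfo = foreach ($dir in $referenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, WindowsInstaller, Script
}

# 2. Generate allow rules. Publisher (signature) rules are preferred so that
#    vendor updates keep running without a whitelist change; unsigned files
#    fall back to hash rules, then path rules.
[xml]$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash, Path -User 'Everyone' -Optimize `
    -IgnoreMissingFileInformation -Xml

# 3. Put every rule collection into AuditOnly: nothing is blocked yet, but
#    AppLocker logs what *would* have been blocked, which is the data needed
#    to fix gaps in the whitelist before enforcing it.
foreach ($collection in $policyXml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$auditPolicyPath = Join-Path $env:TEMP 'applocker-audit.xml'                 # assumed
$policyXml.Save($auditPolicyPath)

# 4. Dry-run the policy against candidate files (placeholder paths; point these
#    at real files). The second one sits in a user-writable location and, under
#    deny by default, should come back as DeniedByDefault unless a rule covers it.
$candidates = 'C:\Program Files\ExampleVendor\app.exe',                        # assumed
              "$env:USERPROFILE\Downloads\invoice.exe"                        # assumed
Test-AppLockerPolicy -XmlPolicy $auditPolicyPath -Path $candidates -User 'Everyone' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply the audit policy locally and make sure the Application Identity
#    service, which AppLocker depends on, is running and starts automatically.
Set-AppLockerPolicy -XmlPolicy $auditPolicyPath
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 6. After a monitoring period, summarise the audit events. Event 8003 in the
#    "EXE and DLL" log and 8006 in the "MSI and Script" log mean "would have
#    been blocked". Files that appear here are either legitimate software
#    missing from the whitelist (add a rule) or genuinely unwanted code.
$wouldBlock = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006 } -ErrorAction SilentlyContinue
)
$wouldBlock |
    Group-Object -Property { $_.Properties[10].Value } |   # index 10 holds the file path in these events
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Once the audit log stops showing legitimate applications, the same XML can be re-saved with EnforcementMode set to Enabled and deployed with Set-AppLockerPolicy (or via Group Policy with the -Ldap parameter), and the whitelist then needs a standing change process so that new approved software is added before, not after, users hit a block.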
For corporate and departmental risk reduction to be effective, it needs to link to corporate and departmental strategy and business objectives, with staff bought in to how, and why, security by design is important.
It’s not possible to secure everything and the most security mature organisations recognise that it’s a matter of when, not if breaches occur. Therefore, prioritisation of risks at corporate and departmental levels can help people balance the opportunity with the risk.
The way we recommend organisations do this is by implementing quantifiable risk assessment methodologies, starting with looking at business impact at a corporate and departmental (and even project) level. By getting the departmental activity owners to feed into, and give views on, the impact of a breach in a particular area or to a particular system, businesses can start to identify and recognise the value of putting in place risk mitigation controls based on the prioritisation of the impact of a breach.
This collaborative approach often enables a change in culture, where security is seen as supporting the business objectives of activities and projects rather than holding those activities and projects back.
Further information is available from:
SANS Institute: Application Whitelisting: Enhancing Host Security
SANS Institute: Application Whitelisting: Panacea or Propaganda
NIST Special Publication: Guide to Application Whitelisting
Infosec Institute: Top 10 Common Misconceptions About Application Whitelisting