Whitelisting May Be the Future of System Security
The use of blacklisting as a form of cybersecurity protection is common, but it requires security personnel to keep a permanent eye out for any malware they want to block from an agency’s IT environment. That can be a daunting prospect.
Rather than being on alert for external threats, some agencies take a different approach. Whitelisting lets IT teams grant advance permission for specific, trusted items (such as applications or URLs) to run on the network, instead of blocking access to previously identified risks and threats.
Given the targeted nature of today’s cyberattacks, whitelisting offers a more effective approach, says Murugiah Souppaya, a computer scientist at the National Institute of Standards and Technology and co-author of NIST’s “Guide to Application Whitelisting.”
An outlier “may get in the download directory,” Souppaya says, “but it won’t be able to execute because it’s not part of the authorized list.”
SIGN UP: Get more news from the FedTech newsletter in your inbox every two weeks!
Whitelisting Is Easy to Deploy
Whitelisting use — particularly involving IP addresses and domains — has increased in the federal and private sectors in the past 18 months because implementation is fairly simple, says Chase Cunningham, a principal analyst covering risk and security at Forrester. Agencies such as the Defense and Homeland Security departments are using whitelisting solutions to restrict the apps that run in their IT environments and to block threats such as phishing attacks and spam.
“You’re probably looking at three years, at least, before it’s largely used across the entire federal industry, but it’s a glacial shift that’s coming,” says Cunningham. “The concept of, ‘We know what’s good; let’s just use that’ has shown up more. It’s pretty easy for them to say, ‘This application is going to run, and that’s it.’”
Agencies with ample resources may be able to handle more time-intensive whitelisting tasks, such as creating a signature for each system file, Souppaya says. Others may engage a vendor to do the work.
How to Add Whitelisting Capabilities to Security Suites
Agencies that already have a contract with a large security company, such as McAfee, may negotiate to add whitelisting capabilities to their current product suite, Cunningham says. Other providers, such as Carbon Black or Tripwire, offer an application whitelisting cybersecurity platform component.
The deployment of new programs, as well as software and other updates anticipated by an agency tend to be the deciding factors. Such upgrades and updates often require whitelist tweaks.
“Whenever you’re changing that default system baseline, you need to generate a new list,” Souppaya says. “That makes the staff’s workload more intense. People need to look at the whole lifecycle and the costs around managing the solution.”
Agencies should expect to dedicate significant time to initial implementation updates, says Eric Chudow, a National Security Agency senior mitigations expert.
“In most cases, the initial rollout of application whitelisting requires daily updates to the whitelist. Then, for long-term maintenance, you only need either monthly manual updates by the administrators, or an enterprise management solution that automatically tracks and incorporates changes with minimal manual changes needed,” Chudow says.
DOD, DHS Embrace Whitelisting in Different Ways
The Defense Department, which NSA supports, began using Windows 10’s Microsoft AppLocker application for further malware protection after upgrading its workstations in 2016.
Working with the Defense Information Systems Agency, which manages the Defense Department’s endpoint security program, DOD will roll out whitelisting in phases. Depending on the setting, Chudow says, different capabilities may be applied.
“In some environments, additional software is being used for enterprise implementation and management of application whitelisting,” he says. “In other environments, application whitelisting is implemented using the operating system’s built-in capabilities.”
Other agencies are also utilizing whitelisting capabilities. The Department of Homeland Security directed agencies last year to implement its Domain-based Message Authentication, Reporting and Conformance security protocol to help prevent phishing and spamming attacks. DMARC authenticates incoming email messages by comparing their server’s IP address to a predetermined list.
How Agencies Can Avoid Access Issues with Whitelisting
The Veterans Affairs Department uses McAfee Application Control as it pursues whitelisting capabilities, which the agency plans to have developed and fully implemented by fiscal 2019.
Regardless of whether an agency uses a vendor-supplied product or service, however, the VA recommends conducting a thorough assessment of both the agency’s users and its systems to ensure whitelisting success — as well as to prevent accidental shutouts of agency employees.
“Moving from a traditional blacklist approach to a whitelist approach will result in blocking something that was previously allowed,” says VA Press Secretary Curt Cashour. “Begin by auditing traffic and activities to determine business needs and requirements. Next, consult system and business owners to understand the impact of whitelisting. Last, have a plan in place to address any business impact that might occur due to whitelisting.”
Souppaya recommends giving only certain employees administrator privileges — for example, allowing non-admins to run no more than a web browser and authorized security controls such as anti-virus software.
“If a solution can be bypassed easily, some users will choose to do that to run unauthorized software,” Souppaya says. “Malware may take advantage of the configuration weakness to execute.”
Federal agencies generally have a clear sense of what items they can and can’t allow. As a result, they should be well prepared to incorporate whitelisting, Cunningham says. “It’s one of the first initiatives I’d put in place,” he says. “If 100 organizations aren’t using it, and one that’s targeted is, the bad guys will go somewhere else.”