Cybersecurity threats are here to stay. The AV-TEST Security Institute recorded that 1.1 billion new pieces of malware were detected in 2020, with the number expected only to rise. All businesses and organizations need to give cybersecurity a high priority if they want to avoid malicious code or actors gaining access to their system. Not keeping your data – or your customer’s data – secure, from a technology perspective, can have disastrous consequences.
One of the stricter cybersecurity controls is application whitelisting, which greatly reduces the potential for malware to run on your organization's systems.
What is application whitelisting?
Application whitelisting (AWL) is a cybersecurity strategy designed to allow only a trusted list of applications to run on a device. Think of it as a sort of parental lock. Rather than constantly trying to keep ahead of malicious actors one identified piece of malicious code at a time, an IT admin creates in advance a comprehensive list of approved apps that a computer, laptop, cell phone, or server is allowed to run, rejecting all others as potential malicious software.
Whitelisting and blacklisting – what’s the difference?
AWL is the opposite of application blacklisting, which is the strategy employed by most antivirus software: a compiled list of suspicious or malicious code or actors denied access on a network or system. A blacklist is made up of known malware, like Trojans, spyware, viruses, etc.
The default under blacklisting is to allow access to anything not on the list, which is where it differs from whitelisting. Blacklisting allows for greater user freedom – but that freedom comes with a risk, as it also allows potential threats to access your system more readily unless they are already known to the blacklist. It cannot be overstated how easy it is for a malicious actor to change their code to get around a blacklist; it is a matter of minutes on their end.
Advocates of whitelisting claim the ongoing maintenance needed for AWL is worth the time and effort; actively preventing potentially malicious programs from entering their networks is the top priority, despite the restrictions placed on their users.
Drawbacks of AWL
While AWL does provide much protection against ransomware attacks and malware attacks, it’s also quite an extreme measure of lockdown. It requires proper, ongoing maintenance as software falls out of use, new software is added, or when updates are needed. It also requires strategic planning when doing updates, to understand how to add them to the AWL, or see what will break ahead of time.
Compiling a whitelist is an exhaustive task; it requires detailed information about all users’ tasks and all the applications they need access to for those tasks. Maintaining the list thereafter is an ongoing process that cannot be neglected.
Deciding to implement an AWL strategy relies heavily on your organization’s needs, system functionality, and user independence. Some businesses prefer to implement a blacklist, which allows for looser restrictions – but could also leave you more vulnerable to malware or ransomware attacks.
Implementing AWL – define what to whitelist
Creating an AWL sounds simple at first: you need a list of programs that will be allowed on the protected systems; then, the AWL needs to be enforced. However, like many processes that sound simple in theory, the full strategy is much more in-depth than at first glance.
Your list of programs allowed on the operating system will require more than just the file name. The National Institute of Standards and Technology (NIST) recommends implementing whitelisting on hosts that are centrally managed and have a consistent application workload, or in high-risk environments where security outweighs unrestricted functionality. NIST also suggests that organizations considering AWL perform a risk assessment to determine whether the security benefits provided by AWL outweigh the possible detriments to your organization’s operations.
The key decision in whitelisting is which file attributes to match on. If the software allows any app with a specific file name, malicious actors only need to place malware with that file name in the permitted location. NIST recommends basing AWL on:
- File path
- File name
- File size
- Digital signature or publisher
- Cryptographic hash
The first three should not be used by themselves, as they can easily be faked or spoofed; NIST suggests using a combination of digital signature/publisher and cryptographic hash techniques, which provides more accurate and comprehensive AWL capabilities.
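To show why a file name on its own is a weak attribute and why a content hash tied to the expected path is stronger, here is an added Python example (not code from the original post or from any AWL product). It builds a constructed allowlist in a temporary directory, then evaluates three cases under two policies: a name-only policy and a path-plus-SHA-256 policy. The entry and policy names, the sample binaries and the directory layout are all assumptions made for the illustration; a real deployment would also verify the publisher's digital signature, which the stdlib alone cannot do, so that attribute is left out here.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AllowEntry:
    """One approved program: where it is expected to live and the SHA-256 of the approved build."""
    rel_path: str   # path relative to the protected root (assumed layout)
    sha256: str     # hex digest of the approved file contents


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to be read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(root: Path, approved: Dict[str, bytes]) -> List[AllowEntry]:
    """Write the approved builds under root and record path + hash for each one."""
    entries = []
    for rel, content in approved.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
        entries.append(AllowEntry(rel, sha256_of(target)))
    return entries


def name_only_allows(allowlist: List[AllowEntry], root: Path, rel: str) -> bool:
    """Weak policy: allow if the file name matches any approved entry (path and contents ignored)."""
    candidate_name = Path(rel).name
    return any(Path(e.rel_path).name == candidate_name for e in allowlist)


def path_and_hash_allows(allowlist: List[AllowEntry], root: Path, rel: str) -> bool:
    """Stronger policy: allow only if both the expected path and the content hash match an entry."""
    digest = sha256_of(root / rel)
    return any(e.rel_path == rel and e.sha256 == digest for e in allowlist)


def evaluate(allowlist: List[AllowEntry], root: Path, rel: str) -> Tuple[bool, bool]:
    """Return (name_only_decision, path_and_hash_decision) for one candidate file."""
    return name_only_allows(allowlist, root, rel), path_and_hash_allows(allowlist, root, rel)


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Run the three constructed cases and return each policy's decision for them."""
    root = Path(tempfile.mkdtemp())
    # Constructed sample: a single approved program at its expected location.
    allowlist = build_allowlist(root, {"bin/tool.exe": b"approved build v1"})
    results = {}

    # Case 1: the untouched approved binary. Both policies should allow it.
    results["approved"] = evaluate(allowlist, root, "bin/tool.exe")

    # Case 2: a different file carrying the same name in another directory.
    other = root / "tmp" / "tool.exe"
    other.parent.mkdir(parents=True, exist_ok=True)
    other.write_bytes(b"not the approved build")
    results["same_name_other_dir"] = evaluate(allowlist, root, "tmp/tool.exe")

    # Case 3: the approved binary modified in place (name and path unchanged).
    (root / "bin" / "tool.exe").write_bytes(b"approved build v1 plus extra bytes")
    results["modified_in_place"] = evaluate(allowlist, root, "bin/tool.exe")
    return results


if __name__ == "__main__":
    for case, (by_name, by_path_hash) in demo().items():
        print(f"{case:22s} name-only={by_name!s:5s} path+hash={by_path_hash}")
```

The name-only policy allows all three cases, including the two it should block; the path-plus-hash policy allows only the unmodified approved build. This is also why hash-based allowlists need maintenance: every legitimate update changes the hash and must be re-approved, which is the ongoing effort the post describes.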
Stay safe with the right experts
Implementing a whitelist depends heavily on your business goals and user requirements and will be an ongoing maintenance need. Talk to the cybersecurity experts at Technology Solutions to discover if AWL is suitable for your business needs and how to customize an AWL strategy plan today.
An AWL with 2FA combination works great for us. This along with yearly cybersecurity training for all of our employees helps to cut down on those unwanted attacks.
Blacklisting might prove useless against a zero-day attack. Yes, AWL requires more maintenance but in the long run you know you’re on the safe side.
1.1 billion new pieces of malware?! How can that be a real number? It sounds insanely high…
We recommend that our clients use both application whitelisting and blacklisting to cover both fronts. However, if you are at a greater risk of an attack, whitelisting might be a better option than blacklisting, which might end up being used by companies that need more flexibility.