Securing from the inside: Whitelisting

In my last post, I talked about the dangers that the humble USB port can pose to the unsuspecting security administrator. I also suggested some possible ways of dealing with this often overlooked vector. This time, I want to talk about one of my suggestions -- whitelisting. It's a technology that's been around for a while now, but it's something that antivirus companies probably don't want you to know too much about.

Whitelisting

Whitelisting takes a different approach to the malware problem. It involves recording every approved program and preventing anything not on that list from executing. As such, it can be used effectively not only against viruses and worms -- but also against spyware and unauthorized applications.

Taken a step further, whitelisting can be applied to device control as well, preventing unauthorized devices from being connected to corporate PCs and laptops.
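To make the default-deny idea concrete, here is an added example (not code from the original post or from any product) of a minimal hash-based application allowlist: programs under a trusted install are recorded by SHA-256, and an execution request is allowed only if its hash is on that list. The file names and contents are constructed for the demonstration; the "tampering" check for a known name with an unfamiliar hash is an assumption about how a practitioner would want the tool to report that case.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(root):
    """Record every program under a trusted install as hash -> file name.
    Keying on the hash means a renamed copy is still recognized, while a
    modified copy (same name, different bytes) is not."""
    return {sha256_of(p): p.name for p in Path(root).rglob("*") if p.is_file()}


def check_execution(allowlist, path):
    """Default deny: only a recorded hash may run. Returns (allowed, reason)."""
    path = Path(path)
    if not path.is_file():
        return False, "deny: file not found"
    digest = sha256_of(path)
    if digest in allowlist:
        return True, "allow: matches recorded program " + allowlist[digest]
    if path.name in allowlist.values():
        return False, "deny: recorded name but contents changed (possible tampering)"
    return False, "deny: program not in allowlist"


def demo():
    """Constructed scenario: two approved programs, then execution attempts
    from a removable drive. Returns {label: (allowed, reason)}."""
    with tempfile.TemporaryDirectory() as tmp:
        approved = Path(tmp, "approved"); approved.mkdir()
        (approved / "payroll.exe").write_bytes(b"MZ constructed payroll program")
        (approved / "mail.exe").write_bytes(b"MZ constructed mail client")
        allowlist = build_allowlist(approved)
        usb = Path(tmp, "usb"); usb.mkdir()
        (usb / "game.exe").write_bytes(b"MZ something the user downloaded")          # unknown
        (usb / "payroll.exe").write_bytes(b"MZ constructed payroll program, patched")  # modified
        (usb / "payroll_copy.exe").write_bytes(b"MZ constructed payroll program")     # renamed, identical
        labels = {"approved/payroll.exe": approved / "payroll.exe",
                  "usb/game.exe": usb / "game.exe",
                  "usb/payroll.exe": usb / "payroll.exe",
                  "usb/payroll_copy.exe": usb / "payroll_copy.exe"}
        return {label: check_execution(allowlist, p) for label, p in labels.items()}
```

Note that the list is only as trustworthy as the machine it was recorded on, so it should be built from a clean reference install and stored where a user-level process cannot rewrite it.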

Think about it: If you went out shopping for a new burglar alarm today, what kind of features would you look for? Would you purchase one that triggers only when it detects a known burglar or felon in your house?

Or would you go for one that will sound the alarm whenever it detects someone moving about that it doesn't know about?

The failure of traditional antivirus products

The white paper "The Extraordinary Failure of Anti-Virus Technology" quotes a Yankee Group report that 99 percent of companies have antivirus technology installed, yet 62 percent of companies suffered successful virus attacks. According to AusCERT (Australia's Computer Emergency Response Team), the two most popular and deployed antivirus products failed to stop 80 percent of new viruses.

As I explained last time, it's a trivial matter to first test custom malware against the most popular antivirus scanners around. Certainly, this is what a black hat hacker with an assignment to penetrate the defenses of a corporate competitor, and a vector to load the malware in, will do.

Conclusion

The problem with a purely traditional antivirus approach is that the "virus definitions" they work from rely on recognizing known code sequences or known virus behaviour traits. As such, their detection abilities are limited to what has already been catalogued, and new malware tends to get through.

This is not to say that we should immediately discard all our antivirus products. The current generation of antivirus scanners remains useful as part of a multilayered defense against known and old malware that might remain "in the wild" for years yet.

What I am suggesting, however, is that complete dependence on antivirus products needs to be re-evaluated, and other options such as whitelisting need to be examined in light of the rapidly evolving malware situation that the proliferation of the Internet has brought about.

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

4 comments
MarioAt

I'm an end user support tech for a major antivirus provider, and here's my 2 centimes: A rethinking of Windows from the ground up, because Windows was designed as a blank slate for programmers to build many millions of uses on. This is its strength but also its weakness. Think about that: no one deliberately puts adware, malware, spyware etc. on their computer. Leaving aside whatever the hell people do to (with?) their PCs (and Macs and Linux boxes) at home, many end users download stuff for music and other downtime amusements at work, which leads to these plagues entering the network through these swinging back doors. (Techrepublic actually triggers our Download Monitor at my cubicle computer :) ) So setup and obvious points being prologue, Whitelisting would be OK on the job because your work computer is for that only. It's a terrible way to sell PCs to the public: end users want their plugins free and now, and that's not going to change regardless of the dangers. Hell, I like my freeware stuff and use lots of it at home, on my Mac, which is safe for now. That will change as market share skyrockets... Maybe a Windows/Linux White edition should be designed for secure networks and such? Of course that was the whole point of Vista, which repels security problems by being useless across the board :P

dave

I'm a bit of a newbie to this field so this will sound very basic! Specifically how would one go about the whitelisting process? We have Astaro Security Gateway running as our firewall, and I know how to whitelist email addresses and even individual computers. But each program on each computer? Info appreciated!

jc@dshs

Hm. I remember reading an article on TR last year (?) about how ALL computers should have come out of the factory screwed down tight security wise and you then have to "tell it" if you want anything different to run. This approach way back at the start would have prevented the whole malware, spyware, hacking cr@p that we are now lumbered with. It got my vote but unfortunately we don't have time machines, do we :-)

moffat_sitima

Whitelisting seems like a very good idea. I think you would want the program to basically behave like one I have installed on my PC, Trustnoexe. You can't install any application if it's running, but I do not know if it behaves in the same manner with malware. Also, whatever program will be responsible for the whitelisting might end up being vulnerable, meaning it would need constant upgrading just like we are doing with antiviruses.