A significant number of articles are showing up on the Web advocating whitelisting as the only way to effectively protect enterprise networks from malware attacks. While it is a good idea in principle, is it really practical?
In an article last week, Larry Greenemeier wrote that today’s antivirus model is broken (“Antivirus 2.0: The Bouncer Approach”, InformationWeek, January 20, 2007). Supporting his assertions with a report by email security vendors Proofpoint and Commtouch Software, Greenemeier writes that the ability of today’s malware to continuous change their signatures results in a continuous flow of zero-day attacks—attacks that no antivirus program can keep up with. The article describes whitelisting as a possible answer.
Whitelisting consists of preventing workstations from running anything but software approved by the business. Implementing this approach requires conducting an exhaustive inventory of all applications used today. Once the inventory is complete, each application must be reviewed to ensure it is required to perform day-to-day tasks. This is usually a contentious process.
The open nature of PCs in most organizations has resulted in users installing a wide variety of applications that they use to get through the day. Any IT manager who has attempted to prohibit the use of these “productivity” applications knows that this is a dangerous road to travel. Unless she obtains strong support from all layers of management for this approach, the final destination will be unreachable.
Another option is blacklisting. Blacklisting, as its name implies, is the opposite of whitelisting. Workstations are prevented from running applications that are specifically prohibited by management. While this may be a palatable solution for the business users, this is a weak defense if not supported by additional controls. New malicious or highly vulnerable applications are created or identified faster than they can be placed on a blacklist.
Both blacklisting and whitelisting usually require the purchase and implementation of additional software. However, there is a simple way to at least begin controlling what is installed on our networks without major disruption to IS or to the business—the least privilege approach.
The least privilege approach in a Windows environment is simple; disallow local administrator and power user access on all workstations. In a January 19th article, Kelly Jackson Higgins takes a look at a healthcare company that did just that (“Company Cuts Privileges to Cut Malware”). The result in this case was a “huge drop in malware infections”. Granted, third party software was used in this instance, but it isn’t always necessary. Aside from this example, exploits related to a large number of the vulnerabilities patched by Microsoft each month require the user to have local administrator access.
When least privilege is invoked, existing software continues to function normally, resulting in little impact on business users. New installs require approval.
Whitelisting might be the final answer to protecting our networks from criminal elements. However, it’s probably an impossible leap for many organizations. Simply following security best practice by limiting access rights may be a good first step.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.