Positive Security: A New Spin On Whitelisting

Whitelisting

Positive security is a new term being bandied about the industry, but it’s really just the old idea of whitelisting given new life. Almost all security systems today rely on blacklisting – allowing all programs, except those specifically identified as a security risk. But whitelisting – blocking access to all programs except those specifically allowed – makes security more robust.

When whitelisting was first proposed, the technology was not ready to handle the needs of such a system. We’ve come a long way since then and it’s time to give whitelisting another look in our toolkit of security essentials.

Why Whitelisting Failed

In the early days of whitelisting, users quickly saw the frustrations associated with it. Every time they tried to open and run a specific file not on the whitelist, they had to wait for an administrator to approve it. The best solution to the problem, namely automation, was not yet sophisticated enough to decide which programs could be trusted.

Automation Changes Everything

Today’s automation systems can look at much more than a specific file name. They can determine what software created the program and automatically approve or disapprove access. These systems can even “learn” the functions and processes that should be allowed, green lighting an application, but blocking system changes that the application should not be allowed to make.

That means the common problems of users opening a malicious email attachment or downloading a malicious file simply vanish. The files can be in the system, but if not whitelisted, they can’t run and can’t hijack the system. Whitelisting also uses fewer system resources because it identifies software by hashes instead of scanning every single file included in a program. If a program does not match a defined hash, it cannot run. Compare this to blacklisting, which scans program files, using significant system resources.

Proactive Security Compliments Blacklisting

Whitelisting is proactive in that it only allows trusted changes to a system. By contrast, blacklisting requires the threat of a given function be known before it can be blocked. That means invariably that someone has to suffer an unwanted system change before the danger of the program is recognised.

Whitelisting and blacklisting are complimentary approaches. By proactively selecting programs allowed to run, whitelisting blocks previously undetected threats. Blacklisting helps to identify and remove changes that may have been allowed through whitelisting.

The Downside

Unfortunately, implementation of whitelisting in a blacklisted environment is not easy. Anthony Arrington of ThreatTrack Security explains: “One of the biggest complexities of whitelisting is the need to have it implemented in the over-arching cybersecurity plan from the start. Proper implementation requires you to take inventory of the company’s application stack and create hash values of every application and OS attributes. That’s not really easy to do, especially if you have an operation that’s already in production.”

But for smaller enterprises with fewer software applications, it’s less of a problem. And, because small businesses are primary targets of security threats, whitelisting is a smart security approach. According to fraud detection technology provider CSID, 18 percent of cyber attacks in 2011 were directed at small and medium-sized businesses.

In 2013, the figure was 31 percent. Clearly, cyber criminals see the vulnerability and are taking advantage of it. By using whitelisting technology, small businesses stand a better chance at fighting these foes off. Having an inventory of applications is a vital step in the disaster recovery planning process too, so it’s something you should be doing anyway.

Not The Only Answer

Although whitelisting needs another look, I’m not suggesting it’s a replacement for blacklisting. A pure whitelist environment would be too restrictive for many job functions. It is however, an important step toward more secure systems. Whitelisting could be used to allow only applications downloaded from your company’s servers, giving you control of the software run on your employee systems. When used in conjunction with standardisation, it becomes a workable security approach that rarely causes inconvenience to users.

Of course, this limits flexibility to some extent. The proliferation of mobile apps creates a constant fluctuation in items to be whitelisted, making it an impossible solution for a mobile workforce that needs to try out different apps and programs often. Whether that compromise is a true problem for your business will depend on the job function.

Tomorrow’s Security – From Yesterday

The old idea of whitelisting is likely to become an important part of security going forward. It will be part of a comprehensive approach of blacklisting, whitelisting, and backing up data to protect against potential failures of these security systems. Whichever security systems you use, a backup solution can help you keep your data intact and secure in the event of a security breach. Both cloud and hardware solutions offer flexibility, redundancy, and simple recovery to keep your business moving in the face of any threat.

Tony Craythorne

Tony Craythorne is vice president of business development, Quorum. Tony has over 25 years of experience in developing fast growth sale channels in the USA. Previous to his role at Quorum Craythorne most recently served as senior vice president of worldwide sales at Connected Data/Drobo, where he assumed responsibility for all sales and marketing. His accomplishments there included leading the successful launch of the company’s private cloud solutions and managing the merger with Drobo. Prior to Connected Data/Drobo, Craythorne was the senior vice president of global channel sales at 3VR. While there, channel revenue grew over 100 percent; international growth surged over 150 percent.