One of the techniques for mitigating the risk of application vulnerabilities is restricting what types of applications can be executed on your network. Windows Active Directory includes tools in group policy that can restrict application use. You can “white list” applications, meaning only applications you approve can be used, or you can blacklist applications, meaning any application can be used except those you disallow. There is another option, where you restrict applications based on whether the application has a trusted signature (more on certificates and trust later…).
Which of these methods do you think is most appropriate? In your discussions, stay cognizant of the C-I-A triad in IT security… Frequently, we forget how important availability can be, and in our efforts to protect our networks, we may disallow needed applications. Discuss this balance in different kinds of organizations, and where these techniques might be appropriate.
Ruslan Yakush says
Hello Everyone,
As I mentioned in the WebEx class, “Carbon Black” is endpoint security software that performs advanced memory analysis of abnormal activities. It helped our organization’s infrastructure catch Cryptolocker ransomware and stop it from spreading in the network.
https://www.carbonblack.com
Darin Bartholomew says
I think that whitelisting and blacklisting both have significant pros and cons. This post will be my 3rd draft of the answer because of the pros and cons. I think there are several factors that should be considered in this decision. Does the IT team have the staff needed to keep up with whitelisting applications at a large organization as they’re requested? Are the end users proficient in social engineering and general best practices where they might be able to be trusted with blacklisting known vulnerable programs and having the freedom to use others without administration being worried about use that makes the systems vulnerable? What is the potential productivity loss if the administrators move to whitelisting and an end user might have to wait a day or more for a program to be allowed? The security side of my brain says whitelisting is the best. The business undergrad mind of mine says that blacklisting is more functional. The gray area in between is the solution I would try to find. Possibly white listing at the server level and blacklisting at the client level.
Anthony Clayton Fecondo says
Darin, I completely agree with your analysis of whitelisting and blacklisting. I don’t believe that there is a definitive answer to which is better, or at least which is more appropriate. So many factors affect the effectiveness, the threat, and how disruptive either of these choices would be. The employee’s level of security awareness certainly plays a big role in this decision. I would be hard-pressed to decisively proclaim one approach superior to the other.
Anthony Clayton Fecondo says
I think choosing whitelisting or blacklisting depends on the organization. For example, if you have a large corporation with a variety of roles, each with very specific job duties, you can whitelist because you can effectively list all of the necessary applications for the specific duties a given role performs. On the other hand, a smaller or less organized organization with roles that have broader duties might operate better with a blacklist because people in these roles will require a larger variety of applications to perform their collection of duties. Another consideration might be the computer literacy of a given role. Perhaps those roles with high levels of computer literacy could be trusted to make judgements on their own and thus operate with a blacklist. In this case, certain applications will invariably be dangerous and off-limits, but outside of the blacklist the employees could make their own (security-informed) decisions.
This decision really should be made on a case-by-case basis. Blacklisting will require updating and exposes the organization to malicious software that isn’t listed, whereas whitelisting will require updating and will inhibit the ability of employees to perform their duties while they wait for the whitelist to be updated. I think the decision needs to be made based on the projected financial implications of whitelisting and/or blacklisting, and then an appropriate solution of one or a combination of these options needs to be implemented.
Ruslan Yakush says
Part of CIA Triad compliance would be managing the security of applications running in the organization. White List, Black List or Certificate/Trust based are some of the available options, along with other third-party solutions controlling restrictions of applications, including Symantec and Lumension Endpoint Management. All of these can be used to create a controlled environment in a secured fashion.
Some organizations prefer to use one solution over another, or both, depending on different factors, such as:
1. How many applications are running in the organization?
2. How many software applications are critical to restrict?
3. What applications run locally in a self-contained environment, and what others communicate over LAN or WAN?
4. What applications are “must have” and “nice to have” based on business functions?
5. What applications carry sensitive data over the network, and where to?
6. Is there enough IT staff to support restrictions management?
By answering the questions above, an organization may more easily decide what application restriction controls to implement.
– White Listing is probably an adequate restriction type for organizations with a few standard applications running on the network without much change in the environment. For example, White Listing could be a good option to configure on servers, which don’t normally get changed often and have a standard number of legitimate applications. Also, this option is good in very unsecured environments where an extra layer of protection is not budgeted. However, having too many applications running in the network may create extra administrative overhead.
– Black Listing involves less administrative effort, but may be appropriate only for software development organizations where users have to run different applications very often for testing and evaluation or any other purpose. Basically, if there are more legitimate applications, then the Blacklisting option is adequate. However, an advanced endpoint security solution should be in place to provide an extra layer of security in case of malware presence. Also, having too many applications running in the network may create extra administrative overhead to keep the blacklist updated.
– Signature-based trusted application restriction is an option to implement for devices and OS platforms that require the vendor’s compatibility approval before installation. If, for example, an iPhone app developed by some guy in Australia is to be sold to the public for iPhone users, then that app must be signed by Apple before it would be authorized for installation.
So, some organizations may choose one of the options above and others may have hybrid restriction controls.
Andres Galarza says
Ruslan,
Excellent breakdown. In particular, I think the 6 questions you list are key to helping an organization understand the decision they are about to make regarding application controls.
Amanda M Rossetti says
Ruslan, you do a great job of explaining the considerations an organization will need to analyze before deciding if whitelisting or blacklisting is the method they would like to use. I think another consideration they will want to keep in mind is what kinds of users they have. If an organization has a lot of call center type employees, they may want to go with whitelisting since it is easy to identify which applications those types of employees should have access to. If, however, the organization has many different employee types who all have different needs, whitelisting becomes much more difficult.
Scott Radaszkiewicz says
When talking about deciding whether or not to whitelist or blacklist applications, I think it really depends on the scenario. I have had some experience with these types of tools.
One area where I see a good use for whitelisting applications is at a kiosk type station. If you have a station that is only used for one purpose, then whitelisting is a good idea. I have employed this in my work. Working in a school district, we have two stations set up in our library that are for using the library card catalog only. So, that is the only application permitted to run on that station. Since the station is logged in with a default user (with limited user rights), this prevents anyone from “tinkering”. Another scenario I have seen is a company that had one dedicated machine for doing financial transactions. That machine was limited in the resources it could interact with on the Internet. It could only reach the banking sites that it needed to do daily business with; all other traffic was blocked. So, it had a whitelisted IP list.
As far as using the whitelisting method on users, I think that’s a very difficult scenario. Too often we tighten things down so much that users can’t even do their job. It’s a decision each organization has to make. Will end user productivity suffer if they can’t access the resources they need in a timely manner? Does the threat of a breach outweigh user non-productive time? Maybe in certain scenarios it’s warranted. Maybe a user who is working with confidential information that you don’t want being released. Again, you have to evaluate each scenario, there is no common answer.
Andres Galarza says
Although this deviates a little bit from the question being asked this week, I wanted to share a blacklisting example I run into a lot at my work.
My employer has two network types that it uses to connect to the internet. The first is used mostly for enterprise-wide communication (Outlook); the second is used mainly to conduct research and testing. The enterprise-wide communication network blacklists a tremendous number of applications and has a more restrictive nature when it comes to what websites you can visit. The research network is much more permissive in terms of web traffic, but has similar restrictions on applications.
Every employee in the organization is given access to the enterprise-wide communication network, but only certain roles are given access to the research network. However, more and more employees are trying to conduct some sort of research on the communication network, and are finding much of their options “locked down” through blacklisting. This has led to many complaints about the restrictions. Furthermore, it would be onerous and costly to give more employees access to the research network.
Noah J Berson says
For a network that I would be worried about, I would implement a white list for applications. This is the most appropriate option because the majority of work that is done on a computer is repetitive. A lot of employees use only the designated ERP, office suite, email application, web browser, and a handful of other applications that can be accounted for. It can be very easy to poll different departments for which applications they need specifically added to their department’s whitelist. Temple’s public use computers come with around a hundred commonly used programs that covers nearly every computer need. New programs should be vetted by the cyber-security department to make sure there are no hidden backdoors or viruses and the like.
This method strongly protects confidentiality of data. Only departments that need the application can be approved to use a certain one, which restricts data by separation of duties. The integrity of the data doesn’t really come into play in this case. New technologies are less accessible as requests for new applications would have to be run up the chain. Whitelisting may hurt morale as employees don’t like knowing they aren’t trusted. This should be balanced by having an easy to use process of getting applications approved in a reasonable timeframe.
Mengxue Ni says
Whitelists and blacklists can both be used in an organization if necessary. Based on the situation, most organizations would choose one of them. To simply explain whitelist vs blacklist:
Whitelist:
• Default-deny
• Uses a list of approved apps, software, emails, domains, etc.
• Items not on the approved list are restricted or denied, depending on your company’s needs
Blacklist:
• Default-allow
• Uses a list of unapproved apps, software, emails, domains, etc.
• Items not on the unapproved list can be used without any modifications or control
For a specific example, should you use a whitelist or blacklist for your marketing campaign? The benefit of using a whitelist is helping organizations target their ads to the right audience; you don’t need to worry about the advertisements reaching an irrelevant audience. It can improve efficiency and lower costs.
If the business doesn’t target specific audiences and there are many potential audiences that can be explored, it can use blacklists to set up a list of places where it doesn’t want the ads to appear.
Loi Van Tran says
Often, when we discuss topics regarding IT and what is the right way to do something, the answer boils down to “it depends.” In this case I believe that there might be a best practice approach if we look at the basic architecture of a client-server model. I believe that servers are better suited for whitelisting and clients for blacklisting. We set up servers to perform specific tasks, so we know exactly what should be allowed on each server. Servers are the back-end and would require more protection and filters; we would prefer to allow known transmissions rather than be reactive in nature.
Client computers are better for blacklisting than servers because a user will require a wider array of applications and functionalities. If you spread that out to an organization with 10K employees, the number of applications, services and software will be dramatically higher. Management of a whitelist for client computers would definitely be harder and more costly. Blacklisting is like having anti-virus software. It prevents the exploitation of known vulnerabilities/viruses but is reactive in nature.
Jon Whitehurst says
The decision to whitelist or blacklist depends on what your business needs are. In cases of research or educational environments, the culture is that everything should be open and nothing should be blocked, or only what is dangerous should be blocked. When the businesses are hospitals, pharmacies or manufacturing, you tend to whitelist only what you want to access and blacklist everything else.
In the case where your primary business is manufacturing, however, and there is a need for research to find and build the next widget, the triad will have to find a happy medium for both parties. Identifying the research teams by computer name/IP address, user ID, or even MAC address gives you the ability to categorize who and what the research teams will need to access, separate from the rest of the manufacturing business. In a way you’re building a process for access and controlling the needs of the research teams.
Ioannis S. Haviaras says
Both blacklisting and whitelisting applications are effective ways to implement a group policy in an organization. However, both have their advantages and disadvantages. Whitelisting applications is by far the most secure way to protect an organization, but it hinders the Availability part of the CIA triad. Even though this method is more secure, most organizations opt for blacklisting applications since it is easier to make all applications available besides a certain few. This increases Availability in an organization but can hinder both Confidentiality and Integrity if a user were to run a malicious or unknown application that is not blacklisted.
In different organizations whitelisting might be required due to the sensitivity of its information, say for instance financial institutions and federal government might only whitelist applications after a thorough vetting process. Blacklisting on the other hand can be used in organizations in which its employees may need access to several applications and not have to go through a vetting process just to open an application or less sensitive data is used and not as detrimental if an attack was discovered.
Mengqi He says
From my point of view, it’s hard to say either whitelisting or blacklisting is better, because different approaches work best for different situations. It depends on the size and requirements of an organization.
Whitelisting is an access control mechanism that basically denies everything and allows only what is approved or authorized to access. Whitelisting is relatively easier, more effective and less resource-intensive because it only requires checking whether the applications are approved as safe to access, or whether the user has a “key” to access. It provides better protection against unknown and zero-day threats. Considering it from the point of view of the CIA triad in IT security, it indeed does better than blacklisting on confidentiality and integrity of information because it ensures that only approved safe applications can be accessed, but it does restrict availability. Sometimes an application not on the whitelist may be needed, but users are denied access to the application. Waiting for approval is time-consuming, and it will affect the effectiveness and productivity of an organization. In addition, whitelisting also limits innovation and early adoption of the latest technologies. Therefore, the whitelist should be updated regularly to ensure all necessary applications are accessible to all authorized users. I think signature-based trusted application restriction can be considered a kind of whitelisting, because it restricts access so that only applications with trusted signatures can be run. It is similar to whitelisting.
In the opposite way, blacklisting basically allows everything and denies only specific, identified applications. It’s usually used for antivirus. The system scans everything to look for the known malware listed, and thus blacklisting is resource-intensive and less effective. Considering the CIA triad in IT security, blacklisting does a good job of making most needed applications available to authorized users. Even though it maximizes the availability of applications at the expense of security, it makes data relatively less confidential, integral and reliable. It is hard for the IT department to list all malicious applications or applications with malware or viruses. If a malicious application not on the blacklist is negligently installed by a user, it will cause great damage to the organization’s system. Since new applications are developed so fast, the blacklist should also be updated regularly, like the whitelist, to ensure all possible malicious and unnecessary applications are blocked or denied.
From my point of view, I think whitelisting is more secure than blacklisting, but it doesn’t mean every organization should use whitelisting in every situation. For large companies, I would recommend both methods to ensure information confidentiality, integrity and availability, while for small companies, I would recommend only whitelisting to save time and money on the basis of information security, because fewer resources are needed.
References:
https://www.schneier.com/blog/archives/2011/01/whitelisting_vs.html
http://searchsecurity.techtarget.com/answer/Application-whitelisting-vs-blacklisting-Which-is-the-way-forward
Mushima K. Ngalande says
The advantage with whitelisting is that by default it’s set to deny access by users. They would have to be configured to be accepted. This automatically creates confidentiality and maintains integrity of the data. There is also a list of approved apps, software, emails, domains, etc.
Items not on the approved list are restricted or denied as the company sees fit.
Whereas blacklisting’s default is set to allow. This already causes issues with C-I-A. Anyone initially would be able to access data and the admin has to go through to turn off access. Though it also uses a list of unapproved apps, software, emails, domains, etc., the items not on the unapproved list can be used without any modifications or control.
The primary difference is that whitelisting automatically denies everything and allows a few things, while blacklisting automatically approves everything and rejects a few things. If you blacklist items, you have to know the known threats associated with those programs or applications. Otherwise, you could risk infection. With a whitelist, you can approve the things that your company needs and effectively block everything else.
Based on that, I would recommend a whitelisting approach to apps, websites, software and more. Organizations can have better control over users, whereas blacklisting could increase the risk of infections and can impact system performance.
Shain R. Amzovski says
The C-I-A triad focuses on three of the most important areas in IT Security: Confidentiality, Integrity, and Availability. In IT Security, the C-I-A triad is implemented using controls. These three controls are technological controls, administrative controls, and physical controls. When deciding whether to “whitelist,” “blacklist,” or restrict applications on whether or not they have a trusted certificate, these three areas must be considered, along with many other factors. Each of these solutions may be best depending on what type of organization you are dealing with. Whitelisting requires a lot of work from an administrative standpoint. This may be good for an organization in the financial industry, or accounting, where their employees only have to use certain software or applications to perform their daily tasks. Blacklisting, the opposite of whitelisting, requires less administrative work and can usually be maintained by an anti-virus or IDS/IDPS. Checking for a trusted-certificate is not always accurate either. Just because something has a trusted certificate, does not mean that it does not contain malware. The easiest solution in my opinion would be to “blacklist.” It requires minimum administrative intervention. Blacklisting is also hard to keep up with because threats and vulnerabilities change daily, but maintaining this list can be as easy as updating an anti-virus.
Vaibhav Shukla says
When deciding to blacklist or whitelist an application, I feel it largely depends on the organization we are serving. When we work for an organization which demands much more secure data transactions, like a bank, there is a need for whitelisting. In organizations where systems are used by developers and testers, the system needs to be more open, as the user needs more tools to work with his applications, and blacklisting is a good solution.
But I think whitelisting products do not require that you only use applications that the whitelisting vendor allows. They allow you to create and maintain your own whitelist. You simply have to approve what has to be installed on your system. The idea is to provide data about the application you are loading to help you make a good decision.
Bilaal Williams says
The whitelist is a simple list of applications that have been granted permission by the user or an administrator. When an application tries to execute, it is automatically checked against the list and, if found, allowed to run. An integrity check measure, such as hashing, is generally added to ensure that the application is in fact the authorized program and not a malicious or otherwise inappropriate one with the same name.
Blacklisting, the opposite approach to whitelisting, is the method used by most antivirus, intrusion prevention/detection systems and spam filters. The blacklisting approach involves maintaining a list of undesirable applications and preventing them from running. However, the ever-increasing number and variety of threats in existence means that a blacklist could never be comprehensive, and as a result is limited in its effectiveness.
When dealing with applications, I feel whitelisting is an easier method to maintain, as you can create a list of known applications and update the list as needed when new applications require access to the system. All other applications will be blocked. Although compiling and maintaining the whitelist may be difficult, it is better to put in the work to protect your systems and save the resources required to deal with undesirable programs and the resulting problems that the blacklist approach fails to prevent.
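To make the default-deny / default-allow distinction in Mengxue Ni's list, the hash integrity check Bilaal describes, and the signature-based option from the prompt concrete, here is an added Python example. It is not code from the original discussion or from any of the products mentioned (Carbon Black, AppLocker, Symantec, Lumension). It simulates both policy models over a set of constructed sample "executables": the file contents, names, publisher name and hashes are all invented for the demonstration, and the `publisher` field is assumed to be a signer identity that has already been verified (a real product validates the code-signing certificate chain; that step is out of scope here). The allowlist also carries an explicit deny list so that a file with a trusted signature can still be blocked, which is the caveat Shain raises.

```python
"""Toy application-control evaluator: default-deny allowlist vs default-allow blocklist.

Added illustration only; all sample files, names and publishers below are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Executable:
    name: str
    content: bytes                    # stand-in for the bytes on disk (constructed)
    publisher: Optional[str] = None   # assumed: verified signer name, or None if unsigned


def sha256_hex(data: bytes) -> str:
    """Integrity check: the hash ties the decision to the bytes, not the filename."""
    return hashlib.sha256(data).hexdigest()


class AllowlistPolicy:
    """Default-deny. A file runs only if its hash is approved or its verified publisher
    is trusted, and never if its hash is explicitly denied (deny beats publisher trust)."""

    def __init__(self, approved_hashes: Iterable[str], trusted_publishers: Iterable[str],
                 denied_hashes: Iterable[str] = ()):
        self.approved_hashes = set(approved_hashes)
        self.trusted_publishers = set(trusted_publishers)
        self.denied_hashes = set(denied_hashes)

    def decide(self, exe: Executable) -> Tuple[bool, str]:
        h = sha256_hex(exe.content)
        if h in self.denied_hashes:
            return False, "hash explicitly denied (a valid signature does not make it safe)"
        if h in self.approved_hashes:
            return True, "hash approved"
        if exe.publisher in self.trusted_publishers:
            return True, f"signed by trusted publisher {exe.publisher}"
        return False, "not on allowlist (default deny)"


class BlocklistPolicy:
    """Default-allow. Blocks only files whose hash or name is already known to be bad."""

    def __init__(self, blocked_hashes: Iterable[str], blocked_names: Iterable[str] = ()):
        self.blocked_hashes = set(blocked_hashes)
        self.blocked_names = {n.lower() for n in blocked_names}

    def decide(self, exe: Executable) -> Tuple[bool, str]:
        h = sha256_hex(exe.content)
        if h in self.blocked_hashes:
            return False, "hash on blocklist"
        if exe.name.lower() in self.blocked_names:
            return False, "name on blocklist"
        return True, "not on blocklist (default allow)"


# Constructed sample files (labels describe the scenario each one represents).
CATALOG_OK = b"library catalog client build 1.0"
CATALOG_TAMPERED = b"library catalog client build 1.0 + injected payload"
KNOWN_MALWARE = b"ransomware sample already in the blocklist (constructed)"
UNKNOWN_MALWARE = b"brand new dropper nobody has catalogued yet (constructed)"
VENDOR_TOOL = b"office suite from the trusted vendor"
SIGNED_BAD = b"trojanised installer that still carries the vendor's valid signature"
BUDGET_TOOL = b"legitimate budgeting app finance asked for last week"

SAMPLES = [
    ("catalog-genuine", Executable("catalog.exe", CATALOG_OK)),
    ("catalog-tampered", Executable("catalog.exe", CATALOG_TAMPERED)),   # same name, altered bytes
    ("known-malware", Executable("cryptolocker.exe", KNOWN_MALWARE)),
    ("unknown-malware", Executable("update.exe", UNKNOWN_MALWARE)),
    ("signed-vendor-tool", Executable("office.exe", VENDOR_TOOL, publisher="Example Vendor Corp")),
    ("signed-but-denied", Executable("setup.exe", SIGNED_BAD, publisher="Example Vendor Corp")),
    ("unapproved-business-app", Executable("budget.exe", BUDGET_TOOL)),
]


def build_policies() -> Tuple[AllowlistPolicy, BlocklistPolicy]:
    allow = AllowlistPolicy(
        approved_hashes=[sha256_hex(CATALOG_OK)],
        trusted_publishers=["Example Vendor Corp"],
        denied_hashes=[sha256_hex(SIGNED_BAD)],
    )
    block = BlocklistPolicy(
        blocked_hashes=[sha256_hex(KNOWN_MALWARE)],
        blocked_names=["cryptolocker.exe"],
    )
    return allow, block


def evaluate_all() -> Dict[str, Tuple[bool, bool]]:
    """Return {label: (allowlist verdict, blocklist verdict)} for every sample."""
    allow, block = build_policies()
    return {label: (allow.decide(exe)[0], block.decide(exe)[0]) for label, exe in SAMPLES}


if __name__ == "__main__":
    allow, block = build_policies()
    for label, exe in SAMPLES:
        a_ok, a_why = allow.decide(exe)
        b_ok, b_why = block.decide(exe)
        print(f"{label:<24} allowlist={'RUN ' if a_ok else 'DENY'} ({a_why}); "
              f"blocklist={'RUN ' if b_ok else 'DENY'} ({b_why})")
```

Reading the output side by side shows the trade-off the thread keeps returning to: the allowlist stops the renamed/tampered catalog binary, the never-seen dropper and the signed-but-revoked installer, but it also stops the perfectly legitimate budgeting app until someone approves it (the availability cost); the blocklist lets the budgeting app run immediately, but it also lets through everything it has not yet catalogued.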
JR says
The ideal technique that should be used would be whitelisting. However, since most organizations do not have a lot of personnel who can support whitelisting and troubleshooting every single application that every user in an organization would use, it might be easier to blacklist applications.
Different methodologies would support different principles of the CIA triad (Confidentiality, Integrity and Availability). Whitelisting would support confidentiality because only applications that are trusted would be running on the network. Blacklisting would support availability since it would only stop applications that are not needed/malicious from running on the network, and users can use any application / permissions that they need to get the job done.
You would have to look at the organizational needs and characteristics such as number of applications needed, IS personnel available for support, risk aversion, etc. to find out which method to use for the organization.