One of the techniques for mitigating the risk of application vulnerabilities is restricting what types of applications can be executed on your network. Windows Active Directory includes tools in Group Policy that can restrict application use. You can “whitelist” applications, meaning only applications you approve can be used, or you can blacklist applications, meaning any application can be used except those you disallow. There is another option, where you restrict applications based on whether the application has a trusted signature (more on certificates and trust later…).
Which of these methods do you think is most appropriate? In your discussions, stay cognizant of the C-I-A triad in IT security… Frequently, we forget how important availability can be, and in our efforts to protect our networks, we may disallow needed applications. Discuss this balance in different kinds of organizations, and where these techniques might be appropriate.
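As an added example (not part of the discussion prompt or any of the replies), the PowerShell below shows how the three approaches in the prompt map onto AppLocker, the Windows feature that enforces application control rules through Group Policy. It builds one executable rule collection containing a path whitelist (allow everything under Program Files), a signature rule (allow anything signed by the named publisher), and a path blacklist (deny anything run from a user's Downloads folder), then checks two files against it. The policy starts in audit mode so that the availability impact can be measured from the event log before anything is actually blocked. The publisher string, the Downloads folder as the blacklisted location, and the GPO LDAP path are assumptions chosen for illustration; the LDAP path is a placeholder.

```powershell
# Added example, not from the discussion thread. Assumes an elevated PowerShell
# session on a Windows machine with the AppLocker module available.
Import-Module AppLocker

# Rule IDs are arbitrary GUIDs; generate fresh ones for each rule.
$idWhitelist = [guid]::NewGuid()
$idPublisher = [guid]::NewGuid()
$idBlacklist = [guid]::NewGuid()

# EnforcementMode="AuditOnly" only logs what would be blocked (event ID 8003);
# switch to "Enabled" once the audit log shows no business-critical applications hit.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Whitelist by path: binaries installed under Program Files may run. -->
    <FilePathRule Id="$idWhitelist" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <!-- Signature-based: anything signed by this publisher may run, wherever it sits (publisher string is an example). -->
    <FilePublisherRule Id="$idPublisher" Name="Allow Microsoft-signed binaries" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <!-- Blacklist by path: nothing launched from a Downloads folder may run. Deny rules override allow rules. -->
    <FilePathRule Id="$idBlacklist" Name="Deny Downloads folder" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\Downloads\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP "applocker-exe-policy.xml"
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Evaluate a file against the policy as the Everyone group and report which rule decided.
function Test-RuleDecision {
    param([string]$Path)
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $Path -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Constructed test inputs: the system notepad.exe, and a copy of it placed in Downloads.
$systemNotepad = Join-Path $env:WINDIR "System32\notepad.exe"
$downloadCopy  = Join-Path $env:USERPROFILE "Downloads\notepad-copy.exe"
Copy-Item $systemNotepad $downloadCopy -Force

Test-RuleDecision $systemNotepad   # Allowed: matched by the publisher rule
Test-RuleDecision $downloadCopy    # Denied: same signer, but the Downloads deny rule takes precedence
Remove-Item $downloadCopy

# Audit-mode review: every executable that would have been blocked (8003) is a potential
# availability problem to resolve before switching the collection to "Enabled".
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# Publish to a domain GPO (placeholder LDAP path; the Application Identity service, AppIDSvc,
# must be running on clients for AppLocker to enforce anything):
# Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap "LDAP://DC01.corp.example/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp,DC=example"
```

The ordering of the two test results is the practical lesson: a deny rule wins over an allow rule, so a blacklist can be layered on top of a whitelist or a publisher rule to carve out locations (removable media, user-writable folders) without giving up the broader allow. Running in audit mode first is what keeps the availability leg of C-I-A intact while the allow list is still being discovered.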
Ryan P Boyce says
I think the right answer will change from organization to organization. For me, I might think about utilizing both policies, but instead of whitelisting the app, I would whitelist the type of traffic/connections the app wants to use. I would do this after verifying its signature, of course. I might say that any app can run on a system once its signature has been verified, but I might use my whitelist/blacklist to say it can only communicate via HTTPS ports. I might go further to say that, based on the subnet it’s running on, it can only communicate to very specific IPs/subnets via firewall rules. This way, I believe, it is easier to let the app run and then open ports/firewall rules as needed. If I’m restricting what apps can run by application white/blacklisting, I feel this will restrict the availability of the data even more.
Neil Y. Rushi says
In a business, applications should be whitelisted if it’s absolutely required for the organization, and if it can be set, set it to where only a few employees can use it based on role-based or departmental needs. There are ways you can restrict applications without whitelisting or blacklisting them – embed a credential manager. That way, if an organization has a tier 1-2-3 type setup, they can only allow access to applications based on what they do and when they need it. For example, when they are new employees they need to request access for simple applications that all Tier 1 would require.
Younes Khantouri says
Neil,
Thank you for the answer that explains most of it: applications should be whitelisted if it’s absolutely required for the organization and if it can be set. The IT department should decide what type of applications should be whitelisted or blacklisted. These decisions should depend on how important those applications are to the organization or how much they can harm the organization’s IT resources.
Fraser G says
Whitelisting versus blacklisting is an interesting topic and requires a deeper understanding of the business functions to choose which method is appropriate.
I think the majority of businesses would find a whitelist is the most effective. I think of *A*vailability in CIA and I just have to wonder what kind of IT department wouldn’t know exactly which applications people need to use. Not a good situation to be in where you don’t know exactly what exists. There are so many malicious programs out there, and programs that are innocuous but can be used for malicious purposes, that you would have a hard time tracking them all down and blacklisting them. I think this is appropriate for most:
-Sales
-HR
-Finance
and most other departments you would find. I would find blacklisting more appropriate in businesses and organizations that have a greater diversity of users – e.g. students at a university, a creative dept. or an IT dept. Typically I think these users need access to a wider number of applications.
As Neil mentioned above, I think it’s just as (if not more) important to look at what the traffic does. Although resource intensive, in an ideal situation you could analyze traffic for threats and remedy them on the spot.
Ahmed A. Alkaysi says
Good point, Fraser. Blacklisting vs whitelisting is dependent on the type of department and the applications that they use. I think that the departments utilizing the core business functional applications can get away with whitelisting. Generally, the core applications would only be a few, so it would be easier to whitelist.
Now, as you have mentioned, the IT dept might need access to multiple types of applications, both open-source and non-open-source. This type of department would most likely benefit from blacklisting applications. Otherwise, it would be a hassle to continue managing the list of allowed applications if using whitelists.
Fred Zajac says
As an auditor, I may be a bit biased on this question…
I believe a business case must be made for all applications. When determining the business case for an application, a risk assessment should be conducted, which would include a list of recommended controls for applications on the network. The recommendations will most likely include different control options, along with a few compensating controls. The C-level executives, board members, and/or other decision makers will decide on the group policies and application access. We must be cognizant of their opinion, while giving them the information required to make the final decision. The proper information would ultimately focus around all three elements of C.I.A.
The problem I have seen at several organizations is the willingness to be restricted. People are not happy when they are told, “You are not cool enough” to have access to the playground. The not-cool people now have an excuse over the cool people, being “I can’t do what you are asking me because I don’t have access”. This puts the cool people in a difficult spot, especially if they procrastinate and need this done immediately. So, the cool person will either use the same excuse to their manager, or just give the not-cool people access another way.
In my opinion as an auditor, the availability of organizational assets should be on a no-access / whitelist-only structure. I would make this statement to any C-level executive I make contact with. But… our job requires us to develop an appropriate executive summary to explain the scope, steps taken, findings, and recommendations. Try to offer different solutions and outline the goods, bads, and indifferences.
Example: If you don’t let them in, the other departments will lose MONEY. Or… If you let them in, the other departments will lose MONEY.
Brent Hladik says
Good example here. I feel that companies that truly lack IT governance make policies like this, and that in turn backfires and causes circumstances like this, where some groups try to act like they are “gods” and have all control over everything, whereas other groups have no access to that. If the company had IT governance in place, it would prevent situations like this from happening.
Richard Mu says
I believe that it depends on the organization. Whitelisting every website opens a lot of risks to the organization, while blacklisting may affect availability in the C-I-A triad. From a security perspective, it is much safer to blacklist every website and only whitelist specific websites. It still limits availability; however, it mitigates potential risks.
From my experience in working in a visual effects studio, most sites are whitelisted in order to gather references or resources. The only blacklisted sites were the usual blocked websites in every office setting.
Kevin Blankenship says
Blacklisting applications, websites, or other elements is very easy to do. However, this is not the most secure method. Blacklisting requires constant updating and vigilance to ensure new areas don’t pop up to cause risk. This can impact confidentiality and integrity most, as an attack vector not blacklisted may sneak in unnoticed.
Whitelisting is very effective at keeping unfriendly actors out of our network or system. By only allowing things we know and trust, new attacks can’t rise up to circumvent our block. However, unless the organization is extremely mature and knows everything that is needed, it will inevitably run into issues with availability, as programs or applications may be unknowingly blocked and rendered useless.
Younes Khantouri says
Kevin,
I do agree with you in most parts of your post. However, using blacklisting and whitelisting can be useful to block and give permission to certain applications to be part of the IT structure if the IT department keeps watching the traffic to determine which applications can be allowed or restricted from the IT structure.
Jason A Lindsley says
Both whitelisting and blacklisting applications can help improve security within an organization. I agree with other users that it really depends on the business environment to determine what solutions you would employ.
Whitelisting will probably result in greater Confidentiality and Integrity because only approved applications are allowed to be installed. Therefore, administrators can be confident that users are not installing applications that are prone to vulnerabilities. Availability may be impacted, however, because users may be restricted from installing applications that are urgently needed to serve a business purpose.
Blacklisting will have less impact on availability because typically only applications that are known to be vulnerable or inappropriate for business use are added to the blacklist. As other students mentioned, blacklists can be a hassle to maintain and almost certainly will not ban all vulnerable applications.
One other consideration that I would add to this discussion is limiting local administrator access for individual workstations where possible. Obviously there will always be users that require exceptions (e.g. development teams), but the majority of users in my own organization do not need local admin privileges and cannot install applications to begin with. I think the combination of a whitelist/blacklist, limiting local admin privileges, and maintaining a strong exception process is key to controlling the implementation of rogue applications.
Younes Khantouri says
In my opinion, blacklisting all the applications can cause a problem of availability, which can cause an issue when adding an important application that will benefit the company. However, the company should blacklist only the non-trusted applications and audit the traffic of communications. It is true that blacklisting all applications is the easy way to secure any company’s IT resources, but it’s hard to do that.
If the company uses blacklisting to block the risky applications, the impact on availability will be less and the company will face less risk.
As a conclusion, using blacklisting and whitelisting can be useful to block and give permission to certain applications to be part of the IT structure if the IT department keeps watching the traffic to determine which applications can be allowed or restricted from the IT structure.
Oby Okereke says
In my experience, the option of classifying an application to a whitelist or blacklist will depend entirely on the IT environment. An organization that operates in a high-risk environment may opt to whitelist its applications, which conversely relates to a trusted application. On the other hand, an organization that has a low risk profile may prefer to adopt blacklisting. The blacklisting option allows the organization to be more flexible with what applications can be allowed or disallowed in its environment.
Donald Hoxhaj says
Though blacklisting and whitelisting of applications looks like a short-term feasible option for organizations, an organization has to decide on its implementation based on its internal needs and circumstances in the future that might require changes in the IT security implemented within its Active Directories. Both blacklisting and whitelisting have their own shortcomings as I see it. Blacklisting benefits by blocking unwanted installation of apps, but affects the availability leg of the triad for applications that might be required in the future. Similarly, whitelisting could affect system changes and ad-hoc system enhancements for new security requests, therefore putting systems on hold or affecting operations. Organizations need to first decide on the level of security and the threat of risks to their business operations, and then decide on a specific set of protocols to be followed in blacklisting or whitelisting applications for internal use. Another way is to channel rights to a specific set of users to modify security settings as and when the situation arises.
Shi Yu Dong says
In my opinion, I believe that both whitelisting and blacklisting applications can help companies to improve the security system and secure the data. From my experience, I agree with classmates that it depends on the business environment to determine which solution is the best for the security systems. For example, I work for the Temple University Admissions Office and most sites are whitelisted in order to gather information and resources. However, the blacklisted sites are most likely the usual blocked websites, and the computer systems will warn you about it.
Brent Hladik says
In terms of what should and should not be approved on a corporate network, I think the whitelist route should be implemented. In this case the corporation has control over what gets installed on their PCs, and it will help potentially prevent unwanted tools that could have some kind of malware tied to them. If a company goes the blacklist route, then there is no control over what gets installed, and it opens up a Pandora’s box in terms of potential issues that could arise, as they would have no idea what could be on a user’s system.
Matt Roberts says
The best solution will depend on the context and needs of each organization. In a very restricted, secure environment with specific, limited functionality (such as a military system), whitelisting may be the most effective, as only a small number of applications need to be used and you don’t have to worry about keeping track of potentially insecure ones. While whitelisting is the most secure method, it may hinder availability and productivity in some contexts. Applications which were not previously considered may quickly become useful and even necessary for any kind of creative work or academic research. In this situation, blacklisting only applications known to be risky can offer a level of protection while also providing flexibility for users to do their jobs. Keeping the blacklist complete and current, however, can be a daunting task, which makes the signature-based approach an attractive middle ground for some organizations. Keeping track of trusted signatures can simplify the process, as it can cover a wide range of applications based on their certificates without having to assess each one. Although there is no one-size-fits-all approach, this can represent a good general method which will work well for many situations.
Ronghui Zhan says
It really depends on the whole enterprise’s mission. If it’s a safety-critical business, safety is the priority, which is bigger than anything else. Well, for the sake of discussion, a combination approach is preferred. Each one of them has weaknesses and strengths. Depending on the specific case, take whatever is appropriate.
Sachin Shah says
I think it should be a blacklist model, and it’s up to IT staff to implement. In my work there is a combination of whitelist and blacklist based on user credentials. For instance, non-IT staff usually cannot install anything outside the scope of their job. We also lock down computers from installation of applications unless they are administrators on the PC. If a user needs an application download, they request it through their manager’s approval. I think for IT staff, there needs to be control so staff do not install stuff to download music, streaming, or personal use, etc. It takes time to hunt down these applications to blacklist, but that is part of the IT job.