Introduction
Application whitelisting is a security technique that restricts applications or components that can be executed within an organization to a list of specifically approved (whitelisted) ones. Components in this case refers to libraries, configureation files, or other similar elements (Sedgewick, et al., 2015). Thus, only known “good” activity is allowed to continue, while all other activity is blocked. Whitelists can be contrasted with blacklists, which are lists of applications or entities which are blocked, while all other activity is allowed. The whitelisting approach allows the system administrator substantial control and prevents a significant number of threats; however, it has multiple drawbacks. These benefits and drawbacks need to be considered when planning the implementation of application whitelisting technology
Technical Details
Whitelisting applications can be achieved through a number of attributes. The most basic of these attributes are the file name and file path to a whitelisted application or component (Sedgewick, et al. 2015). This approach is easy to set up, but can be bypassed with relative ease by malware or a malicious user without additional access control. Another file attribute that can be used in conjunction with file name and path to identify whitelisted applications is the file size (Sedgewick, et al. 2015). This allows to detect and block the execution of files that have been modified without approval, which is possible in malware attacks. However, restricting access by file size can prevent legitimate modification, such as software updates. A similar approach is identifying a whitelisted file by its cryptographic hash (Sedgewick, et al., 2015). This allows to detect any change to the file in question, without necessarily affecting the file size, but it also interferes with legitimate changes. Finally, digital signatures from the software’s publisher or the organization can be used for identification (Sedgewick, et al., 2015). Using different combinations of these attributes, the administrator can fine-tune the system’s security and maintainability.
Whitelisting technology is not limited to restricting executable files, but also application components. These components can include scripts, libraries, or macros (Sedgewick, et al., 2015). Combined with the multiple methods of identification of whitelisted applications, this allows the administrator to create customized lists that include stricter or more relaxed rules for different applications. This affords some degree of flexibility to application whitelisting technology. However, without additional file access control, less strict identification rules can be bypassed by an end user, for example, manipulating the files of an unauthorized application to match the filename of an authorized one.
Benefits
The most obvious benefit of application whitelisting is the relative ease of its setup and maintenance, provided legitimate changes to the monitored files are not frequent. As an administrator is likely to be familiar with the software required for the organization’s operation, he or she can easily create the corresponding whitelist. If these requirements change, only minimal updating is necessary for this list to add or remove specific applications. Once established, a whitelist does not need to be modified to adapt to new threats as they are blocked by default.
A whitelist approach is reliable at blocking new threats, such as malware and unauthorized software. It is particularly effective at preventing zero-day attacks, for which antivirus or blacklist solutions are not updated yet. Unauthorized software, while not necessarily a direct threat, has the potential to contain vulnerabilities, which can be exploited by an attacker. Thus, preventing its installation or execution facilitates the maintenance of a system’s security as vulnerabilities in whitelisted applications tend to be known or at least expected. Finally, a potential side benefit of limiting the applications allowed on a user’s computer is improving his or her productivity by preventing the installation and use of games, messengers, or other distracting software.
Application whitelist technology is also useful in incident response. As it generally monitors authorized files for changes, it can alert the system’s administrator if such a change occurs, potentially blocking it or checking other hosts for modifications to the same files (Sedgewick, et al., 2015). This property allows to quickly detect and respond to an attack and mitigate its damage, especially if the whitelisting technology is capable of preventing modifications.
Drawbacks
Although an application is easy to add to a whitelist, issues may arise when its files are often legitimately modified. For instance, an application that receives frequent updates from its vendor will need to have its entry in the whitelisting solution updated every time. This can be time-consuming and cause significant delays if the updates are sufficiently frequent or numerous. This necessitates delaying, postponing, or canceling such updates, which can cause delays in the workflow or connectivity issues if an external contact requires a later version of the software. Alternatively, the identification criteria can be relaxed for frequently-updating applications, which reduces the overall security of the system.
Another issue related to whitelisting techniques is the user’s loss of control over his or her system. As any application the user attempts to install or execute requires additional clearance from the administrator, vetting the application can take time and cause delays. This is particularly true for open environments where individual users are allowed or required to often change their applications. Maintaining a whitelist without causing excessive delays in such an environment can be cumbersome or unfeasible. Additionally, limiting a user’s access to unauthorized applications limits his or her ability to customize his or her work environment by installing assistive software, web browser extensions, or similar applications. This can reduce the user’s productivity or contribute to the stressfulness of the work environment.
Utility of Application Whitelisting
Considering the benefits and drawbacks of application whitelisting, it is possible to suggest practical situations where such an approach would be the most beneficial, as well as ones where its use is unfeasible. An application whitelist works best in systems with a relatively limited list of authorized applications that are not updated frequently. Such systems are ones whose use is centered on a few critical applications, those that function as terminals to access cloud services, or those facing unknown users, such kiosk workstations (Sedgewick, et al., 2015). In this scenario, strict access control to the device’s functions can be implemented, preventing or severely limiting unauthorized use.
A situation where an application whitelisting approach is not feasible is one where hosts run non-uniform applications, frequently update or modify them, or install new applications. Therefore, scenarios where end users within a network are allowed to significantly customize their work environment, use a diverse or frequently changing set of applications are less suited to the implementation of application whitelisting solutions. These scenarios can describe an office environment of a creative organization, such as a design firm.
References
Sedgewick, A., Souppaya, M. P., & Scarfone, K. A.(2015). Guide to Application Whitelisting. National Institute of Standards and Technology.