Blacklisting and Whitelisting: Color-Coding Security

For many businesses, keeping computers out of harm’s way is afull-time job. IT departments spend increasing amounts of resources keepingout the bad stuff or finding and removing it when malware does slip infrom careless users or sloppy adherence to best practices. Viruses,spyware, Trojans and many more unwanted programs can cause seriousdamage to a computer, or an entire network.

The most common prevention method for dealing with malware is theprocess known as “blacklisting.” Antivirus and antispyware applications,armed with signature-matching databases and resource-hungry scanningengines, look for unwanted programs and remove them from memory andthe hard drive when — and if — they’re detected.

However, as intrusive software deployment becomes more sophisticated andmore widespread, some security vendors are promoting a change intactics. Why wait for a bad program to run at all, they argue.Instead, a technique known as “whitelisting” only permits approved software to install and run. Products that are not on the control list lock down thecomputer.

“Blocking the bad just doesn’t work anymore. That’s the old modelunder blacklisting. Whitelisting flips upside down the problem andonly lets run what is listed as approved,” Brian Hazzard, director ofproduct management for security firm Bit9, toldTechNewsWorld.

No Universal Color

The earliest form of whitelisting was used in firewalls. The firewallon an enterprise network served as a gatekeeper, loaded with a list ofapproved programs. Even some consumer-grade Internet security suitesinclude a firewall component with a whitelist feature for programsseeking outgoing Internet access.

The white-over-black methodology, in theory, means that if only approved products can run, computer users can send their system-slowing antivirus and antispyware products to the trash bin. However, most proponents of whitelisting do not recommend actually doing that. Naturally, traditional security software vendors also question the wisdom of trashing other security products, suggesting that notusing antivirus and antispyware apps is much like surfing the Web without a firewall for safety.

Different whitelisting products use a variety of strategies to blockexecutable files from running. Some whitelisting products providealternatives to total system lockdown if the whitelist is violated. So vendors are developing their own shades of white.

“Whitelisting is not the Holly Grail of computer security that vendorspreach. It is not bulletproof. The malware issue doesn’t go away.Whitelisting limits the access curve, though, so it does help,” DirkMorris, CTO at network security software maker Untangle, told TechNewsWorld.

Blocking Bits

The approach Bit9 takes with Parity offers enterprise users theability to automatically whitelist applications and devices. All otherapplications, including malware and unauthorized software, will notexecute on endpoints.

Most businesses have a good idea about what software its workers need.So Bit 9 developed an adaptive whitelist strategy.

“We provide a two-part process. One is the Global Software Registry.The other is the Automatic Software Acceptance done through ourrepository,” said Hazzard.

The proprietary Global Software Registry is an online index of over6 billion files. This list contains over 10 million uniqueapplications. The registry acts as a reference library for ITadministrators building their whitelists.

Bit Bouncer

Security appliance vendor CoreTrace puts a twiston the whitelist approach. CoreTrace’s Bouncer acts much like asecurity heavy at the door of a nightclub. Those not on the list don’t getin at all. Enterprise customers buy the appliance from CoreTrace and installit on their end. An embedded code on each computer talks to theappliance.

Bouncer enables IT departments to predefine multiple sources. Userscan safely install applications and have them automatically added tothe whitelist without any further IT involvement required.

Called “Trusted Change,” Bouncer simultaneously stops badapplications and allows users to do their own installation of knownsafe programs. This approach can significantly reduce a company’stotal cost of ownership for every desktop, laptop or server covered, according to the company.

“We designed an infrastructure under the hard drive that makes itunspoofable,” Toney Jennings, CEO ofCoreTrace, told TechNewsWorld. “Traditionally, whitelisting’s strength — system lockdown –is its chief weakness. Our solution is to avoid the lockdown responseby letting IT specify where users can get new applications. Thistrusted source is a very different paradigm. It requires a one-timesetup. The change is then transparent.”

The Bouncer software sits in the kernel space of the endpointcomputers, much like a software driver. This is a very small piece ofcode that does not impact resources, explained Jennings.

‘KIS’ Malware Goodbye

Software security vendor Kaspersky offers both blacklisting and whitelisting forconsumers in one package. Kaspersky Internet Security 2009,released last August, uses Bit9’s Global Software Registry ratingsand adds its own customer information to enhance the whitelist.

“We still use blacklisting used in current-generation antivirus andantimalware products and add the next-generation whitelistingtechnology. We are the only ones doing both approaches in oneproduct,” Jeff Aliber, senior director of product marketing andmanagement at Kaspersky Lab Americas, told TechNewsWorld.

Kaspersky sends user submissions of suspicious software to its virusanalysts. Confirmed rogue code is added to Kaspersky’s urgentdetection system and sent to users via ongoing hourly updates.

“The user has protections sitting on the computer plus real-time cloudupdating. It’s sort of a Web 2.0 mash-up,” said Aliber.

Slow Adoption

Not all enterprises and small businesses have been positively rushing to adopt whitelisting, according to Untangle’s Morris. Some view it as too restrictive.

About three years ago, as spyware became more prominent, Untanglethought the concept of locking down machines — which is whatwhitelisting does — would be the ideal business solution. But thecompany hasn’t seen widespread adoption.

“We found that IT sees whitelisting as too much of a pain to lock downa machine and give the approval authority to one person. That’s thesame response that SMBs have to it. For many businesses, it presentstoo much of a productivity loss in maintaining it,” he said.

Product Pricing

Bit9’s Parity product costs US$40 per end point scaled for volume.

CoreTrace’s Bouncer is priced per seat for a perpetual license. Thecompany did not provide the dollar amount. CoreTrace may add aSoftware as a Service offering in the future.

Kaspersky’s Internet Security 2009 costs consumers $79.95 forthree user licenses. The company plans to offer an enterprise productin 2009.