Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

10/12/2006
09:10 AM
A-Listing Your Apps

Enterprises enlist app whitelisting to combat malware and unauthorized tools, but the approach has a dark side

Whitelisting is getting a second look by some enterprises worried that unknown threats might get past antivirus and other blacklisting systems.

Whitelisting, the process of spelling out exactly which applications can run on a client machine, traces its roots to the mainframe and is typically considered overkill in today's networks, as well as a potential management headache. But the rise in zero-day attacks and paranoia about users running whatever they want on their machines (think peer-to-peer apps), or introducing malware via USB sticks, has led some organizations to think retro.

"It's back to the future with some of this," says Andrew Jaquith, program manager for security research at the Yankee Group.

Jaquith says the current approach of identifying and blocking the bad is starting to fail, with malware samples increasing at a rate of around 50 percent annually. "The notion that we're going to enumerate and block it -- we passed that point long ago," he says. "You almost have to enumerate the things that are good. That's arguably becoming an easier job.

"Whitelisting is increasingly becoming part of a well-balanced diet on the client," he says.

And it's quietly and slowly catching on beyond vendors such as SecureWave, Savant Protection, and Bit9 that have made a business out of whitelisting applications. Microsoft acquired the technology via Winternals, and Symantec has this feature in its Critical System Protection product, Jaquith notes.

Many of the early whitelisting adopters today are small- to medium-sized organizations, where deploying this technology across desktops is a smaller undertaking than it would be at, say, a Fortune 100 company. Most use it as another security layer alongside their AV, anti-spyware, spam filtering, and IPSes.

SourceMedia has been testing Savant Protection's endpoint software with whitelisting for several months. "Conceptually, it makes a ton of sense," says Ivan Latanision, vice president of information technology for SourceMedia, who adds the company hasn't made its final decision on whether to purchase the tool yet. "We're constantly patching workstations, constantly getting virus updates. We've had a couple of situations where we didn't get a [AV] patch installed quickly enough and had some outbreaks here."

Savant uses unique cryptographic algorithms and signature keys for each application on each desktop, rather than a server-based access control list. "So the crypto key for Adobe running on System A is different from the one on System B," says Ken Steinberg, Savant's CEO and founder. "So if I mistakenly let something run and give it a key, it will never work anywhere else, so it can't spread."
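The host-bound authorization Steinberg describes can be illustrated with a small model. The following Python is an added example for this article, not Savant's code or a description of its actual key scheme: it assumes each endpoint generates its own secret key, records an HMAC over an application's name and SHA-256 digest when an administrator approves it, and recomputes that HMAC before allowing execution. The host keys, the allowlist layout, and the stand-in executable bytes are all constructed here.

```python
import hashlib
import hmac
import os
from typing import Dict

# Assumed design (not Savant's): every endpoint holds a secret key generated
# locally and never shared, so an authorization minted on host A cannot
# validate on host B even if the allowlist file is copied across.


def file_digest(contents: bytes) -> str:
    """SHA-256 of the executable's bytes; any modification changes it."""
    return hashlib.sha256(contents).hexdigest()


def issue_authorization(host_key: bytes, app_name: str, contents: bytes) -> str:
    """Mint the per-host, per-application token that is recorded when an
    administrator approves this exact binary on this machine."""
    message = app_name.encode() + b"\0" + file_digest(contents).encode()
    return hmac.new(host_key, message, hashlib.sha256).hexdigest()


def is_allowed(host_key: bytes, allowlist: Dict[str, str],
               app_name: str, contents: bytes) -> bool:
    """Enforcement check run before execution: recompute the token for the
    binary actually on disk and compare it in constant time with the one
    recorded for this application. Unknown applications are denied."""
    recorded = allowlist.get(app_name)
    if recorded is None:
        return False  # default deny
    expected = issue_authorization(host_key, app_name, contents)
    return hmac.compare_digest(recorded, expected)


def demo() -> Dict[str, bool]:
    """Constructed scenario: two hosts with independent keys, one approved
    application, one tampered copy, one unknown application."""
    key_a = os.urandom(32)  # constructed: host A's locally generated key
    key_b = os.urandom(32)  # constructed: host B's locally generated key
    reader = b"MZ" + b"constructed stand-in for an approved executable"
    tampered = reader + b"\x90"  # one byte appended; digest no longer matches

    # Host A's administrator approves reader.exe once.
    allowlist_a = {"reader.exe": issue_authorization(key_a, "reader.exe", reader)}

    return {
        "approved_on_a": is_allowed(key_a, allowlist_a, "reader.exe", reader),
        # Same allowlist copied to host B: its key differs, so the token fails.
        "same_list_on_b": is_allowed(key_b, allowlist_a, "reader.exe", reader),
        "tampered_on_a": is_allowed(key_a, allowlist_a, "reader.exe", tampered),
        "unknown_on_a": is_allowed(key_a, allowlist_a, "p2p.exe", reader),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'run' if allowed else 'blocked'}")
```

Only the first case runs; the other three are blocked. Note what the check does and does not cover: it validates the bytes on disk at launch time, so a mistakenly approved binary stays confined to the host where it was approved, but an exploit running inside an already-approved process is never consulted against the list, which is the limitation Maiffret raises later in the article.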

Patton Harris Rust & Associates has been running SecureWave's Sanctuary software for whitelisting since last year -- initially for device control and later for application control as well. John Loyd, vice president and director of IT for PHR&A, says the company installed the software for protection against zero-day attacks, ensuring its users aren't installing illegal software, and to ensure the quality of apps its engineers use.

"There are lots of little pieces of software engineers use to calculate things," he says. "Some are old and have math errors in them that produce bad data, and we want to make sure the calculators we're using are right and not older versions of the software. That's a quality issue."

But whitelisting has a downside. These endpoint tools come with plenty of administrative overhead as well as security risks. "The institutional overhead in maintaining them is extreme," says Thomas Ptacek, a researcher with Matasano Security. "Some poor group of souls in IT is charged with deciding which applications every sales person or project manager can run, and has to backstop all the ensuing arguments."

William Bell, manager of security operations at CWIE, runs SecureWave's Sanctuary to bridge the gap between known and unknown threats. He says there's an initial "heavy front-load" in deploying whitelisting, but SecureWave helped with that process, and ongoing administration of the whitelist is now fairly low maintenance. "You have to get a whitelist developed."

And the technology doesn't technically combat zero-day attacks any more than blacklisting does, security experts say. "Application whitelisting doesn't do a single thing to prevent zero-days," says Marc Maiffret, CTO and chief hacking officer for eEye Digital Security, whose Blink tools do both blacklisting and whitelisting.

Maiffret says the real value of whitelisting is to control the apps your users are running. "It's not to provide a level of prevention from remote attackers."

Dennis Szerszen, vice president of marketing and corporate strategy of SecureWave, says antivirus blacklisting and Sanctuary's whitelisting work best together. That's why SecureWave is developing toolkits to try to attract AV vendors to integrate their tools, he says. "We need to be triggering the AV processes so they can clean up what" they found.

And because endpoint security products introduce software agents, they are risky, says Ptacek of Matasano, which tests agent-based security and management tools. "To date, we've found a grand total of one product that survived an audit without the discovery of game-over vulnerabilities that transformed the agents into pre-installed latent bot infections."

It's better to wait for Vista's security, he says. "Enterprises will gain a much greater resistance to software attacks by the new Windows Vista security features than they will from the myriad of endpoint security products now being marketed."

CWIE's Bell admits adding agent software poses some risk. "You have to make a judgment call before you deploy this type of utility. If the level of protection provided by the system outweighs any holes that could be exploited by having another service on your computer," then it makes sense, he says. Such an attack wouldn't be so easy: He says an attacker would need to have a binary that could manipulate code at the OS level. "I would bet the service would block the attempt before it was exploited."

Meanwhile, whitelisting could replace security tools in some organizations. Louise Dube, assistant vice president of technology at Connecticut River Bank NA, isn't ruling out her Savant software eventually replacing the bank's antivirus, antispyware, and anti-spam tools altogether. But Dube says the bank won't drop its IPS in favor of whitelisting. "We would always keep IPS in place."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

