Attacks/Breaches

7/11/2008
05:10 AM
Texas Bank Dumps Antivirus for Whitelisting

Tired of AV and malware, First National Bank of Bosque County adopts application whitelisting instead

Brent Rickels, senior vice president at First National Bank of Bosque County, had grown tired of dealing with antivirus software. He was tired of regularly updating virus signatures, tired of hackers constantly tweaking malware, and tired of worrying about what users had downloaded onto their PCs. So Rickels dumped the bank's AV software for a whitelisting product and, in the process, became one of its first commercial customers.

First National Bank of Bosque County, which serves the Waco, Texas, area and manages approximately $100 million in assets, had seen the volume of spam and spyware it had to beat back increase tenfold in four years. So when it was time for the bank to renew its Symantec AV license at the end of 2006, the timing was right to make a change.

“It seemed like the antivirus updates came out only after new malware had already been released,” Rickels says. Running a routine system scan with hundreds of thousands of signatures was taking half an hour or more. So the bank’s tiny IT department of only a handful of employees was spending more time maintaining its security software and less time on business applications.

The financial services firm decided to look for a different solution that was simpler to maintain and more effective. It considered GreenBorder, which quarantines any software downloaded via a user’s browser until someone moves it to the main system. But that option appeared to still require a fair amount of manual intervention.

FNB was intrigued by Lumension Security's Sanctuary Device and Application Control systems, which at the time offered theoretical rather than proven benefits. The tools let users run only administratively approved programs and prevent any unknown or unauthorized executable from running at all. "We liked the product's basic design; it is easier to contain a known universe than an unknown one," Rickels says.

The software had other appealing features. Because user software was restricted, there would be less administrative work, and Sanctuary actually ran better than the AV software because it was a lighter-weight program. And the final selling point was that the Lumension system cost about 30 percent less than the Symantec option.

Moving to Sanctuary requires scanning all of the EXE and DLL files of every approved program into a central database -- something that a small- or medium-sized business can do, but that may prove cumbersome for a larger enterprise. A mirror copy of that database is then stored on each user machine, and the local copy is checked against the central one before a user is allowed to launch a program.

FNB started off running the software in non-blocking mode, basically letting users continue to use their PCs as normal. The security system includes a reporting function, so the IT department can examine what programs each user accessed. After walking users through an instance or two of what blocked applications would look like, the bank turned on the blocking mode.

But whitelisting has its tradeoffs. Currently, every new application version, and every item like a Microsoft patch, has to be added to the bank's central whitelist as well as installed on all of the user machines, on an ongoing basis, because a patched binary no longer matches the fingerprint that was approved. Automating such tasks is something the bank would like to see in a future release. Overall, however, it sees its gamble of trading AV for whitelisting as a good decision.
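The workflow the article describes (fingerprint the approved EXE/DLL files into a central list, mirror it to each PC, run in non-blocking mode to see what users actually launch, then switch on blocking, and re-approve every patched binary) is easy to lose in the narrative. The script below is an added illustration of that workflow and is not Lumension's or the bank's code. Sanctuary's real fingerprint algorithm and storage format are not described in the article, so SHA-256 over the file contents is an assumption; the program names (teller.exe, ledger.dll, invoice.exe) and the sample directory tree are constructed for the demo.

```python
"""Hash-based application whitelist: build, mirror, audit, block, re-approve.
Added example; SHA-256 file digests stand in for whatever Sanctuary used."""
import hashlib
import shutil
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".dll"}   # what gets fingerprinted


def sha256_file(path):
    """Streamed SHA-256 of a file's contents (assumed fingerprint)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_whitelist(approved_dirs):
    """Walk the approved program directories and fingerprint every EXE/DLL.
    Returns {digest: first path seen}: the 'central database'."""
    whitelist = {}
    for d in approved_dirs:
        for p in sorted(Path(d).rglob("*")):
            if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
                whitelist.setdefault(sha256_file(p), str(p))
    return whitelist


class Endpoint:
    """A user PC holding a mirror copy of the central whitelist."""

    def __init__(self, name, whitelist, blocking=False):
        self.name = name
        self.whitelist = dict(whitelist)   # local mirror
        self.blocking = blocking           # False = audit/report only
        self.report = []                   # (path, digest, decision) for IT review

    def sync(self, whitelist):
        """Pull the rebuilt central list after new binaries were approved."""
        self.whitelist = dict(whitelist)

    def execute_request(self, path):
        """Return 'allow', 'audit' (unknown but not blocking yet) or 'block'."""
        digest = sha256_file(path)
        if digest in self.whitelist:
            decision = "allow"
        elif self.blocking:
            decision = "block"
        else:
            decision = "audit"
        self.report.append((str(path), digest, decision))
        return decision


def demo():
    """Constructed scenario: two approved binaries, one unknown download, one patch."""
    root = Path(tempfile.mkdtemp(prefix="whitelist-demo-"))
    approved = root / "Program Files" / "teller"
    approved.mkdir(parents=True)
    (approved / "teller.exe").write_bytes(b"MZ teller v1")      # constructed
    (approved / "ledger.dll").write_bytes(b"MZ ledger")         # constructed
    (approved / "readme.txt").write_bytes(b"not an executable")  # ignored
    downloads = root / "Downloads"
    downloads.mkdir()
    (downloads / "invoice.exe").write_bytes(b"MZ unknown download")

    central = build_whitelist([approved])
    pc = Endpoint("teller-pc-01", central, blocking=False)

    # Phase 1: non-blocking mode. The unknown download still runs, but it
    # shows up in the report so IT can see what users actually launch.
    audit = [pc.execute_request(approved / "teller.exe"),
             pc.execute_request(downloads / "invoice.exe")]

    # Phase 2: blocking mode. The same unknown binary is now stopped.
    pc.blocking = True
    blocked = pc.execute_request(downloads / "invoice.exe")

    # Phase 3: a patch replaces teller.exe. New bytes, new digest, so the
    # patched program is blocked until the central list is rebuilt and
    # pushed to the endpoint: the manual two-step the bank calls a tradeoff.
    (approved / "teller.exe").write_bytes(b"MZ teller v2 (patched)")
    before_resync = pc.execute_request(approved / "teller.exe")
    central = build_whitelist([approved])
    pc.sync(central)
    after_resync = pc.execute_request(approved / "teller.exe")

    result = {
        "whitelist_size": len(central),
        "audit": audit,
        "blocked": blocked,
        "patch_before_resync": before_resync,
        "patch_after_resync": after_resync,
        "flagged": [p for p, _, d in pc.report if d != "allow"],
    }
    shutil.rmtree(root, ignore_errors=True)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The report list is the piece that makes the non-blocking phase useful: run it long enough to catch the applications users really depend on, approve those, and only then flip `blocking` on. The patch phase shows why hash-based whitelists carry the maintenance cost the article describes; a product that trusts a signing certificate or an update process instead of individual file hashes trades that cost for a larger trust surface.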

Because whitelisting is a relatively nascent technology, other companies may not be as willing to go there. “Whenever I talk to individuals about our experiences, they are skeptical that a whitelisting approach can work because the idea is so new,” Rickels says. But if they become frustrated enough with AV, they may be willing to try an alternative such as whitelisting.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.