Using Application Whitelisting to Stop Malware
Phishing attacks are one of the most common methods that attackers use to breach organizational defenses and gain access to the protected network. In many cases, the purpose of the phishing attack is to execute malicious software on the target computer. Developing and enforcing an application whitelist is one way that organizations can dramatically decrease the threat that these phishing attacks pose to their corporate cybersecurity.
This article explains the difference between whitelists and blacklists and explores using application whitelisting to stop malware.
What is Application Whitelisting?
Before discussing the specifics of application whitelisting, it’s important to understand what a whitelist is. When trying to protect a system from malicious content (emails, websites, applications, etc.), the two main options are a blacklist and a whitelist. In a blacklist, the security system allows anything that is not explicitly denied (i.e. known malicious content). In a whitelist, only approved content is allowed through the barrier.
The choice between a whitelist and a blacklist comes down to the specifics of the situation and the tradeoff between usability and security.
If it’s possible to completely define either all possible malicious content or all possible benign content, then defining them in a blacklist or a whitelist is an ideal solution. However, in most cases, it’s impossible to exhaustively list all possibilities, meaning that the system will suffer from a potential lack of security (malicious content not included in a blacklist is allowed) or usability (benign content not included in a whitelist is blocked).
Application whitelisting refers to blocking the execution of any application on a system that is not explicitly listed in an application whitelist. Windows 10 does this by default, allowing only apps included in the Windows Store to be run on a computer. However, Windows’ list is biased (i.e. only allowing Microsoft Edge and blocking other browsers) and may not meet the needs of an organization or individual.
Developing a personalized whitelist can help improve system security by tailoring protection to the needs of the individual or organization.
Getting Started with Application Whitelisting
Developing an application whitelist is a two-stage process. First, the list of programs that should be allowed on the protected system needs to be defined. Then, the application whitelist needs to be enforced on the target system, including mechanisms for monitoring exceptions and performing updates.
Defining an Application Whitelist
In order to protect a system using an application whitelist, it is necessary to first identify the programs that should be included on the whitelist and allowed to execute on the protected system. In order to achieve the appropriate balance between usability and security, the whitelist should be designed to allow any programs necessary for normal operation while blocking any superfluous or potentially vulnerable applications.
When defining an application whitelist, two major considerations exist: job roles and necessary background functionality. In order to maximize security and usability, application whitelists should be defined on a role-based or even individual basis. For example, a system administrator or member of the IT staff may have a very different set of necessary programs than an accountant or a salesperson. Allowing users access to programs unnecessary for their job role expands their attack surface by increasing the number of programs that must be kept updated and secure to protect against phishing and other types of attacks.
The second consideration when defining an application whitelist is the background functionality a computer needs in order to run. For example, preventing explorer.exe (the application that provides access to files and folders) from running on a Windows computer will render it unusable. An application whitelist should allow the background programs necessary for the computer to function properly.
Once you have developed an application whitelist, the next step is to create a way to enforce it on your protected computers. The best enforcement method mainly depends on the target operating system used by your computers.
Windows computers, except for Home edition, allow application whitelisting via the computer’s Local Security Policy editor. If you’re using Windows Home edition, you’ll need to use a third-party application to enforce your application whitelist.
Mac has a couple of different options built in for application whitelisting. Under the Apps tab of Parental Controls is the option to limit applications, where you can specify whether to allow apps from the App Store and which specific apps to allow. For a more general policy (similar to the default settings on Windows 10), you can limit installation to apps from the App Store and identified developers under the General tab of Security & Privacy (in System Preferences).
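As an added example (not code from the original article or from Sword & Shield), the Python script below models both stages described above: it defines a deny-by-default whitelist from a background baseline plus a per-role set of programs, audits a handful of execution events the way an audit-mode rollout would before enforcement is switched on, and renders the result as AppLocker hash rules for the Windows path. The file paths, role names and events are constructed; the hashes are SHA-256 digests of placeholder strings rather than of real binaries; and the AppLocker XML element names reflect the schema as I understand it and should be checked against a policy exported with Get-AppLockerPolicy -Xml on your own system before import.

```python
"""Role-based application whitelist: define, audit, and export (added example)."""
import hashlib
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass


def _placeholder_hash(label: str) -> str:
    """Constructed stand-in for a binary's SHA-256; real rules pin the actual file hash."""
    return hashlib.sha256(label.encode()).hexdigest()


# Background programs every workstation needs (the article's explorer.exe point).
BASELINE = {
    r"C:\Windows\explorer.exe": _placeholder_hash("explorer"),
    r"C:\Windows\System32\svchost.exe": _placeholder_hash("svchost"),
}

# Programs justified by job role only; an accountant does not get the admin tooling.
ROLES = {
    "accountant": {r"C:\Program Files\Acme\ledger.exe": _placeholder_hash("ledger")},
    "sysadmin": {
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe": _placeholder_hash("powershell"),
    },
}


@dataclass
class ExecEvent:
    """One observed process start (constructed; a real feed would come from audit logs)."""
    user: str
    role: str
    path: str
    sha256: str


def build_allowlist(role: str) -> dict:
    """Baseline plus the role's own programs; an unknown role gets the baseline only."""
    return {**BASELINE, **ROLES.get(role, {})}


def decide(event: ExecEvent) -> tuple:
    """Deny by default: allow only a listed path whose hash matches the pinned value."""
    expected = build_allowlist(event.role).get(event.path)
    if expected is None:
        return "block", "not on allowlist"
    if expected != event.sha256:
        return "block", "hash mismatch (modified or replaced binary)"
    return "allow", "listed and hash verified"


def audit(events) -> dict:
    """Simulate audit mode: tally what would be blocked before enforcing the list."""
    summary = {"allow": [], "block": []}
    for event in events:
        verdict, reason = decide(event)
        summary[verdict].append((event.user, event.path, reason))
    return summary


def to_applocker_xml(role: str, enforcement: str = "AuditOnly") -> str:
    """Render the role's allowlist as AppLocker Exe hash rules (start in AuditOnly, then Enabled)."""
    policy = ET.Element("AppLockerPolicy", Version="1")
    coll = ET.SubElement(policy, "RuleCollection", Type="Exe", EnforcementMode=enforcement)
    for path, digest in build_allowlist(role).items():
        rule = ET.SubElement(
            coll, "FileHashRule",
            Id=str(uuid.uuid5(uuid.NAMESPACE_URL, path)),  # deterministic rule GUID
            Name=f"Allow {path}", Description="", UserOrGroupSid="S-1-1-0", Action="Allow",
        )
        cond = ET.SubElement(ET.SubElement(rule, "Conditions"), "FileHashCondition")
        # SourceFileLength is a placeholder here; AppLocker records the real file size.
        ET.SubElement(cond, "FileHash", Type="SHA256", Data="0x" + digest.upper(),
                      SourceFileName=path.rsplit("\\", 1)[-1], SourceFileLength="0")
    return ET.tostring(policy, encoding="unicode")


if __name__ == "__main__":
    events = [  # constructed sample: one phishing-style download among normal activity
        ExecEvent("alice", "accountant", r"C:\Windows\explorer.exe", BASELINE[r"C:\Windows\explorer.exe"]),
        ExecEvent("alice", "accountant", r"C:\Program Files\Acme\ledger.exe", ROLES["accountant"][r"C:\Program Files\Acme\ledger.exe"]),
        ExecEvent("alice", "accountant", r"C:\Users\alice\Downloads\invoice.exe", _placeholder_hash("unknown")),
    ]
    for verdict, entries in audit(events).items():
        for user, path, reason in entries:
            print(f"{verdict:5} {user:6} {path}  ({reason})")
    print(to_applocker_xml("accountant"))
```

Running the audit first and reviewing every "block" line is how you find the usability cost the article warns about (a legitimate program missing from the list) before any user is actually stopped; only after that review should the export be regenerated with enforcement="Enabled".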
The Benefits of an Application Whitelisting Policy
Many phishing attacks and other attack vectors rely upon a hacker being able to download and execute malicious software on a target system. Using an application whitelist, organizations can restrict programs running on their computers to only ones pre-approved by the organization. This can help to dramatically improve organizational cybersecurity by blocking cyberattacks in their early stages rather than incurring the increased costs of later detection and cleanup.
Sword & Shield offers an array of information security services such as penetration testing, managed security and virtual security and compliance consultants (vSCC) to help you to establish and harden your systems for using application whitelisting to stop malware.
Contact us to request a consultation to get started.