Using Application Whitelisting to Stop Malware

Phishing attacks are one of the most common methods attackers use to breach organizational defenses and gain access to the network. In many cases, the purpose of the phishing attack is to execute malicious software on the target computer.

Developing and enforcing an application whitelist is one way organizations can dramatically decrease the threat these phishing attacks pose to their corporate cybersecurity.

This article explains the difference between whitelists and blacklists and explores using application whitelisting to stop malware.

What is Application Whitelisting?

Before discussing the specifics of application whitelisting, it’s important to understand what a whitelist is.

When trying to protect a system from malicious content (emails, websites, applications, etc.), the two main options are a blacklist and a whitelist. With a blacklist, the security system allows anything that is not explicitly denied (i.e. known malicious content). With a whitelist, only explicitly approved content is allowed through the barrier.

The choice between the two comes down to the specifics of the situation and the trade-off between usability and security.

If it’s possible to completely define either all possible malicious content or all possible benign content, then listing it in a blacklist or a whitelist is an ideal solution. However, in most cases it’s impossible to exhaustively list all possibilities. This means that the system will suffer from either a potential lack of security (malicious content not included in a blacklist is allowed) or a loss of usability (benign content not included in a whitelist is blocked).

Application whitelisting refers to blocking the execution of any applications not explicitly listed. Windows 10 does this by default, allowing only apps included in the Windows Store to be run on a computer. However, Windows’ list is biased (i.e. only allowing Microsoft Edge and blocking other browsers) and may not meet the needs of an organization or individual.

Developing a personalized whitelist can help improve system security by tailoring protection to the needs of the individual or organization.

Getting Started

Developing an application whitelist is a two-stage process. First, the list of programs that should be allowed on the protected system needs to be defined. Then, the application whitelist needs to be enforced on the target system, including mechanisms for monitoring exceptions and performing updates.

Defining

In order to protect a system using an application whitelist, you first need to identify the programs allowed to execute on the protected system. The whitelist should allow any programs necessary for normal operation and block superfluous or potentially vulnerable applications. Doing this strikes the appropriate balance between usability and security.

When defining an application whitelist, two major considerations exist: job roles and necessary background functionality.

In order to maximize security and usability, application whitelists should be defined on a role-based or even individual basis. For example, a system administrator or member of the IT staff may have a very different set of necessary programs than an accountant or a salesperson. Allowing users access to programs unnecessary for their job role expands their attack surface.

The second consideration is the background functionality a computer needs in order to run. For example, disallowing explorer.exe (the application that provides access to files and folders) on a Windows computer will render it unusable. An application whitelist must therefore allow the background programs necessary for proper computer function.
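The two considerations above, plus the exception monitoring mentioned under Getting Started, can be modelled as a small policy evaluator. The following is an added example, not code from the article or from Sword & Shield: the baseline set, the roles, the file names and the byte contents standing in for real binaries are all constructed, and decisions are made on the file's SHA-256 hash rather than its path so that a renamed binary is still judged by its contents.

```python
"""Minimal application-whitelist evaluator (added example, constructed data).

A shared BASELINE covers background programs every machine needs; ROLE_ALLOW
adds what each job role requires. Execution is permitted only when the file's
SHA-256 hash is in the merged set, and every denial is recorded so that the
exceptions can be reviewed and the whitelist updated.
"""
import hashlib
from dataclasses import dataclass, field


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for real executables: name -> file contents.
SAMPLE_FILES = {
    "explorer.exe": b"constructed-explorer-bytes",
    "winword.exe": b"constructed-word-bytes",
    "excel.exe": b"constructed-excel-bytes",
    "powershell.exe": b"constructed-powershell-bytes",
    "invoice_viewer.exe": b"constructed-unknown-download-bytes",
}
HASHES = {name: sha256_of(data) for name, data in SAMPLE_FILES.items()}

# Background functionality required regardless of role (article: explorer.exe).
BASELINE = {HASHES["explorer.exe"]}

# Role-specific additions; roles and contents are hypothetical.
ROLE_ALLOW = {
    "accounting": {HASHES["winword.exe"], HASHES["excel.exe"]},
    "it_admin": {HASHES["powershell.exe"]},
}


@dataclass
class Policy:
    role: str
    exceptions: list = field(default_factory=list)

    def allowed_hashes(self) -> set:
        """Baseline merged with the role's own allow set."""
        return BASELINE | ROLE_ALLOW.get(self.role, set())

    def evaluate(self, path: str, contents: bytes) -> bool:
        """Return True if execution is permitted; otherwise log the denial."""
        digest = sha256_of(contents)
        if digest in self.allowed_hashes():
            return True
        self.exceptions.append({"role": self.role, "path": path, "sha256": digest})
        return False
```

Because the match is on content rather than file name, a downloaded binary saved under an allowed name such as excel.exe is still denied and lands in the exception log for review.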

Enforcement

The next step is to create a way to enforce your application whitelist on your protected computers. The best enforcement method depends mainly on the operating system your computers run.

Windows computers, except for Home edition, allow application whitelisting through the computer’s Local Security Policy editor. If you’re using Windows Home edition, you’ll need a third-party application to enforce your policy.

Mac has a couple of built-in options. Under the Apps tab of Parental Controls is an option to limit applications: you can specify whether or not to allow apps from the App Store and define specific apps to allow.

For a more general policy (similar to the default settings on Windows 10), you can limit installation to apps from the App Store and identified developers under the General tab of the Security & Privacy pane in System Preferences.

The Benefits of an Application Whitelisting Policy

Many phishing attacks and other attack vectors rely on a hacker being able to download and execute malicious software on a target system. Using an application whitelist, organizations can restrict programs to only those they have pre-approved. This can dramatically improve organizational cybersecurity: the practice blocks cyberattacks in their early stages instead of incurring the increased costs of later detection and cleanup.

Sword & Shield offers an array of information security services to establish and harden your systems to stop malware. These include penetration testing, managed security and virtual security and compliance consultants (vSCC).

Contact us to request a consultation to get started.
