Educause Security Discussion mailing list archives
Re: What's wrong with application whitelisting?
From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Mon, 5 Apr 2010 14:22:24 -0700
Hi Lewis, My responses are in line below . . . Eric Case, CISSP eric (at) ericcase (dot) com http://www.linkedin.com/in/ericcase From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Watkins, Lewis Sent: Monday, April 05, 2010 11:23 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] What's wrong with application whitelisting? Colleagues, Please help me understand something, that I have been trying to make sense of for awhile and just don't get. What's wrong with "application whitelisting"? As best I can tell, application whitelisting has very low penetration in higher education, and I simply do not understand this. There must be issues and dynamics of which I am unaware to explain this. My confusion is based on the following: - Security professionals seem to agree that anti-virus software is no longer working. No single product does the job, and it is not feasible to run multiple products on each device. - Any executable that anti-virus software will stop should also be stopped by a whitelist, since the application would not be on the approved list. [Eric Case] The whitelist will be long; it will have to cover every exe, dll, ocx, etc. for all versions in use, were in use and might become in use. Could you put a whitelist on the CS workstations were students are building apps? What about research computers also building custom apps? Maintaining the list will take a lot of time, money and effort. - Zero-day attacks are a major threat. Anti-virus is particularly bad at stopping zero-day attacks. Application whitelists are particularly good at stopping zero-day attacks. [Eric Case] I don't think so. You whitelisted the app with the 0-day vulnerability. If the exploit does not upload a new binary your whitelist only gave you a false sense of security. When the patch for the 0-day comes out, you will have to add it to the whitelist before you push the patch. - Universities use whitelisting on firewalls (i.e. we don't shut down just the ports that prove themselves to be bad - we open only those that are needed. ) - Universities use whitelisting for people (i.e. we don't let everyone in the world have an account until they prove to be bad. We maintain a list of approved users.) - However, universities use blacklisting for applications. We tend to allow any application that can find its way onto our desktop computers to run. When a program proves to be bad, we spend lots of labor and effort re-imaging the computer - then we do it again later. To the extent that application whitelisting would help prevent this, costs would be reduced and IT could concentrate more on value added efforts. [Eric Case] We know that security is about tradeoffs, but what are they with whitelisting? (just a few off the top of my head) . In institutions where users have admin access: o Would the users also be able to whitelist anything they wanted? If not, does whitelisting remove some of their admin access? o Does allowing users to whitelist anything negate the whole point to whitelisting? . In institutions that have locked down admin access: o What and how much is gained from whitelisting? o What and how much is lost in maintaining the list? In "The Psychology of Security <http://www.schneier.com/essay-155.html> " by Bruce Schneier, talks about the Prospect Theory. (I think this theory is a game changer for how we should present (frame) risk.) Schneier says: What does prospect theory mean for security trade-offs? . . . First, it means that people are going to trade off more for security that lets them keep something they've become accustomed to--a lifestyle, a level of security, some functionality in a product or service--than they were willing to risk to get it in the first place. Second, when considering security gains, people are more likely to accept an incremental gain than a chance at a larger gain; but when considering security losses, they're more likely to risk a larger loss than accept the certainty of a small one. Applied to whitelisting, I read that as, People will accept a smaller gain (AV software) than a chance at a larger gain (and expense (whitelisting)). I think, as other have pointed out, whitelisting has it use in labs (that are locked down) and in business areas that are more static. I do not see it being used anywhere users have admin access or where IT cannot respond to installs in a timely manner. Does this help? -Eric
Current thread:
- What's wrong with application whitelisting? Watkins, Lewis (Apr 05)
- <Possible follow-ups>
- Re: What's wrong with application whitelisting? Gibson, Nathan J. (HSC) (Apr 05)
- Re: What's wrong with application whitelisting? John Ladwig (Apr 05)
- Re: What's wrong with application whitelisting? Basgen, Brian (Apr 05)
- Re: What's wrong with application whitelisting? Joel Rosenblatt (Apr 05)
- Re: What's wrong with application whitelisting? Russell Fulton (Apr 05)
- Re: What's wrong with application whitelisting? Eric Case (Apr 05)
- Re: What's wrong with application whitelisting? Brad Judy (Apr 06)
- Re: What's wrong with application whitelisting? Howe, Joe (Apr 06)
- Re: What's wrong with application whitelisting? Calcutt, Andrew (Apr 06)
- Re: What's wrong with application whitelisting? Russell Fulton (Apr 06)
- Re: What's wrong with application whitelisting? Jimi Schwar (Apr 07)
- Re: What's wrong with application whitelisting? Watkins, Lewis (Apr 20)
- Re: What's wrong with application whitelisting? Gene Spafford (Apr 20)
- Re: What's wrong with application whitelisting? Leo Song (May 13)
- Re: What's wrong with application whitelisting? Everett, Alex D (May 13)