Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: What's wrong with application white listing?

From: "Warner, David F" <DWarner () COMMNET EDU>
Date: Tue, 6 Apr 2010 08:19:08 -0400
We have done some initial testing with a product McAfee bought called
Solidcore.  Uses a white-listing technology to block/permit applications
from running.  The new name is going to be McAfee Application Control :
http://www.mcafee.com/us/enterprise/products/system_security/servers/app
lication_control.html 

 

Looks quite promising.  A bit easier to manage than a desktop HIPS
product.

 

 

David Warner
Senior Security Specialist
CT Community Colleges

 

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Watkins, Lewis
Sent: Monday, April 05, 2010 2:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] What's wrong with application whitelisting?

 

Colleagues,  Please help me understand something, that I have been
trying to make sense of for awhile and just don't get.   What's wrong
with "application whitelisting"?   As best I can tell, application
whitelisting has very low penetration in higher education, and I simply
do not understand this.   There must be issues and dynamics of which I
am unaware to explain this.   My confusion is based on the following:

 

-  Security professionals seem to agree that anti-virus software is no
longer working.   No single product does the job, and it is not feasible
to run multiple products on each device.

-  Any executable that anti-virus software will stop should also be
stopped by a whitelist, since the application would not be on the
approved list.

-  Zero-day attacks are a major threat.   Anti-virus is particularly bad
at stopping zero-day attacks.   Application whitelists are particularly
good at stopping zero-day attacks. 

-  Universities use whitelisting on firewalls (i.e. we don't shut down
just the ports that prove themselves to be bad - we open only those that
are needed. )

-  Universities use whitelisting for people (i.e. we don't let everyone
in the world have an account until they prove to be bad.  We maintain a
list of approved users.)

-  However, universities use blacklisting for applications.   We tend to
allow any application that can find its way onto our desktop computers
to run.   When a program proves to be bad, we spend lots of labor and
effort re-imaging the computer - then we do it again later.    To the
extent that application whitelisting would help prevent this, costs
would be reduced and IT could concentrate more on value added efforts.

-  We have many bots and Trojans infecting computers and do not seem to
have solid solutions for preventing these infections.   If using
whitelisting, even if a rogue program finds its way onto a person's
computer, it will not execute.    I've seen improved network monitoring
proposed as a strategy so infections will be identified and stopped more
quickly based on traffic analysis.  This is good, but would it not be
better just to prevent the malware from executing to begin with?

-  Much of the malware that finds its way onto our computers does so
without the user's knowledge.   A whitelist would prevent these from
executing - thus protecting the user from doing harm without intent or
knowledge.  This could prevent us from attacking our neighbors at the
next desk and other universities and institutions.

 

There is no doubt that we in higher education have improved
significantly over the past decade in the area of information security.
However it seems the stakes are higher than ever and our threats and
adversaries are evolving very rapidly.   We need new some strategies.   

 

Thanks - I appreciate your insights, comments, and thoughts.   Also,
please let me know if the base assumptions above are incorrect.   This
is something I really do want to understand.

 

    Lewis Watkins, CISO - University of Texas System

    lwatkins () utsystem edu

 

 

 

 

___________________________________________-__

 

**** CONFIDENTIALITY STATEMENT ****
The information in this message may be confidential. 

If you received the message in error, please notify 

me and delete the message.  Further dissemination 

is prohibited. Thank you.

_____________________________________________

 

Lewis Watkins, Chief Information Security Officer

The University of Texas System

201 W. 7th Street, CLB 3

Austin, Texas 78701

Ph:  (512) 499-4540  Fax: (512) 579-5085

_____________________________________________
Previous By Date Next
Previous By Thread Next

Current thread: