Educause Security Discussion mailing list archives

Re: What's wrong with application whitelisting?


From: "Watkins, Lewis" <LWATKINS () UTSYSTEM EDU>
Date: Tue, 20 Apr 2010 12:16:56 -0500

Colleagues,

I want to thank all of you who shared your thoughts - pro and con - regarding application whitelisting and its suitability for the higher education environment. In reviewing the responses, I've come to a few personal conclusions.

* Application whitelisting - done wrong - can be a real administrative nightmare. (Not to mention a major disruption to the wellbeing of the CISO.)
* It is not a cure for all ills.
* The few people in higher education that are using application whitelisting are finding success.
* Deployment is perhaps more about culture and people issues than the technology itself.
* Whitelisting solutions have evolved over the past few years, but collectively we - myself certainly included - are relatively uninformed about the state of the art and how this will or will not meet the needs of higher education institutions.
* A most interesting comment was the one about the effect of auditors that went something along the lines of, "though anti-virus is not very effective, we will run it anyway, because our auditors require it." A suggestion - re-label the whitelisting software. Just call it your anti-virus software.

One last observation on the topic. I recently returned from the Educause/I2 Security Professionals Conference (great conference by the way). Application whitelisting was a topic that I did not hear mentioned throughout the conference. Given the daunting challenge of preventing execution of today's malware with its capability to capture keystrokes, steal research and other data, and to use our systems to attack other organizations, I was surprised by this.

Again, thanks to everyone for sharing your comments, successes, and concerns.

    Best Regards,
    Lewis

_____________________________________________

**** CONFIDENTIALITY STATEMENT ****
The information in this message may be confidential.
If you received the message in error, please notify
me and delete the message.  Further dissemination
is prohibited. Thank you.
_____________________________________________

Lewis Watkins, Chief Information Security Officer
The University of Texas System
201 W. 7th Street, CLB 3
Austin, Texas 78701
Ph:  (512) 499-4540  Fax: (512) 579-5085
_____________________________________________

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Watkins, Lewis
Sent: Monday, April 05, 2010 1:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] What's wrong with application whitelisting?

Colleagues, please help me understand something that I have been trying to make sense of for a while and just don't get. What's wrong with "application whitelisting"? As best I can tell, application whitelisting has very low penetration in higher education, and I simply do not understand this. There must be issues and dynamics of which I am unaware to explain this. My confusion is based on the following:

- Security professionals seem to agree that anti-virus software is no longer working. No single product does the job, and it is not feasible to run multiple products on each device.
- Any executable that anti-virus software will stop should also be stopped by a whitelist, since the application would not be on the approved list.
- Zero-day attacks are a major threat. Anti-virus is particularly bad at stopping zero-day attacks. Application whitelists are particularly good at stopping zero-day attacks.
- Universities use whitelisting on firewalls (i.e. we don't shut down just the ports that prove themselves to be bad - we open only those that are needed.)
- Universities use whitelisting for people (i.e. we don't let everyone in the world have an account until they prove to be bad. We maintain a list of approved users.)
- However, universities use blacklisting for applications. We tend to allow any application that can find its way onto our desktop computers to run. When a program proves to be bad, we spend lots of labor and effort re-imaging the computer - then we do it again later. To the extent that application whitelisting would help prevent this, costs would be reduced and IT could concentrate more on value-added efforts.
- We have many bots and Trojans infecting computers and do not seem to have solid solutions for preventing these infections. If using whitelisting, even if a rogue program finds its way onto a person's computer, it will not execute. I've seen improved network monitoring proposed as a strategy so infections will be identified and stopped more quickly based on traffic analysis. This is good, but would it not be better just to prevent the malware from executing to begin with?
- Much of the malware that finds its way onto our computers does so without the user's knowledge. A whitelist would prevent these from executing - thus protecting the user from doing harm without intent or knowledge. This could prevent us from attacking our neighbors at the next desk and other universities and institutions.

There is no doubt that we in higher education have improved significantly over the past decade in the area of information security. However, it seems the stakes are higher than ever and our threats and adversaries are evolving very rapidly. We need some new strategies.

Thanks - I appreciate your insights, comments, and thoughts. Also, please let me know if the base assumptions above are incorrect. This is something I really do want to understand.

    Lewis Watkins, CISO - University of Texas System
    lwatkins () utsystem edu
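The argument in the original message (any executable a signature-based product stops is also stopped by an allowlist, and an unknown zero-day binary is stopped only by the allowlist) can be made concrete with a small model. The following is an added example, not code from the thread or from any whitelisting product; the "executables" are constructed byte strings, the AV signature set and the approved manifest are constructed for illustration, and the hash-of-file-contents approach is one common way allowlists identify a binary, assumed here for simplicity. It also shows the cost side of the same mechanism: a legitimate tool that nobody has added to the manifest yet is blocked just like the malware, which is the administrative burden the reply refers to.

```python
"""Toy model of denylist (anti-virus style) vs allowlist (application whitelisting) decisions.

Everything here is constructed sample data; nothing touches the real file system
or a real anti-virus engine.
"""
import hashlib

# Constructed sample "executables": name -> file contents (arbitrary placeholder bytes)
SAMPLE_BINARIES = {
    "word.exe":      b"approved office suite, build 14",
    "ssh.exe":       b"approved ssh client, build 5.3",
    "known_bot.exe": b"malware the AV vendor already has a signature for",
    "new_bot.exe":   b"malware nobody has a signature for yet (zero-day)",
    "newtool.exe":   b"legitimate tool a researcher installed yesterday",
}


def sha256_hex(data: bytes) -> str:
    """Identify a binary by the SHA-256 of its contents (assumed identification scheme)."""
    return hashlib.sha256(data).hexdigest()


# Denylist model: the AV engine only knows what has already been seen and analysed.
AV_SIGNATURES = {sha256_hex(SAMPLE_BINARIES["known_bot.exe"])}

# Allowlist model: the approved manifest the institution maintains by hand.
APPROVED_MANIFEST = {sha256_hex(SAMPLE_BINARIES[name]) for name in ("word.exe", "ssh.exe")}


def denylist_decision(data: bytes) -> str:
    """Block only if the hash matches a known-bad signature; everything else runs."""
    return "block" if sha256_hex(data) in AV_SIGNATURES else "allow"


def allowlist_decision(data: bytes) -> str:
    """Run only if the hash is on the approved manifest; everything else is blocked."""
    return "allow" if sha256_hex(data) in APPROVED_MANIFEST else "block"


def compare(binaries=SAMPLE_BINARIES) -> dict:
    """Return {name: (denylist verdict, allowlist verdict)} for each sample binary."""
    return {name: (denylist_decision(d), allowlist_decision(d)) for name, d in binaries.items()}


def allowlist_covers_denylist(binaries=SAMPLE_BINARIES) -> bool:
    """True if every binary the denylist blocks is also blocked by the allowlist.

    This holds whenever no signature-flagged hash has been put on the approved manifest,
    which is the superset claim made in the original message.
    """
    return all(allowlist_decision(d) == "block"
               for d in binaries.values() if denylist_decision(d) == "block")


def unapproved_but_legitimate(binaries=SAMPLE_BINARIES, legitimate=("newtool.exe",)) -> list:
    """Names the allowlist blocks that the operator considers legitimate: the admin backlog."""
    return [name for name in legitimate if allowlist_decision(binaries[name]) == "block"]


if __name__ == "__main__":
    for name, (dl, al) in compare().items():
        print(f"{name:15s} denylist={dl:5s} allowlist={al}")
    print("allowlist covers denylist:", allowlist_covers_denylist())
    print("legitimate but not yet approved:", unapproved_but_legitimate())
```

Running it shows `new_bot.exe` passing the denylist and failing the allowlist (the zero-day case), `known_bot.exe` failing both, and `newtool.exe` blocked by the allowlist until someone adds its hash to the manifest, which is the operational work the replies in the thread warn about.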
