Educause Security Discussion mailing list archives
Re: What's wrong with application whitelisting?
From: Jimi Schwar <schwarj () MAIL MONTCLAIR EDU>
Date: Wed, 7 Apr 2010 10:21:55 -0400
I see nothing wrong with application whitelisting, I'm actually a huge fan of it. We have been using Bit9 Parity software in our computing labs for the last 2 years and this greatly reduced any issues with the machines. We have yet to see a piece of malware actually infect a box, nor have students been able to find a way around the software. The software approval process is usually easy, though I have run into a few pieces of software that have taken a decent amount of time to get fully approved. But the amount of time of approving the software is nothing compared to the amount of time that would be required disinfecting/reimaging these machines. Jim Schwar On 4/6/10 11:14 AM, Calcutt, Andrew wrote:
I have been testing out the whitelisting product bit9 recently and I think I will work great in our environment. Bit 9 offers 3 main modes · Monitor mode – tracks file changes on the computer, any new installation creates a group and keeps track of associated files · Block and Ask – This mode prompts the user if they are installing something that is not on the approved list. The user is presented with a message and the option to allow or block the file from running. The action the user takes is logged on the server (Computer/User/File that was appoved or blocked) · Lockdown – Only allows installation of allowed software Approvals can be done a few ways - Trusted Publishers/Trusted Updaters (Digital Certificates) - File Hash - Trusted Directory - Directory Policy – Approve based on filename/path - Local Approval – Only approve a file for a single machine I have approved updates from our SCCM server by trusting the Distribution point on the server, this means anything distributed through SCCM will automatically be approved. I have approved McAfee as a Trusted updater, so updates can be run without being affected. I have a directory policy for my domain controllers so logon/logoff scripts are automatically approved When the bit9 agent is put onto a computer it Locally approves the files and programs already on the system. It also pulls the applications with Digital Signatures into the Bit9 console so I can approve them for the rest of the campus. I would say the best thing about bit9 is the reporting. I can easily look to see what’s been blocked/Approved in a certain period of time, and approve the files for the campus. It keeps track of what was added to the system after bit9 was installed (drift) and gives a risk rating based on that information. If a file is spreading across the network, It will give a propagation alert. If a computer does become infected, I can go back and look at the computers history, see what was approved, and see what files are associated with the thing that got installed. If there is a user repeatedly getting infected then they can be put into lockdown mode, which is kind of like remove admin rights, but on a more granular basis (they could still run their apps that don’t behave properly and need admin rights, but still not install anything unapproved) My test so far have gone well. It does take some work to get your initial approval list created, but once you do that it really doesn’t require a lot. -Andrew Calcutt Information Technologies Worcester State College *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Watkins, Lewis *Sent:* Monday, April 05, 2010 2:23 PM *To:* SECURITY () LISTSERV EDUCAUSE EDU *Subject:* [SECURITY] What's wrong with application whitelisting? Colleagues, Please help me understand something, that I have been trying to make sense of for awhile and just don’t get. What’s wrong with “application whitelisting”? As best I can tell, application whitelisting has very low penetration in higher education, and I simply do not understand this. There must be issues and dynamics of which I am unaware to explain this. My confusion is based on the following: - Security professionals seem to agree that anti-virus software is no longer working. No single product does the job, and it is not feasible to run multiple products on each device. - Any executable that anti-virus software will stop should also be stopped by a whitelist, since the application would not be on the approved list. - Zero-day attacks are a major threat. Anti-virus is particularly bad at stopping zero-day attacks. Application whitelists are particularly good at stopping zero-day attacks. - Universities use whitelisting on firewalls (i.e. we don’t shut down just the ports that prove themselves to be bad – we open only those that are needed. ) - Universities use whitelisting for people (i.e. we don’t let everyone in the world have an account until they prove to be bad. We maintain a list of approved users.) - However, universities use blacklisting for applications. We tend to allow any application that can find its way onto our desktop computers to run. When a program proves to be bad, we spend lots of labor and effort re-imaging the computer – then we do it again later. To the extent that application whitelisting would help prevent this, costs would be reduced and IT could concentrate more on value added efforts. - We have many bots and Trojans infecting computers and do not seem to have solid solutions for _preventing_ these infections. If using whitelisting, even if a rogue program finds its way onto a person’s computer, it will not execute. I’ve seen improved network monitoring proposed as a strategy so infections will be identified and stopped more quickly based on traffic analysis. This is good, but would it not be better just to prevent the malware from executing to begin with? - Much of the malware that finds its way onto our computers does so without the user’s knowledge. A whitelist would prevent these from executing – thus protecting the user from doing harm without intent or knowledge. This could prevent us from attacking our neighbors at the next desk and other universities and institutions. There is no doubt that we in higher education have improved significantly over the past decade in the area of information security. However it seems the stakes are higher than ever and our threats and adversaries are evolving very rapidly. We need new some strategies. Thanks – I appreciate your insights, comments, and thoughts. Also, please let me know if the base assumptions above are incorrect. This is something I really do want to understand. Lewis Watkins, CISO – University of Texas System lwatkins () utsystem edu _____________________________________________ * * ***** CONFIDENTIALITY STATEMENT ***** The information in this message may be confidential. If you received the message in error, please notify me and delete the message. Further dissemination is prohibited. Thank you. _____________________________________________ Lewis Watkins, Chief Information Security Officer The University of Texas System 201 W. 7th Street, CLB 3 Austin, Texas 78701 Ph: (512) 499-4540 Fax: (512) 579-5085 _____________________________________________
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Re: What's wrong with application whitelisting?, (continued)
- Re: What's wrong with application whitelisting? Gibson, Nathan J. (HSC) (Apr 05)
- Re: What's wrong with application whitelisting? John Ladwig (Apr 05)
- Re: What's wrong with application whitelisting? Basgen, Brian (Apr 05)
- Re: What's wrong with application whitelisting? Joel Rosenblatt (Apr 05)
- Re: What's wrong with application whitelisting? Russell Fulton (Apr 05)
- Re: What's wrong with application whitelisting? Eric Case (Apr 05)
- Re: What's wrong with application whitelisting? Brad Judy (Apr 06)
- Re: What's wrong with application whitelisting? Howe, Joe (Apr 06)
- Re: What's wrong with application whitelisting? Calcutt, Andrew (Apr 06)
- Re: What's wrong with application whitelisting? Russell Fulton (Apr 06)
- Re: What's wrong with application whitelisting? Jimi Schwar (Apr 07)
- Re: What's wrong with application whitelisting? Watkins, Lewis (Apr 20)
- Re: What's wrong with application whitelisting? Gene Spafford (Apr 20)
- Re: What's wrong with application whitelisting? Leo Song (May 13)
- Re: What's wrong with application whitelisting? Everett, Alex D (May 13)