Re: What's wrong with application whitelisting?

[Jimi Schwar <schwarj () MAIL MONTCLAIR EDU>]

I see nothing wrong with application whitelisting, I'm actually a huge
fan of it.  We have been using Bit9 Parity software in our computing
labs for the last 2 years and this greatly reduced any issues with the
machines.  We have yet to see a piece of malware actually infect a box,
nor have students been able to find a way around the software.

The software approval process is usually easy, though I have run into a
few pieces of software that have taken a decent amount of time to get
fully approved.  But the amount of time of approving the software is
nothing compared to the amount of time that would be required
disinfecting/reimaging these machines.

Jim Schwar

On 4/6/10 11:14 AM, Calcutt, Andrew wrote:
> I have been testing out the whitelisting product bit9 recently and I
> think I will work great in our environment.
>
>  
>
> Bit 9 offers 3 main modes
>
> ·         Monitor mode – tracks file changes on the computer, any new
> installation creates a group and keeps track of associated files
>
> ·         Block and Ask – This mode prompts the user if they are
> installing something that is not on the approved list. The user is
> presented with a message and the option to allow or block the file from
> running. The action the user takes is logged on the server
> (Computer/User/File that was appoved or blocked)
>
> ·         Lockdown – Only allows installation of allowed software
>
>  
>
> Approvals can be done a few ways
>
> -          Trusted Publishers/Trusted Updaters (Digital Certificates)
>
> -          File Hash
>
> -          Trusted Directory
>
> -          Directory Policy – Approve based on filename/path
>
> -          Local Approval – Only approve a file for a single machine
>
>  
>
> I have approved updates from our SCCM server by trusting the
> Distribution point on the server, this means anything distributed
> through SCCM will automatically be approved. I have approved McAfee as a
> Trusted updater, so updates can be run without being affected. I have a
> directory policy for my domain controllers so logon/logoff scripts are
> automatically approved
>
>  
>
> When the bit9 agent is put onto a computer it Locally approves the files
> and programs already on the system. It also pulls the applications with
> Digital Signatures into the Bit9 console so I can approve them for the
> rest of the campus.
>
>  
>
> I would say the best thing about bit9 is the reporting. I can easily
> look to see what’s been blocked/Approved in a certain period of time,
> and approve the files for the campus. It keeps track of what was added
> to the system after bit9 was installed (drift) and gives a risk rating
> based on that information. If a file is spreading across the network, It
> will give a propagation alert. If a computer does become infected, I can
> go back and look at the computers history, see what was approved, and
> see what files are associated with the thing that got installed. If
> there is a user repeatedly getting infected then they can be put into
> lockdown mode, which is kind of like remove admin rights, but on a more
> granular basis (they could still run their apps that don’t behave
> properly and need admin rights, but still not install anything unapproved)
>
>  
>
>  
>
> My test so far have gone well. It does take some work to get your
> initial approval list created, but once you do that it really doesn’t
> require a lot.
>
>  
>
> -Andrew Calcutt
>
> Information Technologies
>
> Worcester State College
>
>  
>
>  
>
>  
>
> *From:* The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Watkins, Lewis
> *Sent:* Monday, April 05, 2010 2:23 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] What's wrong with application whitelisting?
>
>  
>
> Colleagues,  Please help me understand something, that I have been
> trying to make sense of for awhile and just don’t get.   What’s wrong
> with “application whitelisting”?   As best I can tell, application
> whitelisting has very low penetration in higher education, and I simply
> do not understand this.   There must be issues and dynamics of which I
> am unaware to explain this.   My confusion is based on the following:
>
>  
>
> -  Security professionals seem to agree that anti-virus software is no
> longer working.   No single product does the job, and it is not feasible
> to run multiple products on each device.
>
> -  Any executable that anti-virus software will stop should also be
> stopped by a whitelist, since the application would not be on the
> approved list.
>
> -  Zero-day attacks are a major threat.   Anti-virus is particularly bad
> at stopping zero-day attacks.   Application whitelists are particularly
> good at stopping zero-day attacks.
>
> -  Universities use whitelisting on firewalls (i.e. we don’t shut down
> just the ports that prove themselves to be bad – we open only those that
> are needed. )
>
> -  Universities use whitelisting for people (i.e. we don’t let everyone
> in the world have an account until they prove to be bad.  We maintain a
> list of approved users.)
>
> -  However, universities use blacklisting for applications.   We tend to
> allow any application that can find its way onto our desktop computers
> to run.   When a program proves to be bad, we spend lots of labor and
> effort re-imaging the computer – then we do it again later.    To the
> extent that application whitelisting would help prevent this, costs
> would be reduced and IT could concentrate more on value added efforts.
>
> -  We have many bots and Trojans infecting computers and do not seem to
> have solid solutions for _preventing_ these infections.   If using
> whitelisting, even if a rogue program finds its way onto a person’s
> computer, it will not execute.    I’ve seen improved network monitoring
> proposed as a strategy so infections will be identified and stopped more
> quickly based on traffic analysis.  This is good, but would it not be
> better just to prevent the malware from executing to begin with?
>
> -  Much of the malware that finds its way onto our computers does so
> without the user’s knowledge.   A whitelist would prevent these from
> executing – thus protecting the user from doing harm without intent or
> knowledge.  This could prevent us from attacking our neighbors at the
> next desk and other universities and institutions.
>
>  
>
> There is no doubt that we in higher education have improved
> significantly over the past decade in the area of information security. 
> However it seems the stakes are higher than ever and our threats and
> adversaries are evolving very rapidly.   We need new some strategies.   
>
>  
>
> Thanks – I appreciate your insights, comments, and thoughts.   Also,
> please let me know if the base assumptions above are incorrect.   This
> is something I really do want to understand.
>
>  
>
>     Lewis Watkins, CISO – University of Texas System
>
>     lwatkins () utsystem edu
>
>  
>
>  
>
>  
>
>  
>
> ___________________________________________­__
>
> * *
>
> ***** CONFIDENTIALITY STATEMENT *****
> The information in this message may be confidential.
>
> If you received the message in error, please notify
>
> me and delete the message.  Further dissemination
>
> is prohibited. Thank you.
>
> _____________________________________________
>
>  
>
> Lewis Watkins, Chief Information Security Officer
>
> The University of Texas System
>
> 201 W. 7th Street, CLB 3
>
> Austin, Texas 78701
>
> Ph:  (512) 499-4540  Fax: (512) 579-5085
>
> _____________________________________________
>
>

Attachment: signature.asc
Description: OpenPGP digital signature