By Gregory Hale
If you talk to people focused on security, you would think whitelisting is the end all solution that will keep a system safe.
The reality is, yes, whitelisting is a quality security solution. But is it the answer to all security issues that could affect a system? The answer to that question if you listen to Nate Bowman, cyber security researcher with the Department of Homeland Security Program’s Industrial Control System Cyber Emergency Response Team, the answer is a solid maybe.
“It is nice to have whitelisting as a tool in the tool box, but it is not a cure all,” said Bowman during the ISCJWG meeting in Long Beach, CA, Wednesday.
Whitelisting is all about creating a list of applications that are allowable. The concept tries to stop an undesirable action from happening. It has a deny all capability. That compares to blacklisting which is an allow all strategy. Blacklisting tries to fight off the malware once it gets into the system. Whitelisting only allows in what the user wants in.
Bowman gave a small case history of where one company was suffering from an advanced persistent threat (APT) attack. The victim found the threat and saw a PW dump, which is a tool to find user names and passwords. The company was using whitelisting and it found the attempt to find the names and was able to hold off that attack. But, Bowman said, the APT was, in fact, persistent, and it then went into PS exec mode. That is a utility to keep moving forward in the attack to gain more names and passwords. Again, the whitelisting was able to stop that attack. The APT then tried to work around the whitelisting. After repeated attempts the company was able to thwart the attack.
Whitelisting does have benefits where it does reduce risk, increases visibility and helps with compliance issues. It does, however, have some limitations. It is not effective against memory corruption attacks. The higher up the execution stack you go, the more trouble whitelisting has, Bowman said. SQL injections and cross scripting attacks are not as well protected.
Challenges for whitelisting include management. “It is a nightmare to manage whitelisting technology,” Bowman said. “It is easier to include whitelisting in a static environment than it is in a changing environment.”
There is also the idea of a cultural change, he said. “Users will complain about the freedom they will have to give up.”
“Whitelisting works for Industrial Control Systems,” Bowman said. “It is a nice marriage between the two. It works best with static systems and deterministic systems.”