With the internet, in all its glory, playing host to over 1.8 billion websites that can be accessed by virtually anyone in the world, it stands to reason that businesses may not want users accessing some of these websites due to security threats, inappropriateness, or other factors while on their network. How can businesses control what websites their users gain access to? Typically, most organizations have utilized a blacklist, which identifies websites that users are not allowed to access. This method is not very restrictive and can be problematic in that it allows access to everything, and I do mean EVERYTHING, that is not on the blacklist. A whitelist, as you might guess, is the exact opposite of a blacklist, and only grants access to websites explicitly identified on the list. If the site isn’t on the list, then the user isn’t granted access to it. The concept of a whitelist has been around for many years in website filtering but has seldom been implemented. It can also be problematic because, given the breadth and depth of the internet, only a fraction of the available websites would be allowed.
The concepts of blacklists and whitelists have evolved over time to include not just specific websites that users would access on the Internet, but also an entire nation’s IP block. Why would someone want to do that? In many cases, nation states restrict access to and from other nations they consider adversaries in the world for military and industrial technology. In the commercial world, corporate espionage and data exfiltration of proprietary methods and customer lists are also a real threat. For example, if you worked for an organization whose biggest competitor had its headquarters located in Europe, you might want to block access to the entire continent of Europe’s IP block to keep someone from sending proprietary information regarding your products there. Obviously, this is a crude example because you would not want to block access to the entire continent of Europe, or even to a country in Europe, just because a competitor is headquartered there. However, what if you used the list to monitor (watch) access to data flowing to those countries more closely? That is definitely something your organization should consider.
A NEW WHITELIST
While Internet whitelists and blacklists have been around since entities first started connecting to the Internet, a new whitelist concept has emerged as technology has advanced: an application whitelist. An application whitelist is a list of applications, and their attributes, that are allowed to run within an organization, reducing the possibility of malware spreading both within and beyond its network. In 2015, the U.S. National Institute of Standards and Technology (NIST) published a guide recommending that organizations utilize application whitelists. This guide was created for the purposes of “planning and implementation for whitelisting technologies throughout the security deployment lifecycle” and can be downloaded from their website. There is, of course, a downside. Utilizing a whitelist requires IT organizations to build an application dependency map for each application and to deploy additional security measures, such as cryptographic hashes, for these applications to prevent application spoofing.
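The role of cryptographic hashes in preventing application spoofing, shown as an added example that is not taken from the NIST guide or from any product: an allowlist entry that records a SHA-256 digest rejects a different program carrying an approved file name, while a name-only entry accepts it. The file names, contents and function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_allowlist(approved_paths):
    """Map each approved file name to the digest recorded at approval time."""
    return {Path(p).name: sha256_file(p) for p in approved_paths}


def allowed_by_name(allowlist, path):
    """Weak check: trusts the file name alone."""
    return Path(path).name in allowlist


def allowed_by_hash(allowlist, path):
    """Stronger check: the name must be listed and the content must match."""
    expected = allowlist.get(Path(path).name)
    return expected is not None and sha256_file(path) == expected


def demo():
    """Compare both checks on constructed sample files (not real programs)."""
    with tempfile.TemporaryDirectory() as root:
        approved = Path(root, "approved", "report_tool.exe")
        spoofed = Path(root, "downloads", "report_tool.exe")
        unknown = Path(root, "downloads", "other_tool.exe")
        for path, content in (
            (approved, b"constructed bytes of the approved build"),
            (spoofed, b"constructed bytes of a different program"),
            (unknown, b"constructed bytes of an unlisted program"),
        ):
            path.parent.mkdir(exist_ok=True)
            path.write_bytes(content)
        allowlist = build_allowlist([approved])
        return {
            label: (allowed_by_name(allowlist, p), allowed_by_hash(allowlist, p))
            for label, p in (("approved", approved), ("spoofed", spoofed), ("unknown", unknown))
        }


if __name__ == "__main__":
    print(demo())
```

Each result pair is (name check, hash check). Because the digest covers the file's content, a legitimately updated build of an approved application is also rejected until its new digest is recorded.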
Ultimately, the decision to go with an application whitelist is complex and requires careful thought and thorough planning. If you need help making these decisions, Internetwork Engineering (IE) has extensive experience in conducting security risk assessments and can help make the transition much easier. For more information about how IE can help, contact us today.
About the Author
Richard Babb has been active in the information technology industry since graduating from Clemson University in 1993. During that time, he has acquired a vast array of knowledge in network security, server and network operating systems. During his career, he has held certifications in Cisco, Microsoft, CheckPoint, Novell, TANDBERG, and others. He currently works as a Solutions Specialist for Internetwork Engineering.
Adam Sedgewick, Murugiah Souppaya, and Karen Scarfone, NIST Special Publication 800-167: Guide to Application Whitelisting