The whitelisting questions you should be asking

As I work my way around from customer to customer, many of whom have seen or been slapped in the head with the ASD Top 4, I am constantly asked, “how do we implement whitelisting and what’s it all about?”

The following should equip you with some questions that will help you make decisions that fit your company’s needs, not those of the vendor who is banging on your door. Considering I work for a vendor this may sound odd, but after nearly 30 years in IT I’ve learned that if your solution doesn’t fit the customer’s need you may get a short-term win, but lose a long-term customer.

In my experience, simple is good for security: simple to maintain, simple to update, and so on. So, quite simply, “whitelisting is all about your backup rule”.

The principle of whitelisting is simple: here is a list of things you can run, no more, no less. The challenge comes when we try to keep that list up to date, and protect our rule from a crafty user or someone who would like to bypass the rules.

Here are your basic options:
1. Use specific paths and rely on file-level security to prevent file copies or overwrites.
2. Use digital signatures or hashing for each allowed file to prevent changes.
3. Use certificates or other credentials from trusted vendors.
4. Use an online database of signatures for allowed files.
5. File ownership: keep a list of trusted owners who can update files.

Each of these options has its market leaders, and vendors claiming their way is the best way. Really, it’s about what best suits the customer.

If our world never changed then things would be easy, but updates to allowed files happen all the time, and this is where the real cost of whitelisting comes in:

  1. If we change or update a whitelisted file, how much management is involved in making sure users can run the new version?
  2. If we want to add a file to the whitelist, how much work is required to make sure the authorised users can run this new file?
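
To make the trade-off between the five rule families concrete, here is a small rule evaluator. It is an added example, not code from the article, CSO Australia or any vendor product. It models path, hash, publisher-certificate, online-database and ownership rules with default deny as the backup rule, then runs a constructed set of files through them: the original build, a vendor update, a copy of the same bytes into a user directory, and an unsigned overwrite in the trusted location. Every path, publisher name and owner is constructed sample data, and the “online database” is modelled as a plain set of known-good hashes.

```python
"""Toy allowlist rule evaluator (added example, not from the article or any vendor).

Models the five rule families the article lists (path, hash, publisher
certificate, online signature database, file ownership) and shows which of
them still allow a file after a routine update, a copy to a user directory,
and an in-place overwrite. All file, publisher and owner values are
constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class FileRecord:
    path: str
    content: bytes
    owner: str                       # filesystem owner of the file
    publisher: Optional[str] = None  # code-signing subject, None if unsigned

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass(frozen=True)
class Rule:
    kind: str   # "path", "hash", "publisher", "owner" or "online"
    value: str  # path prefix, digest, signer subject, account, or a label for the online db

    def matches(self, f: FileRecord, online_db: FrozenSet[str]) -> bool:
        if self.kind == "path":
            return f.path.lower().startswith(self.value.lower())
        if self.kind == "hash":
            return f.sha256() == self.value
        if self.kind == "publisher":
            return f.publisher is not None and f.publisher == self.value
        if self.kind == "owner":
            return f.owner == self.value
        if self.kind == "online":
            return f.sha256() in online_db
        raise ValueError(f"unknown rule kind: {self.kind}")


def decide(f: FileRecord, rules: List[Rule],
           online_db: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    """First matching rule wins; nothing matching falls through to the backup rule: default deny."""
    for r in rules:
        if r.matches(f, online_db):
            return True, f"{r.kind}:{r.value}"
    return False, "default-deny"


def verdict_by_kind(f: FileRecord, rules: List[Rule],
                    online_db: FrozenSet[str] = frozenset()) -> Dict[str, bool]:
    """Evaluate each rule family on its own so their maintenance cost can be compared."""
    return {r.kind: r.matches(f, online_db) for r in rules}


# --- constructed sample data (hypothetical vendor, paths and accounts) ---------
TRUSTED_DIR = "C:\\Program Files\\Acme\\"
V1 = FileRecord(TRUSTED_DIR + "tool.exe", b"acme tool build 1",
                owner="TrustedInstaller", publisher="CN=Acme Corp")
V2 = FileRecord(TRUSTED_DIR + "tool.exe", b"acme tool build 2",
                owner="TrustedInstaller", publisher="CN=Acme Corp")        # vendor update, new hash
USER_COPY = FileRecord("C:\\Users\\bob\\Downloads\\tool.exe", V1.content,
                       owner="bob", publisher="CN=Acme Corp")              # same bytes, new location
OVERWRITTEN = FileRecord(V1.path, b"acme tool build 1 + local patch",
                         owner="bob", publisher=None)                      # modified in place, unsigned

RULES = [
    Rule("path", TRUSTED_DIR),
    Rule("hash", V1.sha256()),
    Rule("publisher", "CN=Acme Corp"),
    Rule("owner", "TrustedInstaller"),
    Rule("online", "vendor-reputation-db"),
]
ONLINE_DB = frozenset({V1.sha256()})  # the database has only ever seen build 1

if __name__ == "__main__":
    for name, f in [("v1", V1), ("v2 update", V2), ("user copy", USER_COPY), ("overwritten", OVERWRITTEN)]:
        print(f"{name:12} combined={decide(f, RULES, ONLINE_DB)} per-kind={verdict_by_kind(f, RULES, ONLINE_DB)}")
```

Running it shows the cost each option carries: the hash and online rules stop allowing the file the moment the vendor ships a new build, so every update needs a whitelist change; the path rule keeps allowing the overwritten, unsigned file because it trusts the location rather than the content, which is exactly why option 1 depends on file-level security; the publisher rule survives the update and the copy but denies the unsigned overwrite, at the price of trusting everything that vendor signs.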

It’s here that other questions can be raised. One discussion I’ve had many times with customers is, “do you want a whitelisting solution, or do you just want to make sure users can only run authorised files?”

While they may sound the same, the technologies involved—and therefore the solution and ongoing maintenance—can vary widely.


I urge you to ask your team, your vendor and your management two questions:

  1. Do we really need whitelisting, or are we just after better protection?
  2. If we do choose whitelisting, what is our backup rule, and how do we keep things current?

One last thing I’d urge you to do: test any solution in your environment, with your endpoints. Confirm any vendor claims are real before parting with your hard-earned cash.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by Shane Wescott