Inexpensive, Effective Whitelisting

Monday, February 20, 2012 @ 03:02 PM gHale

In a different use of application whitelisting, military computers soon will undergo configuration to execute only administrator-approved software applications in certain areas of a computer, Pentagon officials said.

Whitelisting is a recommended best practice, but DoD and industry have lagged in adoption because of the staffing involved in adding and removing applications from the list, National Security Agency (NSA) officials said.


The Defense Department’s (DoD) version of “application whitelisting” focuses on where downloads can launch in a system. Officials think that will end up being an inexpensive protection against downloads that antivirus programs fail to flag as threats.

“You can download it, but you can’t install it,” said Paul Bartock, a technical director for the Information Assurance Directorate at NSA, who helped develop the technique.

One weakness with even the best antivirus programs is that they blacklist software only after determining it is malicious: unknown worms are not blocked, and hackers continuously tweak their code so it remains unknown.

However, NSA’s approach blocks every application from executing until a network administrator has approved, or whitelisted, it.

To save time, NSA created a way to grant applications access based on where they are trying to open in a system — for example, certain disk drives or directories. With typical whitelisting, an administrator has to change the list every time a developer releases a new patch or program update. Under NSA’s approach, administrators are able to focus their attention on fewer potential entry points for viruses, thus reducing the time involved in installing new applications.
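The location-based rule evaluation the article describes, as an added example (not NSA's configuration or code): a deny-by-default policy, allow rules for the operating-system and program directories, and more-specific deny rules for the user-writable subdirectories inside them. The directory names and the longest-match precedence are assumptions, modelled on how Windows Software Restriction Policies resolve competing path rules.

```python
"""Model of location-based application whitelisting: every executable is
Disallowed unless it launches from an administrator-approved directory, and
the most specific matching path rule wins. Added example, not NSA's
configuration; directory names are assumed."""
import ntpath
from pathlib import PureWindowsPath

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"
DEFAULT_LEVEL = DISALLOWED  # nothing runs unless a rule says otherwise

# Constructed policy: allow the OS and program trees, then re-deny the
# subdirectories inside them that ordinary users can write to.
PATH_RULES = {
    r"C:\Windows": UNRESTRICTED,
    r"C:\Program Files": UNRESTRICTED,
    r"C:\Program Files (x86)": UNRESTRICTED,
    r"C:\Windows\Temp": DISALLOWED,
    r"C:\Windows\Tasks": DISALLOWED,
}


def _parts(path):
    """Split a Windows path into comparable components: collapse '.' and
    '..' first (ntpath.normpath) and casefold, since NTFS paths are
    case-insensitive. Without normalisation 'C:\\Windows\\..\\Users\\x.exe'
    would look as if it lived under C:\\Windows."""
    return tuple(p.casefold() for p in PureWindowsPath(ntpath.normpath(path)).parts)


def evaluate(path):
    """Return (level, matching_rule) for an executable at `path`.
    The longest (most specific) rule whose directory contains `path` wins;
    with no match the default level applies."""
    target = _parts(path)
    best_rule, best_parts = None, ()
    for rule in PATH_RULES:
        rp = _parts(rule)
        if target[:len(rp)] == rp and len(rp) > len(best_parts):
            best_rule, best_parts = rule, rp
    if best_rule is None:
        return DEFAULT_LEVEL, None
    return PATH_RULES[best_rule], best_rule


if __name__ == "__main__":
    for p in (r"C:\Users\alice\Downloads\setup.exe",   # downloaded: blocked
              r"C:\Program Files\Vendor\app.exe",      # installed by admin: runs
              r"C:\Windows\Temp\dropper.exe",          # writable subdir: blocked
              r"c:\WINDOWS\System32\notepad.exe",      # case differs: still runs
              r"C:\Windows\..\Users\alice\unapproved.exe"):
        print(f"{p}: {evaluate(p)[0]}")
```

A file the user has downloaded is still on disk, but because its directory carries no allow rule it cannot execute, which is the "you can download it, but you can't install it" behaviour the article quotes.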

Now, NSA is arranging for the baseline configurations of all new Defense computers to employ the tactic, said Eric Chudow, who works in the Information Assurance Directorate at NSA.

This method already has thwarted one type of worm that antivirus programs failed to catch.

“An email tried to install malware,” Chudow said. “On the newer baseline computers, the administrators could see this was malware,” but on the older models, “the antivirus wasn’t able to protect against it yet. Two weeks later, the antivirus vendors issued a signature for that particular piece of malware.”

Commercial whitelisting software can cost hundreds of thousands of dollars and require three full-time employees to change the list for every patch and upgrade. NSA officials were able to do the job without licensing special software. They used software-restriction features that come with most operating systems, along with an existing intrusion detection system, and then wrote some special permissions, officials said.

The project required monitoring the agency’s network about 20 hours a week for three months to make sure the new configuration was not obstructing important applications, officials added. For ongoing upkeep, they only needed an hour of attention per week.

Almost anyone, including home computer users and health technicians, can try the technique as this white paper shows.
