Listing in Black and White

There is an overall philosophy of trust built into the operating system, built into the browser and built into the internet itself. It’s permissive, assuming that everything it finds everywhere is honorably done and deserves access into our system. It mostly does that because we seem to like it that way. People bristle when their computer won’t let them do exactly what they want.

So we developed solutions that block any unwanted content. We call this kind of approach blacklisting. Somebody has to keep the blocked list of things up to date, and in our rapidly expanding world of internet connectivity this is a very big job. There are companies with hundreds of employees doing nothing each day but adding to the blacklist of unacceptable programs, websites, emails and other content and sources. Blacklisting can be assisted by clever augmentation like heuristic detection, automatic reputation analysis, peer analysis and other techniques, but it is still hard pressed as a solo solution for network security.

Making a list of only those things you will permit to run is called whitelisting. In a whitelisting approach, you name what you want to run, and nothing else is allowed in. At first this caused some confusion. You might think that you could say “My company only runs these three programs and nothing else,” but it’s more complicated than that. A popular word processing program might contain more than one hundred executable files (each a program in its own right) that need to be specifically permitted to run. Popular whitelisting programs have contained analysis tools that let you define a particular installation and lock it down. This can actually be used to make you very secure, but unable to keep up with modern computing practices. You are downloading and running new programs (new executable code) every second that you browse the web. You download Java applets and JavaScript, ActiveX script, AJAX code, program updates, UPnP (Universal Plug and Play) code, Python programs, Drupal scripts and other things too numerous to mention. You also need to download and apply patches (which are pretty much always executables in their own right) every time one of your listed products has a security problem of its own. A whitelist solution wrapped tight enough to be effective virtually silences your machine to the world and vice versa. It is kind of an iron-fisted approach. There are more open approaches to whitelisting, with one manufacturer claiming to have authentication for eighty million approved applications, and on that side of the scale one wonders just how secure it can be.
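The lock-down step and the patch problem described above can be shown with a small hash-based allowlist. This is an added example, not code from any whitelisting product; the file names, the SHA-256 digest scheme and the `snapshot`/`audit` helpers are assumptions made for illustration. An enforcing allowlist would refuse to run anything reported as modified or unlisted until the list is refreshed.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(install_dir):
    """Record the digest of every file under an installation (the lock-down step)."""
    allow = {}
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            full = os.path.join(root, name)
            allow[os.path.relpath(full, install_dir)] = sha256_file(full)
    return allow

def audit(install_dir, allow):
    """Classify each file now present as allowed, modified, or unlisted."""
    result = {"allowed": [], "modified": [], "unlisted": []}
    for rel, digest in sorted(snapshot(install_dir).items()):
        if rel not in allow:
            result["unlisted"].append(rel)
        elif allow[rel] == digest:
            result["allowed"].append(rel)
        else:
            result["modified"].append(rel)
    return result

def demo():
    """Constructed sample: a fake three-file 'word processor' installation."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in [("editor.exe", b"v1"), ("spell.dll", b"v1"), ("print.exe", b"v1")]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        allow = snapshot(d)                      # lock down the installation
        with open(os.path.join(d, "spell.dll"), "wb") as f:
            f.write(b"v2-security-patch")        # vendor patch replaces a listed file
        with open(os.path.join(d, "plugin.exe"), "wb") as f:
            f.write(b"new")                      # newly downloaded code, never listed
        return audit(d, allow)

if __name__ == "__main__":
    print(demo())
```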

Alternatives to whitelisting and blacklisting might include continuous analysis, where each item or place encountered in your network is either analyzed locally or compared to the experience of other similar items. This would ideally be done with connectivity to a cloud-based service. Also, continuous analysis of behavior inside the network and with the internet will yield real help in securing the enterprise.

Whitelisting is a tool that will surely develop into something over time. Interesting approaches combining whitelisting with blacklisting or with other, more active components are being tried all the time. A whitelisting approach might be a good component for your system’s security, but only one component of many. It’s a hot issue as of this writing, but it is decidedly not the last word in system security. The jury is still out.
