• Team Cloke

All about Ransomware: Application Whitelisting

Antivirus and many other security technologies use a blacklist approach. They detect and block malicious programs based on code signatures, behavioural traits, indicators of compromise and other attributes. However, in an era where more malware is being produced than applications, the blacklist approach may not be sufficient anymore.

Back in 2015, the U.S. National Institute of Standards and Technology (NIST) published a guide covering the basics of application whitelisting and how to plan and implement whitelisting technologies throughout the security deployment lifecycle. The guide's contents remain relevant today.

Here are four tips to consider when adopting the application whitelisting approach:

  1. Consider using application whitelisting technologies already built into the host operating system, particularly for centrally managed desktops, laptops, and servers, because of the relative ease in managing these solutions and the minimal additional cost.

  2. Use products that support more sophisticated application whitelisting attributes. Choosing attributes is largely a matter of achieving the right balance of security, maintainability, and usability. Simpler attributes such as file path, filename, and file size should not be used by themselves unless there are strict access controls in place to tightly restrict file activity, and even then there are often significant benefits to pairing them with other attributes. A combination of digital signature/publisher and cryptographic hash techniques generally provides the most accurate and comprehensive application whitelisting capability, but usability and maintainability requirements can put significant burdens on the organisation.

  3. Test prospective application whitelisting technology before deploying. This testing should include a thorough evaluation of how the solution reacts to changes in software, such as installing an update. An application whitelisting technology might be considered unsuitable if, for instance, it had to be disabled in order to install security updates for the operating system or particular applications.

  4. Use a phased approach for deployment to minimise unforeseen issues and identify potential pitfalls early in the process.
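The trade-offs in tips 2 and 3 are easier to see with a small policy engine than in prose. The following is an added example written for this post, not code from Cloke, NIST or any whitelisting product: a toy default-deny evaluator that supports path, hash and publisher rules and runs four policies over a handful of constructed sample files (an application before and after an update, an unsigned binary dropped into a subfolder of the allowed directory, a path that uses `..` to escape that directory, and an unsigned in-house tool). The file contents, paths and publisher name are all made up, and the publisher field assumes the platform has already verified the code-signing chain before the policy is consulted.

```python
"""Toy application-whitelist policy engine (added example, not a product's code)."""
import hashlib
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FileInfo:
    """What the whitelisting agent knows about a file it is asked to execute."""
    path: str
    content: bytes
    # Publisher name taken from an already-verified code-signing chain; None when
    # the file is unsigned or its signature failed verification. Assumption for
    # this example: the platform's signature check runs before this policy code.
    publisher: Optional[str] = None

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass(frozen=True)
class Rule:
    kind: str   # "path", "hash" or "publisher"
    value: str


def _norm(path: str) -> str:
    # Collapse "..", duplicate separators and letter case so the prefix test is
    # made against the file's real location, not the string the caller supplied.
    return ntpath.normcase(ntpath.normpath(path))


def rule_matches(rule: Rule, f: FileInfo) -> bool:
    if rule.kind == "path":
        prefix = _norm(rule.value).rstrip("\\") + "\\"
        return _norm(f.path).startswith(prefix)
    if rule.kind == "hash":
        return f.sha256 == rule.value.lower()
    if rule.kind == "publisher":
        return f.publisher is not None and f.publisher == rule.value
    raise ValueError(f"unknown rule kind: {rule.kind}")


def is_allowed(policy: List[Rule], f: FileInfo) -> bool:
    """Default deny: a file may run only if at least one allow rule matches it."""
    return any(rule_matches(r, f) for r in policy)


# Constructed sample files (not real binaries); the content bytes stand in for
# the executable image so that hashes differ between builds.
APP_V1 = FileInfo(r"C:\Program Files\Acme\acme.exe", b"acme build 1.0", "Acme Corp")
APP_V2 = FileInfo(r"C:\Program Files\Acme\acme.exe", b"acme build 1.1", "Acme Corp")  # after an update
DROPPED = FileInfo(r"C:\Program Files\Acme\logs\update.exe", b"not acme", None)  # unsigned, writable subfolder
TRAVERSAL = FileInfo(r"C:\Program Files\Acme\..\..\Users\bob\Downloads\x.exe", b"not acme", None)
LEGACY = FileInfo(r"C:\Tools\legacy.exe", b"unsigned internal tool", None)

SAMPLES: Dict[str, FileInfo] = {
    "app_v1": APP_V1, "app_v2": APP_V2, "dropped": DROPPED,
    "traversal": TRAVERSAL, "legacy": LEGACY,
}

POLICIES: Dict[str, List[Rule]] = {
    "path_only": [Rule("path", r"C:\Program Files\Acme")],
    "hash_only": [Rule("hash", APP_V1.sha256)],
    "publisher_only": [Rule("publisher", "Acme Corp")],
    # NIST's recommended pairing: publisher for vendor software, hash for the
    # unsigned tool that has no publisher to trust.
    "publisher_plus_hash": [Rule("publisher", "Acme Corp"), Rule("hash", LEGACY.sha256)],
}


def evaluate(policy_name: str) -> Dict[str, bool]:
    """Verdict (True = allow) for every sample file under one named policy."""
    policy = POLICIES[policy_name]
    return {name: is_allowed(policy, f) for name, f in SAMPLES.items()}


def compare_policies() -> Dict[str, Dict[str, bool]]:
    return {name: evaluate(name) for name in POLICIES}


if __name__ == "__main__":
    for name, verdicts in compare_policies().items():
        row = ", ".join(f"{k}={'allow' if v else 'deny'}" for k, v in verdicts.items())
        print(f"{name:>20}: {row}")
```

Running it shows each tip in one row: the path-only policy allows the unsigned file dropped into a subfolder of the trusted directory (why tip 2 says path alone needs strict access controls), and only the `..` normalisation keeps it from also allowing the traversal path; the hash-only policy denies the application the moment an update changes its bytes (the update scenario tip 3 says to test for); the publisher policy survives the update but cannot admit the unsigned in-house tool, which is what the publisher-plus-hash combination is for.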

© 2020 CLOKE Inc.