Whitelisting – or putting computer applications and e-mail messages on a virtual VIP list – is an effective security approach that Canadian small businesses and consumers need help with, according to the Public Interest Advocacy Group (PIAC).
The Ottawa-based group of lawyers released a report yesterday titled “Whitelisting for cyber security: what it means for consumers.” It says in short that the method of pre-approving applications, Web sites and e-mail messages for end-user access is a needed security approach that makes up for the shortcomings of current antivirus technology. But the technical requirements and time demands to set up and manage whitelists put it beyond the capability of those not in an enterprise-grade company.
Antivirus software and services mostly rely on blacklist methods of blocking malware, PIAC notes in its report. But as hackers have become more sophisticated in recent years, the lists of Trojans, viruses, and worms have grown exponentially – to the point that in 2008, security vendor Symantec Corp. added more antivirus signatures than it had in its entire 17-year history.
It seems logical to flip that equation, and instead, create a list of good software that end-users want to use and block everything else, says Janet Lo, legal counsel with PIAC. It is working well in areas that need to be 100 per cent secure.
“It works best where there is IT staff that is able to monitor that whitelisting is being set up properly and complied with,” she says. “As cyber-threats become increasingly complex, we think it will be one layer of defence that will help protect end-system resources.”
Security providers specializing in whitelist creation and management currently serve the enterprise space, Lo says. There’s a void to fill for consumers and small businesses that could also benefit from the added security of the method.
Existing enterprise solutions include Bit Nine’s Parity, which gives IT administrators a tool to automatically discriminate between whitelist-compliant programs and non-compliant threats. Faronics’ Anti-Executable creates a whitelist by scanning a workstation’s hard drive and using the installed programs as a starting template.
But there’s a lack of more consumer-friendly whitelisting products, Lo says.
Small businesses don’t have any options when it comes to whitelisting, agrees Robert Beggs, founder of Digital Defence, a Burlington, Ont.-based security firm. Even though most programming languages have a built-in capability to allow whitelisting, developers often neglect to take advantage of it because they aren’t asked to do so by their clients and they aren’t taught to do it at school.
“If you review the curriculum at most Canadian universities, security isn’t taught,” he says.
Common attacks such as cross-site scripting and SQL injection could be prevented with whitelisting techniques, Beggs says. Hackers conduct such attacks by sending pieces of code to a Web server through a blank field in a form. But if the form were programmed to reject anything except legitimate values for the field (for example, “male” or “female” for gender), then it wouldn’t be an issue.
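The form-field whitelisting described above can be sketched as follows. This is an added example, not code from the PIAC report or from anyone quoted in the article; the field names other than gender, the schema and the sample submissions are hypothetical and constructed for illustration.

```python
import re

# Allow-list rules for a hypothetical form. Only "male"/"female" come from the article.
GENDER_VALUES = frozenset({"male", "female"})
# re.ASCII keeps \d to 0-9; fullmatch() is used below so a trailing newline
# cannot slip past the pattern the way it can with "$".
POSTAL_CODE = re.compile(r"[A-Z]\d[A-Z] ?\d[A-Z]\d", re.ASCII)
AGE = re.compile(r"[0-9]{1,3}")

def check_gender(value):
    return value in GENDER_VALUES

def check_postal(value):
    return POSTAL_CODE.fullmatch(value) is not None

def check_age(value):
    return AGE.fullmatch(value) is not None and 0 < int(value) <= 120

SCHEMA = {"gender": check_gender, "postal_code": check_postal, "age": check_age}

def validate_form(form):
    """Return (ok, errors); accept only known fields holding allow-listed values."""
    errors = [f"unexpected field: {name}" for name in form if name not in SCHEMA]
    for name, check in SCHEMA.items():
        value = form.get(name)
        # The rejected value is never echoed back in the error message.
        if not isinstance(value, str) or not check(value):
            errors.append(f"rejected value for field: {name}")
    return (not errors, errors)

# Constructed sample submissions (not real traffic).
GOOD = {"gender": "female", "postal_code": "K1A 0B1", "age": "34"}
SAMPLES = [
    GOOD,
    {**GOOD, "gender": "<script>alert(1)</script>"},  # markup in an enum field
    {**GOOD, "gender": "male' OR '1'='1"},            # SQL fragment appended
    {**GOOD, "postal_code": "K1A 0B1\n"},             # trailing newline
    {**GOOD, "age": "\uff11\uff12"},                  # full-width (non-ASCII) digits
    {**GOOD, "is_admin": "true"},                     # field the form never defined
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(validate_form(sample))
```

This works for fields with a closed or tightly patterned set of legitimate values; free-text fields still need parameterised queries and output encoding, because no list of accepted values exists for them.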
One example of a whitelist-inspired approach to consumer and small business security is Symantec Corp.’s reputation-based detection technology. It’s a hybrid approach that uses both blacklisting and whitelisting, judging a file not just on its contents but on other users’ experience with that file and its origin. The technology is currently used in products including Norton Internet Security 2010 and Symantec Hosted End-Point Protection.
The reputation engine is powered by Symantec’s 30 million-plus Community Watch users, and according to Gerry Egan, director of product management at Symantec Corp., it’s psychic.
“Imagine you were super-telepathic and you could envisage every file on the planet, and you knew how many copies of that file there were,” he explains. “We try to assign a rating of good or bad to every file we know about.”
Symantec’s database now has 1.7 billion files listed, and they are painted in shades of grey on the spectrum between black and white. The new approach has helped Symantec’s software stop about 4 million attack attempts per month that would have slipped by otherwise, Egan says.
“We use reputation to decide what restaurants we eat at,” he says. “There’s no reason we shouldn’t use some similar concepts in these files we allow to access our machines.”
Symantec is already rolling the technology into its enterprise-grade products, he adds.
While PIAC’s report is positive about whitelisting’s security usefulness, it recognizes that whitelisting is not a magic bullet for the security industry. Its design can’t cope well with the grey area of adware or spyware, for example. There are also censorship concerns should a major internet service provider ever try to implement a centralized whitelist without good transparency into how it’s going about doing so.
“That could trigger a concern for net neutrality,” Lo says. “There’s some larger policy concerns for the Internet.”
No current use of whitelists concerned PIAC, she adds.
Canadians need help in protecting against a growing mass of online threats, PIAC says in its report. The government’s Cyber Security Strategy announcement Oct. 3 was a good first step in doing that.
Now PIAC will watch and see if the government is sufficiently technical in its advice on how to secure devices from home computers to small business networks, Lo says.