the unwanted software like malware. It works to keep malware and other unwanted or malicious software from running on a computer system. NIST Special Publication 800-167, Guide to Application Whitelisting, covers the basics of application whitelisting as well as its planning and implementation. To help organizations that want to stop such threats understand these essential concepts, we present a quick summary of the guide here.
An application whitelist is a list of applications and application components that are authorized for use in an enterprise. Application whitelisting technologies use whitelists to decide which applications are allowed to execute on a host, thereby preventing the execution of unlicensed software, malware, and other unauthorized software.
Application whitelisting can be based on a variety of file and folder attributes, listed below:
File Path
Whitelisting based on this attribute permits every application found within a given file path. The path therefore needs to be protected by strict access controls; otherwise any malicious file placed in that directory would be allowed to execute.
File Name
Applications or application components are permitted based on their file name. If a file becomes infected or is replaced, its file name does not change, and attackers could also place a malicious file under an accepted file name. Hence, it is recommended to combine this attribute with other attributes.
File Size
Accepting an application based on its file size assumes that a malicious file will have a different size than the original. However, attackers can make an infected file appear to be the same size as its benign counterpart. Therefore, this attribute is generally paired with other attributes such as the file name.
Digital Signature or Publisher
Application whitelisting can also be based on the digital signature provided by the publisher, or on the identity of the publisher.
Cryptographic Hash
Whitelisting applications based on a hash computed with a strong cryptographic hash function is accurate regardless of the file path, file name, or digital signature, and remains so until the file is updated.
2. Application Resources
Method 1: Use vendor-provided details on the characteristics of known applications, together with organization-generated details on the characteristics of organization-specific applications.
Method 2: Scan the files on a known-clean host to establish a good known reference point (baseline).
Both methods are effective on their own until an application is updated or a new application is installed.
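The following Python script is an added example, not code from the NIST guide or this article. It demonstrates Method 2 (scanning a clean host to build a baseline) and then shows how the attribute types described above behave when a file is tampered with. The "clean host" is a constructed temporary directory with hypothetical sample files; the sizes, names and contents are invented for the demonstration. The point it makes concretely is that a tampered binary with the same name, directory and byte length still passes path, name and size rules, while only the cryptographic hash rule rejects it.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Constructed sample "clean host" contents (hypothetical, not from the NIST guide).
CLEAN_FILES = {
    "bin/app.exe": b"MZ-original-application-binary-v1.0\n",
    "bin/helper.dll": b"MZ-helper-library-v1.0\n",
    "docs/readme.txt": b"release notes\n",
}


@dataclass(frozen=True)
class WhitelistEntry:
    path: str      # root-relative path, "/" separated
    name: str      # bare file name
    size: int      # size in bytes
    sha256: str    # hex digest of the file contents


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def populate_clean_host(root: str, files: dict = CLEAN_FILES) -> None:
    """Write the constructed sample files under root to stand in for a clean host."""
    for rel_path, data in files.items():
        full = os.path.join(root, *rel_path.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def build_whitelist(root: str) -> list:
    """Method 2: scan a known-clean host and record every file's attributes."""
    entries = []
    for dirpath, _dirs, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            with open(full, "rb") as f:
                data = f.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append(WhitelistEntry(rel, filename, len(data), sha256_of(data)))
    return entries


def evaluate(entries: list, rel_path: str, data: bytes) -> dict:
    """Report which attribute-based rules would allow a candidate file to execute."""
    directory, _, name = rel_path.rpartition("/")
    return {
        "file_path": any(e.path.rpartition("/")[0] == directory for e in entries),
        "file_name": any(e.name == name for e in entries),
        "name_and_size": any(e.name == name and e.size == len(data) for e in entries),
        "sha256": any(e.sha256 == sha256_of(data) for e in entries),
    }


def demo() -> dict:
    """Build a whitelist from the constructed clean host and test three candidate files."""
    with tempfile.TemporaryDirectory() as root:
        populate_clean_host(root)
        whitelist = build_whitelist(root)
    original = CLEAN_FILES["bin/app.exe"]
    # Tampered copy: same name, same directory, same byte length, different content.
    tampered = original.replace(b"v1.0", b"v6.6")
    assert len(tampered) == len(original)
    # A new file dropped into the whitelisted directory under a new name.
    dropped = b"MZ-unknown-dropper\n"
    return {
        "original": evaluate(whitelist, "bin/app.exe", original),
        "tampered": evaluate(whitelist, "bin/app.exe", tampered),
        "dropped": evaluate(whitelist, "bin/dropper.exe", dropped),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```

Running the script prints one verdict per candidate: the original passes every rule, the tampered copy passes everything except the SHA-256 rule, and the dropped file passes only the path rule because the directory itself is whitelisted. This is why the guide recommends pairing weak attributes with each other and, where the update cadence allows, relying on hashes.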
1. Audit Mode
This mode allows all items to run, including those not on the whitelist, and logs their execution. It provides data for continuous monitoring and analysis.
2. Enforcement Mode
This mode automatically permits the execution of whitelisted items and blocks the execution of blacklisted items. It comes in three variants:
Whitelist Enforcement - Blocks the execution of all items except the whitelisted items.
User Prompting - Depends on the user's or administrator's decision to accept or reject files that are neither whitelisted nor blacklisted.
Blacklist Enforcement - Allows the execution of all items except the blacklisted items.
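The following Python class is an added example, not code from the NIST guide or this article, showing how the four modes above differ in their treatment of an unlisted item. Items are identified by an opaque string key (in a real product this would be a cryptographic hash or similar identifier); the whitelist, blacklist and item keys in the sample run are constructed placeholders.

```python
from enum import Enum


class Mode(Enum):
    AUDIT = "audit"
    WHITELIST_ENFORCEMENT = "whitelist enforcement"
    USER_PROMPTING = "user prompting"
    BLACKLIST_ENFORCEMENT = "blacklist enforcement"


class ExecutionPolicy:
    """Decides whether an item may execute under one of the guide's operating modes.

    Items are identified by a string key (in practice a cryptographic hash).
    """

    def __init__(self, mode, whitelist, blacklist, prompt=None):
        self.mode = mode
        self.whitelist = set(whitelist)
        self.blacklist = set(blacklist)
        self.prompt = prompt   # callable(item) -> bool; consulted only in USER_PROMPTING
        self.log = []          # execution log, the audit trail in every mode

    def _status(self, item):
        if item in self.whitelist:
            return "whitelisted"
        if item in self.blacklist:
            return "blacklisted"
        return "unlisted"

    def decide(self, item):
        status = self._status(item)
        if self.mode is Mode.AUDIT:
            allowed = True          # audit mode never blocks; it only records
        elif status == "whitelisted":
            allowed = True          # all enforcement variants permit whitelisted items
        elif status == "blacklisted":
            allowed = False         # all enforcement variants block blacklisted items
        elif self.mode is Mode.WHITELIST_ENFORCEMENT:
            allowed = False         # unlisted: default deny
        elif self.mode is Mode.BLACKLIST_ENFORCEMENT:
            allowed = True          # unlisted: default allow
        else:                       # USER_PROMPTING: defer to the user/administrator
            allowed = bool(self.prompt(item)) if self.prompt else False
        self.log.append((self.mode.value, item, status, "allowed" if allowed else "blocked"))
        return allowed


def compare_modes(items, whitelist, blacklist, user_accepts):
    """Run the same items through all four modes; returns {mode name: [allowed flags]}."""
    results = {}
    for mode in Mode:
        policy = ExecutionPolicy(mode, whitelist, blacklist, prompt=lambda item: user_accepts)
        results[mode.value] = [policy.decide(item) for item in items]
    return results


if __name__ == "__main__":
    # Constructed sample keys: one whitelisted, one blacklisted, one unknown item.
    sample = ["hash-of-approved-app", "hash-of-known-malware", "hash-of-unknown-tool"]
    for mode_name, flags in compare_modes(sample, {sample[0]}, {sample[1]}, user_accepts=False).items():
        print(f"{mode_name:22s} {flags}")
```

The unknown third item is where the modes diverge: audit mode allows it and logs it, whitelist enforcement blocks it, blacklist enforcement allows it, and user prompting allows it only if the user accepts. The log tuple records the mode, item, list status and outcome, which is the data stream the guide has in mind when it says audit mode feeds continuous monitoring.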
In addition to offering application access control, application whitelisting technologies can be employed for other purposes, such as:
Software Inventory - The technology can maintain an inventory of the applications and application versions installed on each host. This is useful for identifying unlicensed, prohibited, wrong-version, modified, unknown and unauthorized applications, as well as malware.
File Integrity Monitoring - Application whitelisting technologies perform continuous or frequent monitoring of attempted changes to files, which is useful for preventing or reporting file changes.
Incident Response - Whitelisting technologies compare the files on a host with the characteristics of malicious files captured while responding to an incident, in order to determine whether the host has been compromised.
Data Storage Access Control - Permits only encrypted devices, or devices with a certain serial number, thereby restricting file reads, writes and execution on removable media.
Memory Protection - Prevents attacks that affect files in memory.
Software Reputation Services - Reviews the software that an application is bundled with, in order to analyze it for substantial security risk.
Anti-malware Technology Integration - Integrates with other malware analysis products to identify malicious content.
When selecting and deploying application whitelisting, it is essential to consider important differences in the operational environment. They are as follows:
3. Test the prospective whitelisting technology in monitoring mode to understand how it behaves
For successful planning and implementation of application whitelisting, it is important to follow the step-by-step phased approach presented below:
Initiation
The initiation phase involves determining the current and future requirements for application whitelisting, and how those requirements can best be satisfied. The requirements to consider are:
External Requirements - The enterprise may be subject to review by another enterprise that requires application whitelisting.
System & Network Requirements - It is essential to understand the nature of these requirements in order to choose compatible solutions with the vital functionality. Factors to consider are:
o Characteristics of the devices that require application whitelisting
o Technical attributes of the interfacing systems
Requirement Analysis Outcomes
Design
Once the requirements have been determined and suitable technologies have been chosen, the next step is to design a solution that meets those requirements. Accurate design decisions are vital to keep the application whitelisting implementation from being susceptible to compromise or failure. The major design factors to focus on are as follows:
Cryptography - It should be applied in three ways in these technologies:
1. To create and verify cryptographic hashes for files and other application components
3. To protect the confidentiality and integrity of communication between the individual hosts and the centralized management
Solution Architecture - Involves the selection of software and devices to provide application whitelisting services, and the placement of centralized elements within the existing network infrastructure.
Whitelist Management - Involves establishing trusted publishers, updaters, users, etc.
Implementation
Once the solution is designed, the next step is implementing and testing a prototype of the design. Implementation and testing should initially be performed on test devices or in a lab; only the final version of the application whitelisting solution should be deployed on production devices. The factors of the prototype solution that need evaluation comprise the following:
Deployment
The next phase, after testing and resolving any issues, is deployment. An enterprise should deploy gradually, starting with a small number of hosts. This helps avoid several issues, including loss of availability. Most issues that occur are likely to occur on multiple hosts, so it is useful to identify them while testing the deployment on the first hosts, so that they can be addressed before widespread deployment.
Management
The final phase ensures the solution's long-term operation. Managing an application whitelisting solution involves operating the deployed solution and maintaining the architecture, software, policies and other components of the application whitelisting solution.
This article covers the basics of application whitelisting and gives an overview of the planning and implementation of application whitelisting as examined in the NIST Guide.
Hack2Secure is one of the few global vendors with the capability to deliver end-to-end Information Security programs, viz. Training, Certification (PearsonVUE) and Services across Information Security domains, aligned with industry security requirements and best practices. Connect with us to explore more.