NIST Guide On Application Whitelisting A Quick Summarization
Application whitelisting is nothing but a technology that is created to maintain the system secure from the unwanted software like malware. It works to keep the malware as well as other unwanted malicious software from functioning on a computer system. NIST Special Publication 800-167, called Guide to Application Whitelisting includes the basics of application whitelisting as well as its planning & implementation. With the aim of making the organization which wants to stop threats, understanding these essential concepts, here we presented a quick summary of the same.
An application whitelist is defined as the set of applications as well as application components, which are authorized to apply in an enterprise. This technology uses whitelists to decide which applications are allowed to execute on the host. Thereby it prevents the execution of unlicensed software, malware, and other unauthorized software.
Application Whitelisting Basics
Basic definitions as per NIST :
Major Difference Between Application Whitelisting And Security Technologies
Types Of Application Whitelisting
Application whitelisting is based on the following types:
1. Application files and folder attributes, which can be evaluated
2. Application resources handled
3. Whitelist generation techniques
1. Files and Folder Attributes
Application whitelisting can be available according to the variability of files and folder attributes that are listed below:
- File Path
Application whitelisting based on this attribute permits the entire applications presented within a certain file path. Here, the path requires being prevented by some strict access control otherwise there would be a chance to allow any malicious files presented in the directory to be executed.
- File Name
The application or application components are permitted based on their File Name. If a file becomes infected or replaced, there would not be a change in the file name. Similarly, hackers could find a way to place the malicious file with the accepted file name format. Hence, it is recommended to use this attribute complied with other attributes.
- File Size
Accepting application based on the file size includes the assumption that malicious files have different file size as compared to the original. However, attackers can make the infected files to appear in same file size as their benign matching part. Therefore, this attribute is generally paired with other attributes like a file name.
- Digital Signature Or Publisher
Application whitelisting are based on the digital signature provided by the publisher or the identity of the publisher.
- Cryptographic Hash
Whitelisting applications based on the strong cryptographic algorithm associated with the hash function is almost accurate regardless of the file path, file name and its digital signature until the file is updated.
2. Application resources
Application whitelisting is often permitted or restricted based on monitoring executable. In addition, most of these technologies also include the capability to monitor some other kinds of application associated files like scripts, libraries, browser-plugins, macros, configuration files and application-associated registry entries.
3. Whitelist Generation Techniques
Whitelist generation comes in two primary methods:
Method 1: Consider the vendor provided details on the known application’s characteristics along with organization generated details on the organization specific application’s characteristics.
Method 2: Scanning the files on the clean host in order to form a good known reference point.
Both methods are effective on their own until the application is updated or any new application gets installed.
Application Whitelisting Modes
Most of the application whitelisting come in two operational runtime modes:
This mode allows whole items including those, which are not listed on the whitelist & logs their execution. It offers data in the process of continuous monitoring and analyses.
2. Enforcement Mode
This mode automatically permits and blocks the execution of whitelisted items and blacklisted items respectively.
Different Forms Of Enforcement Mode Are:
- Whitelist Enforcement – Block the execution of entire items excepts the whitelisted items.
- User Prompting – Depends on the user or administrators command to accept or reject the files, which are not whitelisted or blacklisted.
- Blacklist Enforcement – Allows the execution of entire items excepts the blacklisted items.
Application Whitelisting Technologies Uses
In addition to the offering application access control, application whitelisting technologies can be employed in other purposes such as:
- Software Inventory – This technology can maintain an inventory of the applications as well as application versions that is installed on each host. Useful in identifying unlicensed applications, prohibited applications, wrong version software, modified applications, malware, unknown applications, and unauthorized applications.
- File Integrity Monitoring – Application whitelisting technologies perform continuous or frequent monitoring of attempted changes to the files. Useful in preventing files changes or report file changes.
- Incident Response – Whitelisting technologies check the files on the host with the characteristics of malicious files captured after responding to an incident in order to find that they have been compromised or not.
- Data Storage Access control - Permits only the encrypted device or devices with a certain serial number. Thereby restricts the file read, write & execution on the removable media.
- Memory Protection – Prevents the attacks that affect the files in the memory.
- Software Reputation Services – Reviews the software that the application is bundled with, in order to analyse for substantial security risk.
- Anti-malware Technology Integration – Integrate with other malware analysis product to identify the malicious content.
Operational Environment Differences
When it comes on selecting & deploying application whitelisting, it is essential to consider the important differences in the operational environment. They are as follows:
- Standalone Or Small Office/Home Office(SOHO) – Small or informal system installation, which is used for business or home purpose. It is, the least secure one.
- Managed or Enterprise – Refers to the large organizational systems along with defined suites of software and hardware configurations, generally comprising of Centrally Managed IT products.
- Specialized Security-Limited Functionality (SSLF) Or Custom – Includes systems in which the degree and functionality of the security don’t fit the Managed or Standalone environments. It is a highly restrictive and secure environment.
Assessing Application Whitelisting Solution
The evaluating process includes the following steps:
1. Analysis of environment in which the hosts or the system will be functioning.
2. Consider whether a built-in application whitelisting or third-party solution are feasible
3. Test the perspective whitelisting technology in the monitoring mode to understand how it behaves
Planning And Implementation Of Application Whitelisting
For a successful planning as well as implementation of the application whitelisting, it is important to follow the step-by-step phased approached presented below:
The initiation phase involves to determining the current as well as future requirements for the application whitelisting. It also aims to determine how those requirements can best be satisfied. The requirements need to consider are:
- External Requirements – The enterprise may be subject to review by another enterprise, which requires application whitelisting.
- System & Network Requirements – It is essential to understand the nature of these requirements to choose compatible solutions with the vital functionality. Factors to consider are:
- Characteristics of devices, which require application whitelisting
- Technical attributes of interface systems
Requirement Analysis Outcomes
- Identification of types of applications / application components.
- Determination of classes of whitelisting application, which should be applied to balance usability, maintainability and security.
- Analysis of requirements documentations including performance requirements, security capabilities, management requirements, usability and maintenance requirements and the security of the technology.
Once the requirements have been determined and the suitable technologies have been chosen, then the next action to focus on is designing a solution, which meets those requirements. It is vital to make accurate design decision to prevent the application whitelisting implementation to be susceptible to compromise / failed. Major design factor to focus on are as follows:
- Cryptography - It should be applied in three ways for the technologies. They are:
1. To create & verify cryptographic hashes for files & other application components.
2. To evaluate digital signature.
3. To protect the confidentiality & integrity of communication among the individual hosts & centralized management.
- Solution Architecture - Involves the selection of software and devices to offer application whitelisting services & the centralized element placements within the available network infrastructure.
- Whitelist Management - Involves the establishment of trusted publishers, updaters, users, etc.
Once the solution is designed, the consequent step is implementation & test of a design prototype. Initially, the action of implementation and testing should be performed on the test devices or lab. Only the application whitelisting solution in the final stage should be allowed to implement on the production devices. The factors of the prototype solution that need evaluation comprise the following:
- Application Control Functionality
- Security of Implementation
The next phase that comes after testing and resolving any issues is, deployment. An enterprise should follow gradual deployment from a small number of hosts. This will help to avoid several issues includes loss of availability. Most of the issues that happen are possibly happen on multiple hosts; hence, it is useful to determine such issues at the time of the testing process deploying the 1st hosts; hence those issues can be concentrated before widespread deployment.
The final stage is to ensure the long lasting. Managing an application whitelisting solution involves functioning the deployed solution & maintaining the architecture, software, policies and other solution components of the application whitelisting.
Some Typical Actions Are As Follows:
- Updating the whitelist in order to add new / updated applications
- Testing & applying patches to the whitelisting software
- Deploying application whitelisting solution for additional platforms
- Doing key management duties
- Adopting policies as per the change in the requirements
- Monitoring components for the security and operational issues
- Regularly performing testing to guarantee that whitelisting is working properly
- Performing regular vulnerability valuations
This article almost covers the basics of the application whitelisting and overview of the planning and implementation of the application whitelisting which are examined in the NIST Guide.
Hack2Secure is as one of the few global vendors with capability to deliver End-to-End Information Security programs viz Training, Certification (PearsonVUE) and Services across Information Security domains aligned with Industry Security requirements and Best practices. Connect with us to explore more.