Security experts look to 'whitelisting' future

Summary:With the existing blacklisting techniques for preventing malware failing to solve the problem, taking the reverse approach may be the answer

The IT security industry has come to a frank realisation that the current approach to preventing malware is simply not working. Is whitelisting, which is the reverse of our current approach, the answer?

Whitelisting is the process by which only pre-approved applications are able to execute on a network, while unknown and unwanted ones are blocked. It is the opposite of today's approach, by which applications are free to run unless an administrator has moved to block them.

Speaking at the AusCERT 2008 security conference, Graham Ingram, general manager of AusCert (Australian Computer Emergency Response Team), said today's blacklisting approach is simply not working. Defences against malware, he said, can be completely undermined "by the click of a mouse or the enter key of a user".

Scott Charney, vice president trustworthy computing group at Microsoft, said "most people who run machines actually don't know what is executing on their machine".

"I think [whitelists] are a natural progression," said Ingram. "I think the realisation [is] that blacklisting only had a limited life and we're getting towards the end of that."

"I am not so sure that we can get to a place of feeling confident in our infrastructure without doing whitelisting," added John Stuart, chief security officer of Cisco Systems.

While most at the conference agreed that whitelisting is the only available option, the model by which the industry goes about implementing it is the subject of debate.

Security vendor Lumension Security (previously called Patchlink) is hopeful that the problem can be addressed at the application layer, so future security software tools will incorporate the principles of whitelisting.

These tools, according to Andrew Clarke, senior vice president of Lumension Security, would ensure that "if someone is introducing a rogue application into an organisation and it's not on the whitelist and it's not a known good, it won't run."

But Microsoft advocates taking the whitelist concept further.

"We really do need an environment where things cannot execute without the user making certain choices," says Microsoft's Charney. "There are some fundamental engineering changes that have to happen."

Security, says Charney, needs to be built into the "trusted stack" — incorporated not just in software but in hardware.

"We have to start rooting trust in the hardware, because it is easier to manipulate software than hardware," he told "You'll see more and more hardware-linked functionality like BitLocker in Vista."

BitLocker is a function within enterprise versions of Windows Vista that encrypts the hard disk and only allows it to work on a specific machine. It can also be...

Topics: Security


Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.Munir was recognised as Austr... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.