White Listing and Black Listing Applications – CompTIA Security+ SY0-401: 4.3

One common strategy of managing applications is to set specific restrictions on their use. In this video, you’ll learn about the advantages and disadvantages of white listing and black listing applications.


One of the fundamentals of host security is what applications are running on your computer. It’s these running applications that can be exploited through a buffer overflow or some type of data injection into your system, infecting you with malware or spyware or allowing somebody access to your resources. Any application can be dangerous. A Trojan horse, a piece of malware, or anything else might be hidden inside of these applications.

Since these exploits can only happen if an executable is run, it makes sense for the security administrator to think about ways to control the execution of applications. There are two major strategies here. One is to whitelist applications, and the other is to blacklist applications.

If you’re going to whitelist applications, that means that nothing can run on a computer unless it is first approved. This is obviously very restrictive, and it probably requires quite a bit of administration, to first have a list of approved applications, and then certainly there will be applications that need to be constantly added to this list. The advantage, of course, is that you know exactly what applications are going to be running on these computers and nobody’s going to be running applications that have not first been checked to make sure that they’re safe for your system.

Blacklisting is the exact opposite. You can run any application on your computer except for these specifically named applications. We see this very often with antivirus software or anti-malware software, which has a set of signatures for certain applications, and it simply will not allow you to run those apps on your computer. This obviously requires a lot less administrative overhead, but it also opens up your system to run applications that perhaps have not been blacklisted yet. And therefore, you have to stay one step ahead of the bad guys.

When you’re dealing with host security, the decision to run or not run an application is something that’s usually built into the operating system itself. These decisions are usually made based on a blacklist or a whitelist, and they’re configured, set up, and managed by the security administrator. If we’re going to add an application to a whitelist or a blacklist, we’ll need to identify it in some way. And identifying it just based on a file name is not something that’s very secure, since other applications can simply use the same file name and get around that kind of restriction.

Instead, we tend to use something like an application hash. We get a hash value of the contents of that executable, which means that every executable is going to have a unique hash identifier. Even if you have two file names that are identical but the executables are different, they will have different hash values.

So you’ll be able to designate what applications are good or bad based on this unique value. And even if the bad guys are able to modify the executable by embedding their own code, the hash will then be different. And therefore, the executable will not be able to run on that system.
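The file-name rule versus the hash rule, worked through as an added example (not code from the video or from any real operating-system policy engine). The three "executables" are constructed byte strings standing in for real binaries, and the rule dictionaries are a made-up policy format for illustration.

```python
import hashlib

# Constructed sample "executables" (stand-ins for real binaries; not from the page).
APPROVED_APP = b"MZ\x90\x00 constructed approved application v1"
TAMPERED_APP = APPROVED_APP + b"\x90\x90 injected code"   # same name, modified contents
OTHER_APP    = b"MZ\x90\x00 constructed unrelated program"

def sha256_hex(exe_bytes: bytes) -> str:
    """Identifier used by the policy: a digest of the executable's full contents."""
    return hashlib.sha256(exe_bytes).hexdigest()

def decide_by_filename(filename: str, rules: dict) -> str:
    """Weak approach from the text: identify an application only by its file name."""
    if rules["mode"] == "whitelist":
        return "allow" if filename in rules["names"] else "deny"
    return "deny" if filename in rules["names"] else "allow"

def decide_by_hash(exe_bytes: bytes, rules: dict) -> str:
    """Stronger approach: identify an application by the hash of its contents.
    mode == "whitelist": default deny, run only listed hashes.
    mode == "blacklist": default allow, block only listed hashes."""
    listed = sha256_hex(exe_bytes) in rules["hashes"]
    if rules["mode"] == "whitelist":
        return "allow" if listed else "deny"
    if rules["mode"] == "blacklist":
        return "deny" if listed else "allow"
    raise ValueError(f"unknown mode {rules['mode']!r}")

def demo() -> dict:
    """Walk through the cases the text describes and return each decision."""
    name_allow = {"mode": "whitelist", "names": {"word.exe"}}
    hash_allow = {"mode": "whitelist", "hashes": {sha256_hex(APPROVED_APP)}}
    hash_block = {"mode": "blacklist", "hashes": {sha256_hex(OTHER_APP)}}
    return {
        # File-name rule: an unrelated program renamed to an approved name slips through.
        "filename_renamed_bypass": decide_by_filename("word.exe", name_allow),  # allow (bad)
        # Hash whitelist: the approved binary runs, whatever its file name...
        "hash_approved": decide_by_hash(APPROVED_APP, hash_allow),               # allow
        # ...but tampering with the contents changes the digest, so it is denied...
        "hash_tampered": decide_by_hash(TAMPERED_APP, hash_allow),               # deny
        # ...and an unrelated program using the same file name is denied too.
        "hash_other_program": decide_by_hash(OTHER_APP, hash_allow),             # deny
        # Hash blacklist: anything not yet listed is allowed, the gap the text warns about.
        "blacklist_listed": decide_by_hash(OTHER_APP, hash_block),               # deny
        "blacklist_unlisted": decide_by_hash(TAMPERED_APP, hash_block),          # allow
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:26s} -> {verdict}")
```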

Many application developers and publishers will digitally sign their executables. They use a certificate that everyone has so that everyone can automatically trust this digital signature. Microsoft does this a lot with their executables. So when you run Microsoft Word, that executable has already been digitally signed by Microsoft.

One good way to take advantage of this would be to set up a policy that allows digitally signed executables from Microsoft but restricts any other kind of executable on the system. An application management strategy that is less secure but probably easier to administer is configuring your system to run certain applications only from a particular path on your computer. This means that only applications in certain folders on your computer would be able to execute.

And on Windows systems, you have this concept of a network zone. And if you are in a particular network zone and running a particular application from devices or servers in that network zone, it might be allowed. If you happen to be outside of the building and you’re in an external or different network zone, perhaps you’ll restrict applications from running in those particular unknown or untested zones.