Essential Technology: A GCS Blog

A Blog About Business Technology Systems

About GCS

GCS Technologies provides technology services and solutions. You can read more about GCS at http://www.gcsaustin.com. GCS is available for project work covering the topics in this blog and other IT systems.

Fed Compliance

I know all of this stuff because I sell all of this stuff. I call it real-world experience, the FCC thinks it might be a conflict-of-interest.

Is Antivirus Software Good Enough or is it a Broken Model? (Part Two)

by Marquis Calmes 25. September 2009 06:30

In my last posting I promised to explain the concept of Application Whitelisting. But before we get to that there is another reactive aspect of computer security I failed to mention...software vulnerabilities.

Viruses and malware don't just take advantage of trusting users to infect systems. Frequently these programs exploit vulnerabilities in your computer's operating system and applications. And once a system is infected, other vulnerabilities can be used to spread the infection across your network.

Security researchers work tirelessly to find these flaws and alert the software makers before the bad guys figure out how to use them. But even if a flaw is discovered and disclosed before an exploit is developed, it takes time for the software vendors to build patches to fix the problem. A patch does not help until it is actually applied, which falls on users and IT shops. Even the best IT shops struggle to keep their systems patched. It is a never-ending battle, and as this reactive cycle plays out, your computers are left vulnerable.

As the number of bad programs grows, the reactive process of detecting, processing and tracking them becomes more and more inefficient. So what is an organization to do? Application whitelisting is a change of approach in computer security from the ways of antivirus. Instead of trying to figure out all the programs in existence you don't want to run on your computer, you specify what programs you DO want to run. And more advanced whitelisting applications can go a step further and prevent the programs you allow from doing things they aren't supposed to when a vulnerability is exploited.

There are many different approaches to tracking what software is approved.

·     Simple whitelisting programs use the file name and/or path to determine if a program is allowed to run. These systems can be bypassed by changing the name of a file or moving it to a different directory.

·     A more advanced method is to use a hash of the file, a string of characters generated by processing the file through a mathematical algorithm. If even a single bit of the file is changed the hash will no longer match. The problem with this method is that if a program is updated the hash must also be updated. 

·     More reputable software vendors now "sign" their programs with digital certificates very similar to those used to secure web pages. This allows you to verify that the program was actually released by that company. Instead of using one of the above methods to approve software, you can tell your whitelisting software to approve any program signed by a particular vendor's certificate. Unfortunately not all code is signed.

Frequently a combination of the above methods is required to build a whitelist. Once a whitelist has been created and applied to a computer, any program not specifically listed will be prevented from executing. This should prevent any malware from running, but if not done correctly it can also prevent legitimate software from running. The ability to manage a whitelist is almost as important as the ability to enforce it.
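The three approval methods above, and the reason a real whitelist usually combines them, can be seen in a small evaluator. This is an added example written for this post, not code from the post or from any whitelisting product; the Program and Whitelist classes, the sample paths, the publisher name "Example Software Inc" and the file contents are all constructed, and "signed by" is simulated with a trusted-publisher lookup rather than real certificate validation.

```python
"""Added example, not code from the original post or from any product:
a toy application-whitelist evaluator combining the three approval methods
described above (path, file hash, signing publisher).

Assumptions, all constructed for illustration:
  * a program is modelled as a path, its bytes and an optional publisher
    name that stands in for a verified code-signing certificate;
  * real certificate-chain validation is out of scope, so "signed by" is
    simulated by a trusted-publisher lookup.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Program:
    path: str
    content: bytes
    publisher: Optional[str] = None   # None models an unsigned binary


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Whitelist:
    allowed_paths: Set[str] = field(default_factory=set)
    allowed_hashes: Set[str] = field(default_factory=set)
    trusted_publishers: Set[str] = field(default_factory=set)

    def decide(self, prog: Program) -> Tuple[bool, str]:
        """Return (allowed, reason). Anything matching no rule is denied:
        default-deny is what distinguishes a whitelist from antivirus."""
        if prog.publisher is not None and prog.publisher in self.trusted_publishers:
            return True, f"publisher rule: signed by {prog.publisher}"
        if sha256_hex(prog.content) in self.allowed_hashes:
            return True, "hash rule: SHA-256 matches an approved build"
        if prog.path in self.allowed_paths:
            return True, "path rule: approved file location"
        return False, "default deny: no whitelist rule matched"


def demo() -> dict:
    """Show each rule type's strength and the weakness the post describes,
    using constructed sample programs."""
    calc_v1 = Program(r"C:\Tools\calc.exe", b"CALC build 1")   # unsigned in-house tool
    calc_v2 = Program(r"C:\Tools\calc.exe", b"CALC build 2")   # same tool after an update
    editor = Program(r"C:\Program Files\Editor\editor.exe", b"EDITOR 1.0", "Example Software Inc")
    unknown = Program(r"C:\Users\me\Downloads\invoice.exe", b"UNKNOWN PAYLOAD")

    path_only = Whitelist(allowed_paths={calc_v1.path})
    hash_only = Whitelist(allowed_hashes={sha256_hex(calc_v1.content)})
    publisher_only = Whitelist(trusted_publishers={"Example Software Inc"})

    results = {}
    # Path rule: approves by location only, so a different file at the same path also passes.
    results["path_allows_tool"] = path_only.decide(calc_v1)[0]
    impostor = Program(calc_v1.path, unknown.content)
    results["path_allows_impostor_at_same_path"] = path_only.decide(impostor)[0]

    # Hash rule: the same bytes pass anywhere, but an updated build no longer matches
    # until the administrator adds its hash, which is the maintenance burden noted above.
    moved = Program(r"C:\Users\me\Desktop\renamed.exe", calc_v1.content)
    results["hash_allows_moved_copy"] = hash_only.decide(moved)[0]
    results["hash_allows_updated_build"] = hash_only.decide(calc_v2)[0]

    # Publisher rule: covers every build the vendor signs, but unsigned code is left out.
    results["publisher_allows_signed_editor"] = publisher_only.decide(editor)[0]
    results["publisher_allows_unsigned_tool"] = publisher_only.decide(calc_v1)[0]

    # Combining rules covers the legitimate software while still denying the unknown file.
    combined = Whitelist(
        allowed_hashes={sha256_hex(calc_v1.content), sha256_hex(calc_v2.content)},
        trusted_publishers={"Example Software Inc"},
    )
    results["combined_allows_editor"] = combined.decide(editor)[0]
    results["combined_allows_updated_tool"] = combined.decide(calc_v2)[0]
    results["combined_allows_unknown"] = combined.decide(unknown)[0]
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:40s} {'ALLOW' if allowed else 'BLOCK'}")
```

Running the script prints one line per check. The order of the rules in decide() matters in practice: the publisher rule is checked first because it is the broadest, and the path rule last because it is the weakest; the combined list deliberately has no path rule at all, since the impostor case shows that a path rule approves whatever happens to sit at that location.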

In the next post on this subject I'll introduce a couple of application whitelisting products and explore the differences in how they work.


Is Antivirus Software Good Enough or is it a Broken Model?

by Marquis Calmes 22. September 2009 02:32

Running antivirus has become standard practice on home computers and corporate desktops alike. It is required by a number of security certifications and most IT security policies. Yet I'm willing to bet that almost every company has still seen an increase in the number of computers infected with some form of malware. And cleaning up the havoc malware wreaks is becoming more and more difficult. It would seem antivirus is letting us down when we need it most. This is backed up by recent research that shows that of 10,000 computers infected with a common Trojan virus, 55% were running fully updated, fully functional AV software.

So, if you are running antivirus, why doesn't that protect your computer? In my view the problem with antivirus is that it is far too reactive and not proactive. To explain, let's look at how antivirus works:

·         Antivirus companies scour the internet looking for new malware. The problem with this is that some poor soul is already infected at this point.

·         The antivirus company then has to build a signature of this particular malware. This takes time during which your computer is potentially vulnerable.

·         The signature is then packaged and pushed out to the antivirus client. While this is a proactive action, any IT admin will tell you that keeping AV signatures up to date is a hassle even with the best products out there.

·         Now your computer thinks it knows what to look for. The problem is that if the malware is modified, the signature can become worthless and the process has to react again.

·         Even if you have the right signature, many AV products won't find an infected file until they perform a scan of your computer. The product then tries to quarantine and clean the infection. Again, this is reactive. Real-time scanning might catch some malware before it lands on your computer, but if this method were reliable, then why do AV companies still advise full scans on a regular basis?
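The five steps above can be walked through with a toy signature scanner. This is an added example written for this post, not code from the post or from any antivirus product; the SignatureDatabase class, the detection name "Constructed.Sample.A", the byte patterns and the file paths are all constructed for illustration and are not real indicators.

```python
"""Added example, not code from the original post or from any antivirus
product: a toy signature scanner that follows the reactive cycle described
above. The "malware" is a constructed byte string carrying a made-up marker,
and the signatures are constructed byte patterns, not real indicators."""
from typing import Dict, List, Optional


class SignatureDatabase:
    """Maps a detection name to the byte pattern the vendor extracted from a
    sample. Until a pattern is published, the scanner has nothing to match."""

    def __init__(self) -> None:
        self.patterns: Dict[str, bytes] = {}

    def publish(self, name: str, pattern: bytes) -> None:
        self.patterns[name] = pattern

    def scan(self, data: bytes) -> Optional[str]:
        """Return the first matching detection name, or None if the file is
        unknown to this signature set."""
        for name, pattern in self.patterns.items():
            if pattern in data:
                return name
        return None


def scan_files(db: SignatureDatabase, files: Dict[str, bytes]) -> List[str]:
    """The on-demand 'full scan' the post mentions: check every stored file
    and return the paths that match a published signature."""
    return [path for path, data in files.items() if db.scan(data) is not None]


def timeline() -> dict:
    """Walk through the five steps above with constructed samples."""
    # Step 1: the sample appears on a user's machine before any vendor has seen it.
    sample = b"\x4d\x5a...constructed sample...MARKER-AAA...end"
    files = {
        "C:\\Users\\alice\\Downloads\\setup.exe": sample,
        "C:\\Windows\\notepad.exe": b"\x4d\x5a...constructed benign program...",
    }
    db = SignatureDatabase()
    results = {}
    results["detected_before_signature"] = db.scan(sample) is not None

    # Steps 2 and 3: the vendor builds a signature for the sample and pushes it
    # to the client; only now does the scanner recognise the file.
    db.publish("Constructed.Sample.A", b"MARKER-AAA")
    results["detected_after_signature"] = db.scan(sample) is not None

    # Step 4: a modified copy no longer carries the exact pattern the signature
    # expects, so the vendor has to start the cycle again.
    variant = sample.replace(b"MARKER-AAA", b"MARKER-AAB")
    results["variant_detected"] = db.scan(variant) is not None

    # Step 5: the full scan flags only files matching a published signature;
    # the benign file is left alone and the original sample is reported.
    results["flagged_by_full_scan"] = scan_files(db, files)
    return results


if __name__ == "__main__":
    for step, outcome in timeline().items():
        print(f"{step:28s} {outcome}")
```

The point the script makes is the gap in time: between step 1 and step 3 the scanner returns None for a file that is already on disk, and after step 4 it returns None again for the variant. Nothing in the database changes on its own; every detection depends on a signature someone had to extract and distribute first.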

There was a time when user education could do as much to prevent an infection as the best antivirus. But when high-profile, trusted sites become compromised, and drive-by downloads can infect your computer without any user interaction, the ability of end users to protect themselves diminishes greatly.

So, what is the solution? Home users will probably just have to hope for improved antivirus products and fewer vulnerabilities in their software. But for businesses, the pain and expense of dealing with malware infections has made the concept of Application Whitelisting an attractive way to keep computers clean. In my next post I'll explain exactly what this is and talk about a few of the options out there.

