How to create an application whitelisting policy
If you’re reading this article, you probably have cybersecurity on your mind. Protection against malicious code (malware) is becoming a high priority for many Australian businesses, and rightly so. Not keeping your organisation secure from a technology standpoint can have a catastrophic impact.
This is the second blog in a five-part series on the Australian Signals Directorate (ASD)’s Essential Eight strategies to address cybersecurity risks and keep attackers at bay. We will answer some common questions about the ASD Essential 8, as well as provide some tips to help you create and implement a security policy that can work for your business.
What is application whitelisting?
Application whitelisting involves designing rules to prevent unauthorised applications and code from executing on systems. It’s so important that it’s number one on the ASD list. Malware attacks can occur as easily as an employee accidentally clicking on a link that is malicious or accessing an application that is not secure. Whitelisting sets specific rules about which applications can be executed on your devices, thus strengthening your device security.
Why should I have a whitelisting policy for my applications?
A whitelisting policy is an essential control if a business is to provide a safe, secure environment in which its employees can operate. If you implement your policy correctly, you’ll be able to ensure that only the applications that you and your team authorise will be executed. Without a whitelisting policy, your employees can install and run any application at any time, regardless of the threat it poses to your organisation’s cybersecurity.
Reasons to use application control
Using application control as part of a comprehensive risk management strategy provides five key benefits to your organisation:
- Take a Zero Trust approach to security across your endpoints and servers by only allowing "known good" applications to run
- Eliminate unknown and unwanted applications in your network
- Reduce the risk of system compromise by a malicious threat actor
- Make it harder for a malicious threat actor to move between devices
- Empower users to do just what they need for their job roles without inhibiting productivity
One way to improve your endpoint security while maintaining ease of access to important applications is by creating an application whitelist. While this can be done manually, it's much easier to use application whitelisting software.
How application whitelisting works
Application whitelisting requires the compilation of a list of approved applications a device can access. The user will only have access to a limited set of applications that have been vetted and deemed safe.
Whitelisting is a form of endpoint security, and keeps any unapproved application from running on a device, network or system that has a policy and rules in place.
Application whitelisting technology allows whitelisting processes to be almost fully automated. Every time a user tries to access an application from a network-connected device, software running on the system can intercept the request to make sure the application is whitelisted.
If it isn't, the software can run checks on the application and compare it to your policy rules to determine if it can be safely whitelisted, should be quarantined for human review, or should be blacklisted.
Choosing what applications to whitelist
How do you know whether to whitelist or blacklist an application? Developing your policy should take into account what level of security is required and what kind of access and functionality your end-users require, as well as why, when and from where they are trying to access applications.
How do whitelisting and blacklisting differ?
Blacklisting may look like the easy option to the uninitiated, but it entails continually maintaining a list of applications that cannot run on your network: each unauthorised application must be added to your blacklist. Keeping track of applications to blacklist is an incredibly time-intensive process, and one that requires more long-term upkeep than you may be willing to commit to.
Whitelisting, on the other hand, allows organisations to define a specific list of applications, including full sets from approved publishers or sources, that can execute within their systems. This creates a more secure environment and limits the chances of malware or ransomware executing on a company system. As your business needs evolve, it’s possible to add or remove applications from your whitelist.
How application whitelisting improves security
You can set a high level of security by developing a policy that has clear parameters for approving applications. Common ways to verify an application's origin and integrity are to check the publisher's code-signing signature, or to identify approved applications by their cryptographic hash.
As application whitelisting allows only authorised software to execute on your servers and endpoints, it prevents most malware from executing on your systems, and at the same time makes it harder for a malicious threat actor to execute commands on a device should they manage to obtain access.
Tips for creating a robust application whitelisting policy
We recommend that you do your research before commencing with policy creation. Depending on the size of your business, this may involve creating a working group to understand the needs of your organisation.
This allows legacy software to be identified and removed before whitelisting commences, and upcoming changes to be included in your roadmap. Knowing what is coming makes it easier to plan new application rules in advance once software restrictions are in place.
Examples of types of applications that should be considered for whitelisting include:
- Software libraries
- Scripts
- Installers
- Executables
There may be some applications you choose to allow that complement business applications, such as messaging applications, web-based email and social media sites. These may not be needed by all employees to do their job (although they can increase productivity significantly). However, giving your team some freedom of choice will likely produce a happier, more productive workforce.
Applications that do not make the list will likely be some of the favourites of your employees, but that’s an easy argument to make if it means protecting the overall business by limiting the number of non-essential applications that are installed.
Developing rules is vital if you want to ensure only whitelisted applications are accessed. Our team of security experts is here to help if this is something that is outside of your wheelhouse.
What threats does whitelisting fight?
Whitelisting offers an excellent form of protection against a malicious application or virus. It can also offer a safety net in case employees get caught out by a social engineering attack and happen to click on something they shouldn't have.
A remote workforce using their own devices increases the number of endpoints, and thus increases risk. By implementing a policy that whitelists as many functional applications as possible while restricting access to problematic ones, you can reduce the chances of a breach and improve your overall cybersecurity.
Is application whitelisting a replacement for antivirus and other security software?
No, it's definitely not. The Australian Signals Directorate recommends that you don't replace antivirus, anti-ransomware or any other security software that is already running. Using multiple points of protection will ensure a higher level of security is maintained and the potential for compromise reduced.
We recommend initially running your new whitelisting solution in audit mode for a period of time, to gain an understanding of the applications being executed and help create a policy tailored to your environment.
Don't forget to include a schedule for testing. After all the effort that goes into setting up your application whitelisting, it makes sense to regularly check that the process is still working as scoped. Your policy should also require event logging of any blocked execution attempts.
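The following added example (not code from the original article or from any whitelisting product) models the rule types and modes discussed above: hash and publisher rules deciding between allow, quarantine and deny, an audit mode that lets everything run but logs what would have been blocked, and an event log of every non-allowed execution attempt. The sample applications, paths and publisher names are constructed, and the publisher string stands in for a signature the real tool would first have to verify.

```python
import hashlib
from typing import Optional

# Constructed sample "applications" (not from the original article): the bytes
# stand in for file contents and the publisher string for the verified subject
# of a code-signing certificate (None means unsigned).
APPROVED_APP = b"MZ... approved line-of-business build (constructed)"
SAMPLE_REQUESTS = [
    ("C:/Program Files/LOB/app.exe", APPROVED_APP, "CN=Example LOB Vendor"),
    ("C:/Program Files/Office/word.exe", b"MZ... office build", "CN=Example Office Vendor"),
    ("C:/Users/alice/Downloads/tool.exe", b"MZ... signed but unknown", "CN=Unknown Signer"),
    ("C:/Users/alice/AppData/Local/Temp/x.exe", b"MZ... unsigned", None),
]
def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Hash rules pin one exact build (every patch changes the hash, so they need
# upkeep); publisher rules survive updates but trust everything that signer ships.
POLICY = {
    "hash_allow": {sha256(APPROVED_APP)},
    "publisher_allow": {"CN=Example Office Vendor"},
}

def decide(policy: dict, content: bytes, publisher: Optional[str]) -> str:
    """Return 'allow', 'quarantine' or 'deny' for one execution request."""
    if sha256(content) in policy["hash_allow"]:
        return "allow"          # exact approved build
    if publisher in policy["publisher_allow"]:
        return "allow"          # any build from an approved publisher
    if publisher is not None:
        return "quarantine"     # signed by an unknown publisher: hold for human review
    return "deny"               # unsigned and not on any list

def run_policy(policy: dict, requests, enforce: bool):
    """Evaluate requests in audit (enforce=False) or enforce mode; return
    (paths that executed, event log of every non-allow decision)."""
    executed, events = [], []
    for path, content, publisher in requests:
        decision = decide(policy, content, publisher)
        if decision != "allow":
            events.append((path, decision, "enforced" if enforce else "audit-only"))
        if decision == "allow" or not enforce:
            executed.append(path)   # audit mode lets it run but still logs it
    return executed, events

if __name__ == "__main__":
    for enforce in (False, True):
        ran, log = run_policy(POLICY, SAMPLE_REQUESTS, enforce)
        print("enforce" if enforce else "audit", ran, log)
```

Running the audit pass first over real execution data is what surfaces the legitimate applications still missing from the policy before enforcement starts blocking them.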
A properly designed, documented and delivered whitelisting solution is essential to a successful handover and continued adoption of the solution.
Choosing an application whitelisting software
Your application whitelisting solution shouldn't cause more problems than it solves. That means you need a policy that is designed to facilitate worker satisfaction and ensure network and system security at the same time.
When choosing an application whitelisting tool, ask, "How usable is the solution for both users and administrators?" If you implement a policy and install a solution only to find out work productivity plummets in reaction, your time and money will have been wasted.
The right tool will be able to provide robust endpoint security while supporting remote access, and allow your workforce to be productive while safeguarding your company and client data.
We can help you get the most out of existing whitelisting capabilities within your system or set up a different method if needed. Whitelisting policy definition is often considered one of the most challenging security activities (even by experienced security professionals).
Speak to our team to learn how The Missing Link can assist you in your whitelisting journey, especially if it is not something you have done before. There are different processes for Mac vs PC, and many organisations run both systems, so it may not be as simple as a one-size-fits-all approach.
Make application whitelisting work for you. Contact us today for help creating a policy that ensures security for your business. Our cybersecurity experts are ready to help.
Author
The Missing Link