Protecting systems and data from malicious software and the intrusion of unauthorized users and applications is the objective of any cyber-security initiatives. Two of the tools in this arsenal are Blacklisting and Whitelisting. Both of these approaches can be implemented as a perimeter defense technique (through configuration of network security devices to block/allow access to certain listed URLs), can be used to allow or deny applications from being installed or executed and/or can be used to grant or deny access to systems, networks and infrastructure.
Today, we will discuss Blacklisting vs Whitelisting and the differences and benefits of each.
What is Blacklisting?
Blacklisting is implemented by identifying what should be blocked. This could be websites, IP addresses, computer hardware addresses (MAC address), users, applications, software (virus, malware) “signatures”, email addresses, etc. Blacklisting has traditionally been deployed as a key element in anti-virus and security software suites; typically in the form of a “virus database” of known digital signatures, heuristics or behavior characteristics associated with viruses and malware that have been identified in the wild.
It is important to note that blacklisting requires the identification of known or suspected threats. Blacklisting relies on the knowledge of attack vectors, exploits, vulnerabilities, malware, and URL or website “reputations” currently available. Unknown threats such as zero-attacks (which have yet to be discovered and isolated by security professionals) are generally “immune” to blacklisting defense strategies.
Still, blacklisting is a popular strategy and has been for many years, mainly due to its overall effectiveness and relative ease of implementation.
Advantages and disadvantages of Blacklisting
The main advantage of blacklisting is its simplicity. You simply identify known and suspected threats and deny them access. All other traffic or applications are allowed. This is how signature-based anti-virus and anti-malware software works.
Most implementations of blacklists are updated by the vendor (e.g.: virus signatures/databases by the anti-virus software vendor, and malicious or inappropriate URL blocking lists by the firewall/proxy vendor) thereby making blacklists virtually maintenance free.
As this strategy depends on identifying known threats, its effectiveness is dependent on how well and how often the blacklist and its associated responses are refreshed and updated. With the significant volume of new malware each month, keeping a blacklist up to date can be challenging task with the costs of this effort being passed to the customer via licensing and renewals.
What is Whitelisting?
Whitelisting is the converse of blacklisting; in that you identify what you know to be acceptable entities (software applications, email addresses, users, processes, devices, etc.) that are allowed access to a system or network and block everything else. Whitelisting assumes “zero trust” which denies all and allows only what’s necessary.
This can be implemented as Access Control Lists (ACLs) on network equipment, approved application lists (or hash values calculated from application program files) in an application control or access control system, and/or authorized user lists in any number of access control systems. Compiling these lists or databases may require complex analysis of applications’ functionality to ensure all components are approved for access or may be as straight forward as identifying subnets allowed to send traffic across network devices. Whitelisting is also used as a mechanism for implementing spam filters on email applications.
In all cases, whitelists must be kept up to date to ensure that there is no interruption of service. Improperly configured whitelists can lead to a self-inflicted Denial of Service (DoS) “attack”.
Third-party whitelisting services can also be used by those wishing to relieve the burden of administration. These services generally use technology to give ratings to software and network processes based on their age, digital signatures, and rate of occurrence.
Blacklisting vs. Whitelisting
Since blacklists are restricted to known variables and threats and the fact that these threats are rapidly expanding with many being designed circumvent behavior or signature-based methods of detection, many believe that whitelisting is the more effective approach to information security.
It is generally easier and more secure to simply disallow everything and just allow a minimal amount of users/applications, etc. Therefore, if only authorized users are allowed access to a network or its resources, the chances of malicious intrusion are drastically reduced. Likewise, if only approved software and applications are allowed to run, the chances of malware being introduce is also minimized. However, as previously identified, improperly configured or incomplete whitelists can result in one of the threats it is intended to protect against, widespread denial of service.
Whitelisting is the preferred option in environments where working conditions and transactions may be subject to strict regulatory compliance. Strict controls on access and execution are possible in environments where standards and policies need to be periodically reviewed for audit or compliance purposes.
Despite the time, effort and resources which must be spent in compiling, monitoring, and updating whitelists at enterprise level – and the need to guard against the compromise of whitelisted entities, many cybersecurity experts believe whitelisting to be the preferred method of protection. Forrester Research recently published a report on application security that basically condemned blacklisting in favor of whitelisting when dealing with next-gen malware. Further, it can be used as a more effective tool to combat spam and other email-borne threats.
Ready to strengthen your cybersecurity? Founded by a small team of IT specialists, Gold Comet is a leader in secure communications for individuals and corporations. Our patented secure messaging system assigns each encrypted message its own unique key, so you can enjoy the highest level of security. Contact us today to talk about how we can keep your work private and secure.Our motto at Gold Comet is “Total Privacy for your Online Communications“. Gold Comet was established with one thing in mind that is to bring privacy to your online communications. That is why we are constantly updating our cyber security posture. We started with a patented encryption system and built upon that.