Forget Antivirus Protection: Why You Should Focus on Whitelisting

Media Division | April 10, 2017

Whitelisting has been around since the days of dial-up, but you might not be using it. It’s the answer to your antivirus prayers: effective protection, efficiently delivered.

Here’s the 411 on whitelisting, and why you should forget that antivirus protection.

Whitelisting 101

In case the term is new to you, here are the basics: blacklists are the known no-no’s, your known foes, and whitelists are your known friends.

The majority of your business transactions are likely done with specific vendors, customers, clients and/or suppliers. You use the same software, which performs the same functions, nearly every day. Though there are variations by department, these relationships have known histories that can be made into lists. Creating a list of known allies would not only be done fairly quickly, it’s probably already done: your contact lists and logs contain the written record of the fabric of your commerce.

Whereas antivirus software must depend on known assailants (blacklists) or specific modes of attack that have already happened, whitelists give only the friendlies a free pass to communicate with your business.

Whitelists can also catch human error: a hacker-created site might differ from a legitimate site by only one letter or a different extension. At a quick glance, it looks as though you are visiting the genuine site, when, in fact, it is malicious. Hackers fake sites all the time. Recently, a Gmail login page spoofing scam banked on exactly this kind of human error.

Similarly, as much as you tell employees not to click on executable extensions and unexpected attachments, mistakes still happen.  With the right protection on your system, that file would not be permitted to download unless it was on the whitelist.

A whitelist protects against human error.
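As an added illustration (not code from the original post), here is a small Python filter that makes the blocklist and whitelist decisions described above side by side on constructed inbound mail; every domain, address and file name in it is made up.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed whitelists: who the business actually deals with,
# and which document types it expects to receive.
ALLOWED_SENDER_DOMAINS = {"example-supplier.com", "example-bank.com"}
ALLOWED_ATTACHMENT_EXTENSIONS = {".pdf", ".docx", ".xlsx"}

# Constructed blacklists: only what has already been identified as bad.
BLOCKED_SENDER_DOMAINS = {"known-bad.example"}
BLOCKED_ATTACHMENT_EXTENSIONS = {".exe", ".scr"}


@dataclass
class Message:
    sender: str
    attachment: Optional[str] = None


def sender_domain(address: str) -> str:
    """Domain part of an e-mail address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def extension(filename: str) -> str:
    """File extension including the dot, or '' if there is none."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot >= 0 else ""


def blacklist_decision(msg: Message) -> str:
    """Deny only what is already known to be bad; everything else passes."""
    if sender_domain(msg.sender) in BLOCKED_SENDER_DOMAINS:
        return "block"
    if msg.attachment and extension(msg.attachment) in BLOCKED_ATTACHMENT_EXTENSIONS:
        return "block"
    return "allow"


def whitelist_decision(msg: Message) -> str:
    """Pass only known senders with expected file types; hold the rest for review."""
    if sender_domain(msg.sender) not in ALLOWED_SENDER_DOMAINS:
        return "quarantine"
    if msg.attachment and extension(msg.attachment) not in ALLOWED_ATTACHMENT_EXTENSIONS:
        return "quarantine"
    return "allow"


# Constructed messages: a genuine invoice, a look-alike domain with one letter
# dropped, and a script attachment whose extension no blacklist has seen yet.
GENUINE = Message("billing@example-supplier.com", "invoice.pdf")
LOOKALIKE = Message("billing@example-suplier.com", "invoice.pdf")
UNSEEN_SCRIPT = Message("billing@example-supplier.com", "invoice.js")
```

The blacklist waves through both the look-alike sender and the unfamiliar script, while the whitelist holds each of them for a human to review.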

Three Experiences You Know

Chances are, you have experienced whitelisting, or at least heard of it.

  • Your email can be set to only receive messages from known contacts. If you email someone or they are part of your network, they join your whitelist.  Everyone else gets sent to the spam folder.
  • Facebook Messenger uses whitelisting: contacts and Facebook friends can send you a message, while everyone else ends up in a “Message Requests” folder, where you can choose to accept or decline the filtered requests.
  • Some publicly available computers, such as at the county library, have child-friendly whitelists. Anything ending in .gov is automatically on the whitelist, and filters blacklist keywords such as those contained on adult entertainment sites.

Whitelists such as these offer broad protection. Just as you check through your spam folder with semi-regularity, blocked messages can be scanned and the whitelist updated.

Antivirus Protection, the Dinosaur in the Room

Antivirus protection essentially uses blacklists: known malware, adware, spyware, etc. are stored in a database. As new malware emerges, the database is updated and the antivirus program can then search your system for matching signatures to identify infectious code.

Darren Bilby, senior security engineer at Google, analogized that to “a canary in a coal mine.” “It is worse than that,” he said at the Kiwicon hacking conference in New Zealand last fall. “It’s like we are standing around the dead canary saying, ‘Thank god it inhaled all the poisonous gas.’”

But the little canary that is antivirus protection can’t possibly inhale all of the gas.  Malware, ransomware, irritating adware and more get through.  Teams of coders work to update that canary’s programming constantly.  It’s an inefficient process, but it serves a small purpose.

Investing time in whitelist updating is much more efficient than the time spent on intrusion detection, plus you are not “absorbing the first punch” before a strike.

A Complete Analysis Package

Whitelists do have some limitations. You want the list to be accurate. There’s also some small risk that software already on your whitelist could itself be compromised and then used to access your system. It’s not common, but it has happened, such as when Bit9’s corporate networks were breached by a cyber attack.

Bit9 itself specializes in whitelisting, but in writing to Brian Krebs of Krebs on Security they said, “Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network.” Their product itself was not compromised, but their digital certificate ended up on malware that was distributed as a result. Because whitelists trusted that certificate, the malware was automatically treated as approved.
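As an added example (not code from the original post, and not Bit9’s product), the following Python sketch contrasts an application whitelist keyed on file hashes with one that trusts a publisher’s signing certificate, and shows how revoking a misused publisher closes the gap; the binaries, signer name and hashes are all constructed.

```python
import hashlib
from typing import FrozenSet, NamedTuple, Optional


class Binary(NamedTuple):
    name: str
    content: bytes         # stand-in for the file on disk
    signer: Optional[str]  # publisher named in the code-signing certificate, if any


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed files. The trojan carries the vendor's genuine signature because
# the signing certificate was misused, which is the situation described above.
KNOWN_GOOD = Binary("agent.exe", b"legitimate agent build 1.0", "Example Vendor Inc")
TROJAN = Binary("update.exe", b"payload signed with a misused certificate", "Example Vendor Inc")
UNSIGNED = Binary("tool.exe", b"unsigned tool nobody reviewed", None)

# Policy A: allow exactly the files that were reviewed, identified by hash.
HASH_ALLOWLIST = frozenset({sha256(KNOWN_GOOD.content)})
# Policy B: allow anything signed by a trusted publisher. Convenient for updates,
# but every file the publisher (or whoever holds their key) signs gets in.
PUBLISHER_ALLOWLIST = frozenset({"Example Vendor Inc"})


def allowed_by_hash(b: Binary) -> bool:
    return sha256(b.content) in HASH_ALLOWLIST


def allowed_by_publisher(b: Binary, revoked: FrozenSet[str] = frozenset()) -> bool:
    """Signed by a trusted publisher whose certificate has not been revoked."""
    return b.signer is not None and b.signer in PUBLISHER_ALLOWLIST and b.signer not in revoked


def decide(b: Binary, trust_publishers: bool, revoked: FrozenSet[str] = frozenset()) -> str:
    """'run' if some rule admits the file, otherwise 'deny'."""
    if allowed_by_hash(b):
        return "run"
    if trust_publishers and allowed_by_publisher(b, revoked):
        return "run"
    return "deny"
```

With publisher trust switched on, the signed trojan runs until the publisher is revoked; the hash-only policy never admits it, and the reviewed build keeps running under either policy.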

Limitations such as these are not widespread, but they do further illustrate the need for complete cyber threat assessments (CTA).

A complete analysis includes a risk assessment of your particular operations, including an eye toward specific trends in your field, reputation threats, user operations, geographic location and cultural climate, in addition to assessment of potential loss of data or data breaches.

Tools such as whitelisting make your operations proactive, instead of reactive.  Call 813-434-0922 for a free threat report.  You’ll be glad you did.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.