Is Whitelisting the Answer To the Rise In Data Breaches?

MojoKid writes "It doesn't take a rocket scientist to figure out that cyber criminals are quickly getting more sophisticated than current security, intrusion detection and prevention technology can defend against. And you have to wonder if the computer security industry as a whole is willing to take the disruptive measures required to address the issue head-on. One way to tackle the surging data breach epidemic is with a technology called "whitelisting." It's not going to sound too sexy to the average end user and frankly, even CIOs may find it unfashionable but in short, whitelisting is a method of locking-down a machine such that only trusted executables, DLLs and other necessary system and application components are allowed to run – everything else is denied. A few start-up security companies are beginning to appear in this space. The idea is to start with a known, clean system installation and then lock it down in that state so absolutely nothing can be changed. If you follow system security, regardless of your opinion on the concept of whitelisting, it's pretty clear the traditional conventions of AV, anti-malware, intrusion detection and prevention are no longer working."

Seriously?

[gman003]

Why the flying fuck does anybody think Slashdot readers need to have "whitelisting" defined for them, let alone think they can pass it off as a "new technology"? Did Dice start putting those retarded SlashBI articles in main Slashdot now?

Re:Seriously?

[TheReaperD]

Though most, if not all of us, know what whitelisting is, I do prefer they explain it rather than assuming we know it. I've ran across too many articles in the past that assumed I knew some piece of information when I didn't. Sure, I can look it up but, that's annoying when your just trying to read "news." Though this is a site for "nerds", that is a broad term. There's computer nerds, science nerds, comic nerds, etc. Now, the passing it off as new... I've got nothing; that's just lame.

Re:Seriously?

Uh, yeah. The sort of dumbfuck managers who might conceivably read slashbi are the exact audience the beta design (fuck beta, BTW) is meant to appeal to.

The big idea, though unspoken, is clear: to keep the slashdot name, but shift in both content and presentation from a discussion site seeded with news for nerds to a straight-up news site (with discussion as an afterthought) for PHBs. SlashBI doesn't work because that name is not (and has never been) perceived to carry an aura of technical knowledge -- but PHBs have been hearing about this slashdot thing for a decade now. Rolling out a PHB-friendly site under the "slashdot" brand will help PHBs play one of their favorite games, namely indulging in the fantasy of deep technical knowledge without the inconvenience of learning -- and that means Dice makes big bucks placing ads in front of this "decision maker"-heavy audience. (This new audience is not only worth more to advertisers, they're also substantially less likely to use ad blockers than the old /. community.)

Re:Seriously?

[Arrogant-Bastard]

The inferior people at Dice -- you know, the same ones trying to shove their shitty Beta site down our throats -- are actually not clueful enough to realize that this is a very old idea. Whitelisting OS resources, applications, networks, IP addresses, etc. has long been an effective security measure, and I've deployed everywhere I've been for the past 15 years or so.

It appears that the Dicedroids think everyone is as stupid and clueless as they are.

Re:"whitelisting"

[Z00L00K]

Most data breaches have occurred within a company, and the only way around it is to segment the networks and servers so that only select computers have access to financial data, others have access to HR data and yet others have access to strategic documents. Then it depends on company type if yet more segments are needed. In most cases the software development can go in one segment - the majority of the software developed is bread&butter. But in other cases special projects may need their own segment. Also make sure that all printers have their own sub-segment of each segment to make sure that any printer that has been hacked isn't going to have access to all the data, just the print data.

Of course - this goes against the strategy of installing everything in one huge server running virtual servers.

Whenever there is a need to exchange data it has to require manual action between individuals in both segments.

And for browsing the internet - run a sandbox solution to isolate any browsing from the remaining network. It may mean that the web browser is on a special server. If that server is contaminated it's not a big problem to rebuild it.

We're adopting this at work...

[Dr_Barnowl]

While I admit that as a programmer I will inevitably have a skewed point of view, I view it as ill-advised.

A computer is useful primarily because it is NOT a special purpose tool, but a general purpose one.

Whitelisting cripples your computer. If you can't run software without it being on a whitelist, you can't even write a shell script, or a VBA macro. Your computer stops being useful as a general purpose tool - only the software that has been approved remains useful.

Yes, I get that most users are numpties and probably do need to be kept from hurting themselves. But this kind of policy cuts down the tall poppies - the ones who actually can make their computer work for them, instead of just working at their computer, and removes the possibility that any more will arise - no-one will voluntarily seek the rights they need to approve of their own software, because they'll be singled out as potential hackers and troublemakers, and any data breaches that do occur will be attributed to them.

As applied within our organization, it's also soul-crushingly annoying to programmers. We'll have the rights to approve of any software we want to run, but we have to click through an approval dialog for each... new..... file... which of course, means that every time we rebuild our code we face a clickfest just to debug it, or run unit tests on it, etc.... most of us have shied away from being "upgraded" to Windows 7 because of this. Several of us just wish we could change to Linux, being Java programmers.

Indeed, many of our internal teams are also getting the self-approval rights, which just trains them to click "Approve" and you're all the way back to UAC again, no extra security, just extra hassle, reduced performance of the computer (which is now hashing every file you access on the drive to see if it's on the whitelist), and more money diverted into the coffers of the kind of company that sponsored this story in the first place.

No.

[gweihir]

As usual with this type of headline, this is not a solution. In fact, it is not a solution at all. Just think of the most common way to compromise an executable: Buffer overflow. In that case, code is put somewhere in the memory area of the running process and then the process is coerced to execute it. This means the attack code runs in the context of the already running process afterwards and white-listing has zero impact. The only effect it has is that it gets harder for the attacker to start additional processes.

As for code-injection attacks, these are usually done with interpreted code, and white-listing does not even apply to that.

This is another technology that at best makes it harder for script-kiddies to break into a system, but has basically no impact on competent attackers.

Incidentally, techniques like SELinux allow far more than a simplistic "white-listing", and have done so for quite a while.

Re:"whitelisting"

[anubi]

A LOT of us are doing a form of whitelisting for exactly the same reason.

How many of us are running programs similar to NOSCRIPT mostly because of hostile code and inattentive webmasters unwittingly distributing malicious code wrapped in advertisements?

I learned about NOSCRIPT right here on Slashdot ( Thanks, guys!!! ) in response to one of my posts where I was whining ( loudly ) about not being to be on the net for more than a few hours before I had to reboot Windows to try to get my system back.

There is a lot of nasty stuff out there, and it seems most of it comes riding in on scripting or coaxing me to run their attachment. Often I have seen them try to piggyback on the trust I have for a business - a business that places that trust at risk if the business insists I enable javascript for his site, then the bad guy uses that coercion of the business model to his own advantage.

I think that is what a lot of the clamor here has been all about. We see wealthy investor type men taking control from the techie base and may force us to "drop our defenses" in order to communicate, and we are collectively screaming "NO" as loud as we can to the deaf ears of the businessman.

I think we have all seen the suit people take down a business, and we don't want it happening here.

Re:Trusted program, untrusted use

[Tom]

Oh please do you REALLY think that is the cause of Windows infections?

Your reply was misplaced by the comment system, it seems, because it doesn't seem to refer to anything I actually said.

The social engineering angle is how you get users to execute crap they got sent by mail. The (old) idea under discussion here is a system that would make that execution impossible, even if you get the user to click the link.

That said, the user is not the weakest link. That's a cop-out by IT people who don't want to look beyond technical solutions into cognitive sciences, for example. There's been a bit of research into these areas in the past 10 or so years, but the conferences on the topic are still very small and mostly academic.

There's quite a lot you can do to prevent or at least make these kinds of attacks more difficult. But most of it is outside the techie comfort zone, and it means actually having to talk to users and understand them instead of labeling them "lusers" and stuff.