Graham Greene believed that human nature is not black and white, but black and grey.
In every organization and firm, experts use blacklists, but do they also use whitelists and graylists effectively?
A whitelist is a list of discrete entities, such as hosts, email addresses, network port numbers, runtime processes, or applications that are authorized to be present or active on a system according to a well-defined baseline.
A blacklist is a list of discrete entities that have been previously determined to be associated with malicious activity.
A graylist is a list of discrete entities that have not yet been established as benign or malicious; more information is needed to move graylist items onto a whitelist or a blacklist.
Whitelists, blacklists, and graylists are primarily used as a form of access control: permitting activity corresponding to the whitelist and not permitting activity corresponding to the blacklist.
Graylist treatment depends on the type of entities it contains.
An example of how a graylist might be handled is prompting the user to make a decision or notifying an administrator that the entity needs to have its security evaluated before use.
An application whitelist is a list of applications and application components (libraries, configuration files, etc.) that are authorized to be present or active on a host according to a well-defined baseline.
The technologies used to enforce application whitelists—to control which applications are permitted to be installed or executed on a host—are called whitelisting programs, application control programs, or application whitelisting technologies.
Application whitelisting technologies are intended to stop the execution of malware and other unauthorized software.
Unlike security technologies such as antivirus software, which use blacklists to block known bad activity and permit all other activity, application whitelisting technologies are designed to permit known good activity and block all other activity.
Application whitelisting software prevents installation and/or execution of any application that is not specifically authorized for use on a particular host.
This mitigates multiple categories of threats, including malware and other unauthorized software.
Many of today’s threats are malware-based, attempting to infect hosts (install their malicious code) and execute on those hosts to steal their data or perform other harmful activities.
When properly configured, application whitelisting technologies can stop most malware from being executed (and often from being installed in the first place).
Application whitelisting technologies can be significantly more effective at stopping unknown malware threats than conventional antivirus software and other traditional antimalware security controls.
This is important because today’s malware threats are increasingly customized and targeted, making traditional detection technologies largely ineffective.
The other major category of threats that application whitelisting technology can mitigate is unauthorized software other than malware.
This software can pose multiple problems.
For example, it can introduce unmanaged vulnerable software into the environment, which can then be used by attackers to exploit hosts and further compromise them.
There can also be legal issues with the installation of unauthorized software, such as violations of licensing agreements.
Application whitelisting is most readily used to stop threats on managed hosts where users are not able to install or run applications without authorization.
An example is a kiosk workstation where users are limited to running a web browser; installation and execution of all applications other than the selected web browser and authorized application-based security controls (such as antivirus software) would be prohibited.
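The difference between the two enforcement models, and the graylist workflow described earlier, can be seen in a small policy evaluator. This is an added example, not code from any whitelisting product; it assumes applications are identified by the SHA-256 hash of their content, and the class, function and sample names are hypothetical.

```python
import hashlib
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    REVIEW = "review"  # graylisted: held, not run, until an administrator decides

def digest(content: bytes) -> str:
    # Assumption: an application is identified by the SHA-256 of its file content.
    return hashlib.sha256(content).hexdigest()

class ListPolicy:
    def __init__(self, whitelist=(), blacklist=()):
        self.whitelist = {digest(c) for c in whitelist}
        self.blacklist = {digest(c) for c in blacklist}
        self.graylist = set()

    def blacklist_mode(self, content: bytes) -> Verdict:
        """Antivirus-style: block known bad, permit everything else."""
        return Verdict.BLOCK if digest(content) in self.blacklist else Verdict.ALLOW

    def whitelist_mode(self, content: bytes) -> Verdict:
        """Application whitelisting: permit known good, never run anything else."""
        h = digest(content)
        if h in self.blacklist:
            return Verdict.BLOCK
        if h in self.whitelist:
            return Verdict.ALLOW
        self.graylist.add(h)  # unknown entity: queue it for evaluation
        return Verdict.REVIEW

    def resolve(self, content: bytes, benign: bool) -> None:
        """Administrator decision moves a graylisted item onto one of the lists."""
        h = digest(content)
        self.graylist.discard(h)
        (self.whitelist if benign else self.blacklist).add(h)

# Constructed sample "binaries" (plain byte strings, not real software).
BROWSER = b"constructed sample: approved kiosk browser"
KNOWN_BAD = b"constructed sample: previously identified malware"
CUSTOM = b"constructed sample: never-before-seen targeted binary"

def build_policy() -> ListPolicy:
    return ListPolicy(whitelist=[BROWSER], blacklist=[KNOWN_BAD])

if __name__ == "__main__":
    policy = build_policy()
    for name, blob in [("browser", BROWSER), ("known bad", KNOWN_BAD), ("custom", CUSTOM)]:
        print(name, policy.blacklist_mode(blob).value, policy.whitelist_mode(blob).value)
```

The never-before-seen binary is permitted in blacklist mode but held for review in whitelist mode, which is the gap the article attributes to conventional antivirus software.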