Under control: How application whitelisting minimizes security risks
Vulnerabilities and security holes in applications are often exploited to introduce malware, take over IT systems, or steal data. Application whitelisting can help minimize these risks by restricting executable applications to a positive list. However, defining and maintaining such a whitelist presents new challenges for IT teams.
Software vulnerabilities are one of the biggest IT risks for organizations. In 2023, application vulnerabilities will be the third most common cause of successful cyberattacks, after credential theft and phishing. The CVE (Common Vulnerabilities and Exposures) database, which tracks all publicly known software vulnerabilities, recorded nearly 30,000 new entries last year. Zero-day exploits, in which attackers abuse newly discovered vulnerabilities that have not yet been patched, pose serious security risks as well. One of the most prominent recent examples is the Log4Shell vulnerability in the widely used Java logging library Log4j, which the German Federal Office for Information Security (BSI) categorized as extremely critical in 2021.
Cybercriminals often don’t even need a software vulnerability to take over systems. They use phishing emails and social engineering to trick their victims into clicking on dangerous links, downloading malicious code, and launching dangerous programs. According to the World Economic Forum’s (WEF) Global Risks Report 2022, 95 percent of all cybersecurity incidents can be traced back to human error.
Implementing Software Security
Over the past decades, IT security experts have developed several strategies and methods to minimize software risks. One of the most important is patch management. Ideally, it closes vulnerabilities as soon as security updates are available. What sounds good in theory is anything but easy to implement in practice. The IT team often lacks insight into which applications are in use, who is running which version, and who has which rights. Staffing shortages in IT can also mean that applications are not patched with the necessary speed and care. As a result, it is not uncommon for vulnerabilities that have long been known, and for which fixes are already available, to be exploited. For example, in February 2023, cybercriminals were able to exploit a vulnerability in Microsoft Exchange for cryptominer attacks even though a security update had been available since 2021.
The second indispensable line of defense in any cybersecurity strategy is the virus scanner, today typically deployed as part of an endpoint detection and response (EDR) solution. To detect malware, it uses signature databases and heuristics that look for certain conspicuous behaviors. Artificial intelligence (AI) is also increasingly being used to detect malware. AI can detect suspicious behavior more reliably than traditional statistical methods, and AI-based tools also produce significantly fewer false positives.
Thanks to intelligent behavioral analysis, next-generation AI-based AV solutions also provide a level of protection against zero-day exploits and human error. However, companies should not be fooled into a false sense of security, as cybercriminals and IT security experts are engaged in a constant game of cat and mouse. For example, attackers have long used AI to recognize whether their malware is running automatically in an isolated test environment (sandbox) or is actually being used by a human user. If a sandbox is detected, the malware behaves inconspicuously and only becomes active when it is on a production system.
Enhance security with application whitelisting
Application whitelisting (AWL) is a good way to minimize the attack surface for malware. The company defines a catalog of approved, tested software that is considered safe. Users can only install and run applications that are in this catalog and have been approved for them. Approval can be individual, role-based, or enterprise-wide. Attempts to trick users into running malicious software through phishing or social engineering will fail because the user will not be able to run the unlisted program. Previously unknown malware that enters the corporate network through vulnerabilities can also be blocked in this way.
Application whitelisting also relieves the IT team in terms of application administration and patch management, as they only have to deal with a very limited number of applications. Fewer applications also require less storage space and system resources, which can have a positive impact on IT system performance. Finally, application whitelisting can have a positive impact on compliance and data protection by preventing non-compliant applications from being installed or run.
Application whitelisting with built-in resources
Microsoft offers two solutions for application whitelisting: Windows Defender Application Control (WDAC) and AppLocker. WDAC policies are device-based and therefore apply to all users of a device. Administrators can use group policies to specify that only applications that are code-signed, have specific metadata or hash values, or are rated as reputable by the Microsoft Intelligent Security Graph (ISG) can be started. The installation and launch of applications can be restricted to specific installers and paths.
AppLocker rules can be set on a per-device or per-user basis. Rules are defined based on code-signing certificates, attributes of an application’s binaries, or the path from which the application is launched. Microsoft no longer develops AppLocker, but provides security updates. The vendor only recommends its use in certain cases and encourages customers to use WDAC.
Apple’s macOS offers the ability to restrict application usage via the “Security & Privacy” and “Screen Time” system settings. However, the open source tool Google Santa is more suitable for professional use. It consists of a system extension that monitors the execution of programs, a daemon that allows or denies applications based on a local database, a GUI agent that displays a message when a program is blocked, and a command-line utility that can be used to manage the system.
On Linux systems, the file access policy daemon (fapolicyd) can be used. The fapolicyd framework is based on the concept of trustworthiness. An application is considered trustworthy if it has been properly installed by the package manager and is registered in the system. A plugin registers each system update and notifies the fapolicyd daemon of changes to the database. If an administrator wants to add applications that are not registered, they must authorize them via custom rules and restart the fapolicyd service. The tool can check the integrity of a file based on its file size, its SHA-256 hash value, or via the Integrity Measurement Architecture (IMA) subsystem. However, by default, fapolicyd does not perform an integrity check at all, so a file is trusted by path alone.
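To make the difference between the integrity modes tangible, the following added example (not code from the article or from the fapolicyd project) re-implements the check in plain shell: it records a trust entry in the same "path size sha256" shape fapolicyd stores, then evaluates a file against it in the three modes. The hypothetical `trust_entry` and `check_trust` functions are this example's own; it assumes a Linux host with `sha256sum` (falling back to `shasum`).

```shell
#!/bin/sh
# Added example: stand-alone emulation of fapolicyd's integrity modes
# (none / size / sha256). Not fapolicyd itself; the entry layout mirrors
# its trust file, the check logic is our own re-implementation.
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# Produce a trust entry "path size sha256" for a file (no spaces in path).
trust_entry() {
    path="$1"
    size=$(wc -c < "$path" | tr -d ' ')
    hash=$(sha256sum "$path" | cut -d' ' -f1)
    printf '%s %s %s\n' "$path" "$size" "$hash"
}

# Decide whether the file currently at the recorded path may execute.
# $1 = trust entry, $2 = integrity mode: none | size | sha256
# Exit status 0 = allow, 1 = deny.
check_trust() {
    entry="$1"; mode="$2"
    set -- $entry                      # split entry into its three fields
    path="$1"; rec_size="$2"; rec_hash="$3"
    [ -f "$path" ] || return 1         # unknown path is never trusted
    case "$mode" in
        none)   return 0 ;;            # path match alone suffices (the default)
        size)   [ "$(wc -c < "$path" | tr -d ' ')" = "$rec_size" ] ;;
        sha256) [ "$(sha256sum "$path" | cut -d' ' -f1)" = "$rec_hash" ] ;;
        *)      return 1 ;;            # unknown mode: fail closed
    esac
}

# Demo: register a constructed "binary", then swap in a same-size tampered
# copy and show which modes still let it run.
demo() {
    dir=$(mktemp -d)
    printf 'echo hello\n' > "$dir/app.sh"
    entry=$(trust_entry "$dir/app.sh")
    printf 'echo HELLO\n' > "$dir/app.sh"   # same length, different bytes
    for m in none size sha256; do
        if check_trust "$entry" "$m"; then r=allow; else r=deny; fi
        printf '%-6s -> %s\n' "$m" "$r"
    done
    rm -rf "$dir"
}

demo
```

Only the sha256 mode denies the tampered copy; the size check is fooled by an edit that preserves length, and the default mode never looks at the content.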
Administrative overhead
Although application whitelisting with built-in tools provides good protection against malicious applications, it also has drawbacks. Users must contact administrators every time they want to install or launch an unlisted application. If these requests cannot be answered quickly, productivity and user satisfaction suffer. IT can be overwhelmed with requests and the need to assess the trustworthiness of countless applications. In addition, the existing whitelist must be continuously maintained.
Commercial AWL solutions therefore aim to minimize this administrative effort. Here are a few examples:
Application Allowlisting from ThreatLocker, for example, provides an agent that first registers and catalogs all applications used on the system and their dependencies in learning mode. Administrators can review this catalog and remove applications they deem irrelevant or unauthorized. If an application is blocked, the user is notified and can request that it be unblocked at the touch of a button. ThreatLocker promises to scan and authorize in as little as 60 seconds.
Application Control Plus from ManageEngine is based on the principle of least privilege. Applications are automatically whitelisted or blacklisted, approved applications are granted only the rights needed to run, and local accounts with administrative privileges are largely eliminated. If a task requires elevated privileges, they are automatically and temporarily assigned at the application level, not the user level. This should reduce user requests and minimize security risks from privileged accounts.
The German AWL specialist Seculution also offers a learning mode for initial whitelist creation. The whitelist itself is hosted centrally on the customer’s servers. Customers receive a local copy of the whitelist for offline use, which is periodically synchronized; otherwise, lookups take place live against the customer’s central whitelist. If the hash value of an application is not known there, it is checked against a cloud-based database that is continuously maintained by the vendor. According to the vendor, 99 percent of all requests can be processed without additional administrative effort. Seculution also guarantees that customers will not be infected with malware while using the solution.
Conclusion: Application whitelisting, an important step towards greater IT security
Application whitelisting can significantly increase security and reduce the risk of malware attacks. However, adoption of AWL depends on its ease of use by both administrators and users. When choosing an AWL solution, companies should ensure that it minimizes administrative effort and provides a good balance between security and user satisfaction.