To protect a device or network from potential threats, you need to control access. This requires a well-defined perimeter and ways to defend that perimeter. It also requires you to decide which entities should be allowed access and which should be blocked.
There are two primary approaches used to manage which entities get access to your system — blacklisting and whitelisting. Both methods have their pros and cons, and not everyone agrees on which is the best approach to use. The right choice depends mostly on your organization’s needs and goals, and, often, the ideal tactic is a combination of both. Let’s look at blacklisting and whitelisting in detail and discuss the differences between the two methods.
What Is Blacklisting?
The blacklisting approach involves defining which entities should be blocked. A blacklist is a list of suspicious or malicious entities that should be denied access or running rights on a network or system.
As an example out in the physical world, a border control authority might maintain a blacklist of known or suspected terrorists. A store owner might have a blacklist of shoplifters. In the world of network security, a blacklist often consists of malicious software such as viruses, spyware, Trojans, worms and other kinds of malware. You could also have a blacklist of users, IP addresses, applications, email addresses, domains, processes or organizations. You can apply blacklisting to virtually any aspect of your network.
You might identify suspicious or malicious entities by their digital signatures, heuristics, behaviors or by other means. To blacklist applications, organizations can create their own blacklists and also use lists created by third parties, such as network security service providers. Blacklisting is the traditional approach to access control and has long been used by anti-virus tools, spam filters, intrusion detection systems and other security software programs.
The blacklist approach is threat-centric, and the default is to allow access. Any entity not on the blacklist is granted access, but anything that’s known or expected to be a threat is blocked.
To sum up:
- Blacklisting involves blocking access to suspicious or malicious entities.
- The default is to allow access.
- Blacklisting is threat-centric.
What Are the Pros and Cons of Blacklisting?
One of the biggest pros of the blacklisting approach is its simplicity. It works based on a simple principle — just identify the known and suspected threats, deny them access and let everything else go.
For users, it’s a relatively low maintenance approach. In many cases, your security software or security service provider will handle compiling the list with little need for input from the user.
A blacklist can never be comprehensive, though, since new threats emerge constantly. Every day, the AV-TEST Institute, which researches IT security, registers more than 350,000 new malicious programs and potentially unwanted applications. While keeping up with these threats is challenging, threat information sharing can help make blacklists more effective.
Even with information sharing, it’s easy for security software providers to miss threats simply because there are so many. While blacklisting is effective against known threats, it’s useless against new, unknown threats like zero-day attacks. If your organization is unlucky enough to be the first to be hit with a new kind of attack, blacklisting won’t be able to stop it.
Hackers also sometimes design malware specifically to evade detection by tools that use a blacklist system. They may be able to modify the malware so the blacklist tool does not recognize it as a blacklisted item.
What Is Whitelisting?
Whitelisting tackles the same challenges as blacklisting but uses the opposite approach. Instead of creating a list of threats, you create a list of permitted entities and block everything else. It’s based on trust, and the default is to deny anything new unless it’s proven to be acceptable. This results in a much stricter approach to access control. It’s analogous to denying everyone access to your office building unless they can pass a background check and have the credentials to prove that they did.
If a firewall only allows particular IP addresses to access a network, for instance, it’s using the whitelisting approach. Another example that most people have dealt with is the Apple app store. The company only lets users run apps that Apple has approved and allowed into the app store.
The simplest technique you can use to whitelist applications is to identify them by their file name, size and directory path. The problem with this technique, though, is that hackers could create an app with the same file name and size as the whitelisted app, allowing it to slip into the system. To combat this possibility, you can use a stricter approach, which the U.S. National Institute of Standards and Technology (NIST) recommends. It involves using cryptographic hash techniques and the digital signatures of the manufacturer or developer of each component.
To create a whitelist for the network level, you need to consider all of the tasks that users need to perform and the tools they’ll need to complete them. This network-level whitelist may include network infrastructure, sites, locations, applications, users, contractors, services and ports as well as finer details such as application dependencies, software libraries, plugins, extensions and configuration files. On the user level, a whitelist might include email addresses, files and programs. Using the whitelist approach requires you to consider user activity as well as user privileges.
Organizations can create their own whitelists or work with third parties that typically create reputation-based whitelists and give ratings to software and other items based on their age, digital signatures and other factors.
To sum up:
- Whitelisting involves only allowing access for approved entities.
- The default is to block access.
- Whitelisting is trust-centric.
What Are the Pros and Cons of Whitelisting?
Whitelisting is a much stricter approach to access control than blacklisting, as the default is to deny items and only let in those that are proven to be safe. This means that the risks of someone malicious gaining access to your system are much lower when using the whitelisting approach.
While whitelisting offers stronger security, it can also be more complex to implement. It’s difficult to delegate creating a whitelist to a third party because they need information on the applications you use. Because it requires information specific to each organization, it requires more input from users. Most organizations regularly change the tools they use, which means every time they install a new application or patch an existing one, they need to update their whitelist. Administratively, whitelisting can be more complicated for the user, especially if they have larger, more complex systems.
Whitelisting applications also restrict what users can do with their systems. They can’t install whatever they like, which limits their creativity and the tasks they can perform. There’s also the chance that whitelisting will result in blocking traffic that you want, which is a higher likelihood in some applications than in others.
What Is Graylisting?
Another technique that’s related to blacklisting and whitelisting but less frequently discussed is graylisting, also spelled greylisting. As its name suggests, it’s somewhere in between blacklisting and whitelisting. It’s typically used in tandem with at least one of these two main methods.
A graylist is a list where you can put items which you have not yet confirmed as either benign or malicious. Graylisted items are temporarily banned from accessing your system. After an item ends up in a graylist, you scrutinize it further or gather more information to determine whether it should be allowed or not. Ideally, things do not stay in a graylist for long and quickly move to either a blacklist or whitelist.
How you decide what to do with a graylisted item depends on the kind of entity it is. A security tool might, for instance, prompt the user or a network administrator to make a decision.
One example of the use of graylisting is in email. If a spam filter is unsure of whether to accept a message, it can temporarily block it. If the sender attempts to send the message again within a specified period, then it will be delivered. If not, it will reject the message. The thinking behind this is that most spam comes from applications designed to send spam, not actual users, so they won’t attempt to resend an email if they get a message saying it’s temporarily blocked. A real user, on the other hand, would send the email again.
Which Approach Should You Use?
So, which approach is right for you? Let’s look at when to use each of them and how to use both together.
1. When to Use Blacklisting
Blacklisting is the right choice if you want to make it easy for users to access your systems, and you want to minimize administrative effort. If you value those things more than having the most stringent access control possible, choose blacklisting.
Blacklisting is traditionally the most common approach security teams use largely because when people design systems, they often want as many people as possible to be able to access them. An ecommerce store, for example, would most likely rather risk the occasional fraudulent transaction than block a legitimate customer from making a purchase. If an ecommerce store blocked every customer it didn’t already know, it wouldn’t last very long.
If you want to provide something to the public and maximize the number of people that can use it, blacklisting is typically the best approach.
In short, use blacklisting when:
- You want the public to be able to use a system, such as an ecommerce store.
- You want a less restrictive environment.
- You want to minimize administrative effort.
2. When to Use Whitelisting
If, on the other hand, you want to maximize security and don’t mind the extra administrative effort or limited accessibility, whitelisting is the best choice. Whitelisting is ideal when stringent access control and security are crucial.
Whitelisting works well for systems that aren’t public. If you have an application that only select employees of your company need access to, for example, you could whitelist the IP addresses of their computers and block all other IP addresses from accessing the app.
Additionally, whitelisting can be useful when you want to define what actions an application or service can perform and restrict it from doing anything else. You can accomplish this by whitelisting certain types of behavior. As an example, you might have a computer that you use only to perform one specific task. In a hotel lobby, for instance, you might have a computer that guests can use to log in. You could whitelist the hotel’s website so that it’s the only site guests can access on the device. As another example, you might create a policy that allows a microservice to consume a certain amount of resources or run on a particular host but shuts it down if it tries to use more resources or move to a new host.
It wouldn’t be practical to do this using blacklisting because the number of possible behaviors that you don’t want your application to perform is too high. You can’t predict everything the application might do, but you can define what you want it to do if you only want it to do very specific things.
Use whitelisting when:
- Only a select group of users needs to use a system.
- You want a more controlled environment.
- You don’t mind investing more administrative effort.
3. Using Blacklisting and Whitelisting Together
Often, using blacklisting and whitelisting together is the ideal option. You can use different approaches at different levels of your infrastructure and even use both within the same level.
You might take a blacklist approach, for example, to malware and instruction detection by using security software, but use a whitelist approach to controlling access to the network as a whole. You could also blacklist hosts based on their IP addresses while whitelisting the desired application behavior.
You might also whitelist access to a service based on geographic region by only allowing users from regions where you know real users are located. At the same time, though, you could have a blacklist of malicious users located within those regions. This is an example of using both whitelisting and blacklisting within the same level.
Many organizations use both blacklisting and whitelisting for different parts of their security strategies. For example, controlling access to a computer or an account using a password is whitelisting. Only those with the password are allowed access, and all others can’t get in. Many of those same organizations also run anti-malware programs that use a blacklist of known malware to block harmful programs.
Improve Your Network Security With Consolidated Technologies, Inc.
Controlling access is at the center of network security. Blacklisting and whitelisting are both legitimate approaches to controlling access to your networks and keeping your data secure. The right one for you depends on your organization’s needs and goals.
The experts at Consolodated Technologies, Inc. can help you figure which cybersecurity strategies are best for your organization and provide you with a range of solutions to help you meet your security goals. We offer firewall solutions, network vulnerability assessments, compliance assistance and even comprehensive managed security solutions. To talk with one of our experts about which cybersecurity strategies and solutions are right for you, contact us today.