Whitelisting explained: How it works and where it fits in a security program (2023)

Whitelisting locks down computers so only approved applications can run. Is the security worth the administrative hassle?

By Josh Fruhlinger

Contributing writer, CSO

Whitelist meaning and definition

Whitelisting is a cybersecurity strategy under which a user can only take actions on their computer that an administrator has explicitly allowed in advance. Instead of trying to keep one step ahead of cyberattackers to identify and block malicious code, IT staff compile a list of approved applications that a computer or mobile device can access. In essence, the user has access to only a limited set of functionality, and what they can access has been deemed safe by the administrator.

Whitelisting is a fairly extreme lockdown measure that, if implemented properly, can keep many cybersecurity problems at bay. However, it can be quite inconvenient and frustrating for end-users, requires careful implementation and proper ongoing administration, and isn't a foolproof barrier to attacks.

Whitelist vs. blacklist

A blacklist is a slightly more familiar concept — a list of things that are dangerous and need to be blocked from the machines you're trying to protect. Many antivirus and anti-malware programs are, essentially, blacklists: they include a list of known malicious code, and automatically leap into action when those programs are detected on the protected computer. Blacklists have a fairly obvious disadvantage in that they need to be constantly updated to stay ahead of the latest attacks. By definition, antivirus software can't protect you against a zero-day attack.

A whitelist is the inversion of a blacklist. If you've implemented a whitelist, you've essentially blacklisted everything out there in the universe except the stuff that's on your list. At first blush, this seems to make security a snap: you don't have to worry about new malicious code emerging as a threat to your infrastructure because the only things your machines can access are things you already know are safe.

But there are drawbacks to whitelisting too that should be pretty obvious. For one thing, it restricts the users' freedom to use their machines the way they want (and generally people think of their work computers as "their" machines, since they sit in front of them eight hours a day). There's also quite a bit of work that needs to be put into building a whitelist; after all, while a blacklist of known malware and attack sites can be put together by a vendor for widespread use, every organization's whitelist of the programs they need to use will probably be unique. And there are of course ways that wily attackers can "put themselves on the list."

Application whitelisting

In general, the kind of whitelisting we've been talking about so far is application whitelisting — that is, only allowing a certain set of applications to run on the protected computer. (The term has a somewhat different meaning when it comes to email or IP addresses, which we'll discuss at the end of the article.) The National Institute of Standards and Technology (NIST) has a guide to application whitelisting, and while it's a few years old at this point, it's still a great introduction to the topic. It goes in great depth on a number of topics; we'll touch on the basics here.

What threats does whitelisting fight? Application whitelisting is a great defender against two different kinds of security threats. The most obvious is malware: malicious software payloads like keyloggers or ransomware won't be able to execute if they're not on the whitelist. But that's not the only benefit; whitelisting can also be a tool to fight "shadow IT." End users or individual departments may try to install programs on their computers that are insecure or aren't properly licensed. If those apps aren't whitelisted, the rogue departments are stopped in their tracks, and IT will be informed about the attempt.

How do you create an application whitelist? There are two different approaches here. The first is to use a standard list, supplied by your whitelist software vendor, of applications typical for your type of environment, which can then be customized to fit. The other is to have a system that you know is clear of malware and other unwanted software, and scan it to use as a model for a number of other machines. The second method is a good fit for kiosks or other public-facing devices, which run a limited set of applications and don't require much by way of customization.

How does whitelisting software distinguish between unapproved and approved applications? The NIST guide breaks down the various attributes that can be used for this purpose:

  • The file name
  • The file path
  • The file size
  • A digital signature by the software's publisher
  • A cryptographic hash

Which attributes should be used and how much weight should be given to each is key to the art of whitelisting. For instance, if your whitelisting software allows any application with a specified file name or in a specified folder to execute, then all a hacker has to do to bypass that protection is to place malware with that file name in the permitted location. Specifying a precise file size or requiring a check against a cryptographic hash makes it harder to trick the whitelisting software, but this information would have to be updated in the whitelist every time the application file changes — whenever it's patched, for instance. And if patching is deferred because it potentially interferes with the whitelisting software, that can itself open up security holes.
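The trade-off between rule attributes, and the "scan a known-clean system" approach to building the list described earlier, can be seen side by side in the following added example, which is not from the article or from any whitelisting product. The file names, directory layout and the two rule modes are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Collect the content attributes a whitelist rule can match on."""
    data = path.read_bytes()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def build_baseline(root: Path) -> dict:
    """Scan a known-clean tree; key each file by its path relative to root."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def is_allowed(root: Path, candidate: Path, baseline: dict, mode: str) -> bool:
    """'path' trusts name and folder only; 'hash' also checks size and SHA-256."""
    entry = baseline.get(candidate.relative_to(root).as_posix())
    if entry is None:
        return False  # default deny: anything not on the list is blocked
    return mode == "path" or fingerprint(candidate) == entry


def demo() -> dict:
    """Constructed scenario: approve one file, then change its bytes in place."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "bin" / "report-tool"  # hypothetical approved program
        app.parent.mkdir()
        app.write_bytes(b"approved build 1.0")
        baseline = build_baseline(root)  # the scan of the clean reference system
        out = {"clean/path": is_allowed(root, app, baseline, "path"),
               "clean/hash": is_allowed(root, app, baseline, "hash")}
        # Same name and folder, different bytes. A vendor patch and a swapped-in
        # file are indistinguishable to a rule that never looks at content.
        app.write_bytes(b"different contents 2.0")
        out["changed/path"] = is_allowed(root, app, baseline, "path")
        out["changed/hash"] = is_allowed(root, app, baseline, "hash")
        extra = root / "bin" / "unlisted-tool"  # never scanned, so never approved
        extra.write_bytes(b"not in baseline")
        out["unlisted/path"] = is_allowed(root, extra, baseline, "path")
        return out


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:14} {'allow' if allowed else 'block'}")
```

The changed file passes the path rule and fails the hash rule, which is both the protection and the maintenance cost: a legitimate patch is blocked until the baseline is rebuilt.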

And as NIST points out, full-on applications aren't the only potential threat to a computer. Whitelisting software needs to keep on top of various libraries, scripts, macros, browser plug-ins, configuration files, and, on Windows machines, application-related registry entries. Different vendors can deal with these with varying levels of granularity. Some whitelisting software can also whitelist specific behavior from even approved applications, which can come in handy if hackers manage to hijack them. And whitelisting software should also integrate with the permissions structure of your operating system, whitelisting applications for some users (like administrators) but not others.

Whitelisting best practices

How can you make sure to get the most out of whitelisting? Follow these tips:

  • NIST advises that you roll out whitelisting in phases in your organization to make sure that you don't disrupt enterprise-wide operations if something goes wrong.
  • Spend time making sure you actually get your whitelist correct. A whitelisting program is only as good as the list itself. Think of it as an opportunity to audit what applications your organization has installed across your IT infrastructure — and which ones it really needs. To figure out what goes on the list, you'll want to come up with a whitelisting policy.
  • And don't neglect the maintenance of your whitelist. IT isn't static; some of your software will fall out of use, some will need to be updated in ways that could cause the whitelist to fail to recognize it, and new software will become necessary for your organization to fulfill its mission. This maintenance requires resources; you'll either need to have staff for whom this is part of their duties, or you'll need to pay your vendor for this service, or some combination of the two.

Where whitelisting fits into a security program

Whitelisting isn't a one-size-fits-all tool, and it may not be an ideal endpoint solution for every computer under your purview. Calyptix Security suggests three scenarios where application whitelisting makes sense:

  • On centrally managed hosts connected to other computers
  • On computers in a high-risk environment
  • On laptops or kiosks where users do not have administrative privileges

The truth is that whitelisting isn't a security panacea, and has to fit into a larger security landscape within your organization. You'll still need anti-malware, endpoint protection, and perimeter defense systems to protect computers for which whitelisting isn't appropriate, or to catch what whitelisting misses.

Best application whitelisting software

Most commercial operating systems have some whitelisting functionality built in, including Windows 10 and macOS. App stores, of the sort used to install applications on iOS and Android devices, can be seen as a form of application whitelisting; they ostensibly only allow applications that are certified to be safe. Most mobile management software allows more granular controls.

But there are third-party vendors who offer more powerful or more granular application whitelisting software, which is often rolled into larger offerings or security suites. Popular examples include:

  • AppLocker, a Microsoft offering for its enterprise OS editions
  • BeyondTrust, which has offerings for Mac and Windows as well as Unix-like OSes
  • PolicyPak, which works on on-prem and remote computers
  • Centrify, which emphasizes zero-trust principles across its product suite
  • Kaspersky Whitelist, a collaborative hosted service

Whitelisting e-mail and IP addresses: Variations on the concept

A last note here on two other contexts where you might see the word "whitelist" used in IT security: e-mail and IP addresses. In these areas, whitelisting doesn't have quite the same meaning as it does with application whitelisting: obviously if you only allowed a narrowly defined list of email addresses to contact you, or computers from a specific list of IP addresses to reach your website, you would lose most of the utility of having a website or using email.

In these contexts, "whitelisting" generally means taking manual steps to ensure that a certain IP address isn't blocked from accessing your site by some automated security process, or ensuring that email from a particular sender doesn't go into your spam folder. The latter is of course an obsession of email marketers, who are keen to share instructions on how to whitelist email addresses to make sure that their own email doesn't get deemed spam. The former is a product of overzealous firewalls, which can sometimes result in people being unable to access their own websites.

Josh Fruhlinger is a writer and editor who lives in Los Angeles.

Copyright © 2020 IDG Communications, Inc.

FAQs

What is a whitelist and how does it work?

A whitelist (allowlist) is a cybersecurity strategy that approves a list of email addresses, IP addresses, domain names or applications, while denying all others.

What is a whitelisting process?

Application whitelisting is the practice of specifying an index of approved software applications or executable files that are permitted to be present and active on a computer system. The goal of whitelisting is to protect computers and networks from potentially harmful applications.

What is the function of whitelisting?

A whitelist, allowlist, or passlist is a mechanism which explicitly allows some identified entities to access a particular privilege, service, mobility, or recognition; that is, it is a list of things allowed when everything is denied by default.

What does it mean to be whitelisted?

/ˈwaɪt.lɪst/: a list of people or things that are considered by a particular authority or group to be acceptable and that should be trusted. Compare: blacklist (noun).

Which one is an example of application whitelisting?

A whitelist can also index various components of the approved applications. Some examples, in this case, would be plugins, extensions, software libraries, or configuration files.

What happens when you get whitelisted?

Whitelisted users often get priority or guaranteed access to mint NFTs, avoiding the competition, on-chain traffic, and soaring gas fees. For example, a project may allow only its whitelisted users to mint NFTs anytime within a predefined 48-hour period.

What does it mean to whitelist an application?

An application whitelist is a list of applications and application components that are authorized for use in an organization. Application whitelisting technologies use whitelists to control which applications are permitted to execute on a host.

What does it mean to whitelist a site?

Whitelisting is used to allow access to pertinent and safe websites, which may be considered an alternative to the use of anti-malware software. Regarding emails, a whitelist includes email addresses that are considered acceptable and are therefore not filtered out.

What does whitelist content mean?

Whitelisting is the process of an influencer granting a brand partner advertising permissions to their social media accounts. This allows brands to use the influencer's handle for their ads.

What is the whitelist on my phone?

The whitelist is a list of apps that you can access in Focus Lock mode. For example, you can use Focus Lock mode to lock all of your apps, but still access a variety of apps that you may need to use. With a premium subscription, you may edit your whitelist to include any app you want.

What does it mean to whitelist an email?

To whitelist an email address just means you add them to your approved senders list. This tells your email client that you know this sender and trust them, which will keep emails from this contact at the top of your inbox and out of the junk folder.

How do you get whitelisted?

Here are some strategies to stay 'active' and get yourself on the whitelist:
  1. Stay engaged. Most projects offer a whitelist spot to supporters who are genuinely interested in the project and add value. ...
  2. Invite people. ...
  3. Make fan art. ...
  4. Participate in giveaways. ...
  5. Get in early.
28 Feb 2022

Article information

Author: Clemencia Bogisich Ret

Last Updated: 11/08/2022
