CYBER WATCH

burden on networks to distribute signatures and also on platforms to perform scanning. Scanning each and every file is neither feasible nor effective. In July 2009, Robert Vamosi of CNET reported that Norton will also follow a risk-based approach in 2009 with their products, creating a trust index that will be used to judge how often files are scanned. Blacklisting only has a future as a primary security defence if we can actually find ways to do less of it and still retain a low false-positive rate. But this sounds like squaring the circle.

Rather than attempting to determine if an arbitrary file (e.g., executable) is malicious based on signatures or other criteria, whitelisting creates approved copies of software and simply checks whether the current copy of a binary is the same as its approved copy. Software not on the approved list is blocked from running, period. The point of whitelisting is not to prevent insecure software from being unintentionally loaded onto desktops through an authorized software distribution process, but to prevent software (whether secure or no) from being loaded on your desktop in an unauthorized manner. Whitelisting makes sure the assumed good software stays good, and keeps out the unknown and potentially malicious software. In essence, whitelisting is about maintaining a known software state, and implementing authorized change from one known state to another. Whitelisting, therefore, requires a repository of trusted software.

So while blacklists require a signature database and other contextual information for assessing potential malware, whitelisting also requires a repository for proper functioning. The difference is that whitelisting mainly performs comparisons between software to be executed and its respective repository image (a simple check), while the blacklisting database is used to scan and assess the security of the software in question (a more difficult operation). The size of the whitelist repository grows as a function of the software base supported, while the blacklist database grows in proportion to the amount of known malware. The major vendors agree that we will require blacklisting in some form, but whitelisting may become the new leading actor. Bit9 (a whitelist provider) and Kaspersky (a blacklist provider) have teamed up to provide a hybrid consumer solution, where software is scanned only when it is not present on a whitelist. This is not quite whitelisting as intended, but it represents the first step in a gradual integration, and more importantly, a way to preserve the blacklisting revenue model. One way or another, whitelists will be coming to a desktop near you soon.
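The whitelist check and the hybrid "scan only what is not on the whitelist" model described above, as an added illustration that is not part of the article and not the Bit9 or Kaspersky product code. The repository keys approved copies by path and identifies a binary by the SHA-256 of its contents; the sample binaries, file paths and the "EVIL_MARKER_SIG" blacklist signature are constructed for the demo.

```python
import hashlib
from typing import Dict, FrozenSet

# Verdicts: a file either matches its approved copy, is blocked as unknown (pure
# whitelisting), or, in hybrid mode, is handed to the blacklist scanner instead.
ALLOW, BLOCK, SCAN_CLEAN, SCAN_MALICIOUS = "allow", "block", "scan-clean", "scan-malicious"

def fingerprint(data: bytes) -> str:
    # A binary's identity is the hash of its contents, not its path or file name.
    return hashlib.sha256(data).hexdigest()

class WhitelistRepository:
    """Repository of trusted software: path -> fingerprint of the approved copy."""
    def __init__(self) -> None:
        self.approved: Dict[str, str] = {}

    def approve(self, path: str, data: bytes) -> None:
        # Authorized change: move the known state for this path to a new approved copy.
        self.approved[path] = fingerprint(data)

    def matches(self, path: str, data: bytes) -> bool:
        return self.approved.get(path) == fingerprint(data)

def blacklist_scan(data: bytes, signatures: FrozenSet[bytes]) -> bool:
    # Minimal signature scan: does any known-bad byte pattern occur in the file?
    return any(sig in data for sig in signatures)

def decide(path: str, data: bytes, repo: WhitelistRepository,
           signatures: FrozenSet[bytes] = frozenset(), hybrid: bool = False) -> str:
    """Whitelist check first; the blacklist scanner runs only for files not on the whitelist."""
    if repo.matches(path, data):
        return ALLOW
    if not hybrid:
        return BLOCK
    return SCAN_MALICIOUS if blacklist_scan(data, signatures) else SCAN_CLEAN

def demo() -> Dict[str, str]:
    # Constructed sample binaries and a constructed blacklist signature (not real malware).
    good, unknown = b"MZ\x90\x00calc-v1", b"MZ\x90\x00unknown-tool"
    sigs = frozenset({b"EVIL_MARKER_SIG"})
    repo = WhitelistRepository()
    repo.approve("C:/Windows/System32/calc.exe", good)
    return {
        "approved": decide("C:/Windows/System32/calc.exe", good, repo),
        "tampered": decide("C:/Windows/System32/calc.exe", good + b"-patched", repo),
        "unknown_pure": decide("C:/Tools/unknown.exe", unknown, repo),
        "unknown_hybrid": decide("C:/Tools/unknown.exe", unknown, repo, sigs, hybrid=True),
        "bad_hybrid": decide("C:/Tools/unknown.exe", unknown + b" EVIL_MARKER_SIG", repo, sigs, hybrid=True),
    }
```

Note that a modified copy of an approved binary is blocked exactly like an unknown one: the repository compares content, so a patched file at the approved path no longer matches its known state.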

Brent MacLean is the founder and CEO of J.B. MacLean Consulting (www.jbm.net) and Canadian Intelligence Solutions. He has more than 22 years of experience in network, security, and infrastructure design and troubleshooting.

WWW.SECURITYMATTERSMAG.COM

MAY/JUNE 2010 • SECURITY MATTERS 11