The IT security industry has come to a frank realisation that the current approach to preventing malware is simply not working. Is whitelisting, which is the reverse of our current approach, the answer?
Whitelisting is the process by which only pre-approved applications are able to execute on a network, while unknown and unwanted ones are blocked. It is the opposite of today's approach, by which applications are free to run unless an administrator has moved to block them.
Speaking at the AusCERT 2008 security conference, Graham Ingram, general manager of AusCert (Australian Computer Emergency Response Team), said today's blacklisting approach is simply not working. Defences against malware, he said, can be completely undermined "by the click of a mouse or the enter key of a user".
Scott Charney, vice president trustworthy computing group at Microsoft, said "most people who run machines actually don't know what is executing on their machine".
"I think [whitelists] are a natural progression," said Ingram. "I think the realisation [is] that blacklisting only had a limited life and we're getting towards the end of that."
"I am not so sure that we can get to a place of feeling confident in our infrastructure without doing whitelisting," added John Stuart, chief security officer of Cisco Systems.
While most at the conference agreed that whitelisting is the only available option, the model by which the industry goes about implementing it is the subject of debate.
Security vendor Lumension Security (previously called Patchlink) is hopeful that the problem can be addressed at the application layer, so future security software tools will incorporate the principles of whitelisting.
These tools, according to Andrew Clarke, senior vice president of Lumension Security, would ensure that "if someone is introducing a rogue application into an organisation and it's not on the whitelist and it's not a known good, it won't run."
But Microsoft advocates taking the whitelist concept further.
"We really do need an environment where things cannot execute without the user making certain choices," says Microsoft's Charney. "There are some fundamental engineering changes that have to happen."
Security, says Charney, needs to be built into the "trusted stack" — incorporated not just in software but in hardware.
"We have to start rooting trust in the hardware, because it is easier to manipulate software than hardware," he told ZDNet.com.au. "You'll see more and more hardware-linked functionality like BitLocker in Vista."
BitLocker is a function within enterprise versions of Windows Vista that encrypts the hard disk and only allows it to work on a specific machine. It can also be...
