
Story: Downadup virus hits PCs at five Sheffield hospitals


Posted by: lumension (Saturday 31 January 2009, 12:37 AM)


What whitelisting can really do for you today!!

Whitelisting is the best way to prevent direct harm to computers from viruses and malware, but comprehensive application whitelisting – like Lumension Security Endpoint Protection Solution that does run on XP systems – offers many more benefits to organisations and the IT environment:

* Increased performance and stability. When only authorised applications can run on a computer, there is far less chance that inappropriately installed programs or hardware drivers will corrupt an operating system. Combined with Lumension Security Vulnerability Management Solution, patches and updates are rolled out in a uniform and approved manner, ensuring that all computers operate on the same release level.

* Control of computer and network utilisation. Computers have an unfortunate tendency to become cluttered with junkware, games, and web software that consume computing resources and network bandwidth. Whitelisting offers a way to keep such programs from interfering with business operations.

* Decreased IT support costs. With no viral attacks to thwart, malware to hunt down, or incompatible applications to invoke the blue screen of death, IT can spend more time and resources on improving operations instead of constantly fixing computers.

* Increased data security and compliance with privacy laws. Preventing programs not on the whitelist from running on any computer obviates the chance for spyware, keyloggers, and sniffers to steal passwords, address books, customer files, or other sensitive data from otherwise physically secure computers. Combined with Lumension Security Data Protection Solution, which prevents sensitive information from leaking out through lost or stolen storage devices, a whitelist creates a strong infrastructure that makes it possible to comply with privacy regulations.

A further benefit to application whitelisting is the ability – and the opportunity – to better understand your IT environment. What applications are your people really running? Which are necessary to your operations? Are you buying more bandwidth than you really need to conduct business? Getting an accurate view of IT usage is the first step in controlling your information and your business.

If a CIO were to dream up a perfect IT environment, it would no doubt be very different from what most organisations have today. It would be a controlled environment with consistent change-control systems. Updates and operating system patches would be rolled out uniformly across a homogenous network. Every computer would have a specific set of applications preinstalled. Users would have no local authority to install, update, or delete applications, drivers, or web plug-ins. Only approved storage devices and media could be used to copy and transport data. In such a tightly regulated computing environment, anti-virus and whitelisting programs might not be needed.

BUT this scenario represents an environment seldom found in the real world – albeit perhaps one that is not as desirable as it may first seem.

A totally locked down computing environment is not only rare – it is unlikely to best meet business needs. A system with complete top-down control loses the flexibility to quickly add and upgrade applications and business systems. In organisations where communication and creativity fly fast and furious, locked-down systems can frustrate and stifle the flow of business. And while such a setup may at first seem convenient for the CIO’s department, it ultimately adds labour-intensive work for system administrators and help-desk operators.

So, what do you live with today? Organisations that start out small, with even smaller IT teams, often by default give users local administrative control of individual PCs. Though such a choice lessens the initial burden on IT, as a company grows those few savvy users are joined by well-meaning users installing rogue applications – sometimes incorrectly – corrupting files and registries in the process.
Or maybe your organisation has inherited an infrastructure with a history of uneven change control, resulting in a mishmash of service packs and application versions, sometimes running on the same computer. Unauthorised applications and preloaded junkware clog hard drives and networks. Malware and viruses continuously creep in through downloads and website visits. The anti-virus software you installed can’t keep up, and you are constantly rebuilding corrupted PCs. Sudden spikes in unauthorised application-generated traffic overload the network at critical times, forcing you to contract for more bandwidth than you really need.

Is this a snapshot of your world? Though your scenario may be slightly better, or worse, the general situation remains the same. You need a way to categorise all the applications on all the computers on your network, and then decide which should be allowed to run.

Whitelisting simply means defining what is “good,” then allowing only good programs and processes to load and execute in memory. Everything not on the whitelist – the virtual blacklist – cannot run. To increase flexibility, especially in the beginning, you can extend the concept of trusted change by implementing a graylist. This permits safe but potentially undesirable programs to run until you decide whether they are really needed.

Whitelisted applications run. Graylisted applications can launch with logging that notifies you when and where they are running. Anything else cannot run at all. Even corrupted or hacked applications on the whitelist are recognised as altered, and prevented from running. Zero-day attacks through malware, worms, and Trojans are automatically prevented from running because they are not on the whitelist, and therefore never get the chance to launch and corrupt.

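An added illustration of the whitelist / graylist / default-deny decision described in the comment above (not Lumension's code and not part of the original post). It assumes programs are identified by the SHA-256 of their file contents, which the comment does not specify; the class name, host names, paths and sample program bytes are constructed.

```python
import hashlib
from collections import Counter

def sha256(image: bytes) -> str:
    # Assumption: a program's identity is its content hash, not its name or path.
    return hashlib.sha256(image).hexdigest()

class ExecutionPolicy:
    def __init__(self, whitelist=(), graylist=()):
        self.whitelist = {sha256(i) for i in whitelist}
        self.graylist = {sha256(i) for i in graylist}
        self.audit_log = []  # (host, path, digest) for every graylisted launch

    def decide(self, host: str, path: str, image: bytes) -> str:
        digest = sha256(image)
        if digest in self.whitelist:
            return "run"
        if digest in self.graylist:
            self.audit_log.append((host, path, digest))  # when and where it ran
            return "run-logged"
        return "block"  # default deny: everything else is the implicit blacklist

    def graylist_usage(self) -> Counter:
        # Number of distinct hosts that launched each graylisted program.
        return Counter(d for _, d in {(h, d) for h, _, d in self.audit_log})

    def resolve(self, image: bytes, needed: bool) -> None:
        # Review outcome: promote to the whitelist, or drop so it is blocked.
        digest = sha256(image)
        self.graylist.discard(digest)
        if needed:
            self.whitelist.add(digest)

# Constructed stand-ins for executable file contents.
PAYROLL = b"payroll-client build 1"
CHAT = b"instant-messenger build 7"

def demo():
    policy = ExecutionPolicy(whitelist=[PAYROLL], graylist=[CHAT])
    results = [
        policy.decide("pc-01", r"C:\Apps\payroll.exe", PAYROLL),
        # Same path, altered contents: the hash no longer matches the whitelist.
        policy.decide("pc-01", r"C:\Apps\payroll.exe", PAYROLL + b" + injected"),
        policy.decide("pc-02", r"C:\Users\a\chat.exe", CHAT),
        policy.decide("pc-03", r"C:\Users\b\chat.exe", CHAT),
        policy.decide("pc-03", r"C:\Temp\x.exe", b"never-seen-before binary"),
    ]
    hosts = policy.graylist_usage()[sha256(CHAT)]
    policy.resolve(CHAT, needed=False)  # decided it is not needed
    return results + [policy.decide("pc-02", r"C:\Users\a\chat.exe", CHAT)], hosts
```

Because the lookup key is the content hash, the altered copy at the whitelisted path is blocked, and the graylist audit log gives the per-host usage view needed to decide whether a program should be promoted or dropped.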

