To whitelist or blacklist: that is the question.
There are two main approaches to application control: application whitelisting and application blacklisting. With no defined guidelines on which is better, IT admins are often torn when they have to choose between the two. Below, we'll look at the pros and cons of both so you can decide which works best in your organization.
Before we begin, let's look at an analogy to understand how whitelisting and blacklisting works along with how greylisting fits into the picture. Some organizations may station a security guard at their entrance to ensure that only employees with a valid ID are allowed access. This is the basic concept behind whitelisting; all entities requesting access will be validated against an already approved list and will be allowed only if they are present in that list.
On the contrary, employees fired for malpractice are often put on a banned list and are denied entry. Blacklisting works similarly: all entities that might be dangerous are usually put into a collective list and are blocked.
Non-employees who try to gain entry, for example, interview candidates, will fall into the greylist, as they don't form a part of the whitelist or the blacklist. The security guard either allows or denies their entry request based on its authenticity. In a network, the admin usually takes up the role of the security guard and has complete control over everything that enters it.
Blacklisting is one of the oldest algorithms in computer security, and it's used by most antivirus software to block unwanted entities. The process of blacklisting applications involves the creation of a list containing all the applications or executables that might pose a threat to the network, either in the form of malware attacks or simply by hampering its state of productivity. Blacklisting can be considered a threat-centric method.
The obvious benefit of blacklisting is, of course, its simplicity. Admins can easily block only known malicious software and run everything else. This way users will have access to all the applications they require, reducing the volume of admin tickets raised or essential applications being blocked. Blacklisting is a good approach for enterprises that are keen on taking a more relaxed approach to application control.
However, simply blocking everything that is distrusted, even though simple and efficient, might not necessarily be the best approach. Around 230,000 samples of malware are produced everyday, making it impossible for an admin to keep a comprehensive and updated and list of malicious applications. And considering that 30 percent of malware tends to target zero-day vulnerabilities, there's potential a security breach could happen before the affected applications are included in the blacklist.
Unfortunately, in the case of zero-day attacks, enterprises will be left vulnerable regardless of the security system they have in place. The recent hike in targeted attacks determined on stealing confidential data from enterprises is also something admins need to worry about. Predicting and preventing these types of attacks using blacklisting would be ineffective.
Just as the name suggests, whitelisting is the opposite of blacklisting, where a list of trusted entities such as applications and websites are created and exclusively allowed to function in the network. Whitelisting takes more of a trust-centric approach and is considered to be more secure. This method of application control can either be based on policies like file name, product, and vendor, or it can be applied on an executable level, where the digital certificate or cryptographic hash of an executable is verified.
Though blacklisting has been popular in the past, the recent exponential growth in malware suggests it's not effective enough. Whitelisting only allows a limited number of applications to run, effectively minimizing the attack surface. Additionally, building a whitelist is much easier, as the number of trusted applications would definitely be lower when comparing it to the number of distrusted ones. Enterprises that conform to strict regulatory compliance practices can benefit from whitelisting.
As advantageous as whitelisting is, it comes with its set of cons. Building a whitelist may seem easy, but one inadvertent move can result in help desk queries piling up on the admin. Inability to access essential applications would put various critical tasks on halt. Furthermore, determining which applications should be allowed to execute is an intensive process in itself.
As a result, administrators in some cases tend to create overly broad whitelisting rules. This misplaced trust could put the entire enterprise in jeopardy. Another disadvantage is that, while blacklisting can be automated to an extent by using antivirus software, whitelisting cannot function seamlessly without human intervention.
Truth be told, the widely debated topic "Whitelisting vs Blacklisting" has no real answer. Infact, with the advancement in technology and development of application control tools, there's no need to just choose one. Our comprehensive application control tool comes with built-in options to enable both application whitelisting and blacklisting. Enterprises can use these features hand in hand to meet their unique requirements, and leverage the benefits of both simultaneously.
Try Application Control Plus, ManageEngine's application control solution, free for 30 days!