Application Whitelisting (AWL) is one of the top cyber intrusion mitigation strategies. Implementing AWL lowers the probability of CryptoLocker and other ransomware infections to almost zero.
7. A surprising number of administrators consider simply installing antivirus software to be enough to provide reliable protection from malware. Unfortunately, defenses such as antivirus programs are often ineffective because of the "blacklisting" technology they use.
8. In fact, blacklisting and whitelisting are both designed to prevent malware from running.

Blacklisting
- Considers everything allowed to be launched by default
- Only prevents known threats from being launched
- Example: antivirus software

Whitelisting
- Considers everything prevented from launching by default
- Only permits launching previously approved software
- Example: AppLocker policies
9. Application Whitelisting Configuration Example
- Everything from the Windows folder is permitted to launch
- Everything from Program Files is permitted to launch
- Everything signed by Microsoft or Adobe is permitted to launch
- Three Line-Of-Business application hashes are permitted to launch
- Everything else is prohibited
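The configuration on this slide expressed as an AppLocker EXE rule collection, as an added example that is not part of the presentation or its downloadable scripts. The three line-of-business paths in $lobApps and the Adobe publisher string are assumptions (placeholders) and must be replaced with values from your own environment; the policy is left in AuditOnly mode so it can be reviewed before enforcement.

```powershell
# Added example, not from the presentation: builds the EXE rule collection described on
# the slide. Assumptions (placeholders, adjust to your environment):
#   - the three line-of-business executables live at the paths in $lobApps
#   - publisher strings come from the certificate subject of a signed file; confirm them with
#     (Get-AppLockerFileInformation -Path <signed file>).Publisher before relying on them
# Requires an elevated session on a Windows edition that supports AppLocker.

$lobApps = @(                         # ASSUMED paths of the three LOB applications
    'C:\LOB\App1\App1.exe',
    'C:\LOB\App2\App2.exe',
    'C:\LOB\App3\App3.exe'
)
$workDir = Join-Path $env:TEMP 'awl-example'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# S-1-1-0 is the SID for Everyone; %WINDIR% and %PROGRAMFILES% are AppLocker path variables.
# There is no explicit "deny everything else" rule: once the collection is enforced, any file
# not matched by an Allow rule is blocked. Path rules are only as safe as the ACLs on those
# folders, so users must not be able to write into them.
$basePolicy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow Microsoft-signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow Adobe-signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=ADOBE INC., L=SAN JOSE, S=CALIFORNIA, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
# The Adobe PublisherName above is an ASSUMED value; take the real one from a signed Adobe file.
$basePath = Join-Path $workDir 'base.xml'
$basePolicy | Set-Content -Path $basePath -Encoding UTF8

# Hash rules for the LOB applications are generated from the files themselves, so each rule
# carries the hash of the exact binary that was reviewed (not a path that could be replaced).
$hashPath = Join-Path $workDir 'lob-hashes.xml'
Get-AppLockerFileInformation -Path $lobApps |
    New-AppLockerPolicy -RuleType Hash -User Everyone -RuleNamePrefix 'LOB' -Xml |
    Set-Content -Path $hashPath -Encoding UTF8

# Dry run against executables in the current user's Downloads folder: anything reported as
# Denied would be blocked once EnforcementMode is changed to Enabled.
$candidates = (Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe -Recurse -ErrorAction SilentlyContinue).FullName
if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $basePath -Path $candidates -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Apply both fragments to the local policy; the hash rules are merged into the base rules.
Set-AppLockerPolicy -XmlPolicy $basePath
Set-AppLockerPolicy -XmlPolicy $hashPath -Merge
```

Switching EnforcementMode from AuditOnly to Enabled is the last step and should only follow the audit period described later in the deck; the Application Identity service must be running for any of the rules to take effect.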
10. What Application Whitelisting really is, and what it is not
- It prevents viruses and trojans from being launched from a hard disk or USB flash drive, but it neither stops you from saving a virus to a disk nor searches for or removes viruses from it;
- It prevents viral modules from launching automatically from a user profile, but it does not prevent exploit scripts from running within legitimate software, such as Microsoft Excel;
- It prevents exploits from being launched from a disk, but it does not stop an attacker from exploiting unpatched flaws in your system;
- It prevents unlisted software from running, but it does not stop you from manually adding malware to a whitelist;
- It prevents unwanted software from being launched by a user, but it does not stop the user from downloading it.
12. Challenge #1: Cultural Readiness
- Management engagement. Senior leaders must see the value of AWL as a core doctrine, not as an additional security restriction;
- Many companies do not restrict individuals from installing software. AWL limits who can install programs. Be ready for complaints and requests for exclusions from users;
- Many companies do not limit what software can be installed. Not all the software that users find useful or convenient will be allowed, and many users may want to keep the status quo because of that;
- In most cases, AWL represents a cultural shift and new operational realities for the IT workforce. AWL requires a particular level of discipline from IT to enforce it.
13. Challenge #2: Process Readiness
- The company must maintain a reasonably accurate software inventory and have knowledge of specialized applications, network processes and operational requirements;
- A standardized application authoring procedure should be established; the existing OS image and application distribution framework may then be involved;
- AWL requires the ability and experience to implement and roll back changes incrementally across the enterprise;
- Clear communication mechanisms between users, IT support and AWL project managers must be established.
14. Challenge #3: Technical Readiness
- The company must have enough resources to manage the project implementation in a timely manner. AWL requires the availability of a skilled IT Pro workforce;
- Seamless AWL implementation requires preparation, such as a reasonably long audit of currently used applications, especially ones that are rarely executed;
- An appropriate AWL methodology must be chosen, taking into account the supported OSs and application feature requirements;
- Additional licensing costs for third-party solutions may apply.
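One way to run the audit of currently used applications that this slide calls for, as an added example that is not part of the presentation or its downloadable scripts. It reads the AppLocker event log on the local machine and lists every executable that ran but would have been blocked, sorted so that rarely executed applications come first. It assumes the EXE rule collection has been in AuditOnly mode for the audit window and that the Application Identity service is running; the output path under $env:TEMP is an arbitrary choice.

```powershell
# Added example, not from the presentation: summarises AppLocker audit events so that rarely
# executed applications surface before enforcement is switched on.
# Event 8003 = file ran but would have been blocked under enforcement (audit mode);
# event 8004 = file was blocked. Run elevated; assumes AuditOnly mode during the window.

param([int]$Days = 30)   # audit window; the slide recommends a reasonably long one

$filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Each AppLocker event carries its details in UserData/RuleAndFileData rather than in the
# message text, so parse the event XML instead of scraping the message.
$records = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time     = $e.TimeCreated
        EventId  = $e.Id
        User     = $data.TargetUser
        FilePath = $data.FilePath
        Fqbn     = $data.Fqbn       # publisher\product\binary\version for signed files, '-' otherwise
        FileHash = $data.FileHash
    }
}

# One row per file; ascending run count puts the rarely executed applications at the top,
# which are exactly the ones a short audit would miss.
$summary = $records | Group-Object FilePath | ForEach-Object {
    [pscustomobject]@{
        Runs     = $_.Count
        FilePath = $_.Name
        Users    = ($_.Group.User | Sort-Object -Unique) -join ', '
        LastSeen = ($_.Group.Time | Measure-Object -Maximum).Maximum
        Signed   = [bool]($_.Group[0].Fqbn -and $_.Group[0].Fqbn -ne '-')
        Fqbn     = $_.Group[0].Fqbn
    }
} | Sort-Object Runs, LastSeen

$summary | Format-Table Runs, LastSeen, Signed, FilePath -AutoSize

# Hand the rare ones to whoever owns the software inventory: signed files can usually get a
# publisher rule, unsigned ones need a hash rule (or a decision that they stay blocked).
$report = Join-Path $env:TEMP 'awl-rare-candidates.csv'   # arbitrary output location
$summary | Where-Object Runs -le 3 | Export-Csv -Path $report -NoTypeInformation
"Wrote $(($summary | Where-Object Runs -le 3).Count) rarely executed candidates to $report"
```

Run it periodically over the whole audit period rather than once: an application that is executed quarterly only appears in the log the quarter it runs, and a file that shows up with Signed = False should be checked against the software inventory before a hash rule is written for it.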
18. Addendum: PowerShell Scripts
Download the PowerShell scripts and other files used in this presentation from the following sources:
http://blog.windowsnt.lv or https://srp.windowsnt.lv
Send AWL-related questions or comments to:
peter@optimalsolutions.lv or peter@windowsnt.lv