Whitelist vs Blacklist

According to Bruce Schneier, there is an argument going on that has raged for years.  “The whitelist/blacklist debate is far older than computers…”  He goes on to talk about physical security, casinos, borders, and finally computers to make his point.

I believe that there really is NO argument, or at least no argument among those who understand that BOTH have their place in a modern network and computer configuration.  Historical arguments aside, what matters to me most as a security practitioner is the presence, availability and suitability to task of the tools required to implement effective security controls. 

Blacklisting is an exclusive technology, listing the people, entities, code, or what have you, that are not permitted beyond the security perimeter.  It requires that the qualifying characteristics (name, description, byte count, checksum, etc.) that will be measured for exclusion are known in advance, and can be checked effectively to deter or prevent access to the restricted zone.  Blacklisting applications by name is a very poor security control.  I’m pretty sure that anyone with half a gram of grey matter can figure out how to bypass a control that only checks the name of an executable in order to make a security decision.

Whitelisting works on the reverse premise.  Being inclusive, it involves measuring the characteristics of something that you have on hand, and excludes all other things that do not match.  This makes it simpler to implement in a computer/network scenario, in most cases.  List the entities and characteristics that ARE allowed within the perimeter, and exclude all else.

The usual implementation involves creating a unique hash value calculated against each executable, and allowing only those executables whose hash values match to be present on other systems.  Less abstractly, I could create a “model” system, consisting of hash values for each of the Operating System files, application executable files, DLLs and any other common files that make up a standard corporate image.  I can also calculate a hash value for that complete system, summarizing its components.  Then, if all of my systems are identically configured, I can compare their system hash values periodically, and look for deviations.  Any deviation from that hash value means that something has changed: there is some other software component present on that system.  If an investigation shows that the deviant software turns out to be acceptable to the organization, I can take a hash value for it, and it can be added to the allowed software whitelist.
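The model-system approach described above, as an added example that is not part of the original post: it builds a per-file hash whitelist for a directory tree, derives one summary hash for the whole system, reports deviations (added, changed, missing files), and shows how an investigated file is approved by adding its hash to the whitelist.  SHA-256 and the file names are this example's own choices; the post names neither.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 of one file, read in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Whitelist for a 'model' system: relative path -> hash for every file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p) for p in sorted(root.rglob("*")) if p.is_file()}

def system_hash(baseline):
    """One summary hash over the sorted (path, hash) pairs: a cheap whole-system comparison."""
    h = hashlib.sha256()
    for rel, digest in sorted(baseline.items()):
        h.update(f"{rel}\0{digest}\n".encode())
    return h.hexdigest()

def compare(baseline, current):
    """Deviations from the whitelist: files added, changed, or missing since the baseline."""
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "changed": changed, "missing": missing}

def approve(baseline, current, rel):
    """After investigation finds a deviant file acceptable, add its hash to the whitelist."""
    return {**baseline, rel: current[rel]}

def demo():
    """Constructed scenario: a two-file image drifts (a DLL changes, an unknown binary appears)."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "app.exe").write_bytes(b"approved application")
        (Path(d) / "helper.dll").write_bytes(b"approved library v1")
        baseline = build_baseline(d)
        before = system_hash(baseline)
        (Path(d) / "helper.dll").write_bytes(b"approved library v2")  # patched in place
        (Path(d) / "dropper.exe").write_bytes(b"unknown executable")   # not on the whitelist
        current = build_baseline(d)
        # Suppose the investigation accepts the new DLL but not the unknown executable.
        accepted = approve(baseline, current, "helper.dll")
        return {"drifted": before != system_hash(current),
                "deviations": compare(baseline, current), "after_approval": compare(accepted, current)}
```

Comparing the summary hash first is what makes periodic checks across many identical systems cheap; the per-file comparison is only needed once a system's summary hash deviates.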

When would you want to use one over the other?  The general rule is to use whichever one has the shorter list of possible entries.  If there are 1 million malware entries, and the organization only uses 50 applications, whitelisting 50 applications, even with 3 potential variants each, is a shorter list to go through and make alerting decisions on.  The shorter the time needed to make a decision, the less likely the user will become frustrated and attempt to circumvent the control.

When would you want to use both?  In the case of malicious sites and malware, I make use of blacklists by using a web-content-filtering technology.  A vendor keeps a database of all known, reported and confirmed websites that host or distribute malicious content.  If a link or process takes me to one of these sites, I will either get a warning, a confirmation message, or a blocked site message in my browser.  If the site is not known and not in the database, my anti-virus software uses a blacklist of MD5 hashes, executable characteristics, and other details to blacklist known malware.  If a piece of malware code is so new that even this list fails to catch it, I have another control, a file integrity checker, that keeps a whitelist of all of the executable and supporting DLL files on my computer.  Should one of these files suddenly change and then attempt to load into memory, the program will pop up a warning.  If I didn’t just finish an update to that file, I can refuse to allow it to load.

Argument?  What argument?  Use the available tools to their best advantage.
