"Application whitelisting is a good idea, because for every environment, there are less items that fall into the "known good" category than bad code that you don't want to run."
This assumption simply isn't true. Data = 1's and 0's = code. There are MORE good files that I want to use than bad that I want to block. If there was some magic bullet that ensured "data" files could never contain executable bits, then I would agree whole heartedly. But, I don't believe such bullet will ever exist. Therefore data = 1's and 0's = code and its up to the whitelisted .exe to interpret them correctly. If there's a chance that said application will make a mistake, then we also need something signature based to block the bad bits. From: Andrew S. Baker [mailto:[email protected]] Sent: Monday, January 31, 2011 12:25 PM To: NT System Admin Issues Subject: Re: Intel developing security 'game-changer' Here are my full thoughts on the subject, as a security mechanism: http://home.asbzone.com/ASB/archive/2010/05/10/it-s-time-to-re-evaluate-host-based-security.aspx No, it is not a panacea, because no security mechanism ever is. Yes, there are drawbacks, but focusing on these technologies will provide a bigger bang for the buck and allow us to mitigate the weaknesses sooner. Either way, your ROI is greater in most scenarios which use whitelisting vs blacklisting. Also, check out the following: http://www.schneier.com/blog/archives/2011/01/whitelisting_vs.html ASB (Find me online via About.Me<http://about.me/Andrew.S.Baker/bio>) Exploiting Technology for Business Advantage... On Mon, Jan 31, 2011 at 12:48 PM, Crawford, Scott <[email protected]<mailto:[email protected]>> wrote: "No one here has suggested panacea" Perhaps not, but that's not my perception. I see lots of statements like "I'm still of the opinion that the only real solution is white-listing. - MBS" Maybe I'm misreading that, but that hints at a panacea and I'm simply saying that it's not. All of your other points - I agree. From: Andrew S. Baker [mailto:[email protected]<mailto:[email protected]>] Sent: Wednesday, January 26, 2011 4:35 PM To: NT System Admin Issues Subject: Re: Intel developing security 'game-changer' No one here has suggested panacea, but consider how effective it would be in a white-listing environment to add most apps to the list in the event of a zero-day to an EXISTING app. You wouldn't have to do anything for an app that wasn't already allowed in your environment. It is akin to the change in firewall rule-set made in ages gone by from Allowed-by-Default to Denied-by-Default. Likewise, look at all the environments that have moved towards some form of locked down user desktop and see how much of a benefit has resulted. Reducing problems by 50-80% off the bat, with little overhead, is always desirable. ASB (My Bio via About.Me<http://about.me/Andrew.S.Baker/bio>) Exploiting Technology for Business Advantage... On Wed, Jan 26, 2011 at 5:03 PM, Crawford, Scott <[email protected]<mailto:[email protected]>> wrote: My point is that neither signatures, nor white-listing are a panacea. The fact that we've been sig based for so long while malware continues to be effective leads many to think that white-listing would solve all our woes. I'm simply saying that many *current* vulnerabilities circumvent a white-list so it can't be a panacea...unless of course you white-list each individual data file. From: Andrew S. Baker [mailto:[email protected]<mailto:[email protected]>] Sent: Wednesday, January 26, 2011 1:55 PM To: NT System Admin Issues Subject: Re: Intel developing security 'game-changer' Just as network anomaly detection devices don't eliminate the use of signatures, whitelisting solutions can still make use of several mechanisms for avoiding bad stuff. It is the complete RELIANCE on signatures that is troublesome. Oh, and btw, I try to avoid Adobe Acrobat altogether. There are plenty of viable alternatives at the moment... ASB (My Bio via About.Me<http://about.me/Andrew.S.Baker/bio>) Exploiting Technology for Business Advantage... On Wed, Jan 26, 2011 at 2:51 PM, Crawford, Scott <[email protected]<mailto:[email protected]>> wrote: Unless you're going to white-list every doc/jpg/pdf/mp3 you're going to open, that's not a panacea either. Documents = 1's and 0's = code. The only difference is what layer its executed at. Assume you white-list AdobeReader.exe. The next time a flaw is found that is exploited through a malformed PDF, it will march right through your white-list. From: Michael B. Smith [mailto:[email protected]<mailto:[email protected]>] Sent: Wednesday, January 26, 2011 1:38 PM To: NT System Admin Issues Subject: RE: Intel developing security 'game-changer' I'm still of the opinion that the only real solution is white-listing. But that raises its own set of issues. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Andrew S. Baker [mailto:[email protected]<mailto:[email protected]>] Sent: Wednesday, January 26, 2011 2:35 PM To: NT System Admin Issues Subject: Re: Intel developing security 'game-changer' Since a whole lot of allegedly legitimate software acts just like malware, they'd have their work cut out for them. Try installing a host-based IPS on your system in monitoring mode, and look at what it would block -- and why. There are certain classes of zero-day that can be blocked by software or hardware. There are others that cannot be, simply because of what passes for functionality these days. Oh, and I agree with Ben and Jonathan... ASB (My Bio via About.Me<http://about.me/Andrew.S.Baker/bio>) Exploiting Technology for Business Advantage... On Wed, Jan 26, 2011 at 1:47 PM, Sean Martin <[email protected]<mailto:[email protected]>> wrote: Most important statement.... "If Intel has hardware technology that can reliably stop zero-day attacks, that would be a huge win in the war against malware," Olds said. "The key is that it's reliable. It has to have the ability to discern legit software from malware. But if they can pull this off, it would give them quite a competitive advantage vs. AMD<http://www.computerworld.com/s/article/9204580/AMD_could_better_fight_Intel_with_new_CEO_>." - Sean On Wed, Jan 26, 2011 at 9:37 AM, David Lum <[email protected]<mailto:[email protected]>> wrote: What say you, Alex, et all. http://www.computerworld.com/s/article/9206366/Intel_developing_security_game_changer_?taxonomyId=85 Hype? David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 503.548.5229 // (Cell) 503.267.9764 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
