Does the Anti-virus industry have "The wrong end of the stick"?
My previous blogs have brought up an interesting debate about white-listing vs. black-listing. To recap, white-listing is the process of explicitly listing what is good and assuming everything else is not. Black-listing is the process of explicitly listing what is bad, and assuming everything else is good.
The Group Policy article concludes that white-listing is the better approach in the case of Software Restriction Policies, and if you have a developer background then the Least Privilege design principle also suggests white-listing is better.
The principle also applies "in the real world", where you need a passport before you can pass through airport security (although countries often also operate a black-list of passports they do not trust).
White-listing examples
· Passports/Driving License/ID Cards
· Security clearance for MOD/DOD
· Software restriction policies
· Credit
· Firewalls
· Operating System File Security
Black-listing examples
· Anti-virus
· Most Website filtering software
· Passports (again)
· Night-club/Bar security
· Police records
· Software restriction policies (again)
· Society in general (innocent until proven guilty)
· Countries
What I want to understand is, fundamentally, are there any criteria to consider before deciding on a white or black listing policy for any given need?
I think so. I think it comes down to:
· Average trustworthiness
· Complexity to implement a black-listing policy
· Complexity to implement a white-listing policy
· Consequences of misplaced trust
Take driving licenses for example:
· How much would you trust the average person with an automobile?
· How difficult would it be to implement a black-listing policy for drivers who cause accidents?
· How difficult would it be to implement a white-listing policy, which requires training and a test in order to obtain a license?
· What happens if we don't train and test people before letting them drive?
My answers would be:
· not very much
· very difficult
· even more difficult
· people may not be able to drive at all and may cause fatal accidents.
Given the first and last answers, driving licenses (a white-listing policy) make sense and overcome the inherent difficulties of a white-listing policy.
Anti-virus and website filtering software work on the assumption that a file or site is good unless the vendor has black-listed it.
Spam filtering software is an interesting one: typically spam filtering has been a black-listing process, but as spam spiralled out of control there were a number of initiatives (some by Microsoft) to move to a white-listing system. Although ultimately the spam problem is about lack of accountability, and out of the scope of this article, most spam filtering today is a mixture of black-listing and heuristics.
Perhaps there should be an anti-virus product for lockdown environments that works on a white-listing principle - for the uber security conscious.
Here is a call for comments: why don't anti-virus companies work in reverse and publish a list of known good software? I suggest that, by using the criteria above, there is a case for a white-listing anti-virus product:
1. Average trustworthiness of software is good.
2. Difficulty of maintaining a black-listing policy: black-listing is a reactive process for anti-virus. As viruses come out, the anti-virus vendors must respond; they have no control over the process.
3. White-listing could be managed proactively, with scheduled submission dates for testing. The AV vendors would not expose their customers to risk if they don't create a virus definition quickly enough.
4. The consequence of not catching a virus quickly enough, of failing to produce a virus definition update, or of the customer failing to download the update, is that the customer could be exposed to malicious code.
This makes a strong case for a white-listing solution, only point 1 defends the existing model.
In addition, consider the following:
· Bad guys don't want their software found. Good guys want everyone to get hold of their programs (usually for commercial reasons).
· IT administrators can simply integrate the list of known good software with their software restriction policy.
· It finally brings anti-virus in line with other white-listing IT security technologies, such as firewalls.
Anti-virus is potentially hit and miss, as there can be a delay between a virus being released into the wild and each anti-virus vendor publishing an update. This is akin to a goal-keeper in soccer (football to us Brits): if you're lucky the goal-keeper will stop the ball (virus); if not, the other guys score.
I suggest the industry needs an all-encompassing solution that works using technologies from software restriction policy, anti-virus and Authenticode to provide a white-listing solution. As more and more businesses and governments run their processes on computers - the risk of malicious software running on some computer systems is just too high for a "goal-keeper" approach to defense.
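As an added illustration (this is example code written for this page, not code from the original post or from any vendor), the following Python sketch puts the two policies side by side on the same set of constructed sample "executables": a deny-list in the anti-virus style (default allow, block only known-bad hashes) and an allow-list in the style of a Software Restriction Policy hash rule (default deny, run only known-good hashes). The file names, byte contents and both hash lists are made up for the example; in a real deployment the hashes would come from the administrator's inventory or a vendor's known-good list.

```python
import hashlib

# Constructed stand-ins for executables. Real SRP hash rules hash the file
# on disk; here a few byte strings play that role so the example runs offline.
SAMPLES = {
    "notepad.exe": b"MZ\x90\x00 constructed known-good editor",
    "notepad.exe (patched build)": b"MZ\x90\x00 constructed known-good editor v2",
    "worm.exe": b"MZ\x90\x00 constructed known-bad worm",
    "worm.exe (one byte changed)": b"MZ\x90\x00 constructed known-bad worm!",
    "newthing.exe": b"MZ\x90\x00 constructed never-seen program",
}


def file_hash(data: bytes) -> str:
    """Identity of a binary for rule matching: SHA-256 of its bytes."""
    return hashlib.sha256(data).hexdigest()


class DenyList:
    """Anti-virus model: everything runs unless its hash is on the bad list."""

    def __init__(self, bad_hashes):
        self.bad = set(bad_hashes)

    def may_run(self, data: bytes) -> bool:
        return file_hash(data) not in self.bad


class AllowList:
    """SRP hash-rule model: nothing runs unless its hash is on the good list."""

    def __init__(self, good_hashes):
        self.good = set(good_hashes)

    def may_run(self, data: bytes) -> bool:
        return file_hash(data) in self.good


def build_policies():
    """Each list knows exactly one sample: the vendor has a definition for
    worm.exe, and the administrator has listed the shipped notepad.exe."""
    deny = DenyList([file_hash(SAMPLES["worm.exe"])])
    allow = AllowList([file_hash(SAMPLES["notepad.exe"])])
    return deny, allow


def decisions(policy, samples=SAMPLES):
    """Map each sample name to the policy's run/block decision."""
    return {name: policy.may_run(data) for name, data in samples.items()}


if __name__ == "__main__":
    deny, allow = build_policies()
    for label, policy in (("deny-list (anti-virus model)", deny),
                          ("allow-list (SRP hash-rule model)", allow)):
        print(label)
        for name, ok in decisions(policy).items():
            print(f"  {'RUN  ' if ok else 'BLOCK'} {name}")
```

Running it shows both halves of the argument above. The deny-list blocks worm.exe but lets the one-byte variant and the never-seen newthing.exe run: that is the goal-keeper gap between release and definition update. The allow-list blocks both of those without needing a definition at all, but it also blocks the patched build of notepad.exe until somebody re-lists it, which is the "complexity to implement a white-listing policy" cost. In Software Restriction Policies that cost is normally reduced by using certificate rules (Authenticode publisher identity) alongside hash rules, so that a signed update from a trusted publisher does not need a new hash entry.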