Could NSA's whitelisting approach to security catch on in government?

This article has been updated to correct a reference to Microsoft's AppLocker.

The National Security Agency aims to improve security on military networks by focusing on allowing approved software applications rather than trying to block malicious apps, NextGov reports.

The practice, application whitelisting, isn’t new, but NSA’s approach is unique in establishing where a downloaded app is allowed to launch, and in allowing it to be launched but not installed, according to NextGov.

In essence, the plan is to require administrator approval before any application can run, and block all others.

Whitelisting has steadily been catching on in security circles — in theory if not always in practice. Its advantage is that it deals with approved apps, rather than trying to blacklist malware that can exploit systems before it has been discovered.

The disadvantage is that it can be difficult to manage, requiring admins to spend time on the approval process and sometimes running counter to user expectations of having control over their systems.

But in recent years, whitelisting has made strides. Toney Jennings, president and CEO of CoreTrace, which sells whitelisting services, told GCN in June that, while not a perfect system, it has become easier to manage and could be worth considering for agencies that want to cut down on the 30 percent of threats that blacklisting routinely lets through.

A December 2010 paper by the SANS Institute examined existing commercial whitelisting tools and how they would defend against most known attacks. The report concluded that whitelisting, like any other security step, was not a cure-all, but it represented the best way to significantly reduce malware in systems.

In 2009, InfoWorld tested six enterprise whitelisting programs, as well as Microsoft’s AppLocker, a feature built into Windows 7, and found that all of them performed well.

NSA’s Information Assurance Directorate details how admins would set up the policy in its document, “Application Whitelisting Using Software Restriction Policies.”

About the Author

Kevin McCaney is editor of Defense Systems. Follow him on Twitter: @KevinMcCaney.

Reader Comments

Tue, Feb 14, 2012

Someone gave a talk recently at the Shmoocon conference discussing how easily bypassed these tools were. How do they plan to mitigate these new techniques as attack vectors are utilized and new ones are found? The talk was called Raising The White Flag.

Tue, Feb 14, 2012

It's amazing how this is a new concept on Windows managed systems. In Unix, all you have to do is split /home to a separate partition for users, and set 'noexec'.
