Application whitelisting. Raises the bar against certain threats but no silver bullet


  • Arne Vidström

Publish date: 2012-07-04

Report number: FOI-R--3434--SE

Pages: 25

Written in: English


  • whitelisting
  • antivirus
  • malware
  • patching


Whitelisting has been suggested as a solution to some of the special security problems faced by SCADA (Supervisory Control and Data Acquisition) systems. For various reasons, such systems can be hard to patch, and it can also be problematic to run antivirus software on them and keep it up to date. Whitelisting is mainly about protection against unintended execution of files that may contain malware. Specific whitelisting products may also contain other security features, for example protection against buffer overruns. Such features must not be expected, though, since they are not part of whitelisting itself. Sometimes whitelisting itself will protect against other kinds of attacks too, but that is no more than a positive side effect and nothing to be relied upon. There is also a consensus expectation that whitelisting provides default deny. However, this study shows that default deny is a very simplified picture of reality. A consequence of this is that we should expect future malware to sometimes contain circumvention functionality which exploits vulnerabilities in the whitelisting products themselves. Whitelisting should be regarded as a useful complement to other security solutions. The kind of protection it offers is not enough to replace software patching and antivirus software, though. It is no silver bullet capable of replacing other security solutions.