What is Whitelisting?
Whitelisting is a cybersecurity strategy that approves lists of email addresses, IP addresses, applications, and/or domain names, while denying all others, by default. With whitelisting, a user can only take actions on their computer that an administrator has explicitly allowed in advance, because they have deemed those actions to be safe and secure. Whitelisting is the opposite of blacklisting, where administrators block actions that have been identified as malicious. Whitelisting has its drawbacks, as it limits functionality and may frustrate end users whose freedom to use their devices as they wish is extremely diminished. That said, there are some use cases where certain machines and networks may wish to accept these limitations in order to bolster their security. Types of application whitelists include1:
File and folder attributes:
File path. The file path attribute permits all applications contained within a specified path (directory/folder). This type of whitelist requires strict access controls to prevent files from being added or modified.
File name. The file name attribute must be used with other attributes to be secure, as file names could be easily changed.
File size. The file size attribute should also be used with other attributes, as cyberattackers could craft malicious files to match the size of other approved file sizes.
Digital signature or publisher. A digital signature provides a reliable, unique value for an application file that must be verified by the recipient to ensure that the file is legitimate and has not been altered.
Cryptographic hash. A cryptographic hash provides a reliable, unique value for an application file, as long as the cryptography being used is strong and the hash is already known to be associated with a safe file. Cryptographic hashes are accurate no matter where the file is placed, what it is named, or how it is signed. A cryptographic hash that is updated and/or patched will have a differed hash, which will necessitate adding this new hash to the whitelist. The whitelist will need to be continuously updated with new hashes for new updates, or there will be software vulnerabilities.
- Browser plug-ins
- Configuration files
- Application-related registry entries (on Windows hosts)
Whitelists can also be created for email and IP addresses, when administrators want to ensure that emails are only received from authorized senders, and the network is only accessible to select users.
1 NIST, 2015, “Guide to Application Whitelisting”