Positive Security: Worth The Work?

New approach requires in-depth systems knowledge, but the payoff is substantial.

Jordan Wiens

September 17, 2008

8 Min Read
Network Computing logo

Think Positive

>> Bit9's Parity is backed by a vast database that allows quick rule creation with a variety of application categories

>> CoreTrace's Bouncer whitelisting offering is based on a centralized management appliance

>> Faronics' Deep Freeze allows software modifications to be undone on reboot; its Anti-Executable blocks unapproved apps at the outset

>> Lumension's Sanctuary Application Control offers whitelisting and script and macro protection

>> Savant Protection's End Point Security Software has a distributed approach that lets it function without a centralized server and database

Positive security, in which it whitelists everything from entire applications down to specific functions before allowing access, sounds extreme. But unfortunately, the desktop environments we know and love prioritize ease of use over security, and we're all feeling the pain: More than half of respondents to our 2008 InformationWeek Analytics Strategic Security poll have been hit by a virus this year, and nearly 30% have been attacked through OS vulnerabilities.

Two forms of positive security worth exploring are application whitelisting and mandatory access control, or MAC.

Instead of letting every program run on a computer by default and trying to stop bad ones after they've caused trouble, whitelisting allows only approved applications to run. The concept can be applied not just to software, but also to the functions that applications are allowed to perform. It's complex and won't stop everything, but with more threats coming online every day, it's an option worth exploring.

MAC, meanwhile, allows much more powerful and granular control compared with the discretionary access control (DAC) methods commonly used to secure today's desktop operating systems. MAC also is more complex than DAC, which is best summarized as allowing or denying access based on identity. A user is either logged in to a privileged account or isn't, and is either a member of a particular group or isn't.

In a MAC environment, a user account may have full control over the user's files, but a mail client run by the same user may have a reduced set of permissions, such as restrictions on which directories it may read or write to. Think about it this way: If your Web browser needs only to execute some libraries or plug-ins, save files to a download folder, and create network connections, why should it have the ability to execute any other binary or access the memory of other running applications?

Configuring and maintaining a positive security model is more expensive than traditional laissez-faire methods, but the benefits of MAC and application whitelisting are beginning to outweigh implementation costs, and the trend toward positive security features and policies is growing, not only in third-party security products, but also in operating systems. In our Strategic Security poll, the practice of reducing software features to essentials made our list of the top half-dozen most effective vulnerability management practices.

InformationWeek Reports

Vendors also are taking small steps: Kaspersky Lab has added application whitelisting vendor Bit9's database into its product. Kaspersky uses this whitelist as an initial check to speed up scanning--not a true positive security model, but it's a start. Among large antivirus vendors, Symantec has been vocal about its desire to migrate to a positive security model, and has started to implement features similar to Kaspersky, including a lockdown mode that prohibits new programs. The application whitelisting market also is expanding (see vendor list, above).

There are problems positive security can't solve, as well as common deployment inhibitors. First, although some mechanisms use positive security models to combat insider threats, the majority of such systems require trusted endpoints, and a sufficiently clued local user can subvert such a system. In addition, positive security models aren't proof against approved applications that have vulnerabilities. These models can help prevent most malicious software from running and limit the scope of a compromise, but malware can still leverage a software vulnerability to infect a system.

The thing to remember is that the vast majority of current threats will fail in an environment with application whitelisting or MAC. A strategy need not be perfect to be worthwhile.

The biggest barrier to positive security is the management cost. In sites with just a few standard desktop builds and relatively static application sets, a positive security strategy makes good sense. Servers, in particular, tend to perform a few specific functions and have access to more critical resources than endpoints. Conversely, it's difficult to implement a positive security program when users can install their own software or require a constantly changing set of apps.



Find out how to make your security dollars go further with our 2008 Strategic Security Study.lurb

Download this InformationWeek Report

>> See all our Reports <<

Note, too, that neither blacklists nor whitelists are static. Blacklists are lists of negative behaviors or objects, typically used as a component of a negative security model, also known as "default-allow," "default-permit," and "the state of the antivirus industry for most of the last two decades." A negative security model blocks only known bad behaviors or objects. The advantage is that new, good objects require no modification to the system. However, blocking new bad objects requires frequent updates.

Conversely, a whitelist is not necessarily synonymous with a positive security model, though the two terms are sometimes used interchangeably.

For example, a whitelist in an antivirus application may refer to specific known-good applications that should always be allowed to run, but that does not necessarily mean the antivirus product uses a default-deny policy. Just because an application employs a whitelist does not mean it uses a positive security model, which specifies a list of good behaviors or objects and blocks all else by default.

Currently, IT departments have three options: They can wait for products from major antivirus players--which are in various stages of integrating positive security; they can purchase stand-alone software with a specific focus; or they can build their own. For many scenarios, positive security requires only the tools built in to commodity operating systems.

Implementing a positive security model on Linux also is easier than you might expect. The most popular mechanism is via the SELinux and AppArmor projects. The latest releases of Ubuntu, Debian, Fedora, and OpenSUSE all support one or the other right out of the box. SELinux and AppArmor offer different mechanisms for implementing MAC, and supporters extol the virtues of each. The deciding factor for most environments will be which is the default in their distribution of choice. Both are more than capable of implementing either a pure application whitelist or additional MAC security features.

The protection offered by broadly deploying one of these projects comes at increased management cost; developing appropriate whitelist policies is a time-consuming process at best, and in locations without strong change controls and with large numbers of base configurations, it might be untenable. Single-function servers (think DNS, DHCP, SMTP) are most easily profiled and protected, and should be the first targets for AppArmor or SELinux.

Windows XP has fewer built-in features for positive security than recent Linux distributions, but XP does provide mechanisms for stronger access control. For example, NTFS offers more granular control over files compared with traditional Unix permissions, and Software Restriction Policies) can enable a default-deny policy for running binaries or libraries. Exceptions may be specified by path, which is less secure; by MD5 hashes; or by specifying approved application publisher digital certificates.

Adding on to these base features from XP, Vista offers Mandatory Integrity Control. This feature underpins the new Protected Mode in Internet Explorer.

With Mac OS X Leopard, Apple introduced mandatory access control features based on the TrustedBSD MAC framework. Unfortunately, we've found the initial deployment better suited for internal testing than for any serious use. Most of the important modules from the original TrustedBSD design are missing, and the policies included for built-in applications are minimal, at best.

Still, the framework has been put in place, and hopefully, future releases will apply more powerful policies, and the interface itself will be made public to third-party developers.

It won't happen overnight, but positive models will play a prominent role in the future of information security. While initial efforts to enumerate positive security models--whether for application behavior or approved applications--meant higher costs, the budget hit will decrease as more products aim to ease the process. In addition, the failure of negative security methods will continue to drive IT groups to demand more robust tools to protect their networks.

And the benefits of positive models go beyond just security. Controlling what software can run on workstations can effectively enforce a wide variety of IT policies. It's time to think positive.

Impact Assessment: Positive Security Models

(click image for larger view)Continue to the sidebar:
NIST Hash Lists Give A Boost To Positive Security On Windows

About the Author(s)

Jordan Wiens

Contributing Technology Editor

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights