Cisco Study Shows the Basic Flaw in Whitelisting Solutions
November 10, 2010
Some days you wake up and the world hands you a completely unexpected gift. This morning I found an article on the SC Magazine site that provided statistics from a Cisco survey about employees and IT security policies. Some stats from the article:
- 24% of employees are unaware that IT policies exist.
- 10% said that IT policies are never communicated.
- 32% of employees said that the policy was only communicated once per year.
- 35% of employees that are aware of IT policy said IT does not provide an explanation or rationale for why it exists.
- 20% of employees make a conscious decision to break IT policy because they believe these policies are not enforced.
These statistics do not paint a picture of a well-informed user community. Users do not know the policies, do not understand the policies, or do not understand why the policies exist. The few who do seem to understand them often choose to ignore them willingly.
The most telling statistic indicated that 40% of the employees break IT policy because “they need restricted programs and applications to get their job done”. In other words, they know they are breaking policy but make the decision to willingly do so and feel justified because they feel it is critical to their jobs.
So why is this study a gift for me? I am frequently asked to contrast and compare Triumfant and our capabilities against whitelisting tools. I have a good answer, and while I normally become extremely animated about the subject and speak in authoritative tones, I did not have hard evidence to fully back up my position. Until now.
You see, whitelisting sounds really smart and effective in explanation, and it is often cited as an alternative to signature-based tools and their falling malware detection rates. There are animated claims about its effectiveness against zero-day attacks, the advanced persistent threat, rootkits, and the cough due to cold.
If you dig deeply past all of the hype, you will find that whitelisting tools work in three modes:
- Notify mode will notify the appropriate IT staff if a user installs an application not on the whitelist.
- Warn mode will notify the user that they are installing an unauthorized application and provide them the option to stop the install or proceed.
- Block mode will automatically block the installation of any unauthorized application.
These are not my descriptions – they are from the literature and documentation of the whitelist vendors. They just don’t surface in the sales presentations.
The documentation clearly states that block mode is only available if the environment is locked down. For those environments that have even small degrees of flexibility and some personal-use capability, whitelist solutions only work in warn mode. Their words, not mine.
Therefore, the efficacy of the whitelist solution now rests in the hands of the user of the machine. Yes, the very same users statistically characterized by the Cisco study. The user who likely made a conscious decision to install the program has a one-in-four chance of being completely unaware of IT policies and, if aware of the policies, either does not understand them or is willing to break them. Hardly sounds like a recipe for closing gaps in endpoint security.
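To make the three modes concrete, here is a small allowlist enforcer written for this post as an added example; it is not Triumfant's code, nor any whitelisting vendor's. It identifies executables by SHA-256 hash rather than by file name (a name-only allowlist is defeated by renaming a binary), and the only difference between the modes is what happens when the hash is not on the list. The allowlist, the two sample "binaries" and the user-prompt callback are all constructed for illustration; in warn mode the outcome is literally whatever that callback returns, which is the point of the paragraph above.

```python
"""Toy application allowlist with notify / warn / block enforcement modes.

Added example for illustration only; not code from Triumfant or any vendor.
Binaries, allowlist entries and user answers below are all constructed.
"""

import hashlib
from enum import Enum
from typing import Callable, Iterable, List, Optional, Tuple


class Mode(Enum):
    NOTIFY = "notify"  # log for IT staff; execution proceeds
    WARN = "warn"      # prompt the user; the user decides
    BLOCK = "block"    # refuse anything not on the list


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AllowlistEnforcer:
    def __init__(self, allowed_hashes: Iterable[str], mode: Mode,
                 ask_user: Optional[Callable[[str], bool]] = None) -> None:
        self.allowed = set(allowed_hashes)
        self.mode = mode
        # Hypothetical prompt callback: returns True if the user clicks "proceed".
        self.ask_user = ask_user or (lambda name: False)
        self.audit_log: List[str] = []

    def decide(self, name: str, contents: bytes) -> bool:
        """Return True if execution of `contents` (presented as `name`) is permitted."""
        digest = sha256_hex(contents)
        if digest in self.allowed:
            self.audit_log.append(f"ALLOW  {name} {digest[:12]}")
            return True
        if self.mode is Mode.BLOCK:
            self.audit_log.append(f"BLOCK  {name} {digest[:12]}")
            return False
        if self.mode is Mode.NOTIFY:
            # IT staff get a record, but the program has already run.
            self.audit_log.append(f"NOTIFY {name} {digest[:12]} (unlisted, ran)")
            return True
        # WARN mode: the control's effectiveness is the user's decision.
        proceed = self.ask_user(name)
        self.audit_log.append(f"WARN   {name} {digest[:12]} user_proceeded={proceed}")
        return proceed


# Constructed sample "binaries". Only the first one is on the allowlist.
APPROVED_TOOL = b"MZ\x90\x00 constructed bytes of an approved utility"
IMPOSTOR_TOOL = b"MZ\x90\x00 constructed bytes of something else entirely"
ALLOWLIST = {sha256_hex(APPROVED_TOOL)}


def run_scenario(mode: Mode, user_clicks_through: bool) -> List[Tuple[str, bool]]:
    """Run the same three launches under a given mode and user behaviour.

    Returns (label, permitted) pairs in launch order.
    """
    enforcer = AllowlistEnforcer(ALLOWLIST, mode,
                                 ask_user=lambda name: user_clicks_through)
    return [
        # Approved bytes under their usual name: always allowed.
        ("approved", enforcer.decide("approved.exe", APPROVED_TOOL)),
        # Same approved bytes renamed: still allowed, because we hash contents.
        ("approved-renamed", enforcer.decide("totally_not_approved.exe", APPROVED_TOOL)),
        # Different bytes wearing the approved name: not on the list.
        ("impostor", enforcer.decide("approved.exe", IMPOSTOR_TOOL)),
    ]


def impostor_ran(mode: Mode, user_clicks_through: bool) -> bool:
    """Did the unlisted binary execute under this mode and user behaviour?"""
    return dict(run_scenario(mode, user_clicks_through))["impostor"]


if __name__ == "__main__":
    for mode in Mode:
        for clicks in (False, True):
            print(f"{mode.value:6} user_clicks_through={clicks}: "
                  f"impostor ran = {impostor_ran(mode, clicks)}")
```

Only block mode makes the outcome independent of the user: in notify mode the unlisted program always runs, and in warn mode it runs exactly when the user chooses to proceed. The hash lookup is the easy part; which of the three branches an organization can actually deploy is the hard part, and that is what the Cisco numbers speak to.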
This is not my first rodeo, and I have been dealing with the user community since I helped support a quaint old notion called the "Information Center" back in the early 80s. Since then, every shred of evidence and experience tells me that most users presented with a warning screen from the whitelist tool will blithely blow right past it. Now I have the statistics to back that up.
My contention is that only a small number of organizations are locked down, so most implementations of a whitelist tool can only run in warn mode, which puts critical protection decisions into the hands of the general user population: a population that may not know, may not care, and will likely be perturbed that they get a warning screen at all. These statistics clearly indicate that a non-trivial number of users will circumvent the protection through ignorance, apathy or choice.
So excuse me if I do not jump on the "whitelisting will cure all of your problems" bandwagon. And BTW, the same warning process is employed by the prevalence-based technologies such as Symantec Quorum that Symantec and McAfee are touting so highly. The reliance on the user as part of the protection mechanism is equally flawed.
Triumfant does not rely on the user to make evaluations or give them the option to violate policies. We enforce configurations and policies on a daily basis, and it is an informed administrator that evaluates potential malicious activity and makes the decision to remediate such problems.
So now I have some statistics to support my animated hand waving. Amazing what a little gift like some statistics will do for your day.