Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Security Operating Systems Software

Is Whitelisting the Answer To the Rise In Data Breaches? 195

Posted by timothy from the none-shall-pass dept.
MojoKid writes "It doesn't take a rocket scientist to figure out that cyber criminals are quickly getting more sophisticated than current security, intrusion detection and prevention technology can defend against. And you have to wonder if the computer security industry as a whole is willing to take the disruptive measures required to address the issue head-on. One way to tackle the surging data breach epidemic is with a technology called "whitelisting." It's not going to sound too sexy to the average end user and frankly, even CIOs may find it unfashionable but in short, whitelisting is a method of locking-down a machine such that only trusted executables, DLLs and other necessary system and application components are allowed to run – everything else is denied. A few start-up security companies are beginning to appear in this space. The idea is to start with a known, clean system installation and then lock it down in that state so absolutely nothing can be changed. If you follow system security, regardless of your opinion on the concept of whitelisting, it's pretty clear the traditional conventions of AV, anti-malware, intrusion detection and prevention are no longer working."
This discussion has been archived. No new comments can be posted.

Is Whitelisting the Answer To the Rise In Data Breaches? More

Is Whitelisting the Answer To the Rise In Data Breaches?

Comments Filter:

  • Licensing and Cert Costs (Score:3, Interesting)

    by Anonymous Coward on Sunday February 09, 2014 @05:30AM (#46201291)
    It's too expensive. If you operate in a Windows environment then you have to use Windows Enterprise to access the functionality (which is expensive) and since code-signing certs are expensive not many devs (including driver devs) use them, meaning, you have to go back to file hashes for individual versions for files that aren't signed. We use these mechanism at my work for high risk workstations and the workload of maintaining them is quite tedious. We just aren't there yet as an industry.

  • Already Possible (Score:5, Interesting)

    by EmperorArthur ( 1113223 ) on Sunday February 09, 2014 @05:41AM (#46201329)

    Newer versions of Linux can already do this. Using the integrity measurement architecture, module signing, and Secure Boot it's possible to have a system where almost any change is detected. I'm currently trying to get it all working on my machine right now, but it's slow going. Here's hoping that distros start shipping with this set up by default. http://lwn.net/Articles/488906... [lwn.net]

    A shorter term security measure that more users/Distributions should take is making the root partition read only. I know Android already does this, but it really does help. Something that I would really like to see is an easy to use per application firewall. Cgroups mean that I don't even have to worry about it just spawning a child process. Yes, I want to play this game in wine. No, I don't want it to access the internet. No, wine refuses to run it as a different user, much less one with lower privileges.

  • Re:Better idea (Score:4, Interesting)

    by Tom ( 822 ) on Sunday February 09, 2014 @06:37AM (#46201511) Homepage Journal

    Because their productivity will higher with a computer, even a restricted one, than pen-and-paper. And if you are talking typical office workers, you would be surprised how few applications they actually need. Most of the office workers in the world spend 99% of their time in

    • an office suite
    • a mail program
    • a browser
    • a single-digit number of job-specific applications (e.g. the accounting software)
    • and maybe a single-digit number of company-specific applications (e.g. the time registration app or the intra-company chat software, etc.)

  • Re:Do it in ROM (Score:5, Interesting)

    by donaldm ( 919619 ) on Sunday February 09, 2014 @07:42AM (#46201711)
    You should always set-up your file-systems in such a way that the OS part is completely separate from user data such that it should be a simple matter to recover or even install and update just the system file-systems. Unix and now Linux has always recommenced this type of layout although you can even do something like this for Microsoft Windows.

    I have Fedora 20 running on my PC's and I make sure I document my system layout, application requirements, customisations and of course my security files which I save. If on the off my system gets compromised I can easily 1) Do a system recovery or 2) Do a fresh install and update without compromising my /home or archive data.

    The fresh install takes me approximately 1 hour then 15 minutes for customisations then about 1 hour for the update although during this time I can fully use the machine. It must be noted that a recovery from backup would most likely take me about 20 minutes for 10 GB to be recovered (over 2000 packages), however if you have been compromised it is usually safer to do a fresh install.

    It is possible to have a read-only system file-system for a Unix/Linux but this would be a stupid idea since you have /var which contain logs and update information that is required to be read/write. Even / (/ and /usr) needs read/write on occasion. The same is true for a Microsoft OS. The best you can do is have a tested disaster recovery plan and surprisingly it need not be that elaborate but you do need to cover most what if's.

  • Comment removed (Score:4, Interesting)

    by account_deleted ( 4530225 ) on Sunday February 09, 2014 @07:54AM (#46201741)
    Comment removed based on user account deletion

Slashdot Top Deals

One man's constant is another man's variable. -- A.J. Perlis

Close