Data filtering relies on two fundamental techniques to segregate information: blacklisting and whitelisting. Both methods have advantages and disadvantages, and the right choice varies with the specific use case, deployment, information sensitivity, and other policies that mandate the best course of action.
In this blog, we’ll review the various listing techniques, examine methods commonly used in cyber security environments, and explore best practices.
The Dark Side of Blacklist
A blacklist, also called a blocklist, is a method in which the specific items listed are denied access to a network. For example, an organization can decide that its users cannot receive or send executable (*.exe) files as attachments in the corporate email.
Blacklists are used to block pre-defined traffic at many enforcement points, such as hosts, IP addresses, web proxies, DNS servers, email servers, firewalls, application authentication gateways, and more.
Using blacklists for access control has the advantages of being proactive in preventing unauthorized access, effectively blocking known bad actors, and being easy to implement. However, blacklists are not foolproof: legitimate sources can be inadvertently blocked, and the lists require ongoing maintenance to stay up to date with new threats. In a scenario where the CISO or IT admin blocks by policy all *.EXE files from incoming traffic, the policy can be easily bypassed by a simple nesting technique – for example, placing an EXE file containing malicious code inside an innocent-looking Microsoft Office file, which is in turn archived inside a ZIP. The security system scans only the first file layer and, since archive files are allowed by the policy, lets the ZIP into the system. The user then opens the ZIP file, extracts the Office file, and can potentially execute the hidden EXE file inside. To handle such cases, the filter needs a deeper level of nested-content inspection.
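The following added example (not FileWall's or odix's code) shows why nesting defeats an extension-only blacklist and what deeper inspection looks like: it builds a constructed ZIP that contains a .docx (itself a ZIP package) holding a file with a PE "MZ" header, and scans each layer by magic bytes rather than by file name. The sample payload is a constructed byte string, not an executable.

```python
import io
import zipfile

# Magic bytes of a Windows PE executable ("MZ"); checked instead of the file
# extension so that renaming the payload does not defeat the filter.
PE_MAGIC = b"MZ"
MAX_DEPTH = 8  # guard against endless nesting / decompression bombs


def scan_bytes(data, path="", depth=0):
    """Return a list of nested paths (outer/inner/...) that contain a PE image.

    Any member that is itself a ZIP container (plain .zip, but also .docx,
    .xlsx, .pptx, which are ZIP packages) is opened and scanned recursively.
    """
    findings = []
    if data[:2] == PE_MAGIC:
        findings.append(path)
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            inner = zf.read(info)
            findings.extend(scan_bytes(inner, f"{path}/{info.filename}", depth + 1))
    return findings


def build_nested_sample():
    """Constructed test input: ZIP -> 'report.docx' (a ZIP) -> embedded file
    with a PE header and a harmless-looking name. Not a real executable."""
    payload = PE_MAGIC + b"\x90\x00" + b"constructed sample data, not real code"
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/embeddings/oleObject1.bin", payload)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("report.docx", docx.getvalue())
    return outer.getvalue()


def extension_filter_blocks(filename, blocked=(".exe",)):
    """The naive policy from the text: decide on the outer file name only."""
    return filename.lower().endswith(blocked)


if __name__ == "__main__":
    sample = build_nested_sample()
    print("extension policy blocks attachment.zip:", extension_filter_blocks("attachment.zip"))
    print("nested scan findings:", scan_bytes(sample, "attachment.zip"))
```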
Whitelisting: An Inclusive Guestlist
A whitelist, also called an allowlist, blocks all traffic by default and allows only the specific items included in the list. The whitelist is a list of trusted users, devices, file types, or any other parameter that are granted access, while everything else is blocked by default.
Whitelists offer the advantages of being highly selective, providing enhanced security, and remaining effective against new threats. However, managing and updating whitelists can be time-consuming, and there is a potential for false positives if legitimate sources are not included. Overall, the choice between blacklisting and whitelisting depends on the specific needs and requirements of the system being protected.
Graylisting: Exactly One Shade of Gray
Greylisting is a less aggressive approach compared to blacklisting. Items on a greylist are not confirmed as safe or harmful and are temporarily blocked from the system for further analysis. Once their safety status is determined, they are either moved to the blacklist or the whitelist. Greylisting is commonly used in email security to combat spam by temporarily rejecting emails from unrecognized sources. This method effectively filters out most spam while allowing legitimate emails to pass through.
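As an added illustration (not part of the original post) of the email greylisting described above, the following Python class makes the temporary-reject decision for an inbound SMTP delivery attempt. It keys on the usual (client IP, sender, recipient) triplet; the delay and retention values are assumed, not taken from any product.

```python
import time

TEMP_FAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


class Greylist:
    """Greylisting decision for an inbound SMTP delivery attempt.

    An unknown triplet is temporarily rejected; a retry after `min_delay`
    seconds (but within `max_wait`) is accepted and the triplet is then
    trusted for `trust_ttl` seconds. Legitimate MTAs retry on a 4xx reply,
    most spam engines do not. All timing values are assumptions.
    """

    def __init__(self, min_delay=300, max_wait=4 * 3600, trust_ttl=35 * 86400):
        self.min_delay = min_delay
        self.max_wait = max_wait
        self.trust_ttl = trust_ttl
        self.pending = {}   # triplet -> first-seen timestamp
        self.trusted = {}   # triplet -> last-accepted timestamp

    def decide(self, client_ip, sender, recipient, now=None):
        now = time.time() if now is None else now
        key = (client_ip, sender.lower(), recipient.lower())
        last = self.trusted.get(key)
        if last is not None and now - last < self.trust_ttl:
            self.trusted[key] = now          # refresh the trusted entry
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > self.max_wait:
            self.pending[key] = now          # new (or stale) triplet
            return TEMP_FAIL
        if now - first < self.min_delay:
            return TEMP_FAIL                 # retried too quickly
        del self.pending[key]
        self.trusted[key] = now              # retry looked like a real MTA
        return ACCEPT
```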
Gradiating list for Microsoft 365
Most security systems designed for Microsoft 365 environments use the blacklist method and do not include whitelist capability. Analyzing FileWall’s (odix’s native SaaS security system for Microsoft 365 business applications) traffic demonstrates a clear advantage for implementing whitelisting practices. Threat actors are now using OneNote attachments in phishing emails to distribute remote access malware, which can result in various malicious activities. Unlike Word and Excel, OneNote does not support the macros that threat actors previously used to install malware. Instead, they attach malicious VBS (Visual Basic Script) files to OneNote pages, and the script executes when the user double-clicks it. OneNote displays a warning when opening attachments, but users often ignore it and click “OK,” leading to malware execution. Implementing effective whitelisting and blacklisting practices can be part of a cybersecurity strategy to block or restrict access to known or suspected malicious file formats, including OneNote attachments.
To make the most of your blacklisting/whitelisting strategy, it is recommended to follow these best practices:
- Use built-in application whitelisting technologies in the host operating system for cost-effective and easy management.
- Test prospective application whitelisting technology in monitoring mode before deployment to ensure proper configuration.
- Choose products with sophisticated whitelisting attributes such as digital signature/publisher and cryptographic hash techniques for enhanced effectiveness.
- Consider implementation and operational costs when selecting and managing a whitelist solution for optimal security posture.
FileWall allows three levels of content filtering with whitelist capabilities as part of its File Type Filtering for commonly used files over Microsoft 365 business applications, including Exchange Online, Teams, OneDrive, and SharePoint. Sign up for a 30-day free trial here.