Why I Have Doubts About Whitelisting – The Reliance on the Carbon Based Lifeform

In 2009, we heard a lot of noise about whitelisting.  Whitelisting vendors, and the companies that bought whitelisting products and added them to their suites, have positioned whitelisting as the panacea for all of our endpoint protection problems.  The noise got so loud you would have sworn whitelisting would cure world hunger, end male baldness, and single-handedly wipe out the national debt.  Throw in the hoopla over community-based prevalence data and it sounded as if we would never see malware on an endpoint again. 

I have been on record as a doubter of these magnificent claims, largely because the tools base a lot of their efficacy on one highly flawed component – the carbon based life form. 

Let me explain.

If you read the vendors' own materials closely, whitelist and prevalence products cannot block bad things unless you lock down your endpoint environment: take away local admin rights and run the tool in enforcement mode rather than a warn-only (audit) mode.  I know there are some organizations that have such an environment, but they are certainly not the norm.  So for the rest of the world, who are not locked down, these tools can only warn.  And who do they warn, you ask?  The end user – the very person who got the machine into trouble in the first place. 

I have a very dear and old friend who told me something that has stuck with me for a very long time:  “remember,” he said with total authority, “half of all people are below average.”  (Note: If you find yourself either thinking too long about that last sentence or finding it really insightful, please call your PC support staff and have your admin rights revoked.)  But cynicism is not enough to prove my point.  Luckily, a new study recently reported in the New York Times provides some real insight into the mind of the end user. 

The article speaks to a study by security vendor Imperva that examined a list of 32 million passwords belonging to users of RockYou (a maker of applications for social networking sites); the list was stolen in a breach and subsequently posted on the Web.  Imperva’s analysis of the data shows that roughly one in five people use easily guessed passwords such as “123456” and “password”.  I would submit that these types will be the first in line to get to places on the web that are dodgy or to fall victim to social engineering.  Gartner analyst John Pescatore has some thoughts about this study from the viewpoint of passwords, but I think the study speaks to the bigger issue of having end users involved with security processes.
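To make the kind of figure quoted above concrete, here is an added example (not Imperva's code, and not from the original post) of the frequency analysis that produces it.  The password list is a small constructed sample with weak entries deliberately over-represented so the arithmetic is easy to follow; the function names and the sample are assumptions for illustration only.

```python
from collections import Counter

# Constructed sample "dump" of plaintext passwords, standing in for a leaked
# list such as the RockYou set.  Not real data: weak entries are over-weighted
# on purpose so the percentages below are easy to check by hand.
SAMPLE_PASSWORDS = (
    ["123456"] * 9
    + ["password"] * 6
    + ["iloveyou"] * 4
    + ["qwerty"] * 3
    + ["princess"] * 2
    + ["Tr0ub4dor&3", "correct horse", "h8%kL!2q", "Mw7#p9zQ", "g4LL0p!ng", "x9v$R2mN"]
)


def password_stats(passwords, top_n=5):
    """Prevalence figures in the style of a leaked-password analysis.

    Returns a dict with:
      total             number of accounts in the list
      most_common       the single most frequent password
      most_common_share fraction of accounts using that one password
      top_n_share       fraction of accounts covered by the top_n passwords,
                        i.e. what an attacker gets with top_n guesses per account
      top_n             the (password, count) pairs themselves
    """
    counts = Counter(passwords)
    total = len(passwords)
    top = counts.most_common(top_n)
    pw, c = top[0]
    return {
        "total": total,
        "most_common": pw,
        "most_common_share": c / total,
        "top_n_share": sum(n for _, n in top) / total,
        "top_n": top,
    }


def online_guess_coverage(passwords, guesses):
    """Fraction of accounts opened by trying a fixed short guess list against
    every account (the low-and-slow attack a weak-password list enables,
    since a handful of guesses per account rarely trips lockout)."""
    guess_set = set(guesses)
    hits = sum(1 for p in passwords if p in guess_set)
    return hits / len(passwords)


if __name__ == "__main__":
    stats = password_stats(SAMPLE_PASSWORDS)
    print(f"accounts analysed: {stats['total']}")
    print(f"most common: {stats['most_common']!r} "
          f"({stats['most_common_share']:.0%} of accounts)")
    print(f"top {len(stats['top_n'])} passwords cover "
          f"{stats['top_n_share']:.0%} of accounts")
    cov = online_guess_coverage(SAMPLE_PASSWORDS, ["123456", "password"])
    print(f"two guesses per account open {cov:.0%} of accounts")
```

On the constructed sample, "123456" alone covers 30% of accounts and the top five passwords cover 80%; on a real dump the single-password share is far smaller (the RockYou figure for "123456" was on the order of 1%), but the shape of the curve is the same: a very short guess list buys a large fraction of accounts, which is why a 20% weak-password rate matters.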

I do not think that it is a reach to believe that users who would pay so little mind to their passwords will blithely skate right past any warning from a whitelist or prevalence tool.  Why stop?  I clicked on it, didn’t I? After all, there is a free iPhone waiting on the other side of that warning screen. 

My cynicism is not just genetic – it is founded on years of hard-won experience.  In the ’80s I spent some of my formative years supporting a wild new idea called the Information Center, where we placed user-friendly (as friendly as any mainframe tool could be) tools into the hands of the end users.  Every Monday morning I spent the first hour of my day resetting scores of passwords for people who simply could not remember their password from the previous Friday.  And I knew easily half had it written on a Post-it note on the monitor. 

If you need further proof simply get on any major road during the morning or afternoon commute.  In spite of warnings that texting makes you more dangerous on the road than being intoxicated to twice the legal limit, I spend my drive dodging people who are clearly engaged in critical text conversations.  Shoot, I saw someone this morning with the newspaper opened on their steering wheel.  If these people don’t care about their physical safety, why would we believe that they can be part of the security process on their endpoint computer? 

And there you have my doubts about whitelisting and prevalence tools.  It would be fascinating to do a study on the reaction of users to warnings from such tools to really support my point, and I am confident what the results would show.  After all, the proof is all around us every day.  Just ask the 1% of people who use “123456” as their password.