"It's Not All Black And White" or "Why You Should Switch From Blacklisting To Whitelisting"

I think the title says a lot here: if you want to defend your information systems, you should switch from blacklisting to whitelisting.

But what does that mean?

Most people hear "whitelisting" in terms of CND and think "application whitelisting". But there are so many more places to do it! You hopefully already do outbound whitelisting on your firewall. You aren't really allowing any system to talk out on TCP/3389, right? You do have a DEFAULT:DENY or DENY ANY,ANY down at the bottom of your firewall rules, right?

But have you considered whitelisting outbound web traffic at your proxy as well? Most people think of their web proxy reputation lists as block lists, and for good reason: most of them are incomplete. But did you ever consider using that incompleteness as a defensive measure? If you block unknown websites at your web proxy, you're going to block a huge amount of malicious websites. You're probably thinking to yourself but what about the m…
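To make the proxy point concrete, here is an added example (not code from the original post) of a small egress policy evaluator: the same constructed categorization feed is consulted in blocklist mode, where anything the feed doesn't know passes, and in whitelist (default-deny) mode, where only vetted categories pass and uncategorized hosts are denied. The domains, categories and `decide` function are all assumptions for illustration.

```python
# Added example: blocklist vs. whitelist (default-deny) egress decisions at a
# web proxy. The categorization data below is constructed, standing in for a
# reputation feed; it is deliberately incomplete, as real feeds are.
from typing import Optional, Tuple
from urllib.parse import urlsplit

CATEGORIES = {                     # constructed feed: domain -> category
    "example.com": "business",
    "cdn.example.net": "cdn",
    "updates.example.org": "software-updates",
    "known-bad.example": "malware",
}
BLOCKED_CATEGORIES = {"malware", "phishing", "proxy-avoidance"}
ALLOWED_CATEGORIES = {"business", "cdn", "software-updates"}


def categorize(host: str) -> Optional[str]:
    """Look up the host, then each parent domain; None means uncategorized."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never match a bare TLD
        cat = CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


def decide(url: str, mode: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a URL under 'blocklist' or 'whitelist' mode."""
    host = urlsplit(url).hostname or ""
    cat = categorize(host)
    if mode == "blocklist":
        # Only what the feed already knows to be bad is stopped; unknown passes.
        if cat in BLOCKED_CATEGORIES:
            return "DENY", f"{host} categorized {cat}"
        return "ALLOW", f"{host} categorized {cat or 'unknown'}"
    if mode == "whitelist":
        # DEFAULT:DENY at the proxy: only hosts the feed has vetted get out.
        if cat in ALLOWED_CATEGORIES:
            return "ALLOW", f"{host} categorized {cat}"
        return "DENY", f"{host} categorized {cat or 'unknown'} (default deny)"
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    for url in ("https://example.com/", "https://static.cdn.example.net/a.js",
                "https://known-bad.example/", "https://newly-registered.example/"):
        for mode in ("blocklist", "whitelist"):
            verdict, reason = decide(url, mode)
            print(f"{mode:9} {verdict:5} {reason}")
```

The last URL is the interesting row: a host the feed has never seen is allowed in blocklist mode but denied in whitelist mode, which is exactly the incompleteness working in your favour.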