The phone rings, displaying "Potential Spam," warning of the possible downfall of accepting the call. We also have the option to set specific ringtones for the special people in our lives, so we audibly know immediately who’s calling. For other callers, like the once-a-year important call from our insurance or investment rep, we'll at least add their names so we can see when they ring. And, of course, there are the numbers that we have blocked.
We all have our own personal and individual ways of blocking or allowing callers. Businesses do the same thing, not only with phone numbers but also with assets such as applications and devices.
These are the practices of allowlisting and blocklisting.
What are they?
Allowlisting refers to the practice of creating a list of approved entities, e.g., IP addresses, domains, and applications, that are allowed to access a particular resource or perform a specific action. For example, an organization might create an application allowlist that only permits preapproved applications and processes to run, granting access only to pre-identified files required by those applications.
Blocklisting involves creating a list of entities that are denied access to particular resources or actions. For this example, consider an organization that creates a blocklist of known malicious IP addresses, prohibiting them from accessing its network. Similarly, email addresses associated with spam or phishing attempts would also be blocked from sending messages to a specific email account.
Both allowlisting and blocklisting are effective tools for maintaining security and controlling access to resources. However, it's important to note that neither technique is foolproof, and there are potential drawbacks and limitations to both approaches.
Allowlisting in real Life
Years ago, a major city’s government computers were targeted by sophisticated malware. The malware bypassed the city's existing antimalware and infiltrated the network, potentially stealing sensitive data and compromising critical infrastructure.
The city's IT department implemented a security strategy that included the use of allowlisting by creating a comprehensive list of all the applications and programs allowed to run on the city's computers, blocking everything else.
With this application control strategy, the city prevented the malware from executing on the affected computers, effectively neutralizing the malware, and protecting the city's computers and networks from further attacks.
By taking a proactive approach to security and only allowing approved applications to run, organizations can significantly reduce their risk of cyberattacks and protect critical infrastructure and sensitive data.
Allowlisting does not guarantee 100% prevention. As an example of a potential bypass, Hacking Articles shares that blocklisting can be evaded by tools such as Privesccheck, which “is suitable to be used in the environments where AppLocker or any other Application Whitelisting is enforced.”
Think of a bouncer at a nightclub. Just as a bouncer prevents unwanted guests from entering a nightclub, blocklisting prevents unwanted entities from accessing systems or networks.
Also, just like a bouncer, blocklisting is not foolproof and can be circumvented by determined attackers. However, when used in combination with other security measures, blocklisting can be an effective tool for protecting against known threats, keeping systems and networks secure.
Where does it fit in the security schema?
Something I’ve used and adapted as needed is a puzzle to demonstrate the various pieces involved in information security. It’s more illustrative than exhaustive because the puzzle could easily turn from an 8-piece puzzle into 1,000 pieces. Allowlisting and blocklisting are included in the software restrictions and are part of securing assets such as applications and firewalls.
Allowlists and blocklists play a part in preventing system intrusion and privilege misuse.
For those who use the Center for Internet Security Risk Assessment Method (CIS RAM), these two actions can be cross-referenced to the NIST Cybersecurity Framework (CSF) “Protect” class, where Allowlist Authorized Software, Libraries, and Scripts are noted.
Another example of NIST compliance for allowlists and blocklists is shown in Azure’s built-in NIST SP 800-171 mapping, where is states, “Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run.”
some drawbacks and limitations of allowlisting
While allowlisting can be an effective tool for access control, there are some drawbacks and limitations to consider:
1. Maintenance – One of the biggest challenges with allowlisting is maintaining the list of approved entities. New resources and entities may need to be manually added, an activity that can be time-consuming and requires significant effort.
2. False negatives – Another potential issue with allowlisting is false negatives. Entities that should be allowed access but are not on the allowlist may be denied access, leading to frustration, and potentially impacting productivity.
3. Limited protection against new threats – Allowlisting is a reactive security approach since it only protects against entities that are explicitly approved. This can be limiting in situations where new threats emerge if it takes too much time to identify and approve new entities that need access.
4. Complexity – Allowlisting can be difficult to implement effectively. For example, complex networks make it challenging to create a comprehensive and accurate allowlist that covers all the necessary entities.
Some drawbacks and limitations of blocklisting
1. False positives – One of the biggest challenges of blocklisting is the potential for false positives, which occurs when legitimate entities are mistakenly blocked because they have characteristics that are similar to known threats on the blocklist.
2. Limited effectiveness – Blocklisting can be an effective tool for deflecting known threats, but it’s not always effective against more sophisticated threats. Advanced threats, such as zero-day vulnerabilities, may not be detected.
3. Over-reliance on signatures – Blocklisting often relies on signatures or patterns to identify threats. However, sophisticated threats can easily bypass these signatures by changing their code or behavior.
4. Complexity – As with allowlisting, blocklisting can be complex and difficult to implement effectively, and for the same reasons.
Defense in Depth
When considering their limitations and challenges – and including them with other layers of protection, such as continuous monitoring, risk assessments, and segmentation – allowlisting and blocklisting are highly effective tools for keeping organizations safe.
About the Author:
Ross Moore is the Cyber Security Support Analyst with Passageways. He has experience with ISO 27001 and SOC 2 Type 2 implementation and maintenance. Over the course of his 20+ years of IT and Security, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)2’s SSCP along with CompTIA’s Pentest+ and Security+ certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible/Counseling from Johnson University.
Twitter Handle: @rossamoore
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.