Whitelists are Better than Blacklists
By David Dorf on Oct 31, 2008
As any retailer knows, there are 12 requirements in the Payment Card Industry (PCI) regulations. Requirement 5 is "use and regularly update anti-virus software." The problem with running anti-virus on registers is that it consumes precious resources, both CPU cycles and memory. It runs constantly, comparing running processes against the list of known viruses. Plus, to be effective it must be updated very regularly, like daily, since viruses can spread quickly.
But my biggest problem with anti-virus software is that it's reactive and it's an unbounded data set. It's reactive because we must wait for a virus to attack somewhere before the blacklist can be updated. It's unbounded because the size of the blacklist is constantly increasing as more and more viruses are discovered.
Bit9 has solved this by using a whitelist instead of a blacklist. It's not a new idea. Email programs have been using this approach to minimize spam for quite a while, but it's new in the PCI space. Since registers should only be running a limited set of software (e.g. POS, browser, software management, monitoring agents), it's more efficient to simply list what is allowed to run. Anything not previously cleared should be blocked. While this approach doesn't work well for general PCs (because people want the freedom to load their own applications), it's perfect for the store environment.
Now the list is small and unlikely to grow, which means less resource usage and easier management. This approach works by computing a secure hash of anything that tries to execute and checking it against the list to validate it's allowed. (Think active TripWire.) Then whenever the software is updated by an authenticated source, the hash on the list is updated.
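To make the hash-based whitelist concrete, here is a small added example (my own illustration, not Bit9's product or any code from the original post) of the execution policy the paragraph describes: a default-deny list keyed on SHA-256 hashes of the register's known-good executables, and an update path that only replaces a hash when the change carries a valid authentication tag from the update source. The file paths, file contents and the shared update key are constructed sample values, and the HMAC tag stands in for whatever signing mechanism a real deployment would use.

```python
import hashlib
import hmac

# Constructed sample "executables" for a register's allowed software set
# (an assumption for this example; short byte strings stand in for real binaries).
REGISTER_SOFTWARE = {
    "C:/pos/pos.exe": b"point-of-sale application build 1",
    "C:/pos/browser.exe": b"locked-down browser build 7",
    "C:/pos/monitor.exe": b"monitoring agent build 3",
}

# Shared secret between the register and the authenticated update source
# (constructed; a real deployment would use managed keys or code signing).
UPDATE_KEY = b"example-update-key"


def sha256_hex(data: bytes) -> str:
    """Secure hash used as the identity of an executable."""
    return hashlib.sha256(data).hexdigest()


def sign_update(key: bytes, path: str, new_hash: str) -> str:
    """Authenticated source: bind the new hash to its path with an HMAC tag."""
    msg = f"{path}\n{new_hash}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Allowlist:
    """Default-deny execution policy keyed on executable hashes."""

    def __init__(self, update_key: bytes):
        self._hashes: dict[str, str] = {}
        self._update_key = update_key

    @classmethod
    def from_files(cls, files: dict[str, bytes], update_key: bytes) -> "Allowlist":
        """Seed the list from the known-good image of the register."""
        al = cls(update_key)
        for path, data in files.items():
            al._hashes[path] = sha256_hex(data)
        return al

    def size(self) -> int:
        return len(self._hashes)

    def may_execute(self, path: str, data: bytes) -> bool:
        """Allow only if the path is listed AND its current bytes still match."""
        expected = self._hashes.get(path)
        if expected is None:
            return False  # never cleared, so blocked: unknown means denied
        return hmac.compare_digest(expected, sha256_hex(data))

    def apply_update(self, path: str, new_hash: str, tag: str) -> bool:
        """Replace a hash only when the update is authenticated; otherwise ignore it."""
        expected_tag = sign_update(self._update_key, path, new_hash)
        if not hmac.compare_digest(expected_tag, tag):
            return False
        self._hashes[path] = new_hash
        return True


def demo() -> dict[str, bool]:
    """Walk through the cases the policy has to get right; every value should be True."""
    al = Allowlist.from_files(REGISTER_SOFTWARE, UPDATE_KEY)
    results = {}
    pos_path = "C:/pos/pos.exe"
    # 1. Known-good binary runs.
    results["pos_runs"] = al.may_execute(pos_path, REGISTER_SOFTWARE[pos_path])
    # 2. Same path, modified bytes: blocked because the hash no longer matches.
    results["tampered_pos_blocked"] = not al.may_execute(
        pos_path, b"point-of-sale application build 1 + extra")
    # 3. Something never cleared: blocked without needing any signature for it.
    results["unknown_blocked"] = not al.may_execute("C:/temp/unexpected.exe", b"anything")
    # 4. Legitimate update: a new build whose hash is signed by the update source.
    new_pos = b"point-of-sale application build 2"
    new_hash = sha256_hex(new_pos)
    results["signed_update_accepted"] = al.apply_update(
        pos_path, new_hash, sign_update(UPDATE_KEY, pos_path, new_hash))
    results["new_build_runs"] = al.may_execute(pos_path, new_pos)
    results["old_build_now_blocked"] = not al.may_execute(pos_path, REGISTER_SOFTWARE[pos_path])
    # 5. Update tagged with the wrong key: rejected, and the list stays the same size.
    bad_hash = sha256_hex(b"not from the update source")
    results["forged_update_rejected"] = not al.apply_update(
        pos_path, bad_hash, sign_update(b"wrong-key", pos_path, bad_hash))
    results["list_size_stable"] = al.size() == 3
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The two design points worth noting are that the lookup is by path and hash together, so a replaced binary at a trusted path is still blocked, and that the list only changes through `apply_update`, which is why its size stays bounded by the register's actual software set rather than growing with every newly discovered threat.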
This approach should result in extending the life of existing register hardware (since fewer resources are required), less bandwidth usage (fewer whitelist updates), and tighter control over what's allowed to run. I think this is a pretty good step toward meeting PCI requirements.