Whitelists are Better than Blacklists

As any retailer knows, there are 12 requirements in the Payment Card Industry Data Security Standard (PCI DSS). Requirement 5 is "use and regularly update anti-virus software." The problem with running anti-virus on registers is that it takes precious resources, both CPU cycles and memory. It runs constantly, comparing files and running processes against signatures of known viruses. And to be effective its signatures must be updated very regularly, daily or more often, since viruses can spread quickly.

But my biggest problem with anti-virus software is that it's reactive and it works from an unbounded data set. It's reactive because we must wait for a virus to attack somewhere before the blacklist can be updated. It's unbounded because the blacklist grows constantly as more and more viruses are discovered.

Bit9 has solved this by using a whitelist instead of a blacklist. It's not a new idea. Email programs have been using this approach to minimize spam for quite a while, but it's new in the PCI space. Since registers should only run a limited set of software (e.g. POS, browser, software management, monitoring agents), it's more efficient simply to list what is allowed to run; anything not previously cleared is blocked. While this approach doesn't work well for general-purpose PCs (because people want the freedom to install their own applications), it's perfect for the store environment.

Now the list is small and unlikely to grow, which leads to less resource usage and easier management. The approach is based on computing a secure hash of anything that tries to execute and comparing it against the list to validate that it's allowed. (Think active TripWire.) Then whenever the software is updated from an authenticated source, the hash on the list is updated. That update path is the crux: if an attacker can push something the register accepts as an "authenticated" update, the whitelist simply learns to trust the malware, so the update channel has to be controlled as tightly as the list itself.
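
To make the mechanism concrete, here is a small hash-based execution allowlist with a signed update path. It is an added example written for this page, not Bit9's or Tripwire's code; the "executables" are constructed byte strings, the distribution key is a made-up shared secret, and the HMAC-signed JSON manifest stands in for whatever authentication a real product uses (a production system would sign the manifest asymmetrically so the register holds no signing key). It goes one step beyond the text by also rejecting a replayed older manifest, which would otherwise re-enable a retired build.

```python
import hashlib
import hmac
import json

# Constructed sample "executables" standing in for files on a register.
POS_APP_V1 = b"\x7fELF pos-app build 1.0"
POS_APP_V2 = b"\x7fELF pos-app build 1.1"
MONITOR_AGENT = b"\x7fELF monitoring-agent 2.3"
UNKNOWN_BINARY = b"\x7fELF something nobody cleared"

# Assumed shared secret between the distribution server and the register
# (hypothetical; a real deployment would use an asymmetric signature instead).
DISTRIBUTION_KEY = b"constructed-demo-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """The authenticated source signs the canonical JSON form of a manifest."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_manifest(version: int, images) -> dict:
    return {"version": version, "allowed_sha256": sorted(sha256_hex(i) for i in images)}


class Allowlist:
    """Default-deny execution control: only images whose hash is listed may run."""

    def __init__(self, version: int, hashes):
        self.version = version
        self._hashes = frozenset(hashes)

    def is_allowed(self, image: bytes) -> bool:
        """The check performed before anything executes: hash it, look it up."""
        return sha256_hex(image) in self._hashes

    def apply_update(self, manifest: dict, signature: str, key: bytes) -> bool:
        """Replace the list only for an authentic, newer manifest.

        A bad signature or a replayed/older manifest keeps the current list;
        either would let an attacker choose what the register trusts.
        """
        expected = sign_manifest(manifest, key)
        if not hmac.compare_digest(expected, signature):
            return False
        if manifest["version"] <= self.version:
            return False
        self.version = manifest["version"]
        self._hashes = frozenset(manifest["allowed_sha256"])
        return True


def run_demo() -> dict:
    """Walk through the lifecycle described above and report each outcome."""
    register = Allowlist(1, build_manifest(1, [POS_APP_V1, MONITOR_AGENT])["allowed_sha256"])
    results = {
        "pos_v1_runs": register.is_allowed(POS_APP_V1),
        "unknown_blocked": not register.is_allowed(UNKNOWN_BINARY),
        "pos_v2_before_update": register.is_allowed(POS_APP_V2),
    }

    # An attacker tries to add their binary with a manifest they signed themselves.
    forged = build_manifest(2, [POS_APP_V1, MONITOR_AGENT, UNKNOWN_BINARY])
    results["forged_update_rejected"] = not register.apply_update(
        forged, sign_manifest(forged, b"wrong-key"), DISTRIBUTION_KEY)
    results["unknown_still_blocked"] = not register.is_allowed(UNKNOWN_BINARY)

    # The real distribution server rolls POS 1.0 forward to 1.1.
    update = build_manifest(2, [POS_APP_V2, MONITOR_AGENT])
    results["genuine_update_applied"] = register.apply_update(
        update, sign_manifest(update, DISTRIBUTION_KEY), DISTRIBUTION_KEY)
    results["pos_v2_after_update"] = register.is_allowed(POS_APP_V2)
    results["pos_v1_retired"] = not register.is_allowed(POS_APP_V1)

    # Replaying the old, genuinely signed version-1 manifest would restore 1.0;
    # the monotonic version check stops it.
    old = build_manifest(1, [POS_APP_V1, MONITOR_AGENT])
    results["replay_rejected"] = not register.apply_update(
        old, sign_manifest(old, DISTRIBUTION_KEY), DISTRIBUTION_KEY)
    return results


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check:24} {'ok' if ok else 'FAIL'}")
```

The lookup itself is the cheap part, one hash per execution against a set that stays small; the work that matters is around the manifest, which is why the example spends most of its lines on signature and version checks rather than on the hash comparison.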

This approach should extend the life of existing register hardware (since fewer resources are required), use less bandwidth (a whitelist changes far less often than a signature database), and give tighter control over what's allowed to run. I think this is a pretty good step toward meeting PCI requirements.

Comments:

There is an advantage to using whitelisting technology, but there is still an overhead burden when dealing with authorized change and updates on POS systems. To minimize PCI scope, retail in-store networks tend to be very isolated to minimize exposure, but connecting to a centralized database for verification of the 'good' inventory list is counterproductive. A different approach with 'dynamic whitelisting' is better suited for these types of situations. A localized inventory is controlled on the device itself, with the ability to control not only what's on disk but what's in memory, and to report on real-time change. Think Bit9, Tripwire, and HIPS all rolled into one solution to provide total PCI compliance. With any standard software distribution platform, updates can be delivered in one step, as dynamic whitelisting can pre-authorize any changes from the distribution and automatically update the local inventory, resulting in a true fix-it-and-forget-it protection model.

Kim Singletary,
Director Retail and Embedded Solutions
Solidcore.com

Posted by Kim Singletary, Solidcore on October 31, 2008 at 09:37 AM CDT

Hello,
Great blog! I will definitely bookmark your blog. I also have a blog related to Retail news ( http://newsonretail.blogspot.com/ ) which gives the latest analysis and trends in the Retail industry in the present recession period. I would appreciate it if you could kindly bookmark my blog too.

Posted by guest on April 08, 2009 at 05:29 PM CDT

About

David Dorf, Sr Director Technology Strategy for Oracle Retail, shares news and ideas about the retail industry with a focus on innovation and emerging technologies.