Is Whitelisting a Good Security Practice?

Whitelisting has long been a standard, and sometimes a hardening, security measure, but whether it actually helps depends on how it is implemented and maintained and on where it is enforced.

Whitelisting can work against you if it is set up at the wrong spot or without adequate supporting checks. I highly recommend whitelisting behavior rather than whitelisting isolated elements such as applications, IP addresses, emails, domains or users.

One of the most obvious ways whitelisting goes wrong is when it unintentionally gives file-less malware more room: anything already whitelisted on the operating system, such as a signed, trusted scripting host, can be abused in memory once it runs, and its whitelisted status is never re-validated by any other factor. The remedy is simply to focus on what a file does rather than solely on where it came from.

Blind whitelisting, which is what I call filtering on a single factor, is highly prone to defeat. It is vulnerable to forgery and easily bypassed because nothing else supports the decision: a matching path, sender address or source IP is taken as sufficient on its own. The traditional whitelisting approach is, in effect, a haven for file-less malware.

What is far more effective, and much harder to defeat, is behavioral whitelisting, where we filter on a set of factors together, including the order of execution: which parent launched the process, what command line it received, whether its signature validates, and what it does next. As far as I can tell, almost all EDR solutions on the market today either lack behavioral whitelisting or rely solely on traditional one-stop whitelisting, which is really dangerous and runs against the very nature of an EDR.
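To make the contrast between blind (single-factor) whitelisting and behavioral whitelisting concrete, here is an added example that is not part of the original post or of any EDR product. It evaluates a constructed stream of process-creation events twice: once against a path-only allowlist, and once against a behavioral allowlist that also checks the signature, the command line, the allowed parent-child transitions (order of execution) and whether a script host reached by an Office document goes on to open a network connection. The event fields `signed` and `net` are assumed to come from an agent that validates signatures and records outbound connections; the image paths and rule tables are illustrative assumptions.

```python
"""Blind (path-only) allowlist vs. behavioral allowlist over a constructed
process-event stream.  Added example; not the author's code or any product's."""
from dataclasses import dataclass

# Assumed image paths used by the rule tables below.
EXPLORER = r"C:\Windows\explorer.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # path the loader reports for the executable
    cmdline: str
    signed: bool       # assumed: agent-validated code signature
    net: bool = False  # assumed: process opened an outbound connection


# Traditional one-factor allowlist: the image path is the only thing checked.
BLIND_ALLOWLIST = {EXPLORER, WINWORD, CMD, POWERSHELL}


def blind_verdict(ev: ProcEvent) -> str:
    return "allow" if ev.image in BLIND_ALLOWLIST else "block"


# Behavioral allowlist: which parent may launch which child (order of
# execution), plus per-event factors that all have to hold together.
ALLOWED_PARENTS = {
    EXPLORER: set(),              # root of the modelled tree; launcher not recorded
    WINWORD: {EXPLORER},
    CMD: {EXPLORER},
    POWERSHELL: {EXPLORER, CMD},  # never directly from an Office document
}
DENIED_CMDLINE = ("-enc", "-encodedcommand", "downloadstring", "invoke-expression")
SCRIPT_HOSTS = {POWERSHELL, CMD}
OFFICE_APPS = {WINWORD}


def ancestors(ev: ProcEvent, by_pid: dict) -> list:
    """Walk ppid links back to the root; stops on missing or cyclic records."""
    seen, chain, cur = {ev.pid}, [], by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def behavioral_verdict(ev: ProcEvent, by_pid: dict):
    """Return ("allow" | "block", [reasons]) using several factors at once."""
    reasons = []
    if ev.image not in ALLOWED_PARENTS:
        reasons.append("image not allowlisted")
    if not ev.signed:
        reasons.append("signature check failed")   # forgery at a trusted path
    chain = ancestors(ev, by_pid)
    wanted = ALLOWED_PARENTS.get(ev.image, set())
    if wanted:
        parent = chain[0] if chain else None
        if parent is None or parent.image not in wanted:
            reasons.append("launched by " + (parent.image if parent else "unknown parent"))
    low = ev.cmdline.lower()
    reasons += [f"command line contains {m!r}" for m in DENIED_CMDLINE if m in low]
    # Order-of-execution rule: Office document -> script host -> network.
    if ev.net and ev.image in SCRIPT_HOSTS and any(a.image in OFFICE_APPS for a in chain):
        reasons.append("office app -> script host -> network")
    return ("allow" if not reasons else "block"), reasons


def evaluate(events: list) -> dict:
    """Map pid -> both verdicts so the two approaches can be compared."""
    by_pid = {e.pid: e for e in events}
    out = {}
    for e in events:
        verdict, reasons = behavioral_verdict(e, by_pid)
        out[e.pid] = {"blind": blind_verdict(e), "behavioral": verdict, "reasons": reasons}
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, EXPLORER, "explorer.exe", signed=True),
    ProcEvent(200, 100, WINWORD, 'WINWORD.EXE "invoice.docm"', signed=True),
    # File-less: the genuine, allowlisted PowerShell binary, launched by the document.
    ProcEvent(300, 200, POWERSHELL, "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A",
              signed=True, net=True),
    ProcEvent(400, 100, CMD, "cmd.exe /c dir", signed=True),
    ProcEvent(500, 400, POWERSHELL, r"powershell.exe -File C:\ops\inventory.ps1", signed=True),
    # Forgery: something else sitting at the allowlisted path; signature fails.
    ProcEvent(600, 100, POWERSHELL, "powershell.exe", signed=False),
]

if __name__ == "__main__":
    for pid, v in evaluate(SAMPLE_EVENTS).items():
        print(pid, v["blind"], v["behavioral"], "; ".join(v["reasons"]))
```

The path-only allowlist passes every event, including the document-spawned encoded PowerShell and the unsigned binary at a trusted path, because the path is the only factor it knows. The behavioral allowlist blocks exactly those two: one because three factors fail together (wrong parent, denied command-line switch, Office-to-script-host-to-network sequence), the other because the signature factor fails even though the path matches.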

Kaveh Mofidi

I find simple solutions for complex problems. While I enjoy working with information security and computers, our challenges extend far beyond securing data. The real task is to discover solutions for unlimited clean energy, drinkable water, and addressing the root causes of hunger, war, and injustice. Our primary goal should be to keep our planet livable; that is the true challenge we face on Earth!