Access Control | Whitelist vs Blacklist

As cyberattacks become more and more sophisticated, it gets harder and harder to keep up with them. One of the most important defences is to restrict what can and cannot access the network.
One of the most effective ways of doing this is to keep a list of entities on the firewall: either a whitelist, which enumerates what is allowed on the network, or a blacklist, which enumerates what is not. Let's look at both in a bit more detail and compare them.

Whitelist: 

The whitelisting approach defines which access should be permitted according to a predefined list and blocks everything else. It follows the default-deny principle that underpins zero trust: nothing is allowed until it has been explicitly approved. A typical example is a firewall that only lets a fixed set of IP addresses into a network.

Because a whitelist denies by default anything that is not on the list, it is considered the stricter approach to access control, and the chance of an attacker gaining access to the network is correspondingly lower.

A whitelist is also harder to operate, because it must be updated with every change in the organization; otherwise it will reject legitimate traffic that does not match a stale list. The more complex the network, the more demanding this maintenance becomes.

Blacklist:

On the other hand, blacklisting does exactly the opposite: it allows any traffic unless it matches a malicious entity that was previously added to the blacklist. Such lists are updated daily with known malicious software such as viruses, spyware and trojans, and can also contain IP addresses, email addresses, domains, processes and so on. Blacklists can be compiled manually by an organization or obtained automatically from third-party feeds.

A blacklist combined with antivirus, anti-spam and an IDS can be considered the traditional approach to access control. Its simplicity is one of its best features, and it needs very little maintenance, since in many cases the organization's list is simply the one compiled by its security provider.

That dependence is also its weakest point: with large numbers of new malicious samples discovered every day, keeping a blacklist current is a challenge, and it is easy for a provider to miss threats given the volume they have to process. A blacklist is also inherently vulnerable to zero-day attacks, which by definition are not yet on any list.

Why not both?

As we have seen, both approaches have their pros and cons, so it is sometimes hard to choose between them.

But what about combining them? Many companies do exactly that. A good approach is to use a blacklist to keep well-known malware out of the network as a whole, and then a whitelist to control connections into the more critical areas of the network.

With this layout, a mistake or gap in the blacklist is less likely to affect the most valuable data the network holds, and it strikes a balance between security and the resources spent on list maintenance. This middle ground is sometimes referred to as a graylist.
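Added example (not code from the original article): a small Python policy check that applies the two lists in the order described here and in the Whitelist and Blacklist sections above, a blacklist on every request and a whitelist only on the critical zone. The IP ranges (RFC 5737 documentation addresses), the domain names, the zone names "public" and "critical", and the `decide` function are all constructed for illustration; this is not a real firewall API.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    """One connection attempt (constructed sample data, not real traffic)."""
    src_ip: str
    domain: str      # destination hostname the client asked for
    zone: str        # target segment; "public" and "critical" are assumed names


@dataclass
class Policy:
    # Blacklist layer: default allow, block only what is listed.
    denied_networks: list = field(default_factory=list)   # ipaddress networks
    denied_domains: set = field(default_factory=set)      # lower-case domain names
    # Whitelist layer: per zone, default deny; only listed source networks get in.
    allowed_networks: dict = field(default_factory=dict)  # zone -> list of networks


def _matches_network(ip, networks):
    return any(ip in net for net in networks)


def _matches_domain(domain, denied):
    d = domain.lower().rstrip(".")
    # Match the exact name or any subdomain of a denied name.
    return any(d == bad or d.endswith("." + bad) for bad in denied)


def add_allowed(policy, zone, cidr):
    """Put a source range on the whitelist for a zone (how a stale list gets fixed)."""
    policy.allowed_networks.setdefault(zone, []).append(ipaddress.ip_network(cidr))


def decide(policy, req):
    """Return (allowed, reason). Blacklist first, then the zone's whitelist if it has one."""
    ip = ipaddress.ip_address(req.src_ip)
    if _matches_network(ip, policy.denied_networks):
        return False, "blacklist: source network"
    if _matches_domain(req.domain, policy.denied_domains):
        return False, "blacklist: domain"
    zone_allow = policy.allowed_networks.get(req.zone)
    if zone_allow is not None:
        if _matches_network(ip, zone_allow):
            return True, "whitelist: source permitted for zone"
        return False, "whitelist: source not listed for zone"
    return True, "default allow: no blacklist match, zone has no whitelist"


def sample_policy():
    """Constructed policy: RFC 5737 documentation ranges stand in for real addresses."""
    net = ipaddress.ip_network
    return Policy(
        denied_networks=[net("203.0.113.0/24")],    # assumed known-bad range
        denied_domains={"malware.example"},         # assumed known-bad domain
        allowed_networks={
            "critical": [net("192.0.2.0/26")],      # only the admin office range (assumed)
        },
    )


def run_samples(policy=None):
    """Evaluate a handful of constructed requests against the policy."""
    policy = policy or sample_policy()
    samples = [
        Request("198.51.100.7", "intranet.example", "public"),     # ordinary user, listed nowhere
        Request("203.0.113.9", "intranet.example", "public"),      # known-bad source
        Request("198.51.100.7", "cdn.malware.example", "public"),  # subdomain of a denied domain
        Request("198.51.100.7", "db.example", "critical"),         # unknown source: not on either list
        Request("192.0.2.10", "db.example", "critical"),           # admin office, on the whitelist
        Request("192.0.2.130", "db.example", "critical"),          # new office not yet added: stale whitelist
    ]
    return [decide(policy, r) for r in samples]


if __name__ == "__main__":
    for allowed, reason in run_samples():
        print("ALLOW" if allowed else "DENY ", "-", reason)
```

The last three samples show the trade-off the text describes: a source the blacklist has never seen walks straight into the public zone, and only the critical zone's whitelist stops it; conversely, an admin connecting from a range that was never added to the whitelist is rejected until someone updates the list with `add_allowed`.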
