How useful are Application Whitelists when Social-Engineering Risks are Minimal?

[Handsome Recluse]

How useful are application whitelists when social-engineering risks are minimal where you don't download and execute random stuff from the internet especially, path/hash based whitelisting like SRP/Bouncer? It seems some of the top 4 mitigation strategies I found from wherever - namely, application whitelisting and restriction of administrative rights are partly to prevent users from doing whatever they want risking their computers. I'm just curious as to what happens when this is not a threat and you're the one actually making your own decisions instead of trying to prevent others'.

 

[Svoll]

It still serves a purpose while not much on the way you are describing the situation. You never know when something will slip by you and having that whitelist is protection.

I know of a very good Penguin who is awesome at prevention and something malicious manage to pass while he was afk or watching TV. Always a good bet to have some insurance. You don't always need it but it does come in handy when you do.

 

[Handsome Recluse]

@Svoll Wouldn't there be any alternatives to prevent the slipping by from doing anything if it manages to happen? I'm just curious as to the extent application whitelisting/restricting administrative rights can be useful compared to alternatives in cases where I have to make my own decisions and not some other administrator.

 

[Svoll]

I mean there would be ways to prevent such, if a user is careful, he or she doesn't need AV and all the security softwares. We install them for peace of mind. If its what I would call clicking roulette. you are only as safe as what you click.

I am usually careful, but other users of my computer, their USB, their documents, emails might not be.

 

[XhenEd]

Aside from getting infected because of what you install or click, there are cases, real cases, where you don't do anything, but still get infected. Two examples are drive-by downloads and malvertising. In these cases, application whitelisting can be a good protection.

 

[WinXPert]

A kilobyte of prevention is better than a megabyte of cure. Better safe than sorry.

 

[509322]

How useful are application whitelists when social-engineering risks are minimal where you don't download and execute random stuff from the internet especially, path/hash based whitelisting like SRP/Bouncer? It seems some of the top 4 mitigation strategies I found from wherever - namely, application whitelisting and restriction of administrative rights are partly to prevent users from doing whatever they want risking their computers. I'm just curious as to what happens when this is not a threat and you're the one actually making your own decisions instead of trying to prevent others'.

Nothing happens. You just go about your computing life.

One of the ideal features of security software is that it should be unobtrusive - to the point where you will forget that it is even there - except during a protection event.

On a very low-risk system there is this debate over whether or not a security solution is really needed. Well my answer to that is security software is like home owner's insurance - you sure are glad that you had the policy when lightning struck the gargantuan tree only meters from the house, split it down the middle, and both flaming halves fell onto your house.

 

[Zero Knowledge]

For low risk computers in a home environment you really only need a good AV suite.

You won't need anti-exploit, anti-rootkit, anti-exe, artificial-intelligence or white-listing

A security suite from Kaspersky, Norton, Avast, Emsisoft, Eset, or F-secure should be more than enough protection if you are low risk.

Application white-listing is used in the enterprise where you have strict regulations on how data is handled.

It all depends on your threat model really. A bank will have a different threat model than a consumer.

I don't advise home users to mess with stuff like SRP (or white-listing files) because it can break the OS.

 

[509322]

Application white-listing is used in the enterprise where you have strict regulations on how data is handled.

It all depends on your threat model really. A bank will have a different threat model than a consumer.

I don't advise home users to mess with stuff like SRP (or white-listing files) because it can break the OS.

SRP protects data primarily by preventing infections - both in Enterprise and consumer.

AppGuard is one of the few Enterprise-grade solutions made readily available to consumers.

SRP can be dangerous if the user is required to configure all the rules and don't know what they are doing.

Our product has default policies that will not break the OS, while at the same time provide a very high level of physical system security. It doesn't make any sense to put a product into home user hands that will brick their system.

 

[Zero Knowledge]

That's exactly why I don't recommend novices play with SRP. If your not an expert in the rules you will brick your system.

AppGuard is a good product but it still requires some knowledge about security to configure. And it should be that way.

I only wish other next gen Av vendors would allow consumers to buy single licenses.

 

[shmu26]

for savvy home users who don't share their computers with others, the main idea of application whitelisting -- otherwise known as default/deny -- is simply to shake your brain awake when you are about to do something stupid like run a downloaded executable file that you forgot to check out.