12 Sep Security and Compliance – What Your Company Needs to Know Part 1: Whitelisting
Security in the 21st century is a complicated game. The good guys are always playing catch up with the bad guys. Security is particularly important for medtech companies due to their specific compliance needs. Banking and fintech likewise have a high bar for security compliance. Cloud services create far more points of contact than ever before — each a potential point of entry for malware.
An antivirus and security suite is just the beginning. Your company requires further solutions as well. One such additional solution is whitelisting, which isn’t reliant upon an ever-expanding database of malware to work properly. Whitelisting allows you to select the specific files you want to run on your system. Anything else just won’t run. This is more secure than blacklisting, which prohibits specific applications from running. It will even work on headless and unmanaged systems.
The problem with blacklisting is that you don’t know what every malicious application is or might be. However, you do know every application that should be running on your company machines. Whitelisting lets you identify files using directory paths, file hashes, application publisher and signed certificates. It also prevents unwanted, third-party changes to your system, configuration and application files
Some environments, such as production, scream out for whitelisting as a must in an overall security plan. And whitelisting isn’t just for your internal network. It’s all increasingly important for your products, especially if they’re connected themselves. Petya malware is an excellent example of something that whitelisting could have prevented. This jumped from system to system, installing malicious programs and particularly targeted small- and medium-sized business. However, with whitelisting it doesn’t matter what gets installed on your system. If it doesn’t have permission, it just won’t run. The installation itself would be blocked, requiring a portable application or something in memory to run.
Whitelisting isn’t necessarily easy, however. It’s a very fine line you’ll have to walk between whitelisting what you need without whitelisting anything that you don’t. Unneeded software can run because you think it’s required to support another application. The converse risk is that you fail to allow a necessary application because you’re not aware that other applications are relying upon it. So while you might be convinced of the need for whitelisting, deploying it across a complicated system is another matter.
While whitelisting is somewhat labor intensive to get started, it’s a godsend once you get it running. And again, you can package this as value added for your clients. The same process allowing you to whitelist your own software allows you to create whitelists for your products. You’re also making your design and engineering team’s work easier by removing malware woes from their plate. This can, for example, secure a self-service medical kiosk application, making it so that users can only access the application, with no permission to change the backend operating system. This makes the device more secure as well as protects intellectual property.
Whitelisting is vulnerable to zero day attacks that specifically attack the whitelisting software you’re using. It’s important for your security team and your team overall to remain vigilant in the face of emerging threats.
Complementary antivirus suites exist and should be deployed anywhere they make sense. Generally speaking, the more non-redundant solutions you have working to secure your system, the better. For instance, pairing whitelisting with Microsoft Baseline Security Analyzer (MBSA), can be highly effective because they each address entirely separate and important security risks. MBSA is provided free of charge with all Windows machines by Microsoft, and we will discuss it in detail in our next blog. Make sure to subscribe through the footer to be notified when our MBSA blog comes out.
To learn more about security, specifically as it applies to innovations in Smart Medical Devices, read our latest white paper, Navigating Compliance and Cyber Security Concerns in Smart Medical Device.