Is it time to blacklist the blacklists? An outdated security method: is it more trouble than it's worth? ~ Ask The Admin

Tuesday, July 10, 2007


“Blacklists have their place for detecting and identifying malicious content and activity, with the whole signature-based malware detection industry effectively being built around the concept that blacklists are reliable mechanisms.

The only problem is that they aren't.”

Is it time to blacklist the blacklists? I have been preaching for years about the inefficiency of blacklists. I am usually talking about email blacklists that block either a geographic region or groups of subnets from sending email to your domain. Antivirus and security programs use similar blacklists for virus and malware signatures: if a block of traffic matches a blacklisted signature, it is blocked or some other rule kicks in. This was the only way of stopping threats back in the day, but as new methods emerge, why are these dinosaurs of rules still in play? Blacklists are great for stopping an attack, but as a proactive measure… They SUCK!

So what happens when new threats are released? 0-day threats are a huge issue for your unpatched server or workstation because they walk right on through your security. According to those programs, this 0-day isn't an issue.

We have to wait for a signature update before we are protected from the new threat. Then when it mutates and changes slightly, you might just have to wait again. Are you feeling safer yet? Wouldn't it be better to prevent the operating system from being attacked altogether?

Well, this is what some security people are now proposing: killing off blacklists in favor of more efficient ways to keep the evils out of your network. Malware creators have smartened up, and so have the blocking companies, so why are blacklists still in play? It's easy to get on a blacklist and almost impossible to get off as the lists propagate.

“When polymorphic malware began to exhibit better software development, the need for heuristic detection engines became more urgent. Most antimalware software now has a combination of blacklisting and heuristics in use to assist in identifying malicious activity (when they aren't busy deleting critical system files or being compromised by their own analysis engines).”

Even larger companies have issues with blacklists. Verizon earlier this year blocked all Asian inbound email due to misconfigured filtering software. In other words, they added an overzealous blacklist that blocked a full continent.

We had to blacklist Korea some time last year when we started getting hit with millions of targeted emails a day. Then when we started doing business with them, we had to remove the blacklist, and quickly.
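The two incidents above share one failure mode: a single overly wide entry in a sender blacklist quietly blocks far more than the spam it was meant to stop. The script below is an added example, not part of the original post or any real blacklist feed; it parses a constructed list in a simple "network  reason" format, reports which entry would block a given sender, and flags entries wider than a /16 for human review before they go live.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entry:
    network: ipaddress.IPv4Network
    reason: str

# Constructed sample list in a simple "network  reason" text format; not a real feed.
# 100.64.0.0/10 stands in for a "block the whole region" entry of the kind the post describes.
SAMPLE_BLACKLIST = """
# network          reason
203.0.113.0/24     spam burst, added 2007-06
198.51.100.77      open relay
100.64.0.0/10      regional block (overbroad, constructed)
"""

def load_blacklist(text: str) -> list[Entry]:
    """Parse the list; malformed lines are skipped rather than silently widened."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net, _, reason = line.partition(" ")
        try:
            network = ipaddress.ip_network(net, strict=True)
        except ValueError:
            continue  # a typo here must not turn into a blocking rule
        entries.append(Entry(network, reason.strip()))
    # Most specific entry first, so lookup() reports the narrowest matching reason.
    return sorted(entries, key=lambda e: e.network.prefixlen, reverse=True)

def lookup(entries: list[Entry], ip: str) -> Optional[Entry]:
    """Return the entry that would block `ip`, or None if the sender passes."""
    addr = ipaddress.ip_address(ip)
    return next((e for e in entries if addr in e.network), None)

def overbroad(entries: list[Entry], max_prefixlen: int = 16) -> list[Entry]:
    """Entries wider than a /16 cover tens of thousands of unrelated senders;
    surface them for review instead of letting a continent disappear unnoticed."""
    return [e for e in entries if e.network.prefixlen < max_prefixlen]

if __name__ == "__main__":
    entries = load_blacklist(SAMPLE_BLACKLIST)
    for ip in ("203.0.113.45", "198.51.100.78", "100.100.1.1"):
        hit = lookup(entries, ip)
        print(ip, "->", f"BLOCKED ({hit.reason})" if hit else "allowed")
    for e in overbroad(entries):
        print("review:", e.network, "covers", e.network.num_addresses, "addresses")
```

Run the audit whenever the list changes; an entry that trips `overbroad()` is exactly the kind that later has to be removed "and quickly" once a legitimate partner turns up inside it.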

Especially as new marketplaces for hackers to sell their 0-day exploits appear, like this eBay for security pros.

Feeling safer?

So hopefully now security measures will evolve further and really protect you, not just give you a false illusion of security.

It is very easy to fall onto a blacklist but much harder to get off of it. Do you use blacklists? Let us know.

“It is time that people became aware that these lists are a small tool of their protection arsenal, and not the major innovation that their creators and maintainers describe them as. It is also time that people became aware of the problems that these lists can cause when improperly developed and maintained (and even when they aren't).”