The process used to identify software programs that are not authorized to execute on systems is commonly referred to as blacklisting. The process used to identify software programs that are authorized to execute on systems is commonly referred to as whitelisting. Whitelisting is the stronger of the two policies for restricting software program execution. In addition to whitelisting, organizations consider verifying the integrity of whitelisted software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of whitelisted software can occur either prior to execution or at system startup.  [SP 800-67] provides guidance on application whitelisting. 

Priority: High   

Category: Baseline Security Configurations 

Services Associated with AWS:   

  • AWS Identity and Access Management (IAM), AWS Security Groups, AWS Systems Manager

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of "blacklisting solution" software configuration 

Possible Technology Considerations : 

  • Blacklisting  Solution
  • Secure Baseline Configurations (SBC)
  • Privileged Access Management (PAM) 

What needs to be answered :  

Is the system configured to only allow authorized software to run and disallow unauthorized software? Is there a defined list of software allowed documented? Is this reviewed at least annually?  

  • Apply Deny-by-Exception Policy for Unauthorized Software
    Description: This check ensures that organizations apply a deny-by-exception (blacklisting) policy to prevent the use of unauthorized software within their systems. Unauthorized software refers to programs that are not approved or permitted by the organization. The blacklisting policy identifies and blocks the execution of unauthorized software, helping to mitigate the risks associated with untrusted or malicious programs.
  • Apply Deny-All, Permit-by-Exception Policy for Authorized Software
    Description: This check verifies that organizations apply a deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software within their systems. Authorized software refers to programs that are explicitly approved and permitted by the organization. The whitelisting policy restricts the execution of software to only authorized programs, enhancing security by preventing the execution of unapproved or potentially malicious software.

More Details:   

Changes to the system must be reviewed and implemented by IT support staff prior to execution.