Level 2


Description:

The process used to identify software programs that are not authorized to execute on systems is commonly referred to as blacklisting. The process used to identify software programs that are authorized to execute on systems is commonly referred to as whitelisting. Whitelisting is the stronger of the two policies for restricting software program execution. In addition to whitelisting, organizations consider verifying the integrity of whitelisted software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of whitelisted software can occur either prior to execution or at system startup.  [SP 800-67] provides guidance on application whitelisting.  


Priority: High 


Domain: CONFIGURATION MANAGEMENT (CM) 


Services Associated with AWS: 

  • AWS Identity and Access Management (IAM), AWS Security Groups, AWS Systems Manager


Services Associated with Azure:

  • Azure Application Control
  • Azure Security Center
  • Azure Defender for Servers
  • Azure Defender for App Service
  • Azure Defender for Kubernetes
  • Azure Defender for SQL
  • Azure Defender for Storage
  • Azure Defender for Key Vault
  • Azure Defender for DNS
  • Azure Defender for Resource Manager


Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of "blacklisting solution" software configuration 


Possible Technology Considerations:

  • Blacklisting  Solution
  • Secure Baseline Configurations (SBC)
  • Privileged Access Management (PAM) 


What needs to be answered:

Is the system configured to only allow authorized software to run and disallow unauthorized software? Is there a defined list of software allowed documented? Is this reviewed at least annually?  


Checks for AWS

  • Apply Deny-by-Exception Policy for Unauthorized Software
    Description: This check ensures that organizations apply a deny-by-exception (blacklisting) policy to prevent the use of unauthorized software within their systems. Unauthorized software refers to programs that are not approved or permitted by the organization. The blacklisting policy identifies and blocks the execution of unauthorized software, helping to mitigate the risks associated with untrusted or malicious programs.
  • Apply Deny-All, Permit-by-Exception Policy for Authorized Software
    Description: This check verifies that organizations apply a deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software within their systems. Authorized software refers to programs that are explicitly approved and permitted by the organization. The whitelisting policy restricts the execution of software to only authorized programs, enhancing security by preventing the execution of unapproved or potentially malicious software.
     


Checks for Azure

  • Implement Application Whitelisting
    Description: This check ensures that organizations in Azure implement application whitelisting as a policy to only allow authorized software to run on their systems. Application whitelisting involves creating a defined list of approved software programs that are permitted to execute, while disallowing any unauthorized software from running. This policy helps mitigate the risks associated with untrusted or malicious software by ensuring that only authorized applications are allowed to execute.
  • Regularly Review and Update Authorized Software List
    Description: This check emphasizes the importance of regularly reviewing and updating the list of authorized software programs in Azure. The organization should maintain a documented list of approved software and review it at least annually. Regular reviews ensure that the list remains up to date, reflecting any changes in authorized software and removing any outdated or unauthorized programs. By conducting regular reviews, the organization ensures that only approved software is allowed to run, reducing the risk of unauthorized or malicious software execution.


More Details: Changes to the system must be reviewed and implemented by IT support staff prior to execution.