“The Council is looking for equivalent controls that address malware and all types of threats referenced in Requirement 5, which are often found in traditional anti-virus solutions. If another type of solution (application whitelisting, for example) addresses the identical threats with a different methodology than a signature-based approach, it may still be acceptable to meet the requirement.”

This is an important step forward for organizations who must meet PCI Data Security Standards (DSS) to prevent malware on their endpoints. Many recent attacks that have led to card holder data theft have involved a wide blend of techniques that featured placing malware on servers and other endpoints. This was certainly the case in the recent data breach involving the Heartland data breach where a variety of malware, backdoors, and packet sniffers were placed on key systems and resulted in the loss of over 130 million credit card numbers.

Application whitelisting would have gone far to thwart these types of threat. By restricting applications that are authorized on a given system, it removes the threat of a hacker using an unpatched vulnerability to place malicious code on the system because that code will not be allowed to run.

We applaud the PCI Security Standards Council for taking this step and moved their standard officially forward to address the serious threat of malware on endpoints. This is something that standards like NERC-CIP have also embraced and will certainly be more prevalent in the future. We are happy to see that our call to action in our recent post “Time For an Update of PCI Anti-Virus Requirements: Take a lesson from NERC CIP” has come to pass so quickly.

The webinar, sponsored by CoreTrace, will be held on October 27th at 2:00 p.m. EDT/11:00 a.m. PDT.

Click here to Register.

Abstract:

The shortcomings of blacklist-based antivirus solutions are well known and are no longer disputed (for one view of the situation, please read “Dimensional Research Antivirus/Anti-Malware Survey of IT Professionals”). As a result, innovative IT teams are looking into the promising new approach to stopping malware: application whitelisting.

But these teams are discovering that security is not the only benefit of application whitelisting. In fact, some are arguing that the solution’s operational and compliance benefits may even surpass the security ones.

As a former writer/editor at leading publications like InfoWorld and eWEEK, and current leading analyst at The 451 Group, Paul is the perfect expert to facilitate this discussion—and to do it a different way than a simple, one-way webinar. Please join Paul for an interactive “roundtable” discussion on the technology, promises, potential shortcomings, and ultimate benefits.

Event Information:

• Title: The 451 Group Webinar & Roundtable: “What Are The Real Benefits of Application Whitelisting: Security, Operations, Compliance?”

• Date: Tuesday, October 27, 2009

• Time: 2:00 p.m. EDT/11:00 a.m. PDT

This week, I want to speak more specifically about using application whitelisting to both meet the letter and the spirit of NERC CIP-007 compliance requirements. This is an area where application whitelisting is gaining significant momentum as a supplement or alternative to traditional blacklist antivirus. There are many reasons why the energy industry is ahead of the general curve in adopting whitelisting technologies.

• The government has mandated protection of critical infrastructure against malware and other cyber attacks
• The outcome from a failure of these critical systems could be catastrophic
• It is recognized that not only does traditional anti-virus fail to stop the threat, but its performance impact is significant enough to cause other problems
• Continual updating and patching of security systems is unfeasible for many control systems that are connected to the Internet

Our many customers in the energy industry recognize the ability of application whitelisting to not only address the deficiencies of antivirus, but also to provide security to their critical infrastructure significantly beyond checkbox NERC CIP compliance requirements.

Contributing to industry awareness are recent papers released by industry thought leaders. Paul J. Feldman, Chairman of the Midwest ISO Independent Director of Western Electricity Reliability Council (WECC), followed a recent paper titled “5 Questions the Board Should Ask About NERC CIP Plans” with a new whitepaper he co-authored with Matthew E. Luallen, 
Co-Founder, Encari, “Malicious Software Prevention for Complying with NERC CIP-007 Requirements”.

The first paper addresses key considerations for companies moving to comply with NERC requirements and how they can meet the intent of the regulation and calls out the purpose behind the regulation.

Presidential (US) directive PDD-63 of May 1998 set up a national program of Critical Infrastructure Protection (CIP). The Bulk Electric System is part of the critical national infrastructure. The NERC CIP Standards relate to the national effort, and the traditional efforts of energy companies to protect assets from cascading large scale failures.

The second deals specifically with how application whitelisting meets CIP-007-R3, Security Patch Management, and CIP-007-R4, Malicious Software Prevention compliance requirements and how it assists in meeting CIP-003-R6 and CIP-007-R6. The conclusions are compelling.

Application whitelisting takes the traditional antivirus approach and turns it 180 degrees. Rather than maintaining an exponentially enlarging blacklist of known malicious software, this new and powerful technology enforces a relatively small whitelist of the authorized applications for each computer. By ensuring that only approved applications can execute, application whitelisting automatically eliminates all unauthorized applications – including even unknown malware. This approach meets the actual intention of the NERC CIP requirements: preventing all unauthorized applications from executing on Critical Cyber Assets.

If you are responsible for NERC CIP compliance you should be giving serious consideration to application whitelisting to meet many of the key requirements of the regulation.

The culprit? Unauthorized code on their servers resulted in the exposure of the credit card data. Despite the protections employed to protect the card data on servers, they were done in by simple malware on a system in their infrastructure.

The exposure experienced by Network Solutions is not unique. One of the greatest threats to any company connected to the Internet is the prevalence of malware and the number of systems that belong to botnets. We recently blogged about two botnets formed by the new clampi trojan and the older conficker malware. Unfortunately, traditional blacklist antivirus technology is no longer capable of preventing infection and standards that target the protection of critical assets ought to take that into account.

To that extent, I would like to contrast the two requirements mandating system security in PCI DSS relative to those in NERC CIP. NERC CIP requirements calls for security that can detect, prevent, deter, and mitigate malware. The actual R4 requirement from NERC-CIP 007 is shown here:

• R4. Malicious Software Prevention – The Responsible Entity shall use antivirus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
• R4.1. The Responsible Entity shall document and implement antivirus and malware prevention tools. In the case where antivirus software and malware prevention tools are not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk.
• R4.2. The Responsible Entity shall document and implement a process for the update of antivirus and malware prevention “signatures.” The process must address testing and installing the signatures.

PCI on the other hand does not have this granularity and focuses instead solely on the use of antivirus. Here is the relevant PCI requirement mandating the use of antivirus:

• 5.1. Deploy antivirus software on all systems commonly affected by malicious software (particularly personal computers and servers).
• 5.1.1. Ensure that all antivirus programs are capable of detecting, removing, and protecting against all known types of malicious software.
• 5.2. Ensure that all antivirus mechanisms are current, actively running, and capable of generating audit logs.

The security of the systems in an organization’s IT infrastructure remains one of the greatest challenges to providing strong security. Application whitelisting’s purpose in life is to prevent unauthorized code from residing on critical assets. It’s time for organizations to start thinking about how they can proactively protect these devices instead of simply providing a checkbox for antivirus. Let us know what you think in the poll above.