Whitelisting vs Blacklisting: What’s the difference & why it matters.

Written by Alesha Chapman | Mar 17, 2021 12:00:00 PM

Whitelisting and blacklisting are two main approaches to protecting your network from dangerous downloads, and both are effective tools in a comprehensive IT security strategy. Depending on who you ask, you will hear a preference for one or the other, and IT specialists are often torn when they must choose between the two to give an organization maximum security. We will look at both whitelisting and blacklisting, along with their pros and cons, so that you can decide which is the best fit for you.

Before we delve too deeply into the IT jargon, let’s start with an analogy to see how whitelisting, blacklisting, and, yep, you guessed it, graylisting work. Many office buildings station a security guard at their entrance to ensure that only employees with a valid ID are allowed inside. A person walks in, either shows or scans their ID, and is let inside. This is whitelisting. Everyone coming inside is validated against an existing list of approved people.

In the same vein, there may be employees who have been fired or people who have been put on a banned list. These people will be denied entry. This is blacklisting. Bad guys and people who might be dangerous are put on a list and denied entry.

But what about that guy who delivers sandwiches or the woman coming for a job interview? These people fall into the graylist. As they are on neither the approved list nor the banned list, the security guard will make a decision about the person’s entry based on the authenticity of the person’s credentials or reason for entry.

So how does this translate into IT security? 

Blacklisting 

Blacklisting is the practice of blocking potentially unwanted or malicious software and other entities on your computer or network. You can also blacklist programs, websites, e-mails, and IP addresses. For example, a blacklist for emails would consist of IP addresses that are believed to be sources of spam or phishing scams, and emails from these addresses are either blocked or routed to your spam folder.

One of the pros of blacklisting is its simplicity. Admins or your organization’s IT team can easily block known malicious software and run everything else. Users have access to all that they need, which reduces both the number of support tickets and the chance of essential programs being blocked. Blacklisting is the more relaxed approach to application control.

However, due to the rise of malware and bad actors, blacklisting alone may not be enough for full IT security. With new viruses and malware being produced every day, it is almost impossible for an admin to keep a comprehensive and up-to-date list of malicious applications. Additionally, blacklisting may not protect your organization against targeted attacks.

Whitelisting 

Whitelisting is the opposite of blacklisting. This is the practice of allowing only trusted applications, websites, e-mails and/or IP addresses on your PC or network. Whitelisting is considered to be more secure than blacklisting alone. Whitelisting only allows a limited number of applications to run, effectively minimizing the attack surface. In other words, the fewer applications allowed to run, the fewer opportunities for an attack. Furthermore, building a list of trusted applications is easier, as the number of trusted applications is lower than the number of distrusted applications. Businesses that must conform to strict regulatory compliance, such as healthcare organizations, benefit from whitelisting.

As expedient as whitelists can be, there are also drawbacks. Building a list of trusted applications and emails may seem easy enough, but after one inadvertent move you are suddenly inundated with requests from your team for access to applications, and the inability to access certain essential apps could slow down work. As a result, administrators sometimes create overly vague whitelisting rules, and this can put networks in jeopardy. Another disadvantage of whitelisting is that, while blacklisting can be automated to an extent by using antivirus software, whitelisting needs human intervention to work well.

Whitelisting is considered “better” because everything is assumed to be blocked (blacklisted) until it is proven not to be harmful, at which point it is whitelisted. Whitelisting is seen as the more “secure” approach.
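
To make the trade-offs above concrete, here is a short Python sketch, added as an illustration and not taken from any product mentioned in this article. It compares how a blacklist, a whitelist, and a combined policy with a graylist treat a brand-new malicious file, and shows how an overly vague whitelisting rule undoes the protection. All file contents, paths, and rule names are constructed for the example.

```python
import hashlib
from fnmatch import fnmatchcase

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for file contents (not real samples).
KNOWN_GOOD = b"constructed: approved payroll app"
KNOWN_BAD = b"constructed: malware already on the blacklist"
NEW_BAD = b"constructed: malware variant released today"

BLACKLIST = {digest(KNOWN_BAD)}
WHITELIST = {digest(KNOWN_GOOD)}

def blacklist_only(data: bytes) -> str:
    """Default-allow: block what is listed, run everything else."""
    return "block" if digest(data) in BLACKLIST else "allow"

def whitelist_only(data: bytes) -> str:
    """Default-deny: run what is listed, block everything else."""
    return "allow" if digest(data) in WHITELIST else "block"

def combined(data: bytes) -> str:
    """Both lists; anything on neither is graylisted for a human decision."""
    h = digest(data)
    if h in BLACKLIST:
        return "block"
    return "allow" if h in WHITELIST else "review"

def path_whitelist(path: str, patterns: list[str]) -> str:
    """Whitelist by path pattern instead of by file hash."""
    return "allow" if any(fnmatchcase(path, p) for p in patterns) else "block"

# Constructed rules: one exact path versus one overly vague wildcard.
STRICT_RULES = ["/opt/payroll/payroll"]
VAGUE_RULES = ["/opt/payroll/payroll", "/home/*"]
DROPPED_FILE = "/home/alice/Downloads/invoice_viewer"

if __name__ == "__main__":
    for name, data in [("known good", KNOWN_GOOD), ("known bad", KNOWN_BAD),
                       ("new bad", NEW_BAD)]:
        print(f"{name:10} blacklist={blacklist_only(data):5} "
              f"whitelist={whitelist_only(data):5} combined={combined(data)}")
    print("strict path rules:", path_whitelist(DROPPED_FILE, STRICT_RULES))
    print("vague path rules: ", path_whitelist(DROPPED_FILE, VAGUE_RULES))
```

The new variant runs under the blacklist because nobody has listed it yet, is blocked by the whitelist, and lands in the graylist under the combined policy. The same unknown file is allowed as soon as the whitelist contains the wildcard rule.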

What do we recommend? 

MPWRSource's trusted IT sidekick, pim, recommends a pragmatic approach that utilizes the best of both blacklisting and whitelisting. White/blacklisting can be accomplished through pim's Sophos platform, from the Sophos Firewalls to the Sophos MTR Advanced Endpoints installed on desktops, laptops, MacBooks, and some tablets (Microsoft Surface), as well as Sophos wireless access points.