Hi everyone, and welcome to episode three of eight weeks of the essential eight. In this episode we’re going to explore Application control. We’re going to learn what it is, why it’s considered essential, and how to implement application control in a way that achieves maturity level one. Let’s begin!
What is application control?
Application control is a security control method designed to protect against malicious code by ensuring only approved applications and software can be executed. The easiest way to implement application control is by creating an ‘allowlist’ (previously called a whitelist).
You may have heard of blacklists, which are lists of known malicious code. Most antivirus and antimalware software is built on blacklists, and works by blocking any application the software deems unsafe or dangerous. The weakness of blacklists is that an attack can succeed whenever the antivirus software has not yet been updated to recognise the latest malicious code.
Think of an allowlist as the inverse of a blacklist. Instead of blocking known malicious code, an allowlist blocks every application except the ones you have explicitly allowed to execute. This may seem harsh, and it does severely restrict the freedom of end users, but it really is one of the safest ways to prevent unauthorised or possibly dangerous code from executing on your systems.
Blacklists:
- Lists of KNOWN malicious code
- Antivirus/antimalware software are built on blacklists
- Block access to applications deemed unsafe
- Antivirus software must stay ahead of latest attacks to work
Allowlists:
- The inverse of blacklists
- Blocks all applications EXCEPT for those explicitly allowed
- May restrict freedom of end users
- Safest way to prevent unauthorised or dangerous code executing
Why application control and allowlisting?
As I mentioned, correctly implementing application control lowers the risk of malicious code wreaking havoc on your system.
If your end users aren’t well versed in cyber security safety, they can unknowingly download applications or fall for phishing scams that execute malware or ransomware. With application control in place, it would be nearly impossible for them to do so.
Another reason for application control is to protect against the download of unauthorised software, which can lead to licensing agreement violations, inappropriate conduct, or vulnerable applications that can be manipulated by attackers.
Why application control?
- Lowers risk of executing malicious code
- Protects against successful phishing scams
- Prevents unauthorised download of software
Implementing Application Control: Maturity Level One
Last week we discussed restricting admin privileges; once you’ve got those restrictions in place you’ve already got a pretty good stepping stone into application control.
Similar to what we discussed in last week’s episode on admin privileges, maturity level one for application control really just says that standard users (those with non-privileged accounts) should be prevented from installing or downloading apps and software on their workstations, and that only approved applications should be installed on their devices.
Before setting those restrictions you absolutely need to make sure your users can access any approved applications they may need to complete their jobs.
Enter allowlists. Now it’s not a requirement in maturity level one to apply allowlisting software, but you do still need to create an allowlist. Having a list of approved applications will make your life, or your IT team’s life, a whole lot easier because there’s no guesswork involved.
If a user requests the installation of an application on their device, you can first refer them to your list of approved applications. If the requested application is not on the list, you can either deny the request or, if the application is necessary for their job and it is a trusted application with minimal security risks, add it to the allowlist.
Having an allowlist also makes it easy to set up devices when you onboard new users. When you hire a new employee, all you need to do is download and install the approved applications and their device will be pre-configured, so they won’t need to annoy your IT team every time they need to install new apps like Microsoft Word, Excel or Adobe Creative Suite.
And finally, having an allowlist is essential if, or when, you move on to the higher maturity levels, which do generally require the implementation of allowlisting software.
How do you create an allowlist?
There are two methods of creating an allowlist. The first method is to request a standard list that is typical for your work environment from an allowlist vendor. This standard list contains applications and software that are known to be trusted. Once you have this list, you can customise it further to fit your company and the roles of your employees.
Alternatively, you can use a device or system that you know is clear of malware, scan the installed apps and software, and use this as a standard for your other devices.
Method 1:
- Request a standard list from an allowlist vendor
- The standard list contains trusted apps/software
- Can be customised to suit the roles of your employees
Method 2:
- Select a device/workstation that is clear of malware
- Scan installed apps and software
- Use as a standard for other devices
When you create your allowlist you should be aware that not every user account will be using the same apps. For instance, your creative team may need software that is not typical for standard users, like Adobe Creative Cloud, so you should make sure you extend your list to include the apps they use.
You should also take the time to audit the applications your users currently have installed on their devices and computers. Determine which are essential and remove applications that provide little or no value.
You should also consider creating an Application Control policy for your employees. This policy should include your list of approved applications, and should express that it is not permissible to download unauthorised software on devices and workstations.
Once you’re armed with your list of approved applications, you’re ready to set up application control.
Tips for creating allowlist:
- Not every account/employee will use the same apps – extend your list to include all necessary apps for every job role
- Audit applications currently installed on devices
- Remove apps/software that provide little or no value
- Create an Application Control policy for employees
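The following PowerShell is an added example (not from the episode or any vendor): it implements method 2 and the audit tip above by inventorying the installed applications on a known-clean reference workstation into a CSV allowlist, then reporting anything installed on another device that is not on the standard list or a role-specific list. It assumes Windows devices, readable uninstall registry keys, and the CSV file names shown, which are constructed for the example.

```powershell
# Registry locations where Windows records installed applications (64-bit and 32-bit).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Enumerate installed applications as Name / Version / Publisher.
function Get-InstalledApps {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object @{ n = 'Name';      e = { $_.DisplayName } },
                      @{ n = 'Version';   e = { $_.DisplayVersion } },
                      @{ n = 'Publisher'; e = { $_.Publisher } } |
        Sort-Object Name -Unique
}

# Method 2: run on the clean reference device to produce the standard allowlist.
# Role-specific lists (e.g. allowlist-creative.csv for the creative team) use the
# same columns and are maintained separately; both file names are constructed here.
Get-InstalledApps | Export-Csv -Path '.\allowlist-standard-user.csv' -NoTypeInformation

# Audit: run on any other device and report what is installed but not approved.
# Matching on application name is a first-pass check suitable for maturity level
# one; higher maturity levels rely on allowlisting software that uses publisher
# or hash rules instead of names.
function Get-UnauthorisedApps {
    param([string[]]$AllowlistCsv)
    $allowed = $AllowlistCsv |
        Where-Object { Test-Path $_ } |
        ForEach-Object { Import-Csv -Path $_ } |
        Select-Object -ExpandProperty Name
    Get-InstalledApps | Where-Object { $allowed -notcontains $_.Name }
}

Get-UnauthorisedApps -AllowlistCsv '.\allowlist-standard-user.csv', '.\allowlist-creative.csv' |
    Format-Table Name, Version, Publisher -AutoSize
```

Apps that appear in the report are candidates either for removal (little or no value) or for addition to the relevant role’s list, exactly the decision described in the tips above.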
How to set application control policies
If you don’t have an IT specialist in your organisation, Mobile Device and Desktop Management vendors offer application control solutions that require minimal IT knowledge or capabilities to implement.
Mobile device or desktop management software generally makes it quite simple to apply application control on devices, monitor your users’ app usage, set allowlists, deploy new users, and manage your organisation’s devices, all within one dashboard or interface.
MDM Solutions:
- For Microsoft: Microsoft Intune
- For Apple: JAMF
- SOPHOS endpoint management
If your organisation is Windows-based and you’re not keen on using an MDM solution, another great (and free) tool is Windows Defender Application Control (WDAC) with Configuration Manager. WDAC with Configuration Manager allows you to set application control policies for users on your network. If you want to learn more about WDAC, you can click on the following link:
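As an added example (not from the episode or from Microsoft’s documentation), this PowerShell shows how the “scan a clean device” method maps onto WDAC: it generates a policy from a known-clean reference workstation and turns on audit mode so any approved app the scan missed is logged rather than blocked, which is the check you want before enforcing. It assumes an elevated PowerShell session on a supported Windows build with the ConfigCI module available; the policy file names are constructed.

```powershell
# Output files for the generated policy (constructed names).
$PolicyXml = '.\ReferencePolicy.xml'
$PolicyBin = '.\ReferencePolicy.bin'

# Scan the reference machine. Publisher-level rules allow anything signed by the
# same publisher (so routine updates keep running); unsigned files fall back to
# per-file hash rules. -UserPEs includes user-mode applications, not just drivers.
New-CIPolicy -FilePath $PolicyXml -ScanPath 'C:\' -Level Publisher -Fallback Hash -UserPEs

# Policy rule option 3 = Enabled:Audit Mode. Start here so users are never locked
# out of an app they need; remove the option (Set-RuleOption ... -Option 3 -Delete)
# only after the audit log shows nothing approved is being flagged.
Set-RuleOption -FilePath $PolicyXml -Option 3

# Convert the XML policy to the binary form that deployment tooling such as
# Configuration Manager consumes.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# After the audit-mode policy is deployed, review what WOULD have been blocked.
# Event ID 3076 in the Code Integrity operational log is the audit-mode
# "would block" event; each one is either a missing allowlist entry or something
# that genuinely should not be running.
function Get-WdacAuditEvents {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-WdacAuditEvents | Format-List
```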
And that’s it for application control! For further resources on application control you can check out the links at the bottom of this week’s corresponding blog post. And as usual, if you have any questions please feel free to shoot through an email. Until next time!
Implementing Application Control: https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-application-control
Essential Eight Maturity Model: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model
JAMF MDM: https://www.jamf.com
Microsoft Intune Management: https://docs.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune
Sophos Endpoint Management: https://www.sophos.com/en-us.aspx