Why blacklists are important to every administrator

Published Nov. 2, 2018, 12:48 p.m. by stoos

This post will ease you step by step into blacklists and their importance, not just within the IT security realm but also with regard to the effects they can have on your company’s operations and sales.

What are blacklists?

You have probably heard this in a movie, maybe even in person from one of those weirder friends that everyone seems to have at least one of in their circle: some person is not allowed to fly because they got “blacklisted”. This means they did something wrong at the airport, or maybe even earlier, that led the authorities to believe this person could pose a threat to the safety of air traffic. To avoid that danger the person is no longer allowed onto airplanes or into the airports’ boarding areas.

Their personal information was written into a registry; that registry is the blacklist: a list that authorities and security personnel at airports use as part of their passenger screening process to keep air traffic and airports safe.

Pretty much the same thing exists for the internet. There, too, the lists are called blacklists, and just like at every airport they should be part of the IT security and network screening processes in every organization or company.

Certain organizations or individuals maintain blacklists that list IP addresses or domains which have shown malicious or abusive behavior in the past, or which belong to address ranges that are not expected to send legitimate traffic of a certain kind in the first place (dynamically assigned consumer address space that should never deliver mail directly, for example). Traffic from such addresses can therefore pose a threat to certain systems or parts of a network, and they should be isolated, blocked or otherwise taken care of to guarantee smooth and secure operations.

There are hundreds of blacklists out there. Each one’s entries list different IP addresses or domains based on different kinds of threat patterns. Some focus on criteria that at first glance look irrelevant to operations, such as spam. Others list more immediately dangerous patterns such as DDoS botnets or brute-force attempts.

Blacklists can therefore not only help the internet as a network to stay safe and operational, but can also help companies to improve their IT security and even to improve their sales numbers.

Why you should care about blacklists

Whether you belong to the security nerds (like me) or to the people whose mouths start drooling when reading about improved sales numbers, blacklists are an important building block in today’s enterprise networks.

Let’s start with the IT security perspective.

Brute forcing used to be, and to date still is, a serious threat to the integrity of systems. Brute forcing means systematically trying candidate passwords or keys (in the extreme every possible combination of characters and symbols, in practice usually long lists of common passwords) to gain access to a system or to break the encryption of data or traffic. Malicious attackers often do not launch these attempts from their own machines: they connect through previously compromised systems and attack their primary target from there, so the source address points at a victim rather than at the attacker.

If a previously unknown system, or rather an IP address or domain, repeatedly launches unauthorized and unsuccessful login attempts, for example via SSH, that is a strong indicator of a compromised system being used by a malicious hacker to brute-force another system.

IP addresses, or even entire domains, that exhibit this kind of behavior are published on blacklists. IT security administrators can use those lists to block any future connection attempts from the listed sources and thereby reduce the chance of a successful compromise of their systems.
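The detection and blocking step described above, as an added example that is not part of the original post: a small Python script that reads OpenSSH log lines (the lines below are constructed for this example, using RFC 5737 documentation addresses), flags every source with five or more failed logins inside a ten minute sliding window, and renders the nft(8) commands that would drop traffic from those sources through a timed set. The threshold, the window, the table/chain/set names and the 24 hour timeout are assumptions to tune for your environment; a real deployment would also exempt management networks before feeding the result to the firewall.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH auth.log excerpt (not a real capture; RFC 5737 test
# addresses).  203.0.113.7 is hammering the daemon, 198.51.100.23 is a
# legitimate user who mistyped once, 192.0.2.99 fails twice, hours apart.
SAMPLE_LOG = """\
Nov  2 12:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov  2 12:00:03 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51235 ssh2
Nov  2 12:00:05 web1 sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Nov  2 12:00:06 web1 sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 51237 ssh2
Nov  2 12:00:08 web1 sshd[1209]: Failed password for root from 203.0.113.7 port 51238 ssh2
Nov  2 12:00:09 web1 sshd[1210]: Invalid user ubnt from 203.0.113.7 port 51239
Nov  2 12:01:00 web1 sshd[1220]: Failed password for alice from 198.51.100.23 port 40001 ssh2
Nov  2 12:01:30 web1 sshd[1221]: Accepted publickey for alice from 198.51.100.23 port 40002 ssh2
Nov  2 13:30:00 web1 sshd[1300]: Failed password for root from 192.0.2.99 port 3333 ssh2
Nov  2 15:30:00 web1 sshd[1301]: Failed password for root from 192.0.2.99 port 3334 ssh2
"""

# One line per rejected authentication attempt: "Failed password for ...",
# "Failed publickey for ...", "Failed keyboard-interactive/pam for ...".
# "Invalid user X from IP" lines are deliberately not matched: sshd logs them
# in addition to the "Failed password for invalid user X" line for the same
# attempt, so counting both would double-count.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed \S+ for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text, year=2018):
    """Return {ip: [datetime, ...]} of failed sshd logins, in file order.

    syslog timestamps carry no year, so one is supplied (assumption: 2018,
    the year of the post); it only matters for ordering across New Year.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = f"{year} {m['mon']} {int(m['day']):02d} {m['time']}"
        failures[m["ip"]].append(datetime.strptime(stamp, "%Y %b %d %H:%M:%S"))
    return failures


def detect_bruteforce(log_text, threshold=5, window_minutes=10):
    """Return {ip: failures_in_busiest_window} for every source that produced
    at least `threshold` failed logins inside some `window_minutes` interval.

    A sliding window rather than a plain total, so a host that fails twice a
    day for a year (a stale cron job, a monitoring probe) is not confused
    with one that fails hundreds of times in a minute.
    """
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, stamps in parse_failures(log_text).items():
        stamps.sort()
        busiest, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the left edge forward
                start += 1
            busiest = max(busiest, end - start + 1)
        if busiest >= threshold:
            flagged[ip] = busiest
    return flagged


def nft_blocklist_commands(ips, timeout="24h"):
    """Render nft(8) commands that drop inbound traffic from `ips` via a timed
    set, so entries expire on their own instead of accumulating forever.
    Table, chain and set names are assumptions for this example.  All lines
    but the "add rule" one are idempotent; add that rule once, not per run."""
    cmds = [
        "nft add table inet filter",
        "nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'",
        "nft add set inet filter bruteforce '{ type ipv4_addr; flags timeout; }'",
        "nft add rule inet filter input ip saddr @bruteforce drop",
    ]
    for ip in sorted(ips):
        cmds.append(f"nft add element inet filter bruteforce '{{ {ip} timeout {timeout} }}'")
    return cmds


if __name__ == "__main__":
    hits = detect_bruteforce(SAMPLE_LOG)
    for ip, n in hits.items():
        print(f"{ip}: {n} failed logins inside a 10 minute window")
    print("\n".join(nft_blocklist_commands(hits)))
```

Run it against the sample and only 203.0.113.7 is flagged: the single typo from 198.51.100.23 and the two widely spaced failures from 192.0.2.99 stay below the window threshold. Feeding your own auth log in the same way is what turns local observation into a blacklist entry; feeding a published list into the same nft set is the reverse direction the paragraph above describes.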

The same holds for botnets used for DDoS attacks or spam distribution. Security administrators can block the listed addresses in advance and thereby massively dampen the effects of a DDoS attack or the flood of spam mail that would otherwise reach their systems.

Although these previously explained scenarios are all good arguments to implement blacklists into a company’s security stack, they are all looked at from the victim’s perspective where one uses blacklists to protect their system from the bad things out there. But, like in society, no one thinks of themselves as being the problem. 

The number of highly skilled malicious attackers isn’t in the billions, but just one determined and capable bad hacker is enough. These people compromise systems and use them completely under the radar. The average system administrator will look at the CPU, RAM and network usage of their systems, maybe even run an antivirus scan, and all results will point towards a healthy system. They never suspect that their system was blacklisted days, weeks or even months ago for suspicious behavior.

But the very same blacklists that list their systems as threats to the world can help system administrators find unknown infections and thereby improve the safety of their company’s network. Sometimes a listing only names their domain, but often it names a specific IP address pointing to one system. The type of blacklist helps the administrator zero in on what kind of issue or threat their system poses: maybe it is being used to attack another system, maybe to send spam.

Many companies have first learned of a compromise from a blacklist listing rather than from their own monitoring.

Let’s take a quick look at the other perspective previously mentioned. Sales.

As explained above, to avoid connections to IP addresses or domains on blacklists, and thereby avoid an infection or reduce the chance of an attack, blacklisted systems often can only be reached with warning messages, or are blocked completely.

Now let’s say a company has a website (much wow, much hightech, the future is now). Imagine sales numbers dropping lower and lower over time. The sales department is getting frustrated and has no idea what advertisement strategy to apply.

Unsurprisingly the website traffic curve looks similar to the sales curve and has been decreasing over time.

So the sales department starts brainstorming and the sysadmin starts investigating.

Is the design unpleasant? Is the Javascript not working properly? Is the DNS resolution working properly? Design is nice, Javascript works fine and DNS entries are not corrupted. So what’s the problem?

Maybe the system has been blacklisted. That’s the problem. And that’s the solution.

By getting the system’s IP address removed from the blacklists it is listed on (most lists offer a delisting process, but only after the cause of the listing has been fixed, otherwise the entry simply comes back), website traffic and therefore sales start to go up again.

And the systems administrator becomes the company’s best sales person.

This example focuses not on the IT security point of view and its future implications, but rather on the immediate effects blacklists can have on a company’s finances.

By having an IP address or domain blocked, potential customers have no access to it and are forced to do business elsewhere. The blacklist entries also lead to a bad reputation (in an IT sense), so blacklisted websites and domains are avoided. Either way this leads to a, sometimes substantial, loss in visitors and sales.

The scenario of losses in sales can also originate in connection with spam mail blacklists. Yes, like I explained previously, malicious attackers can abuse systems to send spam and therefore have that system blacklisted. But now look at it from a different perspective.

Many companies have newsletters. Like grocery stores used to print newsletters in paper, many online stores offer good deals or special products only for a limited amount of time and send their newsletter via email. Maybe they are trying to sell a new product and try to tell their customers about their new offering or maybe they are trying to get rid of their inventory to make room for the next season’s products. Either way they need to inform their loyal customers and advertise to other people to win new customers. 

But since their system is blacklisted, their legitimate newsletters are blocked or categorized as spam and never reach the reader. Once again this can lead to a massive loss in revenue and sales, essentially destroying all the hard work the sales department put into catchy advertisement.
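The self-check that the infection-finding passage, the website scenario and the newsletter scenario all rely on, as an added example rather than anything from the original post: a Python DNSBL lookup. Most IP blacklists are published as DNS zones (RFC 5782): you reverse the octets of your address, append the zone name, and an A record in 127.0.0.0/8 means “listed” while NXDOMAIN means “not listed”. The script also runs the RFC 5782 sanity test (127.0.0.2 must be listed, 127.0.0.1 must not) so that a dead or wildcarded zone is reported as broken rather than as a clean result. The zone names `zen.spamhaus.org` and `bl.spamcop.net` are only examples of real public lists; the `bl.example`, `parked.example` and `dead.example` answers are constructed so the script runs offline, and `system_resolver` does the real lookups.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Real public lists, used here only as illustrations (assumption: which lists
# matter depends on the traffic you send and receive).
EXAMPLE_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

# A resolver takes a DNS name and returns its A records, [] for NXDOMAIN.
Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name to look up for `ip` in `zone`, per RFC 5782: the IPv4 octets (or
    IPv6 nibbles) in reverse order, followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(addr.exploded.split(".")))
    else:
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


def system_resolver(name: str) -> List[str]:
    """Real lookup through the operating system's resolver."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def lookup(ip: str, zone: str, resolve: Resolver = system_resolver) -> Optional[List[str]]:
    """Return the answer codes (127.x.y.z) if `ip` is listed in `zone`, [] if
    it is not, or None if the reply is not a DNSBL reply at all (wildcard
    DNS, a captive portal, a zone that has been shut down)."""
    answers = resolve(dnsbl_query_name(ip, zone))
    codes = []
    for answer in answers:
        if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
            return None
        codes.append(answer)
    return codes


def zone_is_sane(zone: str, resolve: Resolver = system_resolver) -> bool:
    """RFC 5782 test entries: 127.0.0.2 must be listed and 127.0.0.1 must
    not.  A zone failing this is dead or wildcarded; a "clean" answer from a
    dead zone is worthless, and a wildcarded zone would list everybody."""
    return bool(lookup("127.0.0.2", zone, resolve)) and lookup("127.0.0.1", zone, resolve) == []


def check_ip(ip: str, zones=EXAMPLE_ZONES, resolve: Resolver = system_resolver) -> Dict[str, Optional[List[str]]]:
    """Per-zone verdict: list of codes (listed), [] (clean), None (zone broken)."""
    return {
        zone: (lookup(ip, zone, resolve) if zone_is_sane(zone, resolve) else None)
        for zone in zones
    }


# Constructed DNS answers so the example runs offline; the zones and codes
# are invented and carry no meaning for any real list.
FAKE_DNS = {
    "2.0.0.127.bl.example": ["127.0.0.2"],      # RFC 5782 test entry
    "7.113.0.203.bl.example": ["127.0.0.4"],    # "our" web server, listed
}


def fake_resolver(name: str) -> List[str]:
    if name.endswith(".parked.example"):        # wildcard zone: answers everything
        return ["198.51.100.1"]
    return FAKE_DNS.get(name, [])               # dead.example: never answers


if __name__ == "__main__":
    zones = ("bl.example", "parked.example", "dead.example")
    for zone, verdict in check_ip("203.0.113.7", zones, fake_resolver).items():
        if verdict is None:
            state = "zone broken, ignore its answers"
        elif verdict:
            state = "listed, codes " + ",".join(verdict)
        else:
            state = "not listed"
        print(f"{zone}: {state}")
    # Live check of your own address against the example zones:
    # print(check_ip("203.0.113.7"))
```

The answer codes mean different things on different lists (one list uses separate codes for spam sources, compromised hosts and dynamic address space, another only ever returns one), so read the list’s own documentation before acting on a code. Note also that some lists refuse queries that arrive through large public resolvers or that exceed a free-use quota, and signal the refusal with a special return code rather than with NXDOMAIN; the sanity check above catches a zone that has gone entirely silent but not a per-query refusal, which is one more reason to look at the codes rather than just at “listed or not”.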

Summary

As you can see, blacklists can help any company to improve operations. Whether it is for IT security reasons, to fight abusive hackers using their systems, or to raise sales and revenue by reaching more customers, any company not considering blacklists as part of its IT infrastructure is deliberately risking its safety and its sales numbers.
