User Agent Security Robustness Discussion - PowerPoint PPT Presentation

Provided by: mitr55

Transcript and Presenter's Notes
Slide 1: User Agent Security Robustness Discussion
Slide 2: Security Robustness: End User
  • For the end user, Security Robustness rests on
    manual processes, third-party apps, stand-alone
    capabilities and diligence
  • General security management
    • Patch management: the User Agent, OS and plug-ins
      are all patched by the user
  • GUI presentation that is subject to errors
    • Patch management against GUI application errors
    • A poorly designed UI can be used to confuse the
      user, leading to compromise of credentials or
      private information
  • Third-party support apps
    • AV, firewalls and spyware removal tools are add-on
      programs that help the user maintain a reasonable
      security posture

Slide 3: Security Robustness: User Agent
  • For the User Agent, Security Robustness is TBD and up
    for discussion
  • GUI presentation that is subject to spoofing
  • Faults in the network, OS, User Agent and plug-ins
  • Limitations, because the User Agent exists to support
    features and functionality first; security comes
    second

Slide 4: Tiger Teams
In information security circles a tiger team is a
specialized group that finds and exploits
vulnerabilities and tests / verifies countermeasures
  • Red team: stage attacks
    • Search for vulnerabilities
    • Exploit weaknesses
    • Present corrupted or confusing details to confuse
      the user and the User Agent
  • Blue team: test capabilities and the response to
    attacks
    • Ability to detect an attack, limit exposure and
      retain or regain a secure posture
    • WSC can use blue teaming to determine the consistency
      of the information presented to the end user
    • Determine whether recommendations and changes to the
      User Agent actually reduce risk

Slide 5: Red Team: Exploiting Vulnerabilities
  • WSC must decide how to tackle the vulnerability
    issue. Vulnerabilities in the network, OS, User
    Agent and plug-ins are out of scope. The security
    context provided to the end user is in scope.
  • Although the actual vulnerability can be out of
    scope, the manifestation of the vulnerability and
    the presentation of inconsistent security information
    to the end user may be considered in scope.
    Example: DNS can be poisoned. Even though the
    ability to poison the cache may be due to a patching
    issue, presenting an incorrect security context to
    the end user as a result may be considered in scope.

Slide 6: Blue Team: Test User Agent Security Capabilities
Test the ability of the user to make a risk
assessment using the information provided by the User
Agent
  • Determine whether the User Agent presents the user with
    consistent and usable security information even
    in a hostile environment
  • Errors in the certificate: can the user determine how to
    proceed?
  • Spoofed site: is the site the actual intended
    site?
  • Is the session and privacy information protected
    with integrity and confidentiality controls?
  • Is the information the User Agent provides to the user
    useful for maintaining a secure posture?
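
The poisoned-DNS case on slide 5 and the certificate-error and spoofed-site questions on slide 6 share one underlying requirement: the security context a user agent shows must be derived from the name the user asked for and the certificate that was presented, never from where the bytes happened to come from. The following Node.js example is added here and is not part of the slide deck; the hostnames (bank.example, attacker.example), the certificate objects and the `hostnameMatchesSan` / `securityContext` helpers are all assumed for illustration, and the name-matching rules follow RFC 6125 (wildcard only as the whole left-most label, matching exactly one label).

```javascript
// Added example, not from the slide deck: a small model of how a user agent
// should derive the security context it shows (lock / warning) from the TLS
// certificate it received, independently of how the hostname was resolved.
// Certificates here are constructed plain objects, not parsed X.509 data;
// hostnames such as bank.example and attacker.example are made up.

// DNS-ID matching following the RFC 6125 rules: case-insensitive, a wildcard
// is only accepted as the entire left-most label, matches exactly one label,
// and must leave at least two fixed labels (so "*.com" never matches).
function hostnameMatchesSan(hostname, san) {
  const host = hostname.toLowerCase().replace(/\.$/, '');
  const pattern = san.toLowerCase().replace(/\.$/, '');
  if (!pattern.includes('*')) return host === pattern;
  const [first, ...rest] = pattern.split('.');
  if (first !== '*' || rest.length < 2) return false;
  const hostLabels = host.split('.');
  if (hostLabels.length !== rest.length + 1) return false;
  return hostLabels.slice(1).join('.') === rest.join('.');
}

function certificateMatchesHost(cert, hostname) {
  return (cert.dnsNames || []).some((san) => hostnameMatchesSan(hostname, san));
}

// Derive the indicator the UA should present. The decision depends only on
// the name the user asked for and on the certificate, never on the resolved
// IP address, so a poisoned DNS answer cannot by itself produce "secure".
function securityContext({ requestedHost, cert, chainTrusted, now = new Date() }) {
  if (!cert) return { indicator: 'insecure', reasons: ['no TLS'] };
  const reasons = [];
  if (!chainTrusted) reasons.push('untrusted issuer');
  if (!certificateMatchesHost(cert, requestedHost)) reasons.push('name mismatch');
  if (now < cert.notBefore || now > cert.notAfter) reasons.push('expired or not yet valid');
  return reasons.length === 0
    ? { indicator: 'secure', reasons }
    : { indicator: 'warning', reasons };
}

// Constructed fixtures (assumed values, not real certificates).
const NOW = new Date('2024-06-01T00:00:00Z');
const VALID = {
  notBefore: new Date('2024-01-01T00:00:00Z'),
  notAfter: new Date('2025-01-01T00:00:00Z'),
};
const bankCert = { dnsNames: ['bank.example', '*.bank.example'], ...VALID };
const attackerCert = { dnsNames: ['attacker.example'], ...VALID };
const expiredBankCert = {
  dnsNames: ['bank.example'],
  notBefore: VALID.notBefore,
  notAfter: new Date('2024-05-01T00:00:00Z'),
};

// The blue-team checks from the slides as scenarios: the user typed
// https://bank.example in every case; only what the network delivered differs.
function runScenarios() {
  const host = 'bank.example';
  return {
    // Correct DNS answer, trusted chain, name matches, in validity period.
    legitimate: securityContext({ requestedHost: host, cert: bankCert, chainTrusted: true, now: NOW }),
    // Poisoned DNS sends the user to attacker.example, which serves its own trusted cert.
    poisonedDnsAttackerCert: securityContext({ requestedHost: host, cert: attackerCert, chainTrusted: true, now: NOW }),
    // Poisoned DNS plus a self-signed cert that claims bank.example.
    poisonedDnsSelfSigned: securityContext({ requestedHost: host, cert: bankCert, chainTrusted: false, now: NOW }),
    // Real site, but the certificate has lapsed.
    expiredCert: securityContext({ requestedHost: host, cert: expiredBankCert, chainTrusted: true, now: NOW }),
  };
}

for (const [name, result] of Object.entries(runScenarios())) {
  console.log(name.padEnd(26), result.indicator.padEnd(9), result.reasons.join(', ') || '-');
}
```

What a blue-team tester checks against this model is consistency: only the legitimate scenario yields `secure`, and each hostile scenario yields `warning` with a reason the user can act on (name mismatch, untrusted issuer, expiry). A user agent that shows the lock in either poisoned-DNS case fails the "consistent and usable even in a hostile environment" test from slide 6 regardless of the fact that the DNS weakness itself is out of scope. The model deliberately omits revocation, key-usage and chain-building checks that a real validator performs.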

Slide 7: Some Useful Links: To Create a Test Environment
User Agent testing (finding an environment that can be exploited):
  • PC Flank: http://www.pcflank.com/
  • BrowserHawk: http://www.cyscape.com/showbrow.aspx
  • Scanit Browser Security Test: http://bcheck.scanit.be/bcheck/
GUI-based exploit and testing tools:
  • Metasploit: http://www.metasploit.com/
Note: listed on the shared bookmarks page