User Agent Security Robustness Discussion
Security Robustness: End User
For the end user, Security Robustness is based on manual processes, 3rd party apps, stand-alone capabilities and diligence
• General Security Management
• Patch management: User Agent, OS, and plug-ins managed by the user
• GUI presentation that is subject to errors
• Patch management again – GUI application errors
• Poorly designed UI that can be used to confuse the user, leading to compromise of credentials or privacy information
• Third party support apps
• AV, firewalls, spyware removal are add-on programs that help the user maintain a reasonable security posture
Security Robustness: User Agent
For the User Agent, Security Robustness is TBD and up for discussion
• GUI presentation that is subject to spoofing
• Faults in Network, OS, User Agent, Plug-ins
• Limitations because the User Agent exists to support features and functionality first; security is second.
Tiger Teams
• Red team, stage attacks
• Search for vulnerabilities
• Exploit weaknesses
• Present corrupted or confusing details to confuse the user and User Agent
• Blue team, test capabilities and response to attacks
• Ability to detect attack, limit exposure and retain or regain secure posture
• WSC can use blue teaming to determine consistency of information presented to the end user
• Determine if recommendations and changes to the user agent reduce risk
In information security circles a tiger team is a specialized group that finds and exploits vulnerabilities and tests / verifies countermeasures
Red Team Exploiting Vulnerabilities
WSC must decide on how to tackle the vulnerability issue. Vulnerabilities due to Network, OS, User Agent and plug-ins are out of scope. Security context provided to the end user is in scope.
Although the actual vulnerability can be out of scope, the manifestation of the vulnerability and the presentation of inconsistent security information to the end user may be considered in scope. For example, DNS can be poisoned; even though the ability to poison the cache may be due to a patch issue, providing incorrect security context to the end user may be considered in scope.
Blue Team: Test User Agent Security Capabilities
• Determine if the user agent presents the user with consistent and usable security information even in a hostile environment
• Errors in Cert: can the user determine how to proceed?
• Spoofed Site: is the site the actual intended site?
• Is the session and privacy information protected with integrity and confidentiality controls?
• Is the information provided by the User Agent to the user useful to maintain a secure posture?
Test the ability of the User to make a risk assessment using information provided by the User Agent
Some Useful Links: To create a test environment
User Agent Testing – finding an environment that can be exploited
• PC Flank http://www.pcflank.com/
• Browser Hawk http://www.cyscape.com/showbrow.aspx
• Scanit Browser Security test http://bcheck.scanit.be/bcheck//
GUI based exploit and testing tools
• Metasploit http://www.metasploit.com/
Note: listed on the shared bookmarks page