
User Agent Security Robustness Discussion

Upload: beverly-wright

Post on 30-Dec-2015


Page 1: User Agent Security Robustness Discussion. Security Robustness End User For end user, Security Robustness is based on manual processes, 3 rd party apps,

User Agent Security Robustness Discussion

Page 2

Security Robustness: End User

For the end user, Security Robustness is based on manual processes, 3rd party apps, stand-alone capabilities and diligence

• General Security Management
  • Patch management: User Agent, OS, and plug-ins are managed by the user
  • GUI presentation that is subject to errors
• Patch management again – GUI application errors
• Poorly designed UI that can be used to confuse the user, leading to compromise of credentials or privacy information
• Third party support apps
  • AV, firewalls and spyware removal tools are add-on programs that help the user maintain a reasonable security posture

Page 3

Security Robustness: User Agent

For the User Agent, Security Robustness is TBD and up for discussion

• GUI presentation that is subject to spoofing
• Faults in Network, OS, User Agent, Plug-ins
• Limitations because the User Agent exists to support features and functionality first; security is second.

Page 4

Tiger Teams

• Red team, stage attacks
  • Search for vulnerabilities
  • Exploit weaknesses
  • Present corrupted or confusing details to confuse the user and the User Agent
• Blue team, test capabilities and response to attacks
  • Ability to detect an attack, limit exposure and retain or regain a secure posture
  • WSC can use blue teaming to determine the consistency of information presented to the end user
  • Determine if recommendations and changes to the user agent reduce risk

In information security circles, a tiger team is a specialized group that finds and exploits vulnerabilities and tests / verifies countermeasures

Page 5

Red Team Exploiting Vulnerabilities

WSC must decide how to tackle the vulnerability issue. Vulnerabilities in the Network, OS, User Agent and plug-ins are out of scope. The security context provided to the end user is in scope.

Although the underlying vulnerability may be out of scope, the manifestation of the vulnerability and the presentation of inconsistent security information to the end user may be considered in scope. Example: a DNS cache can be poisoned; even though the ability to poison the cache may be due to a missing patch, the user agent then providing an incorrect security context to the end user (for example, presenting a connection to the attacker's host as if it were the intended site) may be considered in scope.
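The DNS-poisoning case above, worked through as an added example (not code from the original slides or from WSC): the poisoned cache itself is out of scope, but the user agent still holds enough information to keep its security context consistent, because the certificate it receives names the host it was actually issued for, not the host the user typed. The check below compares the intended hostname with the certificate's subjectAltName entries and decides whether a "secure" indicator may be shown. The certificates are constructed dictionaries in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; all hostnames and values are invented for the example, and nothing touches the network.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Verdict:
    secure: bool   # may the user agent show its "secure" indicator?
    reason: str    # what the user agent should tell the user

def hostname_matches(dns_name: str, hostname: str) -> bool:
    """RFC 6125 style comparison of a certificate DNS name with the host the
    user intended: case-insensitive, wildcard allowed only as the whole
    left-most label, never matching more than one label or a bare TLD."""
    pattern = dns_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(host) or len(pattern) < 2:
        return False
    if "*" in "".join(pattern[1:]):
        return False                                   # wildcard only in the first label
    if pattern[0] == "*":
        return len(pattern) >= 3 and pattern[1:] == host[1:]   # "*.com" is refused
    return pattern == host

def cert_dns_names(cert: dict) -> List[str]:
    """DNS entries from subjectAltName; the CN is ignored, as browsers do today."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def security_context(intended_host: str, cert: Optional[dict], handshake_ok: bool) -> Verdict:
    """Decide what security context the user agent may present for this page."""
    if not handshake_ok or cert is None:
        return Verdict(False, "no validated TLS session: present the page as insecure")
    names = cert_dns_names(cert)
    if any(hostname_matches(name, intended_host) for name in names):
        return Verdict(True, f"certificate names {intended_host}: secure indicator allowed")
    # The poisoned-DNS manifestation: transport is up and the chain validates,
    # but the certificate was issued for some other host. A lock icon here
    # would be exactly the inconsistent security context the slide warns about.
    return Verdict(False, f"certificate is for {names or 'no DNS name'}, not "
                          f"{intended_host}: show an interstitial, no secure indicator")

# Constructed certificates in the shape returned by ssl.SSLSocket.getpeercert();
# every name and value here is invented for the example.
BANK_CERT = {"subject": ((("commonName", "www.bank.example"),),),
             "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "bank.example"))}
ATTACKER_CERT = {"subject": ((("commonName", "login.attacker.example"),),),
                 "subjectAltName": (("DNS", "login.attacker.example"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.bank.example"),)}

def demo() -> Dict[str, Verdict]:
    """The scenarios a blue team would script against the user agent."""
    return {
        "normal":            security_context("www.bank.example", BANK_CERT, True),
        "dns_poisoned":      security_context("www.bank.example", ATTACKER_CERT, True),
        "wildcard_ok":       security_context("www.bank.example", WILDCARD_CERT, True),
        "wildcard_too_deep": security_context("a.b.bank.example", WILDCARD_CERT, True),
        "handshake_failed":  security_context("www.bank.example", None, False),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} secure={verdict.secure!s:5} {verdict.reason}")
```

The "dns_poisoned" case is the one the slide describes: the handshake succeeds and the chain validates, yet the name in the certificate is not the name the user asked for, so the consistent response is an interstitial rather than a lock icon. The wildcard cases show why the matching rule itself needs testing: a user agent that let "*.bank.example" cover "a.b.bank.example", or "*.example" cover everything, would present a secure context it cannot justify.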

Page 6

Blue Team: Test User Agent Security Capabilities

• Determine if the user agent presents the user with consistent and usable security information even in a hostile environment
  • Errors in Cert: can the user determine how to proceed?
  • Spoofed Site: is the site the actual intended site?
  • Is the session and privacy information protected with integrity and confidentiality controls?
• Is the information provided by the User Agent to the user useful to maintain a secure posture?

Test the ability of the User to make a risk assessment using information provided by the User Agent
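One blue-team probe for the "Spoofed Site: is the site the actual intended site?" question, as an added example (not code from the original deck or from WSC). A user agent can only present a consistent security context if it can tell the user that the host in the address bar merely looks like the intended one. The code below reduces hostnames to a "skeleton" in which look-alike ASCII substitutions (rn for m, 1 for l) and Unicode confusables (Cyrillic а for Latin a) collapse to one form, flags labels that mix writing systems, and catches the intended name being buried in someone else's subdomain. The confusable table is a small constructed subset rather than the full Unicode TR39 data, the "last two labels" rule stands in for the Public Suffix List, and all hostnames are invented.

```python
import unicodedata
from typing import List, Tuple

# Constructed subset of look-alike characters mapped to a Latin "skeleton"
# form (a toy version of the Unicode TR39 confusables table).
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0501": "d",
}
MULTI = {"rn": "m", "vv": "w", "cl": "d"}

def to_unicode(hostname: str) -> str:
    """Decode punycode (xn--) labels as a user agent would before display."""
    labels = []
    for label in hostname.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # an undecodable label stays in its punycode form
        labels.append(label)
    return ".".join(labels)

def mixed_script(label: str) -> bool:
    """True when a label mixes writing systems (e.g. Latin and Cyrillic).
    unicodedata exposes no script property, so the first word of each
    letter's character name (LATIN, CYRILLIC, GREEK ...) stands in for it."""
    systems = {unicodedata.name(ch, "?").split()[0] for ch in label if ch.isalpha()}
    return len(systems) > 1

def skeleton(hostname: str) -> str:
    """Collapse confusable characters so look-alike names compare equal."""
    text = unicodedata.normalize("NFKC", to_unicode(hostname))
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for seq, rep in MULTI.items():
        text = text.replace(seq, rep)
    return text

def registrable(hostname: str) -> str:
    """Last two labels. Real user agents consult the Public Suffix List;
    this shortcut is enough for the .example names used here."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def assess(intended: str, observed: str) -> Tuple[str, List[str]]:
    """Classify the observed hostname relative to the one the user meant.
    Returns ("same" | "lookalike" | "unrelated", reasons)."""
    reasons: List[str] = []
    if any(mixed_script(label) for label in to_unicode(observed).split(".")):
        reasons.append("mixed-script label: display the punycode form, not the Unicode form")
    if registrable(observed) == registrable(intended):
        return "same", reasons
    if registrable(skeleton(observed)) == registrable(skeleton(intended)):
        reasons.append(f"{registrable(observed)} is a look-alike of {registrable(intended)}")
        return "lookalike", reasons
    if intended.lower() in observed.lower():
        reasons.append(f"{intended} appears as a subdomain of {registrable(observed)}")
        return "lookalike", reasons
    return "unrelated", reasons

# Constructed probe hostnames. The homograph is built at run time from a
# Cyrillic 'а' (U+0430) so its punycode form need not be typed by hand.
INTENDED = "www.mybank.example"
HOMOGRAPH = "www.myb\u0430nk.example".encode("idna").decode("ascii")
PROBES = [INTENDED, "www.rnybank.example", HOMOGRAPH,
          "www.mybank.example.attacker.example", "www.weather.example"]

if __name__ == "__main__":
    for host in PROBES:
        verdict, reasons = assess(INTENDED, host)
        print(f"{host:45} {verdict:10} {'; '.join(reasons)}")
```

Run against the probes, the homograph is reported both as a look-alike of the intended registrable domain and as a mixed-script label, which is the cue for the user agent to show the xn-- form instead of the decoded Unicode; the "rn" substitution and the buried subdomain are caught even though neither involves Unicode at all. A blue team would extend the probe list with the spoofs the red team actually stages and check that the user agent's address bar and indicators change in the way this classifier predicts.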

Page 7

Some Useful Links: To create a test environment

User Agent Testing – finding an environment that can be exploited

• PC flank: http://www.pcflank.com/
• Browser Hawk: http://www.cyscape.com/showbrow.aspx
• Scanit Browser Security test: http://bcheck.scanit.be/bcheck//

GUI based exploit and testing tools

• Metasploit: http://www.metasploit.com/

Note: listed on the shared bookmarks page