sans article on windows browser security

Kevin Lister has a fun post over on the SANS diary where he presents tables on common web attacks and countermeasures. (Warning: I’m feeling contrarian today…)

[Aside: Some of my trivial annoyances with this article echo my similar annoyances surrounding yesterday’s announced IE CSS 0day (advisory link, krebs link, eeye link). There is a huge difference between initial attack (the 0day) and the payload…even when they’re tied together into one package or chained exploit.]

The unfortunate part of any discussion like this is defining the context/scope. In this case, I would break down context into 4 distinct options:

  • non-technical home user / micro network
  • technically-sound home user / micro network
  • small business (~10 to a few hundred people)
  • medium to large enterprise

Why the difference? Because how one approaches web security should differ depending on your context. Articles like this probably should define a scope first.

In addition, one should define the scope of the defense. Are you trying to protect against the initial attack itself, the resultant payload, or both?

While Kevin has a lot of “Free” items, none of these approaches are “free” in small and larger businesses. Even a “Low” in the tinker field means man-hours in research and support.

I have a few miscellaneous points to make as well. Home users can also take “alternative browser” one step further by using an alternative OS. There is no mention of host firewalls, sandboxing, or virtualization (i.e. a sacrificial host). I personally think the alternative OS option should have something more significant than a “-” effect. An attack against IE will fail against Firefox, and vice-versa. So we’re back into an “it depends” mode. I also feel that the “noscript” category, based on these tables, is woefully under-valued if someone just glances at this data. I think it’s worth more than what is reflected.

I’d also note that there are three fuzzy classes of protections that probably should be treated separately.

  • Those that require someone to make an update (signatures, opendns, ips, whitelists…)
  • Those that stop a certain behavior from occurring (lower admin rights, noscript, dep…)
  • Those that avoid the issues entirely (alternative whatevers…)

(I’d post comments, but posting on sans has been problematic at best for me…when I even remember my password there.)