How to button up a cybersecurity risk on every computer in the government

Tom Temin: Mr. Faust, good to have you on.

Paul Faust: Tom, I’m grateful to be with you. Thank you.

Tom Temin: And I imagine you share the concern with Microsoft where Word is the big payload or sometimes Excel, but PDFs can have malicious payloads. So what’s your general thinking on how users can make sure that they can be safe from those because everybody uses PDFs?

Paul Faust: Yes, that’s right, Tom. PDF is a pretty pervasive format. It’s been around for over 20 years. In fact, I believe the first killer app for PDFs were downloadable tax forms. So they’ve become very pervasive. It’s an open standard. And I think the big idea here is that more than ever, all levels of government are facing threats around the security of their networks and protecting sensitive information. And that certainly includes any of the attachments that we all receive and send. And there’s a rising component of that threat, which is the propensity of bad actors to misappropriate published media, and that starts with documents, which we all know are more or less the lifeblood of government. But that also is increasingly including video and images, what are commonly called deep fakes. And the intended outcome is generally the same. And that’s to create misinformation and that misinformation leads to distrust. And a big part of our role is to make it as easy and as straightforward as possible for government knowledge workers to handle and to publish media that is secure, and it’s consistent, and it’s accessible. And that starts with PDFs. And that’s to maintain trust with the citizens ultimately,

Tom Temin: Well, is there a way though, that a PDF can be scanned, and this is my own knowledge gap here, but often documents coming in, you get a message in Microsoft Outlook, not so much in Google Mail, but in Microsoft that says this has been scanned and found to be virus free? So there’s really two issues here, I guess. One is a complete fake piece of information in PDF format. The other is a legitimate PDF, but which has been somehow injected with a malicious payload – two different issues.

Paul Faust: Yes. And so what we have spent a lot of time doing, Tom, is improving what we call protected mode. And it’s specifically developed for the Windows environment. And when it’s enabled, it opens the document that might have some executable content enabled, but it does it within a sandbox that restricts that document’s execution and access through operating system controls. So for example, a process inside the sandbox can’t access processes outside the sandbox without the user providing permission, what we call a trusted broker process.

Tom Temin: Alright, most people just use the Reader end which is what the NSA was concentrating on. So what do you do about the Reader which it’s not even an application you generally open separately, you just click on the PDF and the reader invokes itself. So what can the average user do to protect themselves, do you think?

Paul Faust: The latest NSA guidance actually pertains specifically to reader. And it helps administrators go through a very thoughtful process about what type of content should be executable within that document, and then really strike a good balance between security and usability. JavaScript is what is most commonly used in electronic forms for you and I to complete and sign and return documents electronically. Sometimes, those malicious actors will insert JavaScript that has a really bad outcome intended. And that’s a great phishing strategy to send anybody within a government workforce a malicious PDF, to get access to information that you don’t want them to have access to. So the NSA guidance provides guidelines and a methodology for how administrators can standardize on a particular security posture to deploy Reader throughout the enterprise.

Tom Temin: We’re speaking with Paul Faust, he’s a public sector digital media vice president at Adobe. So these controls then have to be deployed by the systems administrators, not something end users can generally do.

Paul Faust: Generally, end users are going to be better served by a central administrator who’s establishing standards and processes to configure that centrally, and then deploy that through what we call our customization wizard. So those are tools that we provide right out of the box for all versions of our platform, not just reader, but also our products that help you publish PDFs but it’s better left in the hands of an IT administrator just set those standards across the enterprise.

Tom Temin: And you bring up a point. I think I was at the COMDEX show, dating myself, when the PDF format was introduced, and we all thought it seems like magic. You can put any document and it’ll show like it looked originally, but since then, so much more capability has been added to PDFs, like you say, live links, JavaScript execution and so forth. Is it still possible under the settings recommended by the NSA to get through with links and JavaScript and so forth that the creator might wish the final recipient does still have?

Paul Faust: Absolutely. And there’s a step in the process when any given document would be opened, where the user has an opportunity to manually approve the execution of that script, or the opening of a URL or other honestly intended content to display. So you know, it goes back to the ability of the IT administrator to make thoughtful choices that actually improve usability as opposed to locking everything down, making PDFs essentially just printable documents that aren’t very useful for collaboration or other types of automation.

Tom Temin: And what about the possibility of “man in the middle” attacks? Those still can occur. And I’m thinking of this in terms of something you mentioned earlier, which is tax forms. Well, now PDFs are fillable out-able by people as opposed to print and fill in and scan and resend and all of this. So what about the issue of something that either end did not want to be in there getting in there somewhere along the way? And that could be automated, too.

Paul Faust: Sure. So the idea, I think for documents that you would download from a government website, I think the greater concern, as opposed to malicious content that might be in there, the greater concern, in many cases, in the analysis that we’ve done across all levels of government, that includes state and local, there’s actually very sensitive information pertaining to the author, address information, contact information, other PII that at time of publishing before that document goes onto a public website was not sanitized. And so part of the equation that we’ve got a big responsibility to solve for is ensuring that the government is creating documents that themselves are secure. And security includes making sure that there’s no sensitive information that could be hidden in the document in a PDF is a very extensible standard. And there are easier than ever ways to make sure that PII or other sensitive information does not make it into the published version.

Tom Temin: Yes. So is there a way that agencies that are deploying PDFs to be filled out that the information that the person is filling out, the end user is putting in – that could be a federal employee or someone from the public – is filling out the data locally, but the form is actually itself not local, only displaying local?

Paul Faust: Yeah, generally, when you’ve got a PDF fillable form, the author, provided that that author is a trusted author and there are ways to prove that that is the case. And you always want to look for certain signs within that document, that the author is who they say they are. As long as you trust that author, there’s generally not as much of a concern that once you fill that information in and potentially hit a send button, there’s generally not a concern that that information is going someplace where you don’t want it to. But again, as a user, you’ve got to make sure that that document is signed by the author who you believe it is to be. And there are really easy ways to do that. And what we’re finding is that those are not always being taken advantage of.

Tom Temin: Alright, so use the capabilities out of the box, in other words, and you’re probably going to be OK. And just a final question, did the NSA work with Adobe in establishing this new procedures they’ve published recently on the Reader security?

Paul Faust: So we’ve got great relationships with all of our federal partners. And I would say it’s a bi-directional sense of guidance along the lines of how to take best advantage of the features, and then also, what new features Adobe needs to be building into its solutions. So I think the NSA guidance is strong and effective for anybody who’s relying on propagating Reader across their enterprise. And a lot of that guidance would pertain to the rest of our solutions as well.

Tom Temin: And by the way, a lot of agency websites give you the option of downloading the latest version of reader in order to see the document you’re after. So we can presume that agencies have got it set up so that when people download that, it has those NSA controls in it, or it should by now.

Paul Faust: It should. I think all agencies should take a look at this latest guidance to make sure that they are configuring on an enterprise level any Adobe software that is viewing PDF. It’s very straightforward. And I think the big benefit to everybody is the ability to handle documents and what I sort of consider this to be a digital clean room for documents. The ability for everybody to do that safely is easier than ever.

Tom Temin: Paul Faust is public sector digital media vice president at Adobe. Thanks so much for joining me.

Paul Faust: Tom, it was my pleasure. Thanks so much.

Comments are closed.