How to button a cybersecurity risk on every government computer

Do not click on this attachment! How many times have you heard that one in anti-phishing training? Often attachments containing malicious payloads are delivered in popular Adobe PDF format. Recently, the National Security Agency released advice on how to set up your PDF reader app securely. To learn more about the whole PDF issue from Adobe itself, VP of Public Sector Digital Media Paul Faust spoke to the Federal Drive with Tom Temin.

Tom Temin: Mr. Faust, glad to have you.

Paul Faust: Tom, I’m grateful to be with you. Thank you.

Tom Temin: And I imagine you share the concern with Microsoft where Word is the big payload or sometimes Excel, but PDFs can have malicious payloads. So what is your general opinion on how users can ensure that they can be safe from these since everyone uses PDFs?

Paul Faust: Yes, that’s right, Tom. PDF is a fairly common format. It has been around for over 20 years. In fact, I believe the first killer application for PDFs was downloadable tax forms. So they have become very common. It is an open standard. And I think the big idea here is that more than ever, all levels of government are facing threats around the security of their networks and the protection of sensitive information. And that certainly includes all the attachments we all receive and send. And there’s a growing component of that threat, which is the propensity of bad actors to hijack the published media, and it starts with documents, which we all know are more or less the lifeblood of government. But it also increasingly includes videos and images, commonly referred to as deep fakes. And the expected result is usually the same. And that’s to create misinformation and that misinformation leads to distrust. And a big part of our role is to make it as easy and simple as possible for government knowledge workers to manage and publish secure, consistent and accessible media. And it starts with PDFs. And this is to maintain trust with the citizens ultimately.

Tom Temin: Well, is there a way to scan a PDF, and it’s my own lack of knowledge here, but often documents come, you get a message in Microsoft Outlook, not so much in Google Mail, but in Microsoft, that says this was scanned and found virus free? So there are really two issues here, I guess. One is full fake information in PDF format. The other is a legitimate PDF, but somehow injected with a malicious payload – two different issues.

Paul Faust: Yes. And so what we spent a lot of time doing, Tom, is improving what we call protected mode. And it is specifically developed for Windows environment. And when enabled, it opens the document which might have executable content enabled, but it does so in a sandbox that restricts execution and access to that document through operating system controls. So, for example, a process inside the sandbox cannot access processes outside the sandbox without the user providing permission, which we call a trust broker process.

Tom Temin: Okay, most people only use the reader side, which is what the NSA was focusing on. So what about the reader that isn’t even an app that you usually open separately, just click on the PDF and the reader invokes itself. So what do you think the average user can do to protect themselves?

Paul Faust: The latest NSA guidelines actually relate specifically to the reader. And it helps admins go through a very thoughtful process about what kind of content should be executable in that document, and then strike a good balance between security and usability. JavaScript is what is most commonly used in electronic forms for you and me to fill out, sign and return documents electronically. Sometimes these malicious actors insert JavaScript which has a very bad expected result. And it’s a great phishing strategy to send anyone in a government workforce a malicious PDF, to gain access to information you don’t want them to have access to. Thus, the NSA guidelines provide direction and methodology on how administrators can standardize a particular security posture to deploy Reader across the enterprise.

Tom Temin: We speak with Paul Faust, he is Vice President of Public Sector Digital Media at Adobe. These controls must therefore be deployed by system administrators, which end users generally cannot do.

Paul Faust: Typically, end users will be best served by a central administrator who establishes standards and processes to configure them centrally, then deploys them through what we call our Customization Wizard. So these are tools that we provide right out of the box for all versions of our platform, not just the reader, but also our products that help you publish PDFs, but best left in the hands of others. An IT administrator just sets those standards across the enterprise.

Tom Temin: And you raise a point. I think I was at the COMDEX show, dating myself, when the PDF format was introduced, and we all thought it sounded like magic. You can put in any document and it will display as it originally did, but since then a lot more features have been added to PDFs, like you say, live links, JavaScript execution, etc. Is it still possible, with NSA recommended settings, to use links and JavaScript, etc., that the creator might still want the end recipient to have?

Paul Faust: Absolutely. And there’s a step in the process when opening a given document, where the user has the option to manually approve running that script, or opening a URL or other content honestly intended for display. So, you know, it comes down to the IT admin’s ability to make thoughtful choices that actually improve usability instead of locking everything down, making PDFs essentially printable documents that aren’t very useful for collaboration or other types of automation.

Tom Temin: And what about the possibility of “man-in-the-middle” attacks? These can still happen. And I think of that in terms of something you mentioned earlier, which is tax forms. Well, now PDFs can be filled out by people, instead of being printed, filled out, scanned, sent back and all that. So what about the question of something that either end didn’t want to be in there somewhere along the way? And it could also be automated.

Paul Faust: Sure. So the idea, I think for documents that you would download from a government website, I think the biggest concern, as opposed to the malicious content that might be on there, the biggest concern, in many cases, in the analysis we have done at all levels of government, including state and local, there is actually very sensitive information regarding the author, address information, contact information, other PII which, at the time of publication before this document is posted on a public website, has not been cleaned up. And so part of the equation that we have a big responsibility to solve is to make sure that the government creates documents that are themselves secure. And security is about making sure there is no sensitive information that could be hidden in the document. A PDF is a very extensible standard. And there are easier ways than ever to ensure that PII or other sensitive information doesn’t end up in the published version.

Tom Temin: Yes. So is there a way for agencies that deploy PDFs to fill in the information that the person fills in, the end user puts in – this could be a federal employee or someone from the public – fills in the data locally, but the form itself is not local, showing only local?

Paul Faust: Yes, usually when you have a PDF form to fill out, the author, provided that author is a trusted author and there are ways to prove that is the case. And you always want to look for certain signs in this document, that the author is who he claims to be. As long as you trust that author, there’s usually not as much of a worry as once you’ve filled in that information and possibly clicked a submit button, there’s usually not that much of a worry that that information goes where you don’t want it to. But again, as a user, you need to make sure that this document is signed by the author you think it should be. And there are very simple ways to do it. And what we find is that these are not always exploited.

Tom Temin: Alright, so use the out-of-the-box features, in other words, and you’ll probably be fine. And just one last question, has the NSA worked with Adobe to establish these new procedures they recently released on Reader security?

Paul Faust: So we have excellent relations with all of our federal partners. And I would say it’s a two-way sense of direction on how to get the most out of features, and then also what new features Adobe needs to incorporate into their solutions. So I think the NSA guidelines are solid and effective for anyone relying on Reader propagation in their business. And a lot of that advice would apply to the rest of our solutions as well.

Tom Temin: And besides, many agency websites give you the option to download the latest version of the reader in order to see the document you are looking for. So we can assume that the agencies have it set up so that when people download it, it has those NSA checks in it, or it already should.

Paul Faust: It should. I think all agencies should review these latest guidelines to ensure they are setting up any Adobe software that views PDF at the enterprise level. It’s very simple. And I think the big benefit for everyone is the ability to manage documents and what I kind of consider a digital clean room for documents. Making it safe for everyone to do so is easier than ever.

Tom Temin: Paul Faust is Vice President of Public Sector Digital Media at Adobe. Thank you very much for joining me.

Paul Faust: Tom, it was my pleasure. Thanks very much.