PDF documents are no longer the security panacea we thought they were, and security awareness training needs to catch up.
For years, IT and security professionals have been advising people to distribute documents in PDF format rather than as Word .doc files. In part, this prevents the average user from making changes to the document, but it was also perceived as being more secure since Word files were known to contain macro viruses.
Sadly, the security advantages are no longer so clear-cut. It’s been known for a while that Acrobat Reader – the software that’s installed on the majority of business and home PCs – has some security problems (but, to be fair, it’s hard to find a piece of software that doesn’t). Now, csoonline.com has posted a warning that hackers are taking advantage of a vulnerability in Acrobat Reader. Adobe’s official post of December 14 says:
“This afternoon, Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild.”
So, we have to make sure that our security awareness training includes the following advice to end-users:
- All applications – including Acrobat Reader – must be kept up to date with security patches. This is not limited to Microsoft products and the Windows operating system.
- Since hackers may try to attack before security patches are available for applications, we should be extremely careful with documents from unknown and/or untrusted sources.
- Although today’s antivirus software is very good, we can’t rely on it 100%: it takes time for updated signature files to be distributed and installed, and during that time we might be vulnerable to attack.
I don’t think there’s anything really new here – just a reason to check that our awareness training is accurate, and to remind staff of the threats that are out there. And perhaps to think about whether we really need fancy formatting, or whether plain text would do just as well!