
DefendCon – All Systems Go

We are excited to host DefendCon from Adobe, the first security conference that combines the gender-inclusive nature of a traditional women-in-tech conference with cutting-edge, quality technical content presented by a diverse array of speakers.

With DefendCon, we are creating a welcoming environment where attendees will not only learn about security best practices, but also gain insight on hot topics in the industry like artificial intelligence, IoT security, incident response and machine learning.

We’re all familiar with the stats around the growth of jobs in information security and the fact that women make up less than 11% of the cybersecurity workforce*. Historically, women also leave the IT workforce at almost twice the rate of men. In an industry with an increasing demand for qualified candidates, we need to attract, train and retain high performing individuals. We know that diverse teams lead to higher performance and better results and we‘re continuing to build on our initiatives in diversity, security best practices, and security education to help creatively solve these issues.

The first ever DefendCon will take place this week on September 21-22 at the Adobe Seattle office. We hope to provide women and men in the security industry with a quality experience to connect, collaborate and learn. We currently have speakers and participants from across the tech sector including LinkedIn, Netflix, Apple, Microsoft, Salesforce and Google. From Adobe, our own Senior Security Researcher Cindy Spiess, Security Researcher Todd Baumeister, as well as Principal Scientist Peleus Uhley will be presenting.

With DefendCon, we’re helping the industry move faster than the status quo and addressing a serious need for more women in cybersecurity.  We look forward to building upon this inaugural effort in the months and years to come.

Check out our full list of speakers and sessions. You can also follow the latest around the event on Twitter @DefendCon.

Brad Arkin
Vice President and Chief Security Officer

* https://iamcybersafe.org/wp-content/uploads/2017/03/WomensReport.pdf

Announcing DefendCon from Adobe

The rate of growth for jobs in information security is projected at 37% through 2022 [1], much faster than the average for other occupations. Did you know that there will be a 2 million job shortfall for cybersecurity professionals by 2019 [2] and women currently make up less than 11% of the cybersecurity workforce [3]?

Adobe believes that diverse teams lead to higher performance and better results and is continuing to build upon its initiatives in diversity, security best practices, and security education to help creatively solve these issues. We wanted to create a conference that combines the gender inclusive nature of a traditional women in tech conference with cutting-edge technical content, thus DefendCon was born. This conference aims to provide women and male allies in the security industry with a quality experience to connect, collaborate and learn. We currently have speakers and participants from across the tech sector including LinkedIn, Netflix, Microsoft, Google and more! Topics include machine learning and AI in security, IoT security, bug bounties, incident response, and container security among others.

Check out our exciting full list of speakers and sessions: https://www.adobe.com/go/defendcon.

If you want to learn more about how you can help the gender diversity issue in cybersecurity, learn from industry leading talent, and meet the next generation of technical leaders please email the DefendCon team today. You can also follow the latest around the event on Twitter @DefendCon.

Tracie Martin
Technical Program Manager – Security

[1] https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm
[2] https://image-store.slidesharecdn.com/be4eaf1a-eea6-4b97-b36e-b62dfc8dcbae-original.jpeg
[3] https://iamcybersafe.org/wp-content/uploads/2017/03/WomensReport.pdf

Lessons Learned from Improving Transport Layer Security (TLS) at Adobe

Transport Layer Security (TLS) is the foundation of security on the internet. As our team evolved from a primarily consultative role to solving problems for the entire company, we chose TLS as one of the areas to improve. The goal of this blog post is to share the lessons we’ve learned from this project.

TLS primer

TLS is a commonly used protocol to secure communications between two entities. If a client is talking to a server over TLS, it expects the following:

  1. Confidentiality – The data between the client and the server is encrypted and a network eavesdropper should not be able to decipher the communication.
  2. Integrity – The data between the client and the server should not be modifiable by a network attacker.
  3. Authentication – In the most common case, the identity of the server is authenticated by the client during the establishment of the connection via certificates. You can also have 2-way authentication, but that is not commonly used.

Lessons learned

Here are the main lessons we learned:

Have a clearly defined scope

Instead of trying to boil the ocean, we decided to focus on around 100 domains belonging to our Creative Cloud, Document Cloud and Experience Cloud solutions. This helped us focus on these services first versus being drowned by the thousands of other Adobe domains.

Have clearly defined goals

TLS is a complicated protocol and the definition of a “good” TLS configuration keeps changing over time. We wanted a simple, easy to test, pass/fail criteria for all requirements on the endpoints in scope. We ended up choosing the following:

SSL Labs grade

SSL Labs does a great job of testing a TLS configuration and boiling it down to a grade. Grade ‘A’ was viewed as a pass and anything else was considered a fail. There might be some endpoints that had valid reasons to support certain ciphers that resulted in a lower grade. I will talk about that later in this post.

Apple Transport Security

Apple has a minimum bar for TLS configuration that all endpoints must pass if iOS apps are to connect to that endpoint. We reviewed these criteria and all the requirements were deemed sensible. We decided to make it a requirement for all endpoints, regardless of whether an endpoint was being accessed from an iOS app or not. We found a few corner cases where a configuration would get SSL Labs grade A and fail ATS (and vice versa) that we resolved on a case-by-case basis.

HTTP Strict Transport Security

HSTS (HTTP Strict Transport Security) is an HTTP response header that instructs compliant clients to always use HTTPS to connect to a website. It addresses the problem of the initial request being made over plain HTTP when a user types in the site without specifying the protocol, and so helps prevent the hijacking of connections. When a compliant client receives this header, it only uses HTTPS to make connections to this website for the max-age value (in seconds) set by the header. The max-age countdown is reset every time the client receives this header. You can read the details about HSTS in RFC 6797.
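The following is an added example, not code from the original post: it parses a Strict-Transport-Security header value following the RFC 6797 rules just described (mandatory max-age, case-insensitive directive names, duplicates invalidate the header, unknown directives are ignored), evaluates it against a pass/fail policy of the kind the post describes, and models a compliant client's cache to show the max-age countdown being reset on each response. The sample header values and the one-year policy minimum are constructed for this example.

```python
"""Parse and evaluate Strict-Transport-Security headers (RFC 6797).

Added example, not code from the original post. Sample header values and
the one-year policy minimum are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Policy minimum assumed for this example (one year in seconds).
MIN_MAX_AGE = 365 * 24 * 3600


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value; return None if a client must ignore it.

    RFC 6797 section 6.1: directives are ';'-separated, names are
    case-insensitive, max-age is required, a directive name must not
    appear twice, and unknown directives are ignored.
    """
    seen = set()
    max_age = None
    include_subdomains = preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None  # duplicated directive invalidates the header
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate_hsts(header_value: Optional[str], min_age: int = MIN_MAX_AGE) -> list:
    """Return a list of findings; an empty list means the endpoint passes."""
    if header_value is None:
        return ["no Strict-Transport-Security header"]
    policy = parse_hsts(header_value)
    if policy is None:
        return ["malformed Strict-Transport-Security header"]
    findings = []
    if policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} is below minimum {min_age}")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set")
    return findings


class KnownHstsHosts:
    """Minimal model of a compliant client's HSTS cache."""

    def __init__(self):
        self._expires_at = {}  # host -> time after which the entry lapses

    def observe(self, host: str, header_value: str, now: int) -> None:
        policy = parse_hsts(header_value)
        if policy is None:
            return
        if policy.max_age == 0:
            self._expires_at.pop(host, None)  # max-age=0 tells the client to forget
        else:
            # Every valid header restarts the countdown from 'now'.
            self._expires_at[host] = now + policy.max_age

    def must_use_https(self, host: str, now: int) -> bool:
        return host in self._expires_at and now < self._expires_at[host]


if __name__ == "__main__":
    # Constructed sample headers, as a scanner would see them per endpoint.
    for value in ("max-age=31536000; includeSubDomains; preload",
                  "max-age=300", "includeSubDomains", None):
        print(repr(value), "->", evaluate_hsts(value) or "pass")
```

`evaluate_hsts` is the shape of pass/fail check the post argues for: one function, one list of findings, easy to schedule daily. The `KnownHstsHosts` model makes the "reset on every receipt" behaviour concrete: a host stays pinned to HTTPS as long as it keeps serving the header, and a `max-age=0` response is how a site opts back out.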

Complete automation of testing workflow

We wanted to have minimal human cost for these tests on an ongoing basis. This project allowed us to utilize our Security Automation Framework (SAF). Once the scans are set up and scheduled, they keep running daily and the results are passed on to us via email, Slack, etc. After the initial push to get all the endpoints to pass all the tests, it was very easy to catch any drift when we saw a failed test. Here is what these results look like in the SAF UI:

Devil is in the Detail

From a high level it seems fairly straightforward to go about improving TLS configurations. However, it is a little more complicated when you get into the details. I wanted to talk a little bit about how we went about removing ciphers that were hampering the SSL Labs grade.

To understand the issues, you have to know a little bit about the TLS handshake. During the handshake, the client and the server decide on which cipher to use for the connection. The client sends the list of ciphers it supports in the client “hello” message of the handshake to the server. If server-side preference is enabled, the cipher that is listed highest in the server’s preference order and is also supported by the client is picked. In our case, the cipher that was causing the grade degradation was listed fairly high on the list. As a result, when we looked at the ciphers used for connections, this cipher was used in a significant percentage of the traffic. We didn’t want to just remove it because of the potential risk of dropping support for some customers without any notification. Therefore, we initially moved it to the bottom of the supported cipher list. This reduced the percentage of traffic using that cipher to a very small value. We were then able to identify that a partner integration was responsible for all the traffic for this cipher. We reached out to that partner and notified them to make appropriate changes before disabling that cipher. If you found this interesting, you might want to consider working for us on these projects.
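As an added example, not code from the original post, the following models the server-preference selection rule described above and replays the two-step approach (demote the suite to the bottom of the list, then remove it) against a few constructed client populations. The suite names are standard IANA identifiers but the choice of which one plays the grade-lowering suite, and the client populations, are constructed; the post does not name the cipher it removed.

```python
"""Model TLS cipher-suite selection under server-side preference.

Added example, not code from the original post. Which suite plays the
'grade-lowering' one and the client populations are constructed.
"""

AES256 = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
AES128 = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
CHACHA = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
LEGACY = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"  # stand-in for the suite that hurt the grade

# Server preference list as initially deployed: the legacy suite sits high.
SERVER_PREFS = [AES256, LEGACY, AES128, CHACHA]

# Constructed client populations: (label, suites offered in ClientHello order).
CLIENTS = [
    ("browser", [CHACHA, AES128, LEGACY]),
    ("mobile-app", [AES128, LEGACY]),
    ("partner-integration", [LEGACY]),
]


def select_cipher(server_prefs, client_offer, server_preference=True):
    """Pick the suite the handshake lands on, or None when nothing overlaps.

    With server preference the server's order wins: the first server entry the
    client also offered is chosen. Without it, the client's order decides.
    """
    if server_preference:
        primary, secondary = server_prefs, client_offer
    else:
        primary, secondary = client_offer, server_prefs
    for suite in primary:
        if suite in secondary:
            return suite
    return None


def simulate(server_prefs, clients, server_preference=True):
    """Map each negotiated suite (or None for a failed handshake) to its clients."""
    outcome = {}
    for label, offered in clients:
        chosen = select_cipher(server_prefs, offered, server_preference)
        outcome.setdefault(chosen, []).append(label)
    return outcome


def move_to_bottom(prefs, suite):
    """Step 1 from the post: keep the suite, but only as a last resort."""
    return [s for s in prefs if s != suite] + [suite]


def remove_suite(prefs, suite):
    """Step 2: drop it once the remaining users have been notified."""
    return [s for s in prefs if s != suite]


if __name__ == "__main__":
    stages = (("initial", SERVER_PREFS),
              ("moved to bottom", move_to_bottom(SERVER_PREFS, LEGACY)),
              ("removed", remove_suite(SERVER_PREFS, LEGACY)))
    for stage, prefs in stages:
        print(stage, "->", simulate(prefs, CLIENTS))
```

With the initial list every client, even a modern browser, lands on the legacy suite, which is why the traffic share looked so large. Demoting the suite moves everything that can do better onto AES-GCM and leaves only the client that offers nothing else, which is exactly the population worth contacting before the final removal turns their handshake into a failure.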

Future work

In the future, we want to expand the scope of this project. We also want to expand the requirements for services that have achieved the requirements described in this post. One of the near-term goals is to get some of our domains added to the HSTS preload list. Another goal is to do more thorough monitoring of certificate transparency logs for better alerting for new certificates issued for Adobe domains. We have also been experimenting with HPKP. However, as with all new technologies, there are issues we must tackle to continue to ensure the best balance of security and experience for our customers.

Gurpartap Sandhu
Security Researcher

Adobe @ Security of Things World 2017

Dave Lenoe, Director of the Adobe Secure Software Engineering Team, will be speaking this week at Security of Things World 2017 in Berlin, Germany. Dave will be speaking about “Building in Seamless Security Updates – Lessons Learned for IoT Device Manufacturers” at 13:45 on Monday, June 12th. The session will discuss the importance of providing security updates quickly, making them easy to install for users, and best practices that can be built into IoT devices from the ground up. If you are attending Security of Things World this week in Berlin, we hope you are able to join Dave for this informative session.

Thanks to All Who Have Downloaded Open Source CCF

As announced at ISACA North America CACS this past Monday, May 1st, by our own Abhi Pandit, Adobe has made available an open source version of its Common Controls Framework (CCF). We have had significant interest in this unique project both before and after the event. We would like to thank all of those that have downloaded open source CCF to date. As always, we welcome  your feedback as you make use of the framework in your own compliance efforts. You can contact us directly at opensourceccf@adobe.com. If you have not yet downloaded your copy, please visit our website to register and download today.

For our European customers and friends, Abhi will be speaking about open source CCF at the upcoming Euro CACS conference in Munich on Monday, May 29th, from 14:15 – 15:30. If you are planning to attend Euro CACS, we look forward to seeing you at the session. We will also have a booth in the expo area with more information about open source CCF and our other security and compliance initiatives across Adobe.

We look forward to seeing you there!

The Adobe Team at North America CACS 2017

Chris Parkerson
Sr. Campaign Manager

Adobe Releases Common Control Framework (CCF) as Open Source

The Common Control Framework (CCF) by Adobe is the cornerstone of our company-wide compliance strategy.  It is a comprehensive set of simple control requirements, rationalized from the alphabet soup of several different industry information security and privacy standards.  The CCF has enabled Adobe’s cloud products, services, platforms and operations to achieve compliance with various security certifications, standards, and regulations (SOC2, ISO, PCI, HIPAA, FedRAMP etc.).

This multi-year effort to implement the CCF across all business units was led by our Risk, Advisory and Assurance Services (RAAS) group.  As part of our ongoing efforts in knowledge sharing with the broader security community, we are releasing a generic version of CCF through a Creative Commons license to help drive ongoing innovation around compliance in the security industry.

Open source CCF contains a baseline set of control activities. These control activities are meant to assist organizations in meeting the requirements of ISO/IEC 27001, AICPA SOC Common Criteria, AICPA SOC Availability, and the security requirements of GLBA and FERPA. These common activities were identified and developed based on industry requirements. They have been adopted by Adobe product operations and engineering teams to achieve compliance with these standards. This information is only to be used as an illustrative example of common security controls that could be tailored to your organization’s security objectives.

We are excited to share the CCF with the security and compliance community. However, potential users should note that it is more than just a unified compliance framework. Our goal with CCF is to help the industry realize more significant value by adopting a more collaborative implementation strategy within their business. This will help enable more scalable security, compliance, and operations processes to ensure ongoing success.

We hope you will take the opportunity to download CCF today and begin using it in your organization. We welcome feedback and questions about the framework. You can contact us on the Open Source CCF team directly at opensourceccf@adobe.com.

Abhi Pandit
Sr. Director, Risk Advisory and Assurance Services (RAAS)

Adobe @ CanSecWest 2017

It was another great year for the Adobe security team at CanSec West 2017 in beautiful Vancouver. CanSec West 2017 was an eclectic mix of federal employees, independent researchers and representatives of industry, brought together in one space to hear about the latest exploits and defense strategies. As a first time attendee, I was impressed not just by the depth and breadth of the talks, but also by the incredibly inclusive community of security professionals that makes up the CanSec family. Adobe sponsors many conferences throughout the year, but the intimate feel of CanSec West is unique.

As the industry shifts towards a more cloud-centric playbook, hot topics such as virtualization exploits became a highlight of the conference. Several presenters addressed the growing concern of virtualization security, including the Marvel team, who gave an excellent presentation demonstrating the Hearthstone UAF and OOB vulnerabilities to exploit RPC calls in VMware. Additionally, the Qihoo 360 Gear team continued their theme from last year on QEMU exploitation, demonstrating attacks that ranged from leveraging trusted input from vulnerable third-party drivers to attacking shared libraries within QEMU itself.

IoT also continued to be a hot topic of conversation, with several talks describing both ends of the exploitation spectrum, such as the limited-scale but potentially catastrophic effect of attacking automobile safety systems and the wide-scale DoS-style attacks of a multitude of insecure devices banding together to form zombie armies. Jun Li, from the Unicorn team of Qihoo, gave an informative talk on exploiting the CAN bus in modern automobiles to compromise critical safety systems. On the other end of the attack spectrum, Yuhao Song of GeekPwn Lab & KEEN and Huiming Liu of GeekPwn Lab & Tencent Xuanwu Lab presented on how mobilizing millions of IoT devices can cause wide-scale devastation across core internet services.

There were many talks on how the strategy for vulnerability prevention is changing from attempting to correct individual pieces of vulnerable code to implementing class-excluding mitigations that make 0-day exploitation time consuming and costlier. In a rare moment of agreement between attackers and defenders, both David Weston from Microsoft and Peng Qiu and Shefang Zhong from Qihoo 360 touted the improvements in Windows 10 architecture, such as Control Flow Guard, Code Integrity Guard and Arbitrary Code Guard, that prevent entire classes of exploits. As with previous class-busting mitigations like ASLR, wide-scale adoption of these new technologies will be a challenge as we continue to chase a multitude of third-party binaries while trying to ensure continuing compatibility with legacy software. As David Weston reiterated in his talk, even these improvements are not a panacea for security and there is still much work to be done by the industry to ensure a workable blend of security and usability.

Finally, my personal favorite presentation was given by Chuanda Ding from Tencent, who gave a detailed analysis of the state of shared libraries in systems. In a world of modular software we are quickly becoming joined to each other in an intricate web of shared libraries that may not be fully understood either by the defenders or by the consumers. Chuanda Ding cited Heartbleed as a benchmark example of what happens when a critical software bug is discovered in a widely used common library. As defenders and creators of software, this is often one of the most complex issues we deal with. As we move to a more interwoven software landscape and software offerings increase, it becomes harder to identify where shared third-party code exists, at what versions it exists and how to effectively patch them all when a vulnerability arises. I cannot understate how much I loved his last chart on shared libraries; you should check it and the rest of the great talks out on the CanSec West slideshare. Also be sure to catch our next blog post on the results of the Pwn2Own contest.

Tracie Martin
Security Technical Program Manager

SOC 2-Type 2 (Security & Availability) and ISO 27001:2013 Compliance Across All Adobe Enterprise Clouds

We are pleased to report that Adobe has achieved SOC 2 – Type 2 (Security & Availability) and ISO 27001:2013 certifications for enterprise products within Adobe’s cloud offerings:

  • Adobe Marketing Cloud*
  • Adobe Document Cloud (incl. Adobe Sign)
  • Adobe Creative Cloud for enterprise
  • Adobe Managed Services*
    • Adobe Experience Manager Managed Services
    • Adobe Connect Managed Services
  • Adobe Captivate Prime
*(Excludes recent acquisitions including Livefyre and TubeMogul)

The criteria for these certifications have been an important part of the Common Controls Framework (CCF) by Adobe, a consolidated set of controls to allow Adobe teams supporting Adobe’s enterprise cloud offerings across the organization to meet the requirements of various industry information security and privacy standards.

As part of our ongoing commitment to help protect our customers and their data, and to help ensure that our standards effectively meet our customers’ expectations, we are constantly refining this framework based on industry requirement changes, customer asks, and internal feedback.

Following a number of requests from the security and compliance community, we are planning to publicly release an open source version of the CCF framework and guidance sometime in FY17 so that other companies may benefit from our experience.

Brad Arkin
Chief Security Officer

IT Asset Management: A Key in a Consistent Security Program

IT Asset Management (ITAM) is the complete and accurate inventory, ownership and governance of IT assets. ITAM is an essential and often required stipulation of an organization’s ability to implement baseline security practices and become compliant with rigorous industry standards. As IT continues to transform, organizations face the challenge of maintaining an accurate inventory of IT assets that consist of both physical and virtual devices, as well as static and dynamic spin-up-spin-down cloud infrastructures.

The absence of ITAM can result in a lack of asset governance and inaccurate inventory. Without a formalized process, companies might unknowingly be exposed to insecure assets that are open to exploitation. On the contrary, proper ITAM helps enable organizations to leverage a centralized and accurate record of inventory in which security measures can be implemented and applied consistently across the organization’s environment.

Risks Without ITAM

Assets that are not inventoried and tracked in an ITAM program present a very real and critical risk to the business. Unknown assets seldom have an appropriate owner identified and assigned. In essence, nobody within the organization is owning the responsibility to ensure that the unknown asset is sufficiently governed or secured. As a result, unknown assets can quickly fall out of sync with regulatory or compliance requirements, leaving them vulnerable to exploitation.

In a world of constant patches and hotfixes, an unknown asset can become vulnerable after only a single missed update. Bad actors rarely attack the well-known and security hardened asset. It is far more common for a bad actor to patiently traverse the organization’s network, waiting to attack until they have identified an asset which the organization itself doesn’t know exists.

Benefits of ITAM

Before a company can sufficiently implement programs designed to protect its operational assets, it must first have the ability to identify and inventory those assets. Companies should put into place processes and controls to automate the inventorying of assets obtained via procurement and virtual machine provisioning. Assets can be inventoried and continuously tracked using a Configuration Management Database (CMDB). Each asset can be inventoried in the CMDB and assigned an owner, who is responsible for asset governance and maintenance until the decommission, or destruction, of the asset.

Processes must also be put into place to continuously monitor and update the CMDB inventory. One example of how Adobe monitors its CMDB is by leveraging operating security controls. For example, Adobe performs an analysis to determine if all assets sending logs to a corporate log server are known assets inventoried in the CMDB. If the asset is not inventoried in the CMDB, then the asset is categorized as an unknown asset. Once unknown assets are identified, further analysis is performed so that the asset can be added to the CMDB and an appropriate owner assigned.
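The reconciliation described in the paragraph above, as an added example that is not Adobe's tooling: it extracts the sending host from each syslog line received by a log server, normalizes hostnames so that short and fully qualified names compare equal, and flags every log source with no CMDB record as an unknown asset. It goes slightly beyond the post by also flagging two related conditions a practitioner would want from the same pass: assets the CMDB marks decommissioned that are still logging, and active assets that sent nothing in the window. The CMDB records, log lines and hostname conventions are constructed for this example.

```python
"""Reconcile hosts seen in syslog against a CMDB inventory.

Added example, not Adobe's tooling. The CMDB export, the log lines and the
hostname conventions are constructed for illustration.
"""
import re
from collections import Counter

# Constructed CMDB export: one record per inventoried asset.
CMDB_RECORDS = [
    {"hostname": "web-01.corp.example", "owner": "web-team", "status": "active"},
    {"hostname": "db-02.corp.example", "owner": "data-team", "status": "active"},
    {"hostname": "app-03.corp.example", "owner": "app-team", "status": "active"},
    {"hostname": "old-09.corp.example", "owner": "app-team", "status": "decommissioned"},
]

# Constructed syslog lines as received by the corporate log server.
LOG_LINES = [
    "Mar  3 10:14:01 web-01 sshd[1204]: Accepted publickey for deploy from 10.0.0.5",
    "Mar  3 10:14:05 db-02.corp.example cron[882]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  3 10:15:10 WEB-01 kernel: [1203.4] eth0: link up",
    "Mar  3 10:15:12 lab-vm-7 systemd[1]: Started Session 4 of user admin.",
    "Mar  3 10:15:40 old-09 sshd[77]: Accepted password for root from 10.0.9.9",
    "this line is not syslog and is skipped",
]

# BSD syslog header: "Mon dd HH:MM:SS host ..." (day may be space-padded).
SYSLOG_HEADER = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) ")


def normalize(hostname: str) -> str:
    """Compare on the short name, case-insensitively; agents differ in what they send."""
    return hostname.split(".")[0].lower()


def host_from_log(line: str):
    """Return the normalized sending host, or None for a line that is not syslog."""
    match = SYSLOG_HEADER.match(line)
    return normalize(match.group("host")) if match else None


def reconcile(cmdb, log_lines):
    """Return (unknown, retired_but_talking, silent).

    unknown: log sources with no CMDB record at all, with line counts
    retired_but_talking: CMDB says decommissioned, yet the host still logs
    silent: active CMDB assets that sent nothing in this window
    """
    status = {normalize(r["hostname"]): r["status"] for r in cmdb}
    seen = Counter(h for h in map(host_from_log, log_lines) if h)
    unknown = {h: n for h, n in seen.items() if h not in status}
    retired_but_talking = {h for h in seen if status.get(h) == "decommissioned"}
    silent = {h for h, s in status.items() if s == "active" and h not in seen}
    return unknown, retired_but_talking, silent


if __name__ == "__main__":
    unknown, retired, silent = reconcile(CMDB_RECORDS, LOG_LINES)
    print("unknown assets (needs CMDB entry and owner):", unknown)
    print("decommissioned but still logging:", retired)
    print("active but silent (check agent or inventory):", silent)
```

Each of the three outputs feeds a different follow-up: an unknown host needs an owner assigned and a CMDB record created, a retired host that still logs means the decommission was never completed, and a silent active host usually means a broken log agent rather than a missing asset, but either way the inventory and reality have drifted.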

At Adobe, we have created the Adobe Common Controls Framework (CCF), which is a set of control requirements that have been rationalized from the complex array of industry security, privacy and regulatory standards. CCF provides the necessary controls guidance to assist teams with asset management. ITAM helps provide Adobe internal, as well as third party external, auditors with a centralized asset repository to leverage in order to gain reasonable assurance that security controls have been implemented and are operating effectively across the organization’s environment.

As described above, maintaining a complete and accurate ITAM in an organization of any size is no easy task. However, when implemented correctly, the benefits of ITAM allow organizations to consistently apply security controls across the operating environment, helping result in a reduced attack surface for potential bad actors. If organizations are not aware of where their assets are, then how can they reasonably know what assets they need to protect?

Matt Carroll
Sr. Analyst, Risk Advisory and Assurance Services (RAAS)

Working with Girls Who Code

I was lucky to grow up with a support system of teachers and family who encouraged me to pursue a career in STEM. My father was an engineer and as a little girl, I wanted to be just like him. So when it came time to decide what my major in undergrad would be, I had no doubt about choosing computer engineering. When I moved to Seattle, I met many girls who did not share the same experiences as me. One told me her family just didn’t believe girls could do math, while another told me teachers were never supportive and told her that girls didn’t do well in math and science. This was just unacceptable to me. I believe that all children, regardless of their gender, race, and background should be encouraged to pursue any field they want.

Girls Who Code is a non-profit organization with a mission to create programs that will inspire, educate, and equip girls with the computing skills to pursue 21st century opportunities. Girls Who Code found that by 2020, there will be 1.4 million jobs available in tech fields and US graduates are on track to fill 29% of those jobs – but only 3% of these will be women. In the 1980s, 37% of computer science graduates were women, but today it’s only around 18%. I work in cybersecurity where the percentage of women in the field is around 11%. These are very disappointing statistics, and I wanted to help change the situation. So when my manager approached me to help teach the Girls Who Code class for Adobe in Seattle, I jumped at the opportunity.

Adobe has partnered with Girls Who Code for three years to host summer immersion programs. Apart from providing classroom space, program managers and mentors, this summer, Adobe was the only Girls Who Code partner company that provided its own instructors, with four full-time, female employees teaching the coding classes.

During the months of July and August, I taught 20 high school girls, ages 15-18, the basics of computer science skills including Scratch, Python, Arduino programming, and web development. The program also taught leadership skills like self-confidence, self-advocacy and public speaking. Other Adobe employees organized field trips, speakers, and workshops and helped the girls with projects. Several Adobe women volunteered one hour per week to provide career mentorship and conduct technical interview workshops for the girls.

The last two weeks of the program, the girls picked an idea for a final project and took it from inception to launch. They came up with BIG ideas they felt passionate about, from developing a safe places app, to teaching children arts and music, to helping students be more productive. They used technologies they had never used before, including jQuery, integrating the Google and Facebook APIs, and using MongoDB to host everything on AWS. On graduation day, the girls presented their projects to their family, mentors and various Adobe employees.

I’m proud to work at Adobe, a company that follows through on its values. In addition to all the time and resources, the Adobe Foundation gave each of the girls a laptop and a one-year Creative Cloud subscription to continue their tech journey. I am thankful to my team,  who supported me in this effort and picked up the slack while I was teaching. In my own little way, I hope I have encouraged more young women to pursue STEM fields, including careers at Adobe and our peers in the tech industry.

Aparna Rangarajan
Sr. Technical Program Manager – Security