Four ways to reduce security risks using software updates and deployment resources

Young Multiethnic Female Government Employee Uses Tablet Computer in System Control Monitoring Center.

Keeping software updated is fundamental and there are successful strategies to further enhance your organization’s security posture.

The Cybersecurity and Infrastructure Security Agency (CISA) leads a national effort to understand, manage, and reduce risk to cyber and physical infrastructure. Recently, CISA published Binding Operational Directive 22-01 — Reducing the Significant Risk of Known Exploited Vulnerabilities (KEV). This directive established a new CISA-managed vulnerability catalog and established requirements for government agencies to remediate KEV catalog entries that are applicable to their IT environments. Rather than have agencies prioritize thousands of published vulnerabilities that may not be as likely in a real-world attack, this directive shifts the focus to prioritizing the most active threats in the industry. Each KEV catalog entry includes a clear remediation action with due date, such as a vendor provided update or other configuration instruction. CISA will update the KEV catalog as new exploits are identified. This directive and catalog enhances, but does not replace, the existing remediation requirements for critical and high vulnerabilities on federal information systems.

Adobe fully supports these cybersecurity initiatives, and offers the following recommended strategies for consideration:

  1. Subscribe to security notification services

    Have your security team subscribe to important updates via email, from both government and applicable IT vendors in your environment. Visit the CISA KVE site to subscribe to the Known Exploited Vulnerabilities catalog update bulletin. For Adobe products and services, utilize the Security Notification Service which provides automatic email notifications whenever Adobe specific security bulletins are published with their Common Vulnerability and Exposure (CVE) numbers. If you need to report an Adobe security issue, please use the appropriate contacts on our website.

  2. Quickly install software updates as they are released

    Software updates can include new features and capabilities, but also important stability improvements and security updates. Many desktop applications and mobile app stores include update mechanisms that regularly check and install these updates automatically — and customers are encouraged to maintain this default setting as applicable. For mission critical enterprises with large software deployments, and not always connected to the internet — these systems should still be administratively updated as quickly as possible. Every second a security update is not deployed, is another second a door is left open to malicious actors — that could have been mitigated.

  3. Utilize enterprise deployment, configuration, and support resources

    Many Windows desktop applications can be centrally managed via Microsoft System Center Confirmation Manager (SCCM) — now a part of the Microsoft Endpoint Configuration Manager (CM) — and Mac desktop applications can also be managed with Apple Remote Desktop (ARD). Adobe provides instructions for using CM and ARD to deploy Creative desktop updates as well as CM and ARD for Acrobat, too.

    The Adobe Update Server Setup Tool (AUSST) is another option to help centralize the distribution of Adobe apps and updates. Supported Adobe desktop software can directly contact an intranet distribution server for ongoing updates. This is especially helpful if you have a network of desktops not connected to the Internet. An authorized IT administrator can download updates from adobe.com, then transfer them via USB or optical storage media to the internal Adobe Update Server, for all the desktops to receive.

    The Adobe Remote Update Manager (RUM) provides a command-line interface that admins can use to remotely install updates of Adobe apps — instead of having to log in to each desktop UI and install.

    To help organizations that regularly scan to inventory software installation and license-related information, Adobe offers software tagging identifiers for Acrobat and Creative desktop products.

    Extensive documentation is available for enterprise deployment and management of Creative and Acrobat desktop applications, including MSI and command line support, Windows Server Group Policy Objects (GPO), configuring certificate based digital signatures that work with Federal and DoD Public Key Infrastructure through the Adobe Approved Trust List, and an extensive administrative preference reference for registry keys in the Acrobat Enterprise Toolkit.

    As software vendors increasingly move to cloud-based services, security documentation is also available under the Federal Risk and Authorization Management Program (FedRAMP). Adobe strongly supports FedRAMP, and Adobe’s FedRAMP authorized cloud services are listed in the FedRAMP Marketplace.

    Many vendors run online user communities to share best practices and receive peer support. These communities are great places to ask deployment questions if you are unable to find applicable documentation. At Adobe, we use the Adobe Experience League Community where subject matter experts support users across our applications and services, and we have a dedicated forum for government topics.

    When all the documentation and online communities still do not address your concerns, please do reach out to the vendors for assistance. Adobe provides several enterprise support programs across our product lines, including options for named support professionals, expert sessions, training, and Adobe support staff based in the country.

  4. Replace or remove software that is no longer supported

    When software is no longer supported by a vendor, including stability and security updates — it must be removed or replaced with a supported alternative. Otherwise, that software becomes increasingly at risk for security exploits that no longer have protections available. Sometimes it’s a product version that becomes unsupported and there are new versions available. In other cases, the product reaches an end-of-life (EOL) stage, without any new versions. Responsible vendors publicly communicate this information, as we do on Adobe’s Product and technical support period site. For example, Acrobat Pro 2015 reached end of support last year (2020), and Acrobat Pro 2017 reaches end of support next year (2022), while the current and support version is Acrobat Pro 2020. When a product reaches EOL — proactive vendor communication is critical. For example, in 2017 Adobe announced the end of Flash Player with continued support until the end of 2020. This provided content distributors and administrators with two and a half years advance notice to plan their migrations and take appropriate action.

If you have additional thoughts on these topics, let’s have a conversation in our online community where subject matter experts from government and industry can virtually meet and collaborate.