
May 20, 2009

Adobe Responds To Criticisms About Its SDLC

Adobe had a turbulent start to this year, and in response to cries from its disgruntled users, Adobe security has announced several strategic moves. This blog post from Adobe describes the three much-needed things Adobe will be doing to improve security for its popular Reader and Acrobat products.

First, Adobe's existing secure product development standards will now also be applied to its existing/legacy code base. Second, Adobe promises quicker and more in-depth security incident response mechanisms. Finally, Adobe will be moving to a regular patch release cycle.

The three initiatives essentially mirror what we have come to know and appreciate about Microsoft's security processes. About a decade ago, hit by bad press and a poor industry reputation, Microsoft embarked on a similar but grander vision. The result of that effort is that today Microsoft is the leader when it comes to managing the enterprise security development lifecycle.

These initiatives are a great start toward rehabilitating Adobe's image, and they go a long way, but they are still missing a few important components.

First, Adobe needs to learn how to rein in the bug finders. Both critical security incidents involving Adobe so far in 2009 have been situations where proof-of-concept code was made public before Adobe could repair the bug. Letting exploits out into the wild set Adobe back on its heels and left IT security groups in a reactive mode, trying to cover their assets without much help from Adobe.

Second, enterprise IT shops could benefit greatly from centralized tools that allow for product policy changes. If Adobe published means and methods to disable product functionality using Active Directory group policies, IT would be in a much better position to respond and implement policy changes.

Finally, JavaScript bugs riddled Adobe products in 2008 and 2009. It would behoove Adobe to consider disabling JavaScript by default.

The long string of critical bugs in Adobe products has disappointed me, among many others. The bugs, coupled with poor company communications and difficult-to-deploy mitigation steps, have made the last six months ever more trying for our security team. Going forward there will be two key metrics of Adobe's successful implementation of its new security program. The first will be the obvious one: fewer security holes. The second indicator will be when Adobe has successfully convinced the bug finders to disclose holes to them instead of publishing them online.

The bottom line is that the changes announced today by Adobe are welcome and we all hope that Adobe sees immediate improvement across their install base.

FBI Citizens' Academy, Week 5

Week 5 of the FBI Citizens' Academy was mostly dedicated to counterterrorism.

First we received an overview of the counterterrorism program from the local assistant special agent in charge for the counterterrorism group. The number one priority of the FBI is to protect the United States from a terrorist attack. This includes protecting US interests and citizens both locally and abroad. We learned about the Joint Terrorism Task Force (JTTF), which is made up of federal, state and local law enforcement personnel. The JTTF acts as an integrated investigative force to combat both domestic and international terrorism. Here in the Bay Area we also have a Northern California regional intelligence center, also referred to as a fusion center. After the overview, speakers led the class through two separate case studies. The first, a domestic terrorism case, involved individuals harming local university professors who worked in areas where animal testing is involved. The second case study demonstrated a case of international terrorism: a local Bay Area resident was found to be supporting terrorists on foreign soil by monetary means.


The evening ended with a quick discussion of InfraGard. InfraGard is a partnership between the FBI and the private sector for information sharing and analysis. The partnership works towards preventing hostile acts against the United States.

May 14, 2009

Why Common Risk Scores Matter

The date is May 12th 2009 and you are a mild-mannered IT manager anticipating a single bulletin from Microsoft and a possible update from Adobe. The team has its assignments; their computers are locked and loaded. The team is ready to execute on the planned patch release mechanisms.

At 10AM Pacific Microsoft releases its patch on time. The single bulletin is the anticipated fix for the PowerPoint vulnerability. Some members of the team are a bit agitated by the high CVE count and the lack of updates for the Mac OS X Office platform. You are able to quickly refocus the team and move forward. Hours later, rumors hit that not only has Adobe published its fix, but Apple has also released a new revision of its operating system.

In fact, both of these things happen, and OS X 10.5.7 includes fixes for 67 vulnerabilities. Together the Apple, Adobe and Microsoft patches account for 83 CVE fixes. Now the team is seriously disheartened. Your job is to draw the group together, review the unexpected workload and set priorities. Did I mention that, because of the economy, your team is now smaller but doing just as much, if not more, work?

Microsoft produces its own risk categorization. Adobe employs yet another risk methodology, and Apple also defines bugs in its own way. The lack of any common metric across the three vendors, combined with the additional calculus needed to fold the data into your internal risk equations, adds up to an unpredictable resource drain.

On any normal Microsoft Patch Tuesday, most enterprise IT teams have their risk calculators in hand and resources at the ready. Some teams split up the duties between client and server vulnerabilities. Others take the highest risk first no matter where the bug lies. Either way, the security team adapts in order to deal with Microsoft's own criticality ratings and its Exploitability Index.

The same thing ensues on an Oracle Critical Patch Update (CPU) day. And even when smaller vendors like Adobe release bug fixes, most enterprises know how to massage the vendor-specific risk data into their own risk profile equations. This data manipulation is a completely avoidable step.

CVSS (Common Vulnerability Scoring System) version 2 was finalized two years ago, and CVSS v1 was in play for a number of years before that. Everyone recognizes that the standard has shortcomings, not least that a base score describes the characteristics of the vulnerability itself and says nothing about how exposed a particular asset is, but it is nonetheless a common means of reliably communicating vulnerability severity. It lets vendors distribute consistent, quantifiable information to enterprises, which then feed that data into their own decision-making engines.

So with this industry-wide tool readily available, why is it that enterprise IT must still differentiate and discriminate between the various meanings of the word 'critical' as used by multiple vendors?

On a day like May 12th 2009, enterprise IT had a whole range of decisions to make. Which bugs are most important for my enterprise? Where do the greatest risks lie, and which patches should be tested and delivered first? Do you tackle the low-hanging fruit or the higher-risk and possibly more cumbersome patches first?

These decisions are made countless times every year as vendors release patches. Unfortunately for those in the trenches, too many valuable resources are consumed just trying to normalize the vendor datasets. If all vendors across the board delivered data with standard metrics, enterprise IT would at least be in a better position to handle the inevitable changes smoothly and with minimal disruption.

May 12, 2009

May Patch Tuesday - Fear Not the 14 CVEs

Why couldn't Microsoft have kept things easy this month? Last week Microsoft's advance notification spelled out a single bulletin for PowerPoint. Given the single outstanding publicly known vulnerability in Microsoft's products, May Patch Tuesday certainly looked like it would be an easy one. Alas, we did receive a single bulletin today, but with it came 14 CVEs and a note of more to come.

Don't get caught up in the details

The first thing to take away is that newer Microsoft Office products continue to show signs of being more secure. Office 2007, with its new Office file format, continues to present lower risk levels. Even in the face of zero-day bugs like those in Excel in February and now PowerPoint, Office 2007 was noticeably less affected. Now that the PowerPoint 4 format is being totally retired, managers have more ammunition than ever to go and obtain budget for upgrades.

The second important piece not to overlook is that more patches for today's bugs are due out soon. Microsoft recognizes that these bugs also affect the Mac Office products, but doesn't have patches available yet. Releasing patches for only part of the product line and leaving Mac users out in the cold is unlike Microsoft. However, given that current exploit samples were less functional on the Mac, and given the market-share dichotomy between Office for Mac and Office for Windows, the split release cycle is understandable.

The third piece of today's puzzle is that, after you look over the mass of CVEs patched, don't forget that one of them is the known zero-day bug described in KB969136. This means that Microsoft not only patched the known zero-day bug as promised, but also went much further in delivering a more secure Office product lineup.


April 29, 2009

FBI Citizens' Academy, Week 4

Week 4 of the FBI Citizens' Academy: Violent Crimes, White Collar Crimes and Civil Rights Crimes.


The mission of the FBI violent crimes program is to:
* Effectively address those violent crimes that pose significant risk to citizens of the US.
* Reduce incidents of crimes against children.
* Address other major violent crimes, including Indian Country, transportation and other special-jurisdiction crimes.

Common crimes include bank robbery, kidnapping and extortion. The presenter referred to the Uniform Crime Report (UCR) for anyone wanting the most up-to-date crime statistics. He did, however, highlight some interesting statistics. According to the 2006 UCR, there are only 2.4 sworn law officers per every 1,000 inhabitants in the US. Further, according to a number of news outlets, nearly 1 in every 100 adults is behind bars.

The presenter then turned our attention to criminal gang activity nationally and locally. According to Morgan Quitno Press, in 2007 the most dangerous cities included Oakland at number 4 and Richmond in 9th place. Gangs, as the presenter taught us, fulfill social needs for their members. Whether by mimicking an extended family or creating social or ethnic bonds, gangs provide members with an identity that is represented by their clothing, hand signs, graffiti and tattoos.

White-collar crime efforts fall into two areas of the national FBI priority list: #4, combat public corruption at all levels, and #7, combat major white-collar crime. Crimes that typically fall under the white-collar division include public corruption, corporate or securities fraud and health care fraud. Of these, the fastest-growing are financial frauds, including mortgage fraud and Ponzi schemes. The FBI investigates public corruption cases and provides checks and balances in the criminal justice system because agents typically have fewer local and political ties.

The final topic for the evening was civil rights. The FBI is the primary federal agency responsible for investigating all allegations of civil rights violations. Selected crimes involving civil rights allegations include hate crimes, color-of-law violations, human trafficking and violations of the Freedom of Access to Clinic Entrances Act.


April 28, 2009

RSA 2009 Recap

Hard to believe, but RSA 2009 was just last week. I found it to be a very successful show, and now it's my turn to recap.

Themes
Every year the marketing team tasks me with finding themes at the show. In no particular order, the top themes between the talks and the booths were: virtualization, cyberwar/cybersecurity, and compliance/policy/regulation.

Attendance
During the first part of the week, I had noted that attendance appeared to be dramatically lower than usual. To my surprise, as the week progressed, attendance appeared to be on par with prior years. In fact, a member of the RSA conference PR team emailed me to say that the unofficial count for 2009 is less than 15% off prior years. Considering current news of financial cutbacks, a drop of less than 15% would appear to be pretty good.

Best Event
Without a doubt, the security bloggers meet up on Wednesday evening was the week's highlight. This was a great chance to chat candidly with bloggers, press and friends.

One Thing I Learned
The Virtualization Security Panel opened up a slew of new thoughts for me. Hopefully I'll have some time both to implement my ideas at work and to share them in a blog post.

Special Thanks
Special thanks to a number of journalists who let me share some time with them: George Hulme, Dennis Fisher and Ryan Naraine.

All my blog posts from RSA 2009.

April 23, 2009

RSA Virtualization Security Panel Review

Putting Simon Crosby and Chris Hoff on the same panel to discuss virtualization security is a recipe for a lively discussion, and by the end of the panel the audience was not disappointed. In addition to Crosby and Hoff, the panel included Michael Berman of Catbird and Stephen Herrod of VMware.

The discussion started with some hijinks from Crosby and Hoff. Crosby handed out gifts to the panelists that included a broken toy sword and a ball and chain. Hoff gave out cigars, one notably much smaller for his nemesis, Mr. Crosby. Despite Chris Hoff's sometimes-flamboyant style, he came out mild-mannered and on an even keel, and his moderate, centrist and thoughtful approach lasted throughout the discussion. Conversely, Simon Crosby of Citrix, a huge proponent of Xen, spent most of his time trying to back VMware into a corner. Crosby touted Xen as the most secure hypervisor because of its open nature and the continuous real-life testing it receives as the foundation of Amazon's EC2 offering.

Despite the moderator's attempts to steer the panel toward the real-world security implications of virtualization, the topics kept going back to the implementation and security of VMware products like vShield. In the final moments of the session, the panelists did finally provide a few recommendations worth implementing today. One of these nuggets was the insight that most of the security basics apply to all systems, virtualized or not: using configuration guidelines, creating operational plans that include security and risk considerations, and building architectures that consider the security implications of the entire virtualization life cycle.

Overall, the virtualization security panel was entertaining and insightful.


The Obama Administration’s Cyberspace Policy Review Turns Up a Dud

Maybe it's in my nature always to expect something more. Melissa Hathaway's speech lasted maybe 20 minutes and could have been written during the prior administration last year. Any insight into what goals we can expect from the 60-day review was completely glossed over.

The keynote began with a hokey spoof of the classic TV show Mission: Impossible. A narrator with a deep voice gives Ms. Hathaway her mission to secure the nation's cybersecurity infrastructure. The message concludes with a warning that her BlackBerrys will self-destruct in 60 days, a weak nod to the technical audience.

Ms. Hathaway's speech followed the typical script. She covered historical, current and real threats along with their outcomes. Whether it was the recollection of the movie WarGames or an attack on ATMs that was years old, the content was supposed to make the audience feel fear. These obvious tactics were old news for the technical and extremely knowledgeable audience.

When she finished dispensing fear, we learned about the enormous effort of the 60-day review she is carrying out. Ms. Hathaway likened the ambitious goal to a marathon, not a sprint, and told us about the numerous organizations consulted. The 60-day review team is reaching out to private companies, federal, state and local governments, and other countries. No surprise here.

In what Ms. Hathaway termed a "trailer", we got a brief glimpse of her 60-day review findings. To no one's surprise, the review calls for greater public discourse, public/private partnerships and a significant call to action for the audience sitting directly in front of her.

What we didn't get was any new information or new ideas, and no specific course of action beyond what we all already understand to be necessary. It must be my fault for expecting something more. I'll work on pulling back my expectations in the future.

April 22, 2009

RSA Panel Review - Macs in the Enterprise

Managing IT for a software company has its challenges. For me, the lines between efficiency, security and innovation are difficult to draw at a company like nCircle where engineers require some freedom to perform their best. The panelists at the RSA session "Responding to the ignored threat - Macs in the Enterprise" seemed to face the same kind of problems I do.

Based on the war wounds of the speakers, enterprises continue to find challenges when they try to bring Apple products into their security fold. Each of the enterprises has the usual defined security policies, and on a daily basis they weigh the risks associated with "grey" areas against the productivity of their users. Today's hot topic was the largely ignored impact of Apple products on security practitioners working hard to reduce enterprise risk.

At universities the Mac population has been on a significant increase, and nearly 50% of all users, students and faculty, use Macs. In addition to the Mac, nearly all users either have or want an iPhone. Both of these devices make enterprise security problems more daunting. Try telling your new employee he can't have his favorite productivity tools because of security issues.

The panelists each discussed their current environments along with the trends and challenges they face with the Mac, and with all endpoints. A common opinion among the speakers was that the ease of use built into all modern computers, and especially Macs, has made users less knowledgeable, and this is a bad thing for security. A naïve user is more likely to fall victim to attacks like phishing. A naïve user with a burning desire for Apple products, which lack centralized management tools, spells trouble.

Panelists offered a number of suggestions for tackling these issues. At Baylor, they are actively working to deploy Open Directory so that IT security can set basic endpoint security policies like screen saver passwords and control over patching cycles. At the University of Georgia system, the security team has put a significant emphasis on training. This team holds monthly brown-bag sessions and sends out newsletters, and these and other communication tools help them increase awareness and reduce overall risk.

Sadly, it was evident from the discussion that Apple's continued reluctance to provide enterprise security tools is still causing heartburn for security professionals. Apple has yet to deliver anything on par with the policy systems Microsoft has built into Active Directory.

April 21, 2009

RSA Opens - Show Me The People

In what is traditionally a shoulder-to-shoulder mad dash for giveaways, the opening night of RSA was more reminiscent of the last day, when most of the people are already homebound. Forget trying to determine who isn't here this year; consider instead which companies won't be here in 6 months, as witnessed by their dotcom-bomb spending patterns.

Because I always buy a full conference delegate registration for RSA, I am left out in the Moscone lobby area waiting for the expo floor to open. In years past, the crowd waiting in line for their free food and drinks on the Monday night opening has looked more like a giant herd of cattle. This year, you could have pitched a tent, barbecued, and set up a tennis court. The cavernous rooms didn't stop there. Once the floor opened, lines at the bar were nil and corridors were congestion-free.

History repeats itself time and time again. Here is a hint: want to know who will be bought in 2009? Just look around the show floor and take inventory of which vendors are spending like they didn't learn anything from the dotcom-bomb days. Which vendors bought bigger booths? Which are giving out free stuff without asking for anything in return? Don't feel pity for the small vendor booths on the perimeter; go congratulate them for spending within their means.

See you at the show!

Bio

Blog: Sync
Author: Andrew Storms

As nCircle's Director of Security Operations, Andrew Storms is responsible for the definition and enforcement of the company's security compliance programs as well as overseeing day-to-day operations for the Information Technology department.
Andrew's commentary on IT security issues has appeared in CNBC, Forbes and The New York Times, as well as many other publications. He is a Certified Information Systems Security Professional (CISSP) and a member of FBI InfraGard.