Amit Yoran, president of security firm RSA, writes:
Today is a new beginning for RSA as we are now a part of the collective team of Dell Technologies, the world’s largest privately controlled tech company.
No doubt, many of you are asking what the impact of this merger will be to RSA. I am happy to tell you that RSA’s mission remains unchanged. And our commitment and passion to help our customers transform their security programs remain unchanged. RSA will continue to focus on delivering solutions that help enable our customers worldwide to create business-driven security strategies that connect business context with threat activities to more quickly and efficiently defend against cyber risk. There will be no changes to our product strategies, sales models, customer support interactions, processes, or resources that we are not driving.
The acquisition comes as part of
RSA has published customer and partner FAQs.
Yeah, yeah… RSA is a security company. That’s why it offers its customers FAQs in the form of PDF files.
Truly terrifying.
This has 1st April all over it.
To be fair, PDFs are generally secure; particularly when run in 'Protected Mode'.
They're an industry standard so I can't say I'm surprised that they're distributing a universal format like PDF.
PDF security is generally very good and the attack surface is far less than a macro-riddled word file.
I just don't see a need for it, and it – once again – sends a message to users that they should click on PDF links willy-nilly. Whereas we know that many times this is the type of file that bad guys will exploit to infect unsuspecting users' computers.
What's so wrong with making the FAQ a regular HTML webpage?
I'm not seriously suggesting that RSA's PDFs are risky, of course. But I don't enjoy the laid-back attitude to their use when they plainly aren't required.
It may send the "message to users that they should click on PDF links willy-nilly" but most companies expect their staff to open/use PDFs.
The number of invoices, technical drawings, brochures, interactive forms etc. that are used in the modern business world means that not using PDFs is impractical. Modern email systems along with modern operating systems, anti-virus, sandboxing and threat management systems mitigate the threat of rogue PDFs.
Even Sophos use "Secure PDF Exchange" as their encrypted email solution that they sell to businesses.
I accept that, once in a blue moon, a malicious PDF might slip through the net but no suitable cross-platform alternative exists to a PDF. (I'm not talking about this specific example here).
I expect that RSA used PDF because they first emailed those PDFs to companies and couldn't be bothered to convert them to an HTML webpage. If this is the case it doesn't excuse their laziness but I can understand it.
While it does seem a bit odd to distribute a FAQ via PDF, isn’t there just a bit of irony in zinging RSA for encouraging folks to click on a PDF download link, and then encouraging folks to click on the same download link by providing it in the article?
I think it’s really a question of trusting the source, Graham. You clearly expect folks to trust you enough to click on a download link that you provide (…and I do; I clicked after first examining the link). I suspect that RSA is following the same approach. Presumably, those who click are already security-minded in the first place, and will have taken additional steps to protect themselves in the event they happen to click on a mischievous link.
I occasionally distribute how-to or checklist documents as PDFs — something the customer is likely to want to keep or even print out for ongoing reference. Often those PDFs include links to other documents or resources that help fulfill the purpose of the original document. There’s a baseline of trust with customers who receive those PDFs that the links are genuine, and not harmful.
Also, PDF is a handy format for encrypted forms and questionnaires that can be filled out and securely returned as encrypted email attachments by folks who don’t use PKCS email encryption…which unfortunately is the vast majority of people.
Anyhow, I get your point. It wouldn’t occur to me to distribute a FAQ via PDF. It makes little sense just from a content management perspective. What if customers or partners ask questions that haven’t been included in the original PDF? You can update the PDF, but then you’ve got a versioning problem. It seems easier to just update a web page. Besides, the web page can include a form for submitting other Questions that become Frequently Asked.
What the heck does "… that we are not driving." mean?