Supply Chain Shimmy

It’s been a while since my last discussion on security. Things have been busy back in the office, so I have had little time to sit down and write.


However, I see things and I think it’s important to pass the message on regarding what I see as being the biggest problem of 2018/2019.

There was a time, way back in mid-2017, when we were talking about end user security training, when we spent most of the time talking about how to differentiate between legitimate emails and spam.

The usual stuff: check the actual email address. Sometimes it will say Gavin Woods but the email is vic890123@gmail.com. Hardly rocket science.

The next one was checking the URL of any link you would click. Nowadays these links are often worked over by Mimecast or some other deep inspection tool first, so it’s harder to go wrong, but it’s still important to check where you actually are in relation to where you wanted to be. You may want to go to www.bankofireland.ie but the link might look more like www.bankofireland.ie.hackme.com, where the real destination is hackme.com. Again, hardly rocket science.
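As an added example (not part of the original post), here is how the two awareness checks above, the sender address and the link destination, look when done mechanically with Python’s standard library: the display name is ignored and only the mailbox domain is compared, and for a link only the parsed hostname counts, so www.bankofireland.ie.hackme.com is rejected. The expected domains passed in are assumptions for illustration. Note that both checks pass for the “Shimmy” described later, where the mail really does come from Bob’s mailbox.

```python
from urllib.parse import urlparse
from email.utils import parseaddr


def host_belongs_to(host: str, expected_domain: str) -> bool:
    """True only if host is expected_domain itself or a subdomain of it.
    The suffix test is anchored on the dot, so 'bankofireland.ie.hackme.com'
    (whose registrable domain is hackme.com) does not match 'bankofireland.ie'."""
    host = host.lower().rstrip(".")
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def link_lands_on(url: str, expected_domain: str) -> bool:
    """Check where a link really goes: parse it and inspect only the hostname.
    Anything in the path, query or userinfo part is ignored, which is exactly
    the text a lookalike link relies on the reader noticing."""
    if "://" not in url:            # scheme-less links as typed by a user
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return host_belongs_to(host, expected_domain)


def sender_matches(header_from: str, expected_domain: str) -> bool:
    """Check the actual address in a From: header, ignoring the display name
    ('Gavin Woods' <vic890123@gmail.com> is judged on gmail.com, not the name)."""
    _display_name, addr = parseaddr(header_from)
    if "@" not in addr:
        return False
    return host_belongs_to(addr.rsplit("@", 1)[1], expected_domain)


if __name__ == "__main__":
    # Constructed sample values taken from the examples in the post.
    print(link_lands_on("www.bankofireland.ie", "bankofireland.ie"))            # True
    print(link_lands_on("www.bankofireland.ie.hackme.com", "bankofireland.ie"))  # False
    # "example.com" is an assumed domain for the sender Gavin Woods is supposed to use.
    print(sender_matches('"Gavin Woods" <vic890123@gmail.com>', "example.com"))  # False
```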

In the last year, though, we have seen something of a sea change. I’m always surprised, even after 20 years in IT, how some things are possible at almost any point in the history of technology, yet they still seem to find their feet at one particular moment and take off. This is one of those things.

First, we are going to look at a scenario, and then we’ll take a few minutes to look at the best way to avoid being a victim.

Imagine the scenario.

You have a supplier, “Bob’s Supplies”. Bob doesn’t think much about security. One day he gets an email, opens it and sees a document that he needs to download. He gets prompted for a login and, before thinking, he types in his usual password. Unbeknownst to him, he has just given a hacker access to his mailbox.

The original email received by Bob is a proper spam email that our usual user awareness catches. You need to be having a really bad hair day to fall for that one. Now it’s time for the hacker to get to work, though. He has access to Bob’s mailbox and all the time in the world. So, he has a quick look around and notices some emails to you. These were usually emails that Bob sent you regarding invoices and statements. He resurrects one out of the old sent items and sends it to everyone in your accounts team with a few minor changes. Instead of having the statement as an attachment there is a little link that says, “Download your statement here.”

These emails, which I’m calling “The Supply Chain Shimmy”, are much, much harder to identify correctly. Let’s have a look again at our end user awareness training.

1) Check the email. Pass! This is actually from Bob.

2) Check the link. Give it a really good check and it might still fail, but it’s worth a discussion as it’s not that simple.

Links are hard for normal folk, so they tend to go with their gut. They put their faith in the feel of an email. This email will for sure feel like it came from Bob, because it probably did a while ago, and then had a few minor tweaks and was resent. The question is now a little different for the user. It changes to “Do I trust Bob? I do; therefore I’ll have a reasonable attempt at opening the email and any attachments.”

If you think you have done the training and you’ll get through this, I have a simple message. You won’t. Even if you do, your staff won’t. Someone is going to click through on that email, and when they do Joe Hacker now has access to your or your staff’s emails.

Once this happens the whole cycle starts over, but now it will probably be aimed at your customers. The potential cost of reputational damage can be very high, especially if, for example, that email went to all your customer account contacts and told them your bank details have changed.

“OK” I hear you say. “I get it! So, what do I do?”

The best answer is: get two-factor authentication (2FA) for your work account, the same as the bank uses for logging into the bank. You absolutely need this. Spam has a success rate in the few-in-a-million range. These emails, so far as I can make out, have a success rate in the 1 in 10 range. You need to assume that if the right email comes along it will get through. 2FA is your only protection. If you don’t understand 2FA, call us and have it explained, and let us help you get it implemented. It’s largely free and it’s the single best security improvement you can make this year.

One last paragraph. Normally we don’t like to talk about breaches, but in order for you to understand that this is important you need to know that we are seeing these on a monthly basis. Some are devastatingly effective and super well presented. This is not a matter of bad IT config or bad advice. Nitec has been using 2FA for years and has been asking anyone who’ll listen to protect themselves with 2FA. If you don’t do it now, trust me, you will once you have been breached. The whole ‘shutting the door after the horse has bolted’ sort of defeats the purpose, though, so it’s much better to do it now.
