CIS (Center for Internet Security) has published an interesting guide on software supply chain security.
Even if you do not build software on your own, it still is useful to to pick the relevant security measures/controls as part of your information security management to protect yourself and your enterprise.
As we all learned from the log4j issue which impacted many generally used platforms, it has become very clear that you need to look beyond the first level of control (your own)…
It’s critical to manage 2nd (your suppliers) and even third level (suppliers of suppliers)
Highlights
In high level overview, the document discusses:
Source code
Code changes
Repository management
Contribution access
Third party
Code risks
Build pipelines
Build environment
Build worker
Pipeline instructions
Dependencies
Third party packages
Validate packages
Artifacts
Verification
Access to artifacts
Package registries
Origin traceability
Deployment
Deployment configuration
Deployment environment
Supply chain guide access (need to register on CIS)
I see more and more phishing exercise fatigue kicking in at my customers…
But it’s more than ever required to be vigilant for new techniques that try to circumvent the typical URL blocking and the other protection layers you put in place.
You’re the best firewall.
What is going on?
You know, these companies that first announce a #phishing test…
which go unnoticed because they are caught by the 𝐬𝐩𝐚𝐦 𝐟𝐢𝐥𝐭𝐞𝐫…
And a few weeks later you get the 𝐫𝐞𝐚𝐥 𝐬𝐭𝐮𝐟𝐟 𝐢𝐧 𝐲𝐨𝐮𝐫 𝐢𝐧𝐛𝐨𝐱 from the same company.
With ridiculous worse quality than the actual test… but still its in the inbox ready to click (DON’T!).
You assume phase 2 of the phishing test…another round, right? (you think: “yeah, right, not me.”).
Because the new mail comes with ridiculous bad quality (⚠️1) than the actual test…
Nowadays you expect smart mails from these criminals…
But still it doesn’t feel OK …you start to realize that this might the real stuff…
Checking for some more phishing indicators (⚠️)
A mail with you in bcc…. (⚠️2)
Addressed to a very strange (New-Zealand) mail address (⚠️3)
with a PDF alike icon image embedded (⚠️4)
via a google drive link (⚠️5)….
SPOILER: I crippled the link mentioned in previous screenshot to avoid any accidents…
SPOILER 2: DO NOT, EVER CLICK these links…
Still, If you can’t control your curiosity, you might peek into the link via alternative methods (see later).
The display of unrelated content, with payment instructions (⚠️6), isn’t really what you would expect.
Because if you even dare to click the links you get another link (⚠️7)… and this time the browser malware detection (Smartscreen filtering) kicks in .. at last… so I’ll stop the curiosity here…
Why is this an issue?
The main issue here is: the phishing links are pointing to well-known (like Google drive, Microsoft OneDrive, Dropbox…) for hosting malware, which usually escape or bypass the malware URL detection…
Security tips
Rule nr 1: Don’t click links in unexpected mails
Curiosity kills the cat: Please withstand the urge to click the links to satisfy your curiosity….
If you don’t expect the mail, be very cautions, don’t click the links.
Control your curiosity: test the links in isolated mode
If you can’t control your curiosity, don’t ever click the links on your main computer.
But copy the link and open it
in a Windows sandbox
virtual machines or test machine… not your production machine
mobile device
Use Windows Sandbox
Since Windows 10 (Pro) you can use Windows Sandbox (free), that is a virtual, isolated environment. So you can test some interesting things without damaging your production host machine.
By stopping the Sandbox, the machine forgets all settings and returns to default state, pristine.
Use Microsoft Hyper-V (free) or Oracle Virtual box (free) and install a client OS in the virtual machine. Snapshot the machine before the test, perform the test, return to snapshot to avoid any left overs of malware.
Run the link on a mobile phone
Less secure, but better than running malware on your most important machine, is running the link on a browser on your mobile device. There is lower risk of infection and less impact than loosing your primary working machine, although… be aware, there is still a small risk of infection even for smartphones…
Additional security measures
To permit some stupidity and protect against accidents, please make sure
to implement all the latest OS security updates, patch on a continuous basis
have an anti-malware and anti-virus that is updated continuously
keep the default OS security features enabled including local system firewall and malware detection
consider a paid antivirus subscription, it’s worth the money and keep it up to date every hour
get a mail protection against malware, tracking, phishing and ransomware (like Windows defender for 365) have regular backups (1 online and 1 offline) and test the restores
use cookie/tracking/advertisement blockers
use a DNS blackhole system to protect your network from accessing suspicious URLs (including tracking and phishing websites, advertisements, C&C Command and control malware domains, …)
Identity Underground 
You must be logged in to post a comment.