{"id":12138,"date":"2018-09-28T15:35:39","date_gmt":"2018-09-28T19:35:39","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=12138"},"modified":"2019-11-15T15:22:49","modified_gmt":"2019-11-15T11:22:49","slug":"advertising-agency-mistakes","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/advertising-agency-mistakes\/12138\/","title":{"rendered":"Common SMB mistakes: The supply-chain attack"},"content":{"rendered":"<p>Bill doesn\u2019t like morning calls. It\u2019s not that he\u2019s lazy; he just thinks that work should begin once one\u2019s emotional balance has been restored after the mayhem of the morning commute \u2014 and certainly not before the second cup of coffee. But the phone\u2019s been ringing non-stop.<\/p>\n<p>\u201cGive me a break! Don\u2019t people know it\u2019s rude to hang up after three rings! No respect! What if I\u2019m busy with something important?\u201d grumbles Bill, trying to dig out his phone from under a pile on his desk as it rings again.<\/p>\n<p>\u201cBill, my flash drive isn\u2019t loading,\u201d the layout designer whines over the phone.<\/p>\n<p>\u201cThat\u2019s because I disabled all the ports on your machine ages ago! You know all files have to be loaded through a secure computer \u2014 talk to Albert. If I had my way, I\u2019d cut you off from the Internet!\u201d he responds, adding silently to himself, \u201cand I\u2019d rip your arms off as well.\u201d<\/p>\n<p>\u201cI know, I know! But it\u2019s not just me \u2014 it won\u2019t load on anyone\u2019s computer! Please help, it\u2019s a really important task. We have to change the layout quick or they\u2019ll kill me. Albert won\u2019t be back till after lunch.\u201d<\/p>\n<p>\u201cDwight, we agreed that all tasks go through Albert, all documents go through his computer. It\u2019s the only one in the department with antivirus. Anyway, who suddenly gave you files on a flash drive?\u201d<\/p>\n<p>\u201cChristine did. 
She asked me to make some urgent corrections to the layout of the leaflet. It needs to be printed ASAP. She\u2019ll kill me if it\u2019s not done pronto, she doesn\u2019t care if Al\u2019s not around. You know what she\u2019s like.\u201d<\/p>\n<p>\u201cYour flash drives will be the death of me. Fine, I\u2019ll be right there.\u201d<\/p>\n<p>Bill hangs up and looks thoughtfully at the ceiling. Yeah, their boss is a dragon, all right \u2014 and she couldn\u2019t care less about conventions like the procedure for transferring files from external sources. The sysadmin stands up, stretches, puts his laptop under his arm, and heads toward the design area.<\/p>\n<p>The owners of the Magenta Elk advertising agency consider themselves pretty sharp. From its beginnings as a family design studio, ME has grown into a company with almost 100 employees. Now it has a whole department of designers, a creative director able to hit the spot with even the most delusional client, a Web development department, and even its own small printing house (also a former small business, acquired three years ago). Among its clients are several major international companies that trust the agency to handle their advertising campaigns.<\/p>\n<p>But the owners never found the resources for a halfway-decent IT department. Bill manages all equipment; he repaired computers as an on-call handyman before being hired a few years ago. He never managed to persuade the owners to take on at least one more member of staff to help out.<\/p>\n<p>\u201cGive me your flash drive!\u201d growls Bill, opening his laptop as he approaches. \u201cWhat can\u2019t you read here? Everything\u2019s working on my machine. Drivers are installing\u2026scan, you bet\u2026open\u2026here\u2019s the project folder.\u201d<\/p>\n<p>At this point, the antivirus displays a red window: \u201cMalicious object Trojan.downloader.thirdeye.n was detected.\u201d Bill gapes at the screen.<\/p>\n<p>\u201cDwight, what the hell is this?! 
Did you try to open this anywhere else?\u201d Bill jabs a finger at the file Layout_corrections.docx.exe.<\/p>\n<p>\u201cWell, how else would I know what changes to make? I tried, but it wouldn\u2019t open at all. I clicked and nothing happened.\u201d<\/p>\n<p>\u201cCan\u2019t you see it\u2019s not even a document?! The extension is EXE!\u201d<\/p>\n<p>\u201cI can\u2019t see any extensions! I can see the icon and the name. Why are you shouting at me? All I did was try to open Christine\u2019s file!\u201d<\/p>\n<p>\u201cMakes sense, I guess. The extensions of known files aren\u2019t shown,\u201d muses Bill. \u201cAll right, let\u2019s stay calm: Which machines did you try to read it on?\u201d<\/p>\n<p>\u201cWell, on Anna Miller\u2019s, in accounting. On the photographer\u2019s laptop. And there was Lena from logistics. And Tom from Web dev. And Kate\u2026what\u2019s wrong, is it a virus? It\u2019s not my fault! Maybe the photographer had an infection!\u201d<\/p>\n<p>\u201cThis isn\u2019t just any virus \u2014 it\u2019s a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/targeted-attack\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener noreferrer\">Trojan tailor-made for you<\/a>! It doesn\u2019t just infect random machines; someone put it on this flash drive specifically!\u201d Bill logs in to the Web interface of the router to isolate the computers mentioned. \u201cBy the way, where did you get Christine\u2019s password? She left yesterday for a business trip.\u201d<\/p>\n<p>\u201cIt\u2019s on a piece of paper under her keyboard \u2014 everyone knows that\u2026\u201d mumbles the layout designer, still on the defensive. 
\u201cI didn\u2019t take it home or anything, I only found it yesterday!\u201d<\/p>\n<p>\u201cWhat do you mean, \u2018found\u2019?\u201d says a startled Bill.<\/p>\n<p>\u201cWell, I mean she left it for me at reception with a note saying to fix the layout ASAP.\u201d<\/p>\n<p>\u201cAre you out of your mind? Christine was here almost all day yesterday. Why the hell would she need to leave a flash drive with instructions on a sticky note? Does she leave you notes a lot? You know she prefers to talk face-to-face. And she\u2019d just upload the files to the server! Oh crap, the server!\u201d Bill starts tapping the keyboard again. \u201cAnyone can leave anything at reception. What time did it happen, exactly?\u201d<\/p>\n<p>\u201cWell, I don\u2019t know. It was evening and I was about to leave, then Yvonne said that someone had left me an envelope with a flash drive. She was on her way out for a bite, but she didn\u2019t see who it was. I came back, tried it on Anna\u2019s laptop and on Christine\u2019s, then \u2014 well, you know the rest.\u201d<\/p>\n<p>\u201cDwight, you understand that someone \u2014 \u201d the tirade is interrupted by a mobile call. It\u2019s the CEO. \u201cI\u2019ve got a bad feeling about this\u2026.\u201d<\/p>\n<p>\u201cWhat\u2019s up? Why aren\u2019t you at your desk?\u201d inquires the short-tempered CEO.<\/p>\n<p>\u201cSorry, the designers have a problem. Someone left a USB flash drive \u2014 \u201d<\/p>\n<p>\u201cForget the designers,\u201d interrupts the CEO. \u201cI just got a call from \u00d6sterberg &amp; Jones. Their website has been seeding viruses since last night. We\u2019re the only other people who had access to the site \u2014 for updating banners. I need proof it wasn\u2019t us. Assuming it wasn\u2019t us.\u201d<\/p>\n<p>\u201cUmm. Who was it who had access?\u201d asks Bill, growing cold.<\/p>\n<p>\u201cDon\u2019t know, exactly. A couple of Web dev guys; they did the site. Maybe Dwight. 
Christine for sure \u2014 it\u2019s her client, and you know she loves having control over everything.\u201d<\/p>\n<p>\u201cMmmm\u2026here\u2019s the thing\u2026\u201d Viktor\u2019s voice suddenly drops. \u201cActually, I think it was us.\u201d<\/p>\n<p>\u201cWell, we\u2019re screwed. They\u2019re threatening lawsuits. If it\u2019s us, then we have a lot of explaining to do. I need a detailed analysis by end of day. If you need outside experts for the investigation, let me know right now. I need a full, honest report in hand when I go crawling to \u00d6sterberg &amp; Jones. Now give me a quick rundown. What the hell happened?\u201d<\/p>\n<p>\u201cLooks like someone deliberately hit us with an infected flash drive. \u00d6sterberg &amp; Jones was probably the real target. You know how security is. I do what I can, but we\u2019re a little short on equipment, people, materials\u2026. Even the antivirus isn\u2019t \u2014 \u201d<\/p>\n<p>\u201cOK, OK, I get it. That\u2019s your polite way of saying I\u2019m an idiot. You\u2019ll get your staff, and antivirus for everyone. <em>If<\/em> we survive this. Which I very much doubt.\u201d<\/p>\n<h2>Lessons<\/h2>\n<ul>\n<li>The company\u2019s procedure for working with files from external sources is perfectly good and proper. But it is not followed, because some employees believe that a task is more important than security. In reality, security should have a higher priority than even direct orders from management.<\/li>\n<li>Too many people can access partner resources, a problem made worse by the fact that no one knows exactly who has access. Ideally, this information should be known by one employee, maximum two. Moreover, access credentials should be required for every login. Saving them in the browser is an extremely bad idea, as is accessing the site from an unprotected computer.<\/li>\n<li>Passwords written on paper and stuck under the keyboard may sound ludicrous, but it\u2019s actually quite common at many companies. 
This is totally unacceptable \u2014 even if no one ever comes to your office, sometimes team members can cause just as much damage.<\/li>\n<li>A reliable security solution must be installed on all machines, without exception.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Case study: An analysis of insufficient safety practices at a small advertising agency. <\/p>\n","protected":false},"author":700,"featured_media":12139,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1917],"tags":[1062,1946,767,1768,1947,187,1758],"class_list":{"0":"post-12138","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-antivirus","10":"tag-case-study","11":"tag-cyberattack","12":"tag-endpoint","13":"tag-error-analysis","14":"tag-passwords","15":"tag-supply-chain"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/advertising-agency-mistakes\/12138\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/advertising-agency-mistakes\/14513\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/advertising-agency-mistakes\/16447\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/advertising-agency-mistakes\/14641\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/advertising-agency-mistakes\/13550\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/advertising-agency-mistakes\/17166\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/advertising-agency-mistakes\/16441\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/advertising-agency-mistakes\/21415\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/advertising-agency-mistakes\/5341\/"},{"hreflang":"x-default","url":"htt
ps:\/\/www.kaspersky.com\/blog\/advertising-agency-mistakes\/24047\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/advertising-agency-mistakes\/11076\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/advertising-agency-mistakes\/11020\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/advertising-agency-mistakes\/9814\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/advertising-agency-mistakes\/17898\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/advertising-agency-mistakes\/21731\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/advertising-agency-mistakes\/17517\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/advertising-agency-mistakes\/21390\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/advertising-agency-mistakes\/21394\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/supply-chain\/","name":"supply chain"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12138","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/700"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=12138"}],"version-history":[{"count":4,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12138\/revisions"}],"predecessor-version":[{"id":14596,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12138\/revisions\/14596"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/12139"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=12138"}],"wp:term":[{"taxonomy":"cat
egory","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=12138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=12138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}