I guess to me I felt like I must have been missing something for these things to be so basic but yet for so many places to be getting hit with ransomware. There are a lot of things that seem so simple to me that it leads me again to think I must be wrong, and hence has lead me to a touch of imposter syndrome at times.

This has been eye opening, thank you.

John-

I think you got the basics down as all those thing SHOULD protect you.  The operative word here is SHOULD but one must remember it only takes one machine to not be patched or the AV not be working (yup this happens) for Ransomware or any other virus/malware to take hold of your environment.

Patching can sometimes be difficult and even when one thinks they are 100%, someone pulls out a computer from under a desk that hasn't been patched in months or allows an unprotected device to attach to the network (they just want to take that spreadsheet home to work on, etc......).  The problem is typically the human factor.

Along with the three you mention, I would add a strong dose of Security Awareness training especially on what is allowed and not allowed on your network, what patching means and why it is done.

my nickel

d

The prevailing assumption in this thread is that organizations and many local government IT shops are doing the right thing (i.e., the "basics"). Well news flash they are not. They don't control user authentication and authorization with the basic philosophy of least privilege. There are lots of organizations that give there users "admin" on their local machines and over provision roles on databases. Can you say lateral movement? I new you could. 

It's often patch delay time being exploited.  Whilst you know there's a patch and it's in testing, you haven't fully deployed it yet.  So if you're patching monthly, you need to consider moving to weekly or even daily!  You need to consider what happens if you have a major incident that diverts resource, cover over holidays and what to do if staff are away ill.   You need to consider how you can get remote machines patched and you need to posture check them when they come back into the office.  Whilst companies are often trying to do the right thing, it's only by completing the work that malware is kept at bay.  

On patching and updating, I have been wondering if it is possible to get disclosure from vendors about what libraries and sub systems and in their products. If I see there has been a vulnerability or bug found in one of these I don't always know if I am affected due to this lack of disclosure. Even if there is no patch available I would still be able to mitigate the risk in different ways, if I know I am at risk.

So am I missing anything on getting this disclosure?

John-

> dcontesti (Community Champion) posted a new reply in Tech Talk on 01-04-2020

> I think you got the basics down as all those thing SHOULD protect you.  The
> operative word here is SHOULD but one must remember it only takes one machine to
> not be patched or the AV not be working (yup this happens) for Ransomware or any
> other virus/malware to take hold of your environment.

And if you've got a backup, as backup to the other countermeasures, then you SHOULD be OK ...