"He says he learned that there was nothing that could have been done to stop the attack"
Because a thing seems difficult for you, do not think it impossible for anyone to accomplish.
The world's largest container shipping biz has revealed the losses it suffered after getting hit by the NotPetya ransomware outbreak, and the results aren't pretty. The malware surfaced in Ukraine in June after being spread by a malicious update to MeDoc, the country's most popular accounting software. Maersk picked up an …
Stopping an attack once it has begun, and is spreading very quickly, may not be that easy, especially when some upper managers don't like some systems being brought down to protect them, and they handle and monitor a lot of activities worldwide, and IT doesn't have a clear understanding of what's happening and fears disruptions. Maersk is not Facebook - if the latter halts nothing really happens, but when one of the biggest goods movers is unable to move them, ships can't load or unload, cargo can't be sorted, it is a far different issue.
Probably in their situation they really did not have the right policies to assess the situation, and stop it quickly enough and activate a contingency plan. Hope they learnt.
And hope it taught many other companies, that even if IT is not their core business, it's at the core of their business anyway.
- Patch your o/s monthly
- Regularly patch your apps that open files (Word/PDF etc.)
- Don't run an o/s or app that is no longer in patching support
- Don't let apps connect to the internet to pull down their own updates in an Enterprise environment - test updates in a sandbox first then use your software deployment tools to push out tested updates
- Run anti-virus & update hourly, and AV scan all files on demand
- Scan incoming email using AV and block .exe attachments
- Scan and block sites when web browsing using a web proxy and AV scanner
- Set web browsers to block adverts and Flash
- Use a local hosts file to sinkhole malware and advert sites to 127.0.0.1
One thing I can guarantee - if you think stopping all malware is "Easy to mitigate" then you either don't have much experience in a large company or you have your head buried in the sand. People who do things right definitely do not find it easy and will have a dedicated Security team or at least a dedicated security officer who has a full-time job just managing the security of the enterprise.
If it was easy then they would be out of a job.
Anyone who has to do the security bit on the side to their main sysadmin job or IT manager job will probably tell you that they fully understand the issue and it is a constant battleground and a lot of it involves crossing their fingers, or they are clueless.
Much of it is the same for disaster recovery or general business continuity: not easy at all. Even if on paper you can convince yourself it is easy, anything other than an SME or smaller will probably be hoping nothing major happens rather than being truly convinced that they can cope with any eventuality.
If I was to employ someone in IT security I would be looking for someone who says "it is difficult but I can ensure that xyz issues are covered and this is my strategy for emerging threats .. etc" rather than someone who says "it's easy, I can ensure you never have an issue" because I would know they don't have a clue.
It's like China...
You MUST USE the local government supplied software; don't use it, you are out of business.
The fact that it is supplied from fixed IP addresses over HTTP connections & auto installs & updates, has nothing to do with it.
Boy... is a reckoning coming to China, once the malware writers start doing research into local government offices and their pisspoor requirements of "nepotism software" they force on local businesses.
What's the web proxy for? You can route all web traffic through the proxy anyway, even for those users who try to bypass it (although in my experience often those are the sysadmins themselves). In some environments, the proxy shouldn't blacklist, it should whitelist and block everything else.
Listening to the folks who should have tightened up the company's defenses, but didn't, so instead of copping to their failures decided to frame it as impossible to defend against.
Time to pony up for an independent vulnerability assessment and get the real story, Maersk.
They have a unique ability to rid the world of the scum that created/distributed this malware.
Once you find those bastards, lock them into a shipping container, and have an 'at sea' accident.
"Oops, that loose container fell from the ship!!"
"No big deal, it is only cargo!"