What lessons can be learned from the latest spate of Ransomware attacks?

I think one of the main lessons learned is that the security services shouldn’t be hoarding zero-days and tools to exploit them, especially if they can’t properly secure them.

The thing to remember, however, is that WannaCrypt and Petya both had patches available before they hit and both also took advantage of poor configuration.

Additionally, many organisations that were hit hard could have avoided some (possibly all) pain if they had standard belts and braces security practices in place.

The main lesson organisations should learn is that they should get the basics right.

For example:

Vulnerability Management

Conduct regular vulnerability scanning, understand the security posture of all assets and what vulnerabilities are present, what threats are related to these vulnerabilities, and what risk they pose to the IT estate and the business it serves.

This includes both missing patches (e.g. MS17-010) and poor configuration (e.g. having SMBv1 enabled).

This should all be supported by proper processes that allow for ongoing discovery, remediation of vulnerabilities (either via action or risk acceptance) and confirming remediation.

Ideally, all risks across the entire IT estate should be known about and managed.

Additionally, roles and responsibilities should be assigned to ensure that all of the above is done correctly. This includes security managers, security analysts, vulnerability managers, IT technicians, etc.

Patch Management

Ensure that patches are deployed in a timely manner. This doesn’t just mean pushing the latest Patch Tuesday patches. This also includes understanding what software you have in your IT estate and having a full inventory of assets to make sure everything is patched.

Removable Media Controls

Ensure removable media is limited to devices that are sanctioned only. Ideally, I would blacklist all removable media and whitelist anything that you approve. (This is just my view, however)

Malware Prevention

Ensure you have some kind of AV on all endpoints, at least the classic heuristics- and definition-based AV (although there are more advanced solutions available). Make sure it is up to date and working.

Disaster Recovery

Ensure you have backups, including off-site, off-line backups of critical data.

Incident Management

Ensure you have a plan to react to a major security incident; ensure you have the right people in the right places supported by the right processes.

Control User Privilege

This one goes without saying really: make sure that all users have the least amount of privilege. This should be supported by ensuring that it is audited regularly.

User Education and Engagement

Ensure all staff understand the security policy of your organisation. Conduct exercises such as phishing campaigns to test your users and provide training to allow them to understand the risks involved and be better prepared to spot phishing emails, web sites, social engineering, etc. (Again, this is just a view; some people may suggest that security shouldn’t be a user problem, it should be an IT problem.)

Good Network Security Hygiene

Have the correct access controls on your perimeter, ensure you have properly configured firewalls at all appropriate places in your network (with regular rule audits and reviews), and make sure that VLANs are properly set up with as much segmentation as is required. Ensure that all remote users can connect securely and that any devices they connect from have patch levels at least equal to those of devices already on the network. Also, make sure that you have robust BYOD controls.
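A read-only check for the two concrete failures this answer names (SMBv1 left enabled and MS17-010 not applied), plus a look at who holds local admin rights so the least-privilege point can be audited. This is an added PowerShell example, not part of the answer; it assumes an elevated session on Windows 10 / Server 2016 or later, and the KB list is my own reading of the MS17-010 bulletin, which later cumulative updates supersede.

```powershell
# Added example: read-only "get the basics right" check for one Windows host.
# Assumptions: elevated session, Windows 10 / Server 2016+ (for Get-SmbServerConfiguration
# and Get-LocalGroupMember). The KB list is assumed from the MS17-010 bulletin and is
# incomplete (later cumulative updates supersede it), so "no KB found" means "verify",
# not "vulnerable".
#Requires -RunAsAdministrator

function Test-RansomwareBasics {
    [CmdletBinding()]
    param(
        # Security-only and monthly-rollup KBs that shipped MS17-010 (assumed; verify against the bulletin)
        [string[]]$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                                  'KB4012214','KB4012217','KB4012598')
    )

    $findings = @()

    # 1. Poor configuration: SMBv1 should be off on every modern host.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    if ($smb1) {
        $findings += 'SMBv1 server protocol enabled (fix: Set-SmbServerConfiguration -EnableSMB1Protocol $false)'
    }
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        $findings += 'SMB1Protocol feature installed (fix: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol)'
    }

    # 2. Missing patch: look for any MS17-010 KB among installed hotfixes.
    $installed   = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hasMs17010  = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    if ($hasMs17010.Count -eq 0) {
        $findings += 'No MS17-010 KB in Get-HotFix; confirm a superseding cumulative update is installed'
    }

    # 3. Least privilege: surface local admin membership for review.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    if ($admins.Count -gt 2) {   # threshold is an assumption; tune to your baseline
        $findings += "Local Administrators has $($admins.Count) members: $($admins -join ', ')"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Smb1Enabled  = [bool]$smb1
        Ms17010Kbs   = $hasMs17010
        LocalAdmins  = $admins
        Findings     = $findings
    }
}

Test-RansomwareBasics | Format-List
```

Run it from a vulnerability-management script across the estate and feed the Findings column into the remediation and risk-acceptance process the answer describes.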


One lesson that came up before is that authorities should not be hoarding vulnerabilities for their own purposes. Through extended non-disclosure they were putting companies and individuals at risk instead of making them more secure. Even if the EternalBlue exploit had not been leaked and used by WannaCry and Petya, it would be a risk to not have the vendors fix the vulnerability in case other people or organizations found it but didn't disclose it.

Also: installing patches, teaching users about the dangers of spam, and network segregation for critical systems.


If you are referring to WannaCry and Petya.A outbreaks, then the instructions are simple: follow basic security best practices, which are:

1) Install security patches in time

2) Do not let users work under administrative privileges (domain and local administrators)

3) Do not install suspicious applications from unknown sources

Just by following these 3 simple rules you will be able to protect your system against this kind of attack.

These are basic mass attacks, not the targeted ones.