I just read this post on “How to protect your network from ransomware.” The post doesn’t contain advice that will prevent modern ransomware attacks, though. I do not intend to pick on the author or Network World; I know they are trying to help, and the advice is certainly sound general security hygiene.
Until about a hundred years ago, bloodletting was a pretty common medical treatment for many kinds of diseases. Looking back at it now, the practice is pretty disturbing and counterproductive. But at the time, the treatment appeared to work great. People were treated and either the bloodletting worked (i.e., they recovered) or it didn’t work (they died). Patients who recovered were held up as evidence that the treatment worked, and patients who died were simply considered to have been too far gone for anything to have helped.
I see a lot of the same faulty logic in security advice. No ransomware outbreak means the advice worked, and an outbreak is attributed to some issue so extraordinary that no advice could have helped. Attacks that successfully trick our fully phishing-awareness-trained staff and evade our antivirus applications are so cutting-edge that nothing we could have done would have prevented them anyway. Right?
Why don’t we write guides that contain advice on actually preventing ransomware attacks?