by CoolGuySteve 2391 days ago
While patches would have helped in this specific case, that's only because Merck was collateral damage.

In a targeted attack, it's likely the foreign agency would be using a 0-day attack.

The only way to protect against that is by reducing the OS monoculture, offline backups, and using network air gaps on critical data.

But those practices are extremely rare in my experience.

If I were on unfriendly terms with the US, I'd use this as a case study on how to cripple the economy by taking advantage of the large monocultures created by lax IT in a hundred or so of the largest firms.

4 comments

> In a targeted attack, it's likely the foreign agency would be using a 0-day attack.

A targeted attack is also expensive and the victim would need to have something worth this kind of money and attention. "Nation state actor" just isn't a reasonable risk assumption for a great many organizations.

> The only way to protect against that is by reducing the OS monoculture, offline backups, and using network air gaps on critical data.

When the "nation state actor" comes looking for you with some motivation, all that and the air gap won't mean much. See Stuxnet.

Like J. Mickens said: "Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT."

https://www.usenix.org/system/files/1401_08-12_mickens.pdf

Nation-state actors can be deterred by nation states. If Vova believes that CNAing someone in the US will cause the US to bankrupt him and/or the people whose support he requires to stay in power, he'll make damn sure this doesn't happen. As long as the US does not demonstrate this capability and willingness to use it, he'll continue to misbehave.

Offline backups are about the easiest thing you can do, and they protect against pretty much everything. Air gaps are useful, but they're just a connection with unusually high latency. Network monitoring protects against zero-days.

The fact that good is worse than perfect does not mean good is no better than bad.
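An added worked example of the "offline backups protect against pretty much everything" point above. This is not code from the thread or from any commenter; it is a small Python illustration in which a separate directory stands in for detached media that a compromised host cannot write to. The sample files, the XOR stand-in for ransomware and all function names are constructed for the demo. The cycle it shows is the one a practitioner actually cares about: snapshot with a SHA-256 manifest, detect that the live tree was tampered with, confirm the offline copy was untouched, restore and re-verify.

```python
"""Offline-backup integrity check (added example, not from the thread).

Assumes a plain directory tree; `backup_root` stands in for detached media
that a compromised host cannot write to. All sample data is constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (POSIX-style relative path) under root to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def snapshot(live_root: Path, backup_root: Path) -> dict:
    """Copy the live tree to the backup location and record a manifest beside it."""
    if backup_root.exists():
        shutil.rmtree(backup_root)
    shutil.copytree(live_root, backup_root)
    manifest = build_manifest(backup_root)
    lines = [f"{digest}  {rel}" for rel, digest in manifest.items()]
    (backup_root / MANIFEST_NAME).write_text("\n".join(lines) + "\n")
    return manifest


def load_manifest(backup_root: Path) -> dict:
    """Parse the sha256sum-style manifest written by snapshot()."""
    manifest = {}
    for line in (backup_root / MANIFEST_NAME).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        manifest[rel] = digest
    return manifest


def verify(root: Path, manifest: dict) -> dict:
    """Compare a tree against a manifest; report intact, changed and missing files."""
    current = build_manifest(root)
    intact = sorted(r for r, d in manifest.items() if current.get(r) == d)
    changed = sorted(r for r, d in manifest.items() if r in current and current[r] != d)
    missing = sorted(r for r in manifest if r not in current)
    return {"intact": intact, "changed": changed, "missing": missing}


def simulate_encryption(root: Path, key: int = 0x5A) -> int:
    """Constructed stand-in for ransomware: XOR every file in place, return count touched."""
    n = 0
    for p in root.rglob("*"):
        if p.is_file():
            p.write_bytes(bytes(b ^ key for b in p.read_bytes()))
            n += 1
    return n


def restore(backup_root: Path, live_root: Path) -> dict:
    """Rebuild the live tree from the backup and re-verify it against the manifest."""
    if live_root.exists():
        shutil.rmtree(live_root)
    shutil.copytree(backup_root, live_root, ignore=shutil.ignore_patterns(MANIFEST_NAME))
    return verify(live_root, load_manifest(backup_root))


def demo() -> dict:
    """Run the full cycle on constructed sample data and return the findings."""
    work = Path(tempfile.mkdtemp(prefix="offline-backup-"))
    live, backup = work / "live", work / "backup"
    (live / "trials").mkdir(parents=True)
    (live / "trials" / "study-001.csv").write_bytes(b"subject,dose\n1,10\n2,20\n")
    (live / "notes.txt").write_bytes(b"constructed sample data\n")

    snapshot(live, backup)
    manifest = load_manifest(backup)
    before = verify(live, manifest)
    hit = simulate_encryption(live)          # only the live tree is reachable
    after = verify(live, manifest)           # tampering is detected here
    backup_state = verify(backup, manifest)  # offline copy was never written to
    restored = restore(backup, live)
    shutil.rmtree(work)
    return {
        "files_before": len(before["intact"]),
        "files_hit": hit,
        "changed_after": after["changed"],
        "backup_intact": backup_state["changed"] == [] and backup_state["missing"] == [],
        "restored_intact": len(restored["intact"]),
    }


if __name__ == "__main__":
    print(demo())
```

The manifest matters as much as the copy: without it, a restore from media that was silently corrupted or partially encrypted before it was detached looks identical to a good one. In practice the backup directory is a mounted-then-ejected volume or a write-once bucket, and the manifest (or a signature over it) is kept with the copy, not on the host being protected.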

Having every machine in the company three months out of date on critical security patches is just negligence. I'm surprised the insurance companies didn't take that tack.

0days are precious and expensive. The odds of being targeted by one are incredibly low compared to those of being targeted by an exploit for which there is a patch.

True as that may be, let's keep in mind just how juicy of a target Merck is, being a gigantic multinational with a market cap roughly equivalent to the GDP of Portugal.