Good patch management could have stopped the spread this week of the NotPetya ransomware, says one of the world’s expert investigators of cyber breaches.

“It’s interesting me they’re successful at all because they’re attacking known vulnerabilities,” David Ostertag, global security investigations manager at Verizon Enterprise Solutions, told Canadian reporters on Wednesday. “All those attack types attack a vulnerability that have patches existing, So if we we follow good patch management you don’t have to be worried about those.”

David Ostertag

Later in an interview he expanded on the problem, saying a lot of companies are struggling with a risk- based strategy to patch management: Can they put a lower priority on servers that don’t store data, for example, or that aren’t connected to the network?

The best infosec teams apply a risk-based approach to their entire IT security program, he said — everything from data, access management, network infrastructure design, anti-virus and patch management – prioritize activity.

But sometimes, he admitted, the solution is hire more staff, or outsource patch management.

Ostertag was in Toronto to talk to customers and potential customers about Verizon’s 10th annual Data Breach Investigations Report, an analysis of 42,000 security incidents and 1,935 data breaches from customers and 65 agencies security vendors. In addition to heading Verizon’s global incident investigations team he also oversees the report and its lessons learned.

Like other security experts, Ostertag suggested there’s nothing new in cyber defence: Password protection, network segmentation, knowing what data the enterprise has and where it is, and patching

“All of those basic security foundations are as important today as they were 15 years ago,” he said.

Yet, he admitted, the message still hasn’t gotten through for a lot of infosec leaders.

One message in particular: The need to adopt multi-factor authentication for employee logins. Stolen or easily guessable passwords featured in over 50 per cent of breaches, the annual breach report shows. “If there’s one thing that would help prevent breaches … probably multi-factor authentication would be number one. Too often we have breaches that involve single user names and passwords. If everyone were to implement true multi-factor authentication we would probably stop 50 per cent or more of breaches we see these days.”

That is getting heard. In talking to Canadian companies Ostertag said he has seen a “dramatic increase” in interest in implementing multi-factor authentication solutions.

What’s also changing, he added, is the Canadian attitude that cyber attackers aren’t interested in this country.

As for spear phishing, a very common technique for compromising security, Ostertag said these days typically an attacker will do a lot of research through public sources to find information on the target. That includes identifying executives or managers who have control over wanted data, and learning the corporate culture and jargon to craft a phishing email that will bypass awareness training.

One way to limit malicious email or links that may get past email gateways is putting an identifer on email that comes from outside the firewall. Verizon (NYSE: VZ) puts a capital E in the subject line; messages without an E are from employees, and therefore likely trustworthy.

While there’s no shortage of security awareness training methods, Ostertag said he was taken with one retail chain’s idea: Give staff who see and warn of suspicious messages a toy fish, which they can put in an “aquarium” on their desk. It prompts competition to see who has the most fish.

“It’s very effective” because it’s simple, he said.

Ostertag also warned attackers have a new technique for exfiltrating data: Send it out as its found, around the clock, rather than create a large package. “It’s low and slow, it doesn’t stand out,” he explained “It’s difficult to detect because it looks like legitimate business.”

As for cloud computing, Ostertag said when configured correctly cloud services can give the CISO more security than on premise solutions. But, he added, it also means making sure there is due diligence on who the provider is and where the corporate data will be stored. “We have multiple cases [when investigating an incident] where we have never found where the customer data resided,” he said.