Tale from the Dark Side
Penumbrous forces wait to feed on your calamity
- By Ronnie Rittenberry
- Oct 01, 2011
In this autumnal month of witchery,
trickery, and general tom-ghoulery,
there comes a Halloween-worthy
tale disturbing enough to haunt the
mind of any business owner or information
technology professional. It’s a
curdling tale of innocence, ignorance
or naivete (you be the judge) damned
by unseen yet palpable presences—veritable
shadow figures lurking and preying
like ghosts in the machine.
As is often the case with such tales,
this one’s all the more harrowing because
it’s true. Or so says Stu Sjouwerman,
founder and CEO of KnowBe4, a
firm that specializes in Internet security
awareness training, especially for small- to
medium-size enterprises.
According to Sjouwerman, the unfortunate
series of events began on a day
much like any other at a small company
that provides a subscription service to
a specialized database. The company’s
network consisted of 20 workstations,
an SQL server, an Exchange server and
a dedicated website server, all linked
together by a broadband connection.
Normal enough for a smallish business,
right? Hold that thought. This is where
the story gets weird.
The company did not have a trained
IT team—rather, it had one person
serving part-time in an administrative
role handling IT issues. This unlucky
soul was going about his day, taking
care of business, when he noticed
something that made his spine verily
tingle: For no apparent reason, the
company’s webserver suddenly started
experiencing much higher levels of
traffic from countries where it did not
even conduct business.
His flesh creeping, the part-time administrator
suspected cybercriminals
had broken into the company’s network.
And, unfortunately, he was right.
All Tricks, No Treats
Sjouwerman says that, upon investigating
the situation, it was discovered that
one of the workstations had become infected
with Zeus malware after an employee
clicked on a link in a phishing
e-mail. All the company’s servers and a
number of workstations were compromised,
giving cybercriminals full access
to the network. The company’s logs
revealed that the webserver was being
used to host an illegal music download
service, and also that mischievous miscreants
had installed hidden rootkits.
The disinfection of the company’s
network required a frightful amount of
time and expense. Sjouwerman says in
a press release recounting the eerie episode
that his company spent 110 billable
hours correcting the problems associated
with the network breach, including:
- 10 hours to select, order, configure and install a quality firewall;
- 20 hours to build a new webserver, upload digital backups and bring it “nearline”;
- 25 hours to scan all servers and workstations with several anti-malware tools to locate rootkits;
- 15 hours to wipe and rebuild Windows on all workstations to ensure removal of all rootkits;
- 10 hours to install anti-malware software on all servers and workstations;
- 10 hours to bring the new webserver online and debug the initial problems; and
- 20 hours to repair things that broke during the rebuild, install drivers, bring printers back online, and so forth.
At the standard rate of $90 per hour,
the total cost for the technical-service
cleanup was $9,900, according to Sjouwerman.
On top of that, the breached
company incurred loss of both revenue
and productivity during the repair and
rebuild: its webserver was offline for an
entire day, resulting in approximately
$6,600 in lost revenue; and all of the
company’s 20 employees lost at least
one workday during the rebuild, at an
average cost of $120 per person per day,
resulting in a combined productivity
loss of about $2,400. Between the outside
consultant fees, lost revenue and
lost productivity, this single network
breach cost the company a total of
$18,900. All for that one horrific click!
Grave Consequences
“Many small and medium enterprises
think they’re adequately protected
against security threats because they
have antivirus software, but the reality
is that cybercriminals can bypass that
software by tricking an employee into
clicking a link in a phishing e-mail,”
Sjouwerman says. “Most business owners
have no idea of the time and cost involved
in disinfecting a workstation, let
alone an entire network. [The breached
company] paid nearly $20,000 to undo
the damage caused by one employee’s
unwitting click. Those costs would have
been exponentially higher for a midsize
company with a larger network. And
just think how much a business stands
to lose when cybercriminals use their
network access to capture login information
and passwords for bank accounts
and other financial transactions.
That’s when losses rapidly escalate into
six figures.”
Sjouwerman points out that the
moral to this haunted mouse tale is that
such escalations need not occur.
“Our research has shown that training
can reduce employees’ susceptibility
to phishing attacks by 75 percent after
the very first session,” he says, “and that
subsequent testing and retraining can
shrink the percentage to close to zero in
a matter of weeks. . . . It pays to invest
in cybercrime prevention training.”
Sjouwerman adds that, thanks
to a free phishing security test on
KnowBe4’s website, the initial part of
such an investment costs nothing more
than a bit of time. He encourages owners
of small- and medium-size businesses
to take advantage of the test (at
www.knowbe4.com/phishing-securitytest/)
to learn how many of their employees
are Phish-prone™, or susceptible
to phishing attacks. The module
takes only a few minutes to complete
and might well help avoid a nightmarish
situation later.
This article originally appeared in the October 2011 issue of Security Today.