
The Hypothetical Scenario:

The computer network bug that comes to be known as the Pentecost worm is first publicized in a red alert on IT security Web sites Monday, May 31, 2004. The public first becomes aware of it through garbled e-mails between major companies and their customers, particularly those confirming automated transactions. But this virus has been alive for as long as three months, though few people recognized its seriousness.

A vulnerability in Apache Web software, run by more than 50 percent of network Web servers, was identified and publicized on IT security Web sites and mailing lists as early as mid-March. It was one of 30 vulnerabilities in a variety of operating systems and application software published that week.

IT managers reminded themselves to download and install patches to protect their systems. The vulnerability looks relatively innocuous: validation routines for updating data can be bypassed in certain circumstances by the use of carefully crafted input data.

Unknown to the IT community, a powerful worm exploiting this weakness has been released somewhere in India in mid-April. It is slow to proliferate, using one of several techniques to penetrate servers. It takes days to spread through networks around the world.

Companies using the Apache Web server do not realize that their security measures can be bypassed and that the worm has access to intranet and secure internal networks hosting financial systems, search engine databases and other complex data.

In order to operate, the server must validate each transaction with the database, but the vulnerability allows this validation to be bypassed in certain circumstances.

The worm exploits this loophole by randomly changing alphanumeric characters in the transaction record, thereby corrupting the data. Because the software targeted can be used to provide access to a range of industry-standard databases, including those used by customer relationship management and transaction systems, all are vulnerable.

At first, the worm corrupts the data slowly--at a rate of one character in 10 billion--and this is difficult to detect. But the rate of data corruption increases by an order of magnitude every week.

Managers first notice small errors in reconciliation routines. Customer complaints about errors in account and billing statements increase.

Corruption rates reach one character in one million after almost a month, and several companies raise internal alarms about errors and inaccurate customer data.

When corruption rates reach one character in 100,000, managers know their companies have been infected. Because this worm was surreptitious, backup data systems are also infected.

Companies operating rotating backup systems find that many of the copies are also infected, though to a lesser extent. Live transaction systems and individual customer accounts are compromised, but in some companies the extent of data corruption is not easily verifiable.

Many companies discover that they have a problem in the weeks and days leading up to May 31st, but most of them have been working to contain the problem.

Late in May an IT security analyst realizes the potential impact of the Web server vulnerability and posts an alert including a demonstration version of how a potential worm might exploit it.

Shortly afterward, this vulnerability is connected with the data corruption, evidence that such a worm may already be in circulation. First the trade and then the mainstream media disseminate the story.

On Tuesday, June 1, corporate managers and customers return from their Memorial Day weekend to headlines about computers worldwide speaking in tongues.

A major savings-and-loan company is one of the first to admit publicly that the worm has infected it. Executives release a statement to shareholders, but it's too late. Its stock price falls 60 percent in the first hour of trading. The bank is forced to admit that it cannot be certain that its customer accounts are correct. Customers panic and begin withdrawing funds, causing the bank to suspend business by midafternoon. Other infected banks and trading companies, alarmed, freeze accounts and suspend business before making their announcements public.

Almost 10 percent of the companies in the Fortune 1000 are affected with at least one internal system suffering from corrupted data. Hundreds of thousands of smaller companies, with less secure IT systems, are also affected. Government and non-commercial systems also suffer high levels of infection.

Every company launches an internal audit to establish what parts of their computer systems have been affected by the breach. Data restitution is a priority. In extreme cases, some companies have to poll customers to rebuild data from scratch. IT departments scramble and senior managers attempt to minimize the impact on customers and business operations. Workers are consumed with the latest crisis; little else can be done before this is fixed.

Many companies reinstall software and data systems, reconfigure firewalls and look for new, expensive security measures. Lawyers, consultants and employees prepare to go to court against the perpetrators--if they can ever be found. Most companies suspend e-mail systems and routine use of their computer networks during the investigation and repair.

Electronic trading, financial services and communication systems are hardest hit. Some companies suspend part of their commercial activity, and several major corporations suspend it entirely for the rest of that week. Half of the affected companies are still closed by the end of the following week as well. Some companies are faced with losses of more than $100 million.

Companies absorb most of the costs themselves. Although more than 33 percent of major corporations have insurance policies protecting them against cybercrime, only 2 percent of midsize and small companies do.

The amount recovered through insurance is only 2 percent of the costs resulting from the attack.

Losses To U.S. Companies from Computer Virus Attacks

Name                   Date        Type    Threat Class   Machines affected   Cost

MyDoom/Novarg          Jan. 2004   worm    4              Over 600,000        $500 million
SoBig.F                Aug. 2003   worm    2              1 million PCs       $250 million
SQL Slammer            Jan. 2003   worm    4              100,000+ servers    $2 billion
Klez (versions e-k)    Feb. 2002   worm    3-4            750,000             $1.1 billion
DoS Internet           May 2002    virus   3              13 ISPs             $75 million
Nimda                  Mar. 2002   virus   4              1.25 million        $100 million
Code Red               Jul. 2001   worm    5              10,000 servers      $2 billion
Anna Kournikova        2001        virus   3              5 million PCs       $750 million
I Love You             2000        virus   3              20 million PCs      $1 billion
Melissa                1999        virus   2              8 million PCs       $400 million

Source: Risk Management Solutions

RELATED ARTICLE: The far-reaching implications of data corruption.

This is a fictional example. The Pentecost worm does not exist and this is not intended as a prediction, nor does it imply any knowledge of specific vulnerabilities of computer systems that could be exploited.

But this is an illustration of how a large economic loss could arise from widespread penetration of a virus or worm through the computer systems of companies across the United States and the rest of the world. Security consultants and IT business managers believe that data corruption is one of the most costly kinds of losses facing major businesses today.

If backup systems also suffer (as explained in this example), losses escalate exponentially.

Transaction systems, using electronic ordering and confirmation procedures, are also extremely vulnerable and would likely suffer sustained business losses for some time as a result of the loss of trust from a publicized breach of security.

Very large losses could also occur from an attack on online revenue systems, as companies with retail revenues increase the amount of business they generate through online channels.

E-commerce currently generates more than $50 billion a year in transaction volume, and now accounts for nearly 2 percent of all retail revenue, up tenfold from two years ago, according to a November 2003 estimate by the U.S. Department of Commerce.



 