What's The Actual Cost of A Virus?
ThosLives writes "CNN Money just posted a story that says the MyDoom virus may cost businesses $250M. My favorite quote is that for small to medium businesses with 400 or less employees, the estimate is between $48,000 and $58,000 cost to 'secure themselves' from the particular virus. Does anyone know where that number comes from? If one can charge a year's salary to fix one virus, I'm in the wrong job! Any input out there on the real, hard costs of things such as virus protection?"
Another thing that's expensive and not to be forgotten is the bandwidth of sending all this crap spam. Why should the recipient of these messages bear the costs of the bandwidth essentially wasted because of these messages?
There's no place like localhost
If you get infected you have the cost of fixing the computers, downtime and lost productivity, loss of earnings, etc. All of this can add up to many thousands of dollars.
The company I work for has not become infected; the only cost of the virus is stupid bounce back messages and an hour of my time fine-tuning our mail server config. Due to this the virus has cost us something, but it's hardly worth mentioning.
The cost of having a good anti-virus system is really easy to justify.
(\(\
(^.^)
(")")
*This is the cute bunny virus, please copy this into your sig so it can spread
Yesterday I spent at least a couple of hours clearing some spyware from a PC: it had completely infiltrated the registry, was replacing all attempts to reach other web sites via MSIE with its own page, killing Mozilla, killing the various anti-spyware programs... OK, killing various processes with names like 'sistem' and deleting a bunch of recently-installed DLLs helped me recover control.
But I pity the millions of people whose PCs are infested with dialers, trojans, browser-infecting gremlins. These are not technical 'viruses' because they don't propagate. But they are very serious time wasters,
Ceci n'est pas une signature
I'm surprised that an Asian version of these viruses hasn't made the rounds yet. I'm curious if businesses in S. Korea would be just as affected if this virus was socially written for that part of the world.
Life is not for the lazy.
Our office mail server is a linux box. It's a nice little redhat, properly administered. Haven't had a bit of trouble. Major government contractor across town has NT all over, massive problems. Of course, our email server doesn't allow .exe, .scr, .vbs extensions for attachments at all. There's a few more that are disallowed. The server replaces those attachments with a .txt file which states that a file has been removed.
One good example is in the Bruce Sterling non-fiction book "The Hacker Crackdown" - which can also be read online. To sum up, the financial cost of getting a particular document taken from a mainframe was given as the total cost of the mainframe, a terminal and the salaries of a bunch of people going up the hierarchy from the person who wrote the document, for far longer than that person actually spent working on that document (i.e. paying for someone to write it at the rate of a few words a day, someone else to stand behind them and look over their shoulder for days, someone behind them etc). The defence proposed that the actual worth of the document was the few bucks plus postage that other people paid for it when they ordered it from the company over the phone.
Opportunity costs are difficult to calculate, one missed email and you could have been a contender - on the way to fame and fortune - but it's more likely that the email is just spam.
Does anyone know where that number comes from? If one can charge a year's salary to fix one virus, I'm in the wrong job! Any input out there on the real, hard costs of things such as virus protection?"
It isn't just one person working on the virus.
With really bad viruses it will take a week of work, if you are lucky and it doesn't spread too badly.
You probably have the entire server/desktop team working on the updated anti-virus software and how to deploy it.
You have the entire Tech Support team who actually go out to people's desks when they think they have the virus.
You have the entire helpdesk team swamped with calls, many of which are just asking questions about the virus, rather than even thinking they might have it.
You have the actual end-users who are getting paid to twiddle their thumbs while they wait for tech support to check out their PC.
And you have all the management in a huff and having lots of meetings to talk about the virus which they really don't understand while all the IT people do all the actual work.
Try to be more sensitive, those dollars add up!
Also, while they probably don't pay overtime, they probably count the cost as if they did.
Promote Sensitivity on Slashdot, make me your friend.
I do wonder if the cost of replacing any remaining M$ servers with Linux or BSD would be many factors of ten lower than a year's worth of MSTDs. If you avoid getting hit even once, you probably earned your money back.
Well, Mandrake Linux fits on three CDs, so I'd say the cost of securing a business against virus attacks is about 75p.
The reason why so many attacks are against Windows is that Windows is usable by complete morons -- and, as an inevitable result, you get complete morons using it. Yes, we all know GNU/Linux requires a little tech savvy. You don't get smart enough to use GNU/Linux without first learning that running just any old programme when you don't have the faintest idea what it does, is a bloody stupid thing to do. On the other hand, any living advertisement for the pro-choice movement can fire up Windows XP and get their computer riddled with malware in a twinkling. Why? Because Windows is too easy to use.
It's a perfect illustration of reverse evolution in action. You try to make something idiot-proof, then nature only goes and comes out with a dafter idiot.
You could never make a car that a five-year-old could drive safely -- and even if you could, it would necessarily lack so much functionality it would barely be usable. Really, there's no point trying -- it's better to issue full driving licences only to adults and only on completion of a test. And then we don't have to suffer the consequences of cars that would be driveable by five-year-olds.
The very fact that GNU/Linux naturally weeds out complete retards probably explains why there are not -- and will never be -- as many GNU/Linux exploits as there are Windows exploits.
Je fume. Tu fumes. Nous fûmes!
You know, I've always wondered if BSD-type "jails" could be implemented on windows in regards to email messages containing attachments, or if such a thing exists, why isn't it widespread to cut virus propagation?
Sort of like isolating Outlook, which runs attachments in a virtual server where viruses would be locked in a controlled environment and fail to spread outside of that system.
That's not even close to the cost, even if you work very, very cheaply.
The cost of anti-virus and related is the least part of the equation, even factoring in the admin's time, and I don't care *how* cheaply you work. Not even if you're a volunteer.
The real cost is factored more like this:
- Staff hours that are lost looking at false bounces (or worse, getting infected, something which is very common) and having to correct that
- Helpdesk hours that are lost answering questions from people with a mailbox full of bounces for stuff they didn't send (or we hope not);
- Helpdesk hours that are lost disinfecting the machines of all those who clicked the attachment. Mostly, the same ones who fell for it last time, too.
- Sysadmin hours that may be spent on watching over stressed mail queues to make sure they don't get full, and dealing with potential mail backlogs.
Those are three broad areas, I'm sure the accounting department could tell me a bunch more of their favorites.
Let's say you make $20 per hour at your job. The cost of your benefits is probably also about $20 an hour, assuming health insurance, etc. Heck, it could be more. But let's go with $40/hour as the total cost of your compensation for this example.
Now, let's say you lost 30 minutes of productivity to a worm. OK, $20 bucks that your company spent on having you do something other than your job function. But, you're way smarter than most of your colleagues. You didn't click it. You've just wasted 30 minutes initially looking at what it was, deleting more copies that came in, and deleting bounces, and you never even called the help desk. Most people are probably at one hour, maybe more. Lots more, if they got infected.
If by some chance it works out that the average cost of compensation (salary + benefits) in your company is $40/hour, and you have 100 employees and on average each person lost 30 minutes to the worm (again, I bet it's hard to get the number that low in most companies when a big worm like this appears), that's $2000 right there. Antivirus software is not even factored in because you either had it already or not, but either way, it's not a directly related expense.
OK, that was the first day. People will deal with more crap in their mailboxes tomorrow, and the day after and quite a few days after. At least for a week, you might expect to have a company-wide average of 30 minutes per person, per day, spent on things related to the worm.
Now we're at $10,000.
This all assumes that no data was damaged or destroyed (if it was, the monetary value of that data, if irreplaceable, is charged. For replaceable data, the cost of an admin restoring it is charged).
And don't think your average will probably be that low. If a lot of people get infected, your helpdesk staff and sysadmin staff will probably be spending the majority of their time on this problem for at least a week. In a typical 100-person company with a Windows machine on every desk, you may be really lucky to get away with $10,000 chargeable to the worm.
I work for a well-known mail filtering company, and I'm getting a front-row seat for the impact this is having. It's large, even for companies that have our services. If you have tens of thousands of employees, you're going to see a lot of bounces coming in, and those divert staff time to deal with them.
Now, imagine you have tens of thousands of employees and you're not using a service like ours. You're going it alone. Your admins. Your equipment. Your anti-virus software which you hope gets the new signatures before the worm gets to you. Your admins and helpdesk staff are working their butts off for at least a week, probably more (not that they weren't already busy). You might have hundreds or even thousands of infected machines to deal with. Countless bounces. Suddenly, you find yourself looking at a cost reaching into the hundreds of thousands of dollars. Not a pretty sight.
While
Well.. in this case, the mail client doesn't matter as far as I can see.
The premise of this worm is that a person gets an e-mail, downloads an attachment, opens and executes it, right?
Or is this one of those magic worms that runs all by itself when you view the message?
Am I missing something or what?
The cost of 400 yellow post-it notes saying "DO NOT OPEN FILE IF EXE OR SCR!"
You don't even need this one. Just strip all incoming executables at the mail server so the user never gets anything dangerous to click on.
We did that (at an admittedly small - just under 100 user) site using MailMarshal, now known as NetIQ Marshal.
There's never any good reason to send an executable file via e-mail anyway. Software updates etc are better accessed through ftp or straight off the web. Self extracting archives (zip files) are unnecessary given the number of free decompressors available if the company is too cheap to pay for licenses.
Blocking all (Windows) executables is easy in most filtering software, removes the worry of not being up to date with anti-virus library files, and works 100% of the time.
This was back in the days of the good old Anna Kournikova, ILoveYou and similar viruses. We had exactly zero infections, and zero problems.
Yes you can still get viruses in other ways (if some damn fool downloads a virus direct from a website) but how often does that actually happen? They all come via e-mail, and propagate via e-mail - be it your server or their own SMTP connection.
We block almost all attachments, but allow .zip files through. A good scanner can look inside .zip files, and block .zip files containing executables but allow those with plain documents through.
If I were you, I would consider upgrading to a better scanner.
A better thing is to simply reject all emails with attachments, except for very specific ones on your allow-list that are known safe (for example, .jpg). This way, even if you get a virus that your virus scanner doesn't yet recognise - it gets rejected. There are other methods of sending files that don't require email.
As for anyone who opens attachments, it's fine to say that when you've got at least reasonably computer savvy users. However, many small companies have one computer 'expert' (which may be the boss's son) and a computer illiterate workforce who knows how to type a letter in Word and send an email. They don't know what EXE or SCR is and are unlikely to remember. They might be fabulous truck drivers on the other hand, who've never had a wreck and who always get their vehicle to where it's going on time. Why fire them for a mistake in something they have little knowledge about?
Oolite: Elite-like game. For Mac, Linux and Windows
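The attachment policy described in the comments above (strip executable extensions at the mail server, replace them with a text notice, look inside .zip files), sketched as an added example that is not from any poster or from the products named in the thread. The allow-list contents, the notice file name and the fail-closed handling of nested, encrypted or unreadable archives are assumptions; the sample message is constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXTS = {".exe", ".scr", ".vbs", ".pif"}   # extensions named in the thread
ALLOWED_EXTS = {".jpg", ".txt", ".zip"}           # assumption: example allow-list
NOTICE_NAME = "attachment-removed.txt"            # assumption: notice file name


def ext_of(filename):
    """Lower-cased final extension; trailing dots and spaces are ignored."""
    name = (filename or "").strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def zip_verdict(data):
    """Return a reason to block the archive, or None if every member is acceptable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:          # bit 0 set: member is encrypted
                    return "encrypted member cannot be inspected"
                member_ext = ext_of(info.filename)
                if member_ext in BLOCKED_EXTS:
                    return "archive contains " + info.filename
                if member_ext == ".zip":          # assumption: do not recurse, block
                    return "nested archive"
    except zipfile.BadZipFile:
        return "unreadable archive"
    return None


def attachment_verdict(filename, data):
    """Allow-list first, then content inspection for archives."""
    ext = ext_of(filename)
    if ext in BLOCKED_EXTS:
        return "blocked extension " + ext
    if ext not in ALLOWED_EXTS:
        return "extension not on allow-list"
    if ext == ".zip":
        return zip_verdict(data)
    return None


def filter_message(raw):
    """Replace every rejected attachment with a plain-text notice."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in list(msg.iter_attachments()):
        name = part.get_filename()
        reason = attachment_verdict(name, part.get_payload(decode=True) or b"")
        if reason:
            part.set_content(f"Attachment {name!r} was removed: {reason}.\n",
                             disposition="attachment", filename=NOTICE_NAME)
            removed.append((name, reason))
    return msg, removed


def attachment_names(msg):
    return [part.get_filename() for part in msg.iter_attachments()]


def make_zip(member, content):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def build_sample():
    """Constructed test message: one .scr, one clean zip, one bad zip, one jpg."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "hi"
    msg.set_content("See attached.")
    msg.add_attachment(b"MZ-dummy", maintype="application",
                       subtype="octet-stream", filename="report.scr")
    msg.add_attachment(make_zip("doc.txt", b"plain text"), maintype="application",
                       subtype="zip", filename="docs.zip")
    msg.add_attachment(make_zip("invoice.pif", b"MZ-dummy"), maintype="application",
                       subtype="zip", filename="bad.zip")
    msg.add_attachment(b"\xff\xd8\xff-dummy", maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    return bytes(msg)


if __name__ == "__main__":
    filtered, removed = filter_message(build_sample())
    for name, reason in removed:
        print(f"removed {name}: {reason}")
    print(attachment_names(filtered))
```

Matching on the final extension only is what catches names such as `photo.jpg.exe`; a filter that trusts the declared MIME type or the first extension would let them through.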
But seriously, this whole thing only took about 2 hours or so of my time. Blackhole the infected machine at the firewall, check mail logs, remove the virus, update AV pattern file, about an hour. Of course, another hour is wasted responding to the "you sent me a virus" emails.
One other person, who was absent yesterday, opened an attachment and became infected. Clean up time, about 30 minutes.
After this, I said semi tongue in cheek, "If anybody opens another attachment, I'll shoot them". No more infections after that! How's that for education? :)
The media portray these things (like everything else), much bigger than they really are. But don't tell management, every time something like this happens, handling the situation makes me look like some super admin. Not bad for the job security. :)
They're preying on stupidity. Soon they'll prey on fear.
I can see where it's heading. As an example:
I somehow think the worst is yet to come
The argument I hear the most, without a doubt "Windows gets more viruii because it's more popular". I call bullshit! I know it's bullshit because of Apache. Apache, by almost any web server survey, has at least as many servers as IIS (netcraft says between 2x and 3x, but let's say just as many for sake of argument). So by this reasoning, apache should have as many worms as IIS. But, as far as I can remember, there have only been two Apache worms. Neither of which btw were as crippling as any IIS worm. In fact, I was running multiple apache servers at the time of both of them and got neither one. What about Oracle? IIRC Oracle has a larger market share than sql server. Do we know of any RDBMS worms as devastating as slammer?
Microsoft still isn't taking security seriously. Although this virus requires user interaction, Microsoft shouldn't make it so easy to execute content. Hell, content can be executed just by looking at the preview pane in Outlook. Check out the story over in developers. MS decided instead of fixing the url spoofing bug that phishers have been using since December, they are just going to not allow urls with an @ sign in them.
Then you've got your idiots over at security focus, such as Tim Mullen (who is a security consultant for MS btw) who believes security shouldn't be an issue for MS to worry about. It should be the end user who worries about it. It's no wonder they do not take security seriously when you've got people with views like that advising you.
Let's not forget the anti virus companies. Their livelihood is protecting people from virii. Not stopping them, protecting people from them. If we didn't have virii, then the anti virus companies would be out of business.
When you've got all this political bullshit swirling around the only one that loses is the end user. The one who bought their computer to enhance their life. To get onto the internet and research car safety because their teenager is about to drive. Or the grandma who wants to receive pictures from her grand children. Or the first time user that gets a virus within 15 minutes of plugging in their new computer, ensuring they will probably hate it from that point on.
The notion that ordinary users should pay to have virus protection seems rather antiquated in this age of mass mailing worms etc that have more effect on businesses than homes.
I personally use a great freeware antivirus program from a German company called AntiVir (www.free-av.com), which gives it away for personal use but requires commercial use to have a licence (as a nice aside, it is WAY more efficient than the bloated Norton apps). This makes sense, as it's businesses that keep telling us they're losing millions of dollars when a virus hits them, whereas home users might be inconvenienced for a little while but not seriously affected in most instances.
How about having the government recommend some free antivirus programs, or even require companies to sponsor antivirus companies, since it's in their interests to do so?
Visceral Psyche Films
How much money would it cost, to install - say - Linux on all desktops, and never let any employees use Internet Explorer or Outlook ever again? I think in the long run it would be cheaper than getting hit by a virus every few months...
Don't forget that some infectors are network enabled and will try to spread to all uninfected computers on your network. Since you don't have a method that stops those (if you did, it wouldn't have spread), you'll end up having to take down the network to clean the machines without them getting re-infected by their neighbors. (This gets really ugly in big companies)
Ok, infections can (keyword can) be very expensive for a company, but there is a tendency for "software" issues to inflate the numbers they use when whining about financial loss they were caused.
Considering that there's a lot of us in the IT sector out of work, Virii can be a godsend. Why? 'Cause, even if it's only for a week or so, we get called by the local contract companies to clean it up. I did a 2 week stint at Honeywell in Phoenix doing just that. I was unemployed when they got hit by whatever virus back in August and got the call to help with its cleanup. This later turned into a longer contract to help out their PC Techs clean out their ticket backlog caused by the virus; some 2000 or so tickets generated and left untouched during the cleanup. We were out there for a total of 5 weeks.
Stuff like this, large companies needing to outsource virus cleanup, is also a major factor to be considered when looking at those numbers. Figuring that the contract companies got an average of $25/hr for each of us and multiply that by the initial order of just over 100 techs for the first 2 weeks of cleanup (Honeywell has numerous, large facilities around Phoenix), and you see just how much money these things can cost a company.
Fifty watts per channel, baby cakes.
I taught my grandmother to use a computer. She, like other old people, has some difficulty using it but opening e-mails is not a big deal. She just clicks on a message and reads it. She even learned to send messages herself and was very proud of this.
But this time she got in trouble. I don't know how - maybe antivirus software was disabled or something else but MyDoom infected her computer. Yes, it was Windows. I actually don't have much time to install software for my family members and just bought a second hand computer with Windows and everything and gave it to her to use. Now I think I will take some time to wipe it out and install Linux instead.
It is a psychology of inept users to click on things. It cannot be changed, at least not easily. There will always be some grandma or some office clerk who will click and execute attachment regardless how many warnings will be there. That is the biggest security problem with Windows systems - the files are always executable by default. It is different in Linux. To run the script it requires to set executable attribute first. Who needs to execute attached file anyway?
The security which does not take into account user psychology is worthless. I predict that there will be more viruses like MyDoom in the future as there were in the past. The whole Windows architecture is broken with regard to user interaction and it cannot be easily fixed.
--
I doubt that people lose an hour of daily productivity because of a virus. Most workers with a computer on their desk work more than 8 hours a day although they are paid for only 8. Furthermore, your analysis assumes that time without a computer is lost time-- that's not the case.
And you can't really factor in the cost of IT staff, that is their job (among other things). If there weren't a new virus every once in a while, there would be fewer IT jobs.
If the IT specialist does their job right, the virus never makes it to a cubicle or at worst affects email for some people for a while. If a company is overrun by a virus, that cost is real, but I would hesitate to even attempt to put a number on it. In such a situation, the company should consider replacing their IT specialist.
It's difficult to say how much exactly a business loses, how much they report lost to IRS (US Taxation). However a couple of "factoid" opinions can be formulated.
A. Exposure/non-exposure is not guaranteed, sometimes even the best protected business will have virii/malware walked in via laptops and vpn's.
B. The bigger the bureaucracy the greater the cost, the less flexible the business and the more tiers in their chain of command the more stops on the way to a cure and the more junk left behind by people who are "willing to take the risk", "do not need to replace this in this fiscal quarter", "downsize systems administrators", "Microsoft and Cisco are the only way to go", "We're not supporting more than one operating system here!".
C. Administrativa does not replace security. You can tell a user not to do something a thousand times just to see them do it again. This includes policies such as "do not bring your laptops/data/crap" from home and plug it in to the corporate LAN, "don't run AOL, etc...", do not install Corp VPN client on your home computer without a firewall.
D. Antivirus software is most likely already present in most corporate and home setups (unless in dark ages) and hence it's the failure of this technology that causes outbreaks.
E. The larger the warehouse of administrative/clerical/non-technology workers using Windows(tm)/Office(tm) the greater the chance for an all-out systems down. Esp. if this cubicle field is adjacent to a Windows NT/2000(tm) server room with Microsoft Certified Systems Engineers (MCSE) running the show, chaperoned by a Microsoft Certified IT Manager (MCIM) who reports to a Microsoft Certified Chief Information Officer (MCCIO)(tm). (but I digress)
F. The less able the business to do business without computers the greater the cost. e.g. All systems down in a Used Car lot means they cannot print contracts or run computer based credit/load check, however paper still works great. All systems down in a Webhosting company is an immediate loss, followed by a long-term customer loss which can reflect directly into dollars.
That all being said, I think the numbers are BULL****! BULL****! BULL****! They are brought to you by the same people who slap those "Information Security Incidents may cost this business $10000000000000000 per incident" posters near the water cooler. Scary enough though people get convicted for crimes under the same "public scare" principle though.
The cost is not just money spent on Antiviral products. These are available for free but most companies would rather pay a little extra and get support for the product. All software causes problems of one kind or another, might as well pay upfront for the solution.
Firing staff for opening .exe messages will not help. Most workers will have no idea how their computer works. You might as well fire them for not being able to tune the breakroom TV. A better policy of blocking mail and scanning it would help. But that takes a skilled IT dept, who will be better paid at a larger company.
The extra costs come from lost time. Some that is very hard to measure. 400 person companies will not have a large helpdesk or IT staff. They are caught in a situation where a large staff is not needed normally, but the existing staff is too small to handle a big problem. So when a large problem does arise the few staff are overworked and it takes a long time to fix, hence the lost money.
Large companies have large support staffs, smaller companies can be fixed relatively rapidly. Those caught in the middle get screwed.
Actually, it really *is* possible to get your costs down to an insignificant level in a small business.
Firstly, my email server bounces all emails with attachments like .exe, .scr, .pif, and the like. No virus coming in, and it generally buys enough time until the anti-virus software can be updated. Cost? Free. Setup time? Less than half an hour, and lasts indefinitely.
Secondly, I have Symantec Antivirus Corporate Edition installed on a server and on all client workstations. It automatically downloads new updates every week. Ok, there was an initial cost to the program, I think $3,000; I haven't bought updates for a few years because it still works great. Why fix what ain't broke? There is the initial setup time, which is 5 minutes per machine, but once it's set up, I've never had to fiddle with it again. Cost plus my time? Realistically, it can be distributed over a three to four year time period, so maybe $600 a year?
This latest virus does do some .zip attachments, which can get past the email server filter, so it will be interesting to see what happens; but, I suspect not much.
Gotta second this one. MailScanner is great.
We have an Exchange 2000 server, but it only talks SMTP to an outside Sendmail box, and uses a pop catchall to import and distribute mail.
The Sendmail box has MailScanner with SpamAssassin and ClamAV (which for an opensource antivirus catches a phenomenal number, and fast!), also blocking any executables.
The Exchange box has TrendWare's AV product on it for both Exchange scanning of all messages as well as protecting the server itself.
The actual clients also have yet another AV product on them.
Multiple layers of AV all updated once a day or more... There is a narrow vector for new worms to come in, but odds of infection, and thus the cost of cleanup are much much lower.
I used to work at a company that does storage and fulfillment for Toyota Motor Manufacturing. They have a contract that says for every hour they can't deliver product, they owe Toyota $100,000. So if a virus were to knock them offline for a 5 hour period, they would lose $500,000 on fines alone.
You forgot to mention that Microsoft hides file extensions anyhow (why, why, why?). That's what the social engineering aspect of these worms relies on.
Time for Microsoft to issue a set of critical security patches which DISABLE FOR ALL TIME file extension hiding.
Like that'll ever happen....
Phil
In other words, they "can't live without" the scheduling, etc. that Outlook and Exchange provides.
Mozilla Mail doesn't provide the scheduling- and even if it did, it's not integrated into the framework like Outlook's is. Same goes for Pegasus Mail, Eudora, and any of the other programs out there.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
You forgot infected machines that are not in your control.
1. They are infected and they increase load of your email server and increase traffic. You are lucky if your provider does not charge for traffic.
2. They are infected, but are sending emails to the wrong addresses. Bounces get back to your server, increase load of your email server, increase traffic and end up in your mailboxes. Bounces are not caught by your virus scanner. Users will call you again within several hours, because somebody says that "they have send the virus".
3. Due to possible false positives, you keep caught message in quarantine. What is your current quarantine size?
4. If you inform sender about caught emails, how much mess is in your server email queue?
You don't administer bigger server, if any info about this worm does not drive you nuts.
No, they are called morons because they do not have any common sense. If an idiot does not check the oil in his car and never gets an oil change, we still consider him a moron when his engine seizes even if he is not a mechanic.
I readily admit that I know virtually nothing about car repair. Even I know enough to get regular maintenance, to check the fluid levels on occasion and stop the car when some warning light comes on the dash. Knowing these things does not make me a mechanic, but are a necessary requirement for basic use. One should know how to run basic maintenance on the machines they use.
So someone is a moron for clicking an attachment just as they are a moron for driving on a flat tire.
Just a Tuna in the Sea of Life
I don't think this thing is exploiting WinZip, is it? I know it's using WinZip to get through firewalls, but I hadn't heard that it exploited WinZip directly. I thought you still had to run the enclosed .scr or .exe yourself.
Cuz if so I'd better get cracking. I'd unzipped one of these earlier. I don't seem to be infected but one never knows.