Cyber Horror Stories: Experts Share 3 Chilling Security Disasters

Every year around Halloween, CISOs and security professionals gather around the campfire to tell spooky tales. This year, Barak Engel and Petri Kuivala join Hoxhunt to share some of their cyber horror stories from the past. Learn, laugh, and enjoy!

Updated: October 29, 2024
Written by: Maxime Cartier

Every October, we get into the Halloween spirit by celebrating the things that go bump in the night. But for those in cybersecurity, the chills don't stop with haunted houses and ghost stories. October is also Cybersecurity Awareness Month, a time when CISOs and security professionals gather around the campfire to share the real-life horrors that haunt their networks and systems.

What better way to mark the season than by swapping terrifying tales of monster phish, malware nightmares, fearsome feedback, and insider threats? These are the cyber horror stories that have kept many security pros awake, staring at their monitors in the dead of night.

Below are three such bone-chilling accounts from the frontlines of cybersecurity. Well, they're actually all pretty funny in the end, but these tales certainly start with elements of terror.

The Malware is coming from inside the house!

It's an all-time creepy campfire story: a mysterious caller keeps threatening the babysitter at night with scary one-liners like, "Have you checked on the children lately?" She calls 911, and after a few minutes, the operator yells: "GET OUT GET OUT, THE CALL IS COMING FROM INSIDE THE HOUSE!"

Barak Engel managed a funnier version with a happy ending when he traced repeated malware incidents at a company back to one salesperson. It turns out the salesperson was just really curious about what would happen if he clicked on a malicious link.

Transcript:

We had a persistent virus issue at a company, specifically in the go-to-market department. After some investigation, we tracked it down to one user. This user was repeatedly triggering virus infections, or at least our antivirus was constantly catching them.

So, we brought him in for an interview. I sat down with him and asked, "What's going on? Why do you keep getting these virus infections?" He looked at me, puzzled, and said, "Well, I’m curious. When I see something that looks like a virus, I click on it because I want to see what it does."

Now, I don’t know how most people would respond to that, but I suspect the usual reaction would involve some kind of HR action. Maybe a reprimand or a stern warning. But I took a deep breath. I was sitting next to the head of IT, and instead of taking disciplinary action, we decided to give him a special computer. This machine was isolated from the network, just a basic setup with an Internet connection, so he could explore all the viruses he wanted without risking the rest of the system.

We told him, "You know, we love your curiosity! Keep checking out those viruses. But in return, we just ask that you share with your team what you’ve learned."

That turned out to be the most effective security awareness training I’ve ever conducted. This guy was so enthusiastic! He ended up getting everyone else excited about security too. He eventually even transitioned into the security team himself.

I remember at one point, I had about 20 salespeople in an enterprise software company suddenly interested in security because of him. He was outgoing, your typical salesperson type, and he would come up to me and say, "Hey, check this out! Look at what this virus did!" He made it sound so cool. It opened up all these weird things on his computer, and he’d share it with everyone.

It was a really powerful moment. What started as a potentially dangerous situation turned into a learning experience that sparked a whole group of people’s interest in security.

--Barak Engel, vCISO, Founder of EAmmune

The crappy report and the feedback from hell

"Alexander and the Terrible, Horrible, No Good, Very Bad Day" wasn't a horror story exactly, but it certainly detailed a horrible day. That would sum up Petri Kuivala's experience in a new role at a new company when he gave his first BoD cybersecurity report to his CFO for review.

The CFO's feedback contained one word: "S**t."

Transcript:

I'm a long-time CSO, having held the role since 2009, and I’ve got plenty of horror stories. But let me share one that stands out.

Back in the day, I was tasked with developing a cybersecurity report for the board of directors. This was over a decade ago, and no one had a blueprint for such a thing. I had to figure it out on my own, doing the best I could.

I knew I needed to use simple language, so I decided to employ traffic light colors—everyone understands them intuitively. My goal was to condense everything onto one page. This was a challenge because I was working for a large corporation with over ten factories, a lot of R&D, and hundreds of locations. Trying to fit all that security information onto a single page was difficult, especially since I was still fairly new to the organization.

I chose to simplify the NIST framework and use the traffic light colors to make it more understandable. I was quite proud of what I’d come up with, as any young professional might be. I sent the one-pager to the CFO, expecting (some praise), a clap on the shoulder. After a couple of hours, I got an email back. It was just one word:

“S**t.”

I didn’t know s**t about what the expectations were, so it was damn difficult (to process). I didn’t know s**t about what he was really expecting, and there was no feedback whatsoever in his email.

So, I had to study the s**t to understand better and to get a better grasp of his expectations. It was tough.

Eventually, things improved. The key was adopting a listening mindset. Instead of pushing my own ideas, I started focusing on what they were actually worried about. We discussed topics like human security—subjects everyone could relate to—and spent more time listening to their concerns.

In the end, we created a solid report that was used for many years. But looking back, it was a learning experience, and quite a ridiculous one at that.

--Petri Kuivala, CISO Advisor, former CISO of Nokia and NXP Semiconductors

The exorcism of “Enemy1991”

It's the moment every CISO dreads: the hacker is in your system and now you must pay... or else. How did Petri deal with this as a young security professional at Nokia?

Transcript:

I’ve been a CISO for a long time and have multiple cyber horror stories under my belt. This particular case happened before I became a CISO. It was really early in my cyber career, back in 2002, when I got a phone call.

I was a junior in a large organization, which I can probably name now: Nokia. Someone called me to say that one of our major services had been taken over by hackers.

At first, I doubted it, but I traveled an hour to the location, where I met with people in the war room. The reality was that there were 17 unknown accounts, all with major or admin access to the SQL database.

For those unfamiliar, that means admin access to everything.

Funnily enough, one of the account names was "Enemy1991." The room was in chaos. I was young, having recently come from a police organization, and the only thing I could do was project calmness and make sure we started to understand what exactly we were fighting.

We quickly realized that if we shut down the service, we’d lose more than €1,000,000 a day. But within a day, we had no choice but to shut it down. When we tried to kick out Enemy1991 and his friends from the system, they locked us out. Our only option was to pull the plug.

Eventually, we analyzed the system and realized it had been extremely poorly maintained. No SSL was used, there was no input validation, everything was running with admin rights, and there were no backups.

This experience really showed me how far we’ve come as an industry. It’s not a horror story that’s likely to be repeated anymore, but back then, it certainly was.

--Petri Kuivala, CISO Advisor, former CISO of Nokia and NXP Semiconductors
