A Brief Glimpse into the Risks of Managing Confidential and Sensitive Data Within Your Organization

Whether your organization is a boutique insurance company or a multi‐national healthcare service provider, you are likely handling increasingly large amounts of confidential or sensitive data on a daily basis.

In our ever more connected world, electronically sharing sensitive or confidential data with members of our organization or with third-party entities is an integral part of our daily tasks. With this comes the responsibility of ensuring that this data is safe from prying eyes and malicious data thieves.

Maintaining regulatory compliance for sensitive and confidential data handling becomes harder when a misstep by an employee with no malicious intent puts your organization in hot water with regulators over a violation. Yet whether a regulatory violation results from a criminal act or from employee negligence or error, the risks to your organization are the same.

Understanding the risks of mishandling confidential or sensitive data can often help us pay closer attention to managing the security around such data. Below is a basic list of what you need to be aware of if sensitive or confidential data is lost:

Financial Penalties

The financial penalties of sensitive or confidential data loss can cause significant hardship for organizations, both in the short‐term and the long‐term. The costs can vary depending on the significance and scope of the breach, or whether the breach involves compliance standards being compromised.

Compliance Violation Fee: If the loss of data breaches any one of the industry‐specific regulatory obligations, organizations can face violation fees as high as $1.5 million per calendar year.

Remediation Cost: According to the latest study conducted by Ponemon Institute, it can cost on average $204 per breached record (up from $138 in 2005), most of which ($144) is associated with indirect costs such as lost revenue.

Customer Dissatisfaction

Customer dissatisfaction resulting directly from a data breach incident can be the main driver of data breach costs. An interesting statistic from Ponemon Institute is the average abnormal churn rate, measured as the loss of customers who were directly affected by the data breach event, broken down by industry:

[Chart: average abnormal churn rate by industry. Source: Ponemon Institute]

Reputation Damage

In addition to the high financial cost of regulatory scrutiny, the reputation cost of a breach can cause significant long‐term damage for an organization. With reputation being an organization’s most valuable asset, it is not a surprise that a reputation loss caused by a data breach can be crippling.

When visualizing the financial cost of reputation damage caused by a data breach, Ponemon Institute found that the economic value of reputation and brand ranged from less than 10 percent to greater than 5 times an organization’s annual gross revenues. Depending upon the type of breach, the value of brand and reputation could decline as much as 17 percent to 31 percent of annual gross revenues.

Assessing these risks gives those who handle sensitive data concrete reasons to put before high-level decision makers for paying closer attention to data security, and helps those decision makers gain a better understanding of the risks.

The aim of this article is to provide a brief glimpse into the consequences of sensitive and confidential data loss. EdgeWave’s main website provides significantly more information about the costs of data loss and how you can protect your organization. Be sure to visit our White Paper Resource Page for more detailed information on this and other security topics.

As always please feel free to comment below or email us with any questions you may have on data loss and prevention.

The EdgeWave Team

EdgeWave Names Technology Veterans to Key Executive Positions

It is with great pleasure that we announce the appointment of two distinguished technology veterans to the EdgeWave team. Dave Maquera has been named to the newly created position of President, and Steve Kelley has been appointed SVP of Corporate Development and Product Strategy.

Dave Maquera brings over 25 years of executive leadership experience, most recently as Chief Strategy Officer and Senior Vice President of Clearwire, where he led strategic and corporate initiatives that produced strategic partnerships and funding opportunities. Maquera established Clearwire as a co-founder of the largest global partnership for 4G smartphone/device technology ecosystems in the industry. This partnership included China Mobile, Vodafone, Softbank, and others, with a combined wireless customer base of over one billion people. Maquera holds a B.A. from the University of Pennsylvania and an M.B.A. from Harvard.

Steve Kelley is a security software veteran with over 15 years of experience in technology strategy, product management, and business development roles in the enterprise information technology industry. His prior experience includes working at BeyondTrust as EVP, Corporate Development, where he helped drive the firm’s product and M&A strategy to reposition the company as the global leader of Privileged Identity Management solutions across physical, virtual and cloud-based data centers. Kelley holds a B.B.A. from the University of Notre Dame and an M.B.A. from the Kellogg School of Management at Northwestern University.

EdgeWave is excited to have executives of this caliber join our team. In the words of EdgeWave’s CEO, Lou Ryan, “As president, Dave will be focused on improving internal efficiencies, a role ideally suited for his proven track record of management accomplishments and superlative leadership skills. We look to Steve to bring a wealth of industry-savvy strategic vision and entrepreneurial energy to our product roadmap.”

For full details of EdgeWave’s two new executive additions, be sure to read our full Press Release.

The EdgeWave Team

Spammers Using News of RSA Token Compromise as Malware Lure

By now, most people who know who RSA is and what they do should be aware that a couple of weeks ago the company finally admitted that its security tokens had been compromised. Earlier today spammers took advantage of this news, crafting a new malware campaign to ride the wave of bad press surrounding the security company.

Spammers sent out messages hijacking the NSA logo and using subjects such as “Go id token update”, “Security token update”, “Token software update” and similar permutations. The body of the messages states that “A important vulnerability has been discovered in a certain types of our token devices.”, evidently confusing RSA with the NSA. The poor grammar should be a dead giveaway to most that this is a bogus message, but those who just skim and click may find themselves embroiled in a malware party where the guests are most certainly unwanted.

[Image: NSA spoof email. Malware campaign hijacking the NSA logo.]

The two links in the body of the message both lead to a Windows executable, one named blocked_list.exe, the other token_security_update.exe. Both appear to be the same malicious payload. The malware is identified as Zbot or Kazy depending on the antivirus vendor, and is currently detected by only 30% of the 40+ AV engines at VirusTotal.

Zbot is a persistent and very dangerous piece of malware. It has historically been associated with enabling sophisticated bank fraud by silently enabling remote attackers to hijack online banking sessions initiated by a legitimate user on an infected machine, among other nefarious capabilities.

Thanks to the iGuard team for helping to identify this campaign.

Are you interested in an exclusive invite to the IRS Summer Forums 2011?

Me neither, but if you are, consider yourself a potential target for the latest scam from the criminal underground.

Yesterday, our defense network flagged an anomalous clustering of messages which when analyzed revealed an interesting virus campaign. The messages come with subjects such as “The IRS 2011 Summer Forums”, and “The Internal Revenue Service 2011 Summer Forums Invitation”, among other similar variants.

[Image: malicious IRS Summer Forums invitation email]

The body of the message opens with the salutation “Exclusively for [targeted individual],” with the recipient’s full name in place of the bracketed text. The message goes on to describe the events, which seem like something only tax practitioners would be even remotely interested in. Apparently the IRS does host such events, and a quick look shows that the IRS is aware of the malicious campaign.

It seems a strange hook for tricking end users into opening a malicious attachment. This obscurity may imply that the perpetrators have set their sights on small-business individuals who have privileged access to financial information and systems. This kind of targeted attack is called spear-phishing, and it continues to be one of the most significant threats on the web today.

Attached to this wolf in sheep’s clothing is a specially crafted Microsoft Word document containing an Adobe Flash based exploit. To the victim the document would appear blank, or it might crash the program. Either way, opening the document (named application_form.doc) initiates the attack against the user’s system, resulting in code execution that downloads further malicious software to run on the now compromised machine. That malware is typically associated with rootkits that give attackers a backdoor into the system, allowing a remote attacker to monitor keystrokes, search the hard drive and even piggyback on encrypted sessions with online banking systems.

The vulnerability is tracked as CVE-2011-0611, which Adobe rates “Critical”. It was initially discovered back in April of this year, circulating in the wild as a zero-day exploit, and was also implicated in some of the high-profile targeted attacks earlier this year, as noted in my previous post.

At the time of our detection, the malicious .doc was recognized by only two of the 43 antivirus engines at VirusTotal. As of this writing, nearly 24 hours later, detection remains low at a paltry five engines, or not quite 12%.

This campaign continues a string of Advanced Persistent Threats that security researchers are coming to know as the new face of spam. Gone are the days when spam was a mere annoyance, blasted out indiscriminately across the web. Over the past year spam has taken an ugly turn towards low-volume, more specific targeting and innocuous-seeming, or downright misleading, content. A single click could grant cybercriminals potentially thousands of miles away access to the machine, and to the privileged access that machine enjoys in the larger network. Spam volume may be down, but the threats are more sophisticated and dangerous than ever.

Alert! CVE-2010-1885 Subpoena Threat and Targeted Attack Against .us ccTLD

Today, I came across a couple of interesting spam campaigns.

The first campaign spoofed the sender as “inform@ffiec.gov” (Federal Financial Institutions Examination Council). The message threatened the recipient with a subpoena due to “suspect financial activity on your account”. While the message was rather poor in its construction, containing several spelling and grammatical errors, the attack was interesting in its use of misdirection.

The recipient was directed to click on a link for more information about the pending “case file”. Clicking the link would run the browser up against a drive-by exploit, but the victim would have no indication that anything bad had just happened: all they would see is a legitimate website, www.iccwbo.org. The attackers constructed the malicious webpage so that it loads the content of the ICC (International Chamber of Commerce) site in an iframe, while the browser is busy executing obfuscated JavaScript unbeknownst to the victim.

The JavaScript attempts to exploit CVE-2010-1885, perhaps better known as the “Windows Help and Support Center Vulnerability”, which surfaced almost exactly one year ago. We saw a lot of malicious activity around this exploit last year when it was included in several exploit kits and helped to build the next generation of botnets.

Evidently enough people out there still haven’t patched their systems that the attackers felt this particular vulnerability would succeed, even though a patch has been available from Microsoft for many months.

The other campaign is perhaps the more interesting of the two. Everyone is (or should be!) familiar with phishing emails. This campaign spoofed a message from “Chase Paymentech” with the subject: “Welcome to Chase Paymentech”. The message was well constructed and appears to have used a genuine message from Chase as a template.

This was no phishing attempt however.

The call to action was for the victim to open an attached .doc in order “[t]o begin accepting customer payments, please activate your account now by following these easy steps”, the first step being, of course, to open the attachment. In this case the document was named “merchant_info.doc” and contained an embedded Shockwave Flash document. The document appears to target the CVE-2011-0611 vulnerability in Adobe Flash Player, a relatively recent exploit first seen in the wild in mid-April of this year.

This particular vulnerability seems to be a favorite for spear-phishing type attacks and may have been involved in some of the recent high-profile attacks, notably against RSA and others. At the time of detection by our systems, none of the AV engines at VirusTotal detected the infected .doc as malicious.
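Both application_form.doc (the IRS lure above) and merchant_info.doc carried an embedded Flash object, and at first sight AV coverage was near zero, so a gateway rule that keys on the attachment's structure rather than on signatures is useful. The following Python is an added example, not EdgeWave's own tooling: it scans a .doc for the SWF file header and for the Flash OLE class name so such attachments can be held for review; the two byte samples are constructed here, and the plausibility limits on the SWF version and length are assumptions.

```python
import re
import struct

# Constructed sample: an OLE-style prefix, the Flash OLE class name, and a
# plausible compressed SWF header (CWS, version 10, declared length 60 bytes).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MALICIOUS_DOC = (
    OLE_MAGIC + b"\x00" * 24
    + b"ShockwaveFlash.ShockwaveFlash\x00"
    + b"CWS" + b"\x0a" + struct.pack("<I", 60) + b"\x78\x9c" + b"\x00" * 50
)
# Constructed benign sample: same container magic, ordinary text, no Flash.
BENIGN_DOC = OLE_MAGIC + b"\x00" * 24 + b"Quarterly report text, nothing embedded."

# SWF header: 3-byte signature (FWS uncompressed, CWS zlib, ZWS LZMA),
# 1-byte version, 4-byte little-endian total SWF length.
SWF_SIG = re.compile(rb"[FCZ]WS")

def find_embedded_swf(data, max_version=40):
    """Return (offset, compression, version, declared_length) for every SWF
    header whose version and declared length are plausible for the container.
    The version ceiling is an assumed sanity bound to cut false positives."""
    hits = []
    for m in SWF_SIG.finditer(data):
        off = m.start()
        if off + 8 > len(data):
            continue
        version = data[off + 3]
        length = struct.unpack_from("<I", data, off + 4)[0]
        if 1 <= version <= max_version and 8 <= length <= len(data) - off:
            hits.append((off, chr(data[off]), version, length))
    return hits

def has_flash_class_name(data):
    """Embedded OLE objects are named in the storage; the Flash ActiveX control
    appears as ShockwaveFlash, in ASCII or in UTF-16LE stream names."""
    return b"ShockwaveFlash" in data or "ShockwaveFlash".encode("utf-16-le") in data

def should_quarantine(data):
    """Gateway policy: hold any .doc that carries a Flash object or SWF header,
    independent of whether an AV engine has a signature for it yet."""
    return bool(find_embedded_swf(data)) or has_flash_class_name(data)
```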

Another interesting aspect of this campaign is that it appears to be targeting domains in the .us ccTLD exclusively.

As always, it is wise to use extreme caution when dealing with email links and attachments. Even up-to-date AV engines tend to struggle with detecting the front-line attacks we see frequently directed over email.