Monday, June 15, 2015

Information Security Across New Frontiers


New technology and business motivations
Consumer devices are getting smaller, faster and cheaper. With that, they have become mobile and convenient to execute online purchases, payments, administration and a host of other chores swiftly, many of which were not possible just a few years ago. Such consumer conveniences also generate massive amounts of data. Not just transaction data, but also other personal data, like location, user behaviour, and user relationships with other entities. These information are valuable for businesses to profile, target their potential customers and cross-sell products.

What is Valuable?
Data means different things to different people. One man's information is another man's bland data. For instance, company staff directories are treasure coves to executive headhunters, but are merely data to the layperson. In other words, data is 'King', but data in context is information - a 'bigger King'. Further, in the online world of rapidly flashing ether, data in context in immaculate timing is 'King of Kings'. For example, time-sensitive market data exploited for high frequency trading in the financial markets, is a 'King of Kings'. They make millions of dollars literally within seconds. Here, we are referring to immaculately precise and timely operations happening in orders of nano-seconds.

Who are the CyberThieves?
And there are those who lurks in the dark side of Cyberspace, waiting to deceive, steal and disrupt. While the bulk of hackers are 'script kiddies', the ones that we should be worried about are the determined, clever and focused, who vies for  monetary, non-monetary, business, political or social objectives.  It may also be worthy to note that the bulk of security breaches still comes from within organisations. Inside, it is easier to hack. Being in the system, it is easier to know the loopholes and how to clean the tracks once the intrusion is complete. A survey of 100 banks across 30 countries by Kaspersky estimated that internal hackers may have stolen up to a $1 billion in the year 2013.

Future devices now
New consumer devices easily available in the retail market are getting smaller and harder to detect. Wearable computers are gradually creeping into our daily life, in the form of spectacles (eg. Google Glass), wrist watches or wrist bands (eg. Apple Watch), spy pens,...etc. It will not be practical to restrict employees and workers from using such wearable computers.

New control doctrines
As such, information security controls will no longer be perimeter defence, but checks and controls pervasive throughout the system. No entity is completely trusted. There will be numerous cross-verification among users, processes, servers and technologies. Cloud-based intelligence sharing and collaboration will be paramount to keep the system secure.

And so we must implement: more adaptable supervisor-and-executor dual controls for transactions; persistent checks against user account takeovers; centralised loggings capable of reconstructing transactions; and leverages on Cloud-based Cyber-intelligence services.

Eventually, you will notice that for every business function, say a "Make Payment" request,  the application system will invoke six or seven security processes of identification, authentication, verification, logging,...etc. So be prepared for added computing power or suffer a deterioration in application response time.

New Controls
In moving across new electronic frontiers, merely implementing the conventional firewalls, intrusion detection system, malware detection system, encryption and identity access management is no longer sufficient.

Increasingly, new controls will be based on different root technologies, as it is difficult to arrest an intrusion with the same technology. For instance, it is difficult to use web technology to detect the Man-In-The-Browser attack. Such attacks are so elusive that they can happen right under the user's nose, without the realisation that his transaction is compromised. The user would be under the impression that he is safe, having observed all the secure procedures like, entering his id, password and even one-time code generated from a secure physical token, but oblivious that he has been attacked.

To detect such attacks, other technologies such as, cognitive biometrics and trend analysers, among others,  have to be deployed.

Cognitive biometrics recognises the usual pattern a user touches and moves his devices, and differentiates if it is from a Cyberbot or a human intruder. Trend analysers detect usage anomalies, like sharp jumps in frequency of usage, or the sums of money being transacted.

Extending beyond Security
Trend analyses require broader aspects of data collection and mining, leading to what is called 'Big Data' processing. And with the ubiquitous use of the Internet and the growing ambitions of businesses, Big Data gets bigger everyday.

Back in the early 1990s when I was in oil and gas exploration, we thought the seismic trace interpretation data we were processing were massive. These were data of induced and echoed sound captured from vast oil exploration sites stretching thousands of square kilometres in surface area and kilometres deep into the subterranean. Think of it as a gigantic 3-dimensional volume of sound amplitudes at one-hundred metre grid intervals. Upon collection of the data, we cleaned up the noise, modeled an algorithm and mined them for useful information with the goal of discovering oil and gas deposits. Much the same as in modern day generic Big Data operations. However, while those Petabytes of data were notoriously large to handle with the technology those days, they are no longer considered big by today's standards.

Besides the intimidating size of the data, diversity, data properties and data locations, are some of the other challenges. Data can come from varied sources, in structured and unstructured, formal and informal formats. In my opinion, using data just from the organisation's daily transaction gravitates towards 'Business Intelligence'. It is not just a matter of definition, it does have semantic differences in scope. In Big Data operations, data comes from many sources, and sometimes we may not even know what the real question is when we stumble upon unexpected and interesting patterns. When that happens, basic assumptions are challenged and re-established. We will then have to go back to the basics to clarify our objectives, before  moving forward.

The extent of Big Data is powerful. It can be used not only to detect fraud, but also to (for the case of banking) verify that clients are clean enough to bring onboard and and yet comply to central bank regulations against anti-money laundering (AML).

Implementation
Before proceeding to implement, make the aforesaid benefits clear to your stakeholders. Start your security controls small within the less ambitious goals, but make it known to your sponsors and stakeholders that these technologies can be extended to offer a lot more in the future.

Now, go down to basics  and define the Proof of Concepts (POCs) of the technologies that can solve your problems.  The challenge here is to define what constitutes a successful POC. For instance, if we are testing a cognitive biometric system to weed out fake users, is the product coming up with a lot of suspected users a better one than the one that comes up with lesser suspects? How do we know which one has more or less False Positives and False Negatives? It is all well and good if we are testing them on simulated data, but how would simulated data be of any real help? Ultimately, the real proof is in the pudding - that is, with real-time transactions, and for that, the results may be difficult to ascertain.

Then, we will have to dwell into the fundamental science the product is based on. If the vendor's description of what their product is based on are fuzzy and ill-defined (granted that they have to keep their trade secret), then chances are that they are not to be trusted.

Ultimately, a quantitative and qualitative POC definition success indicators is essential, before each technology is tested.

Once the POCs are proven, it is now time to take stock of your existing system to make sure that it is fundamentally sound. For instance, to ensure that the user authorisation, centralised log server and the fraud management rules engine are operating smoothly and securely administered, before the new technologies are added.

As usual, implement the new controls in stages starting with the quick and easier wins to convince your stakeholders, to secure the approval of the next phases of development.

Conclusion
New devices are attractive because they bring in new businesses and opportunities. Data cleverly harnessed are valuable and can literally make you millions of dollars in seconds. As with all treasures, there will be thieves lurking. Given all these new technological frontiers opening, we need better and more sophisticated controls. These controls, unlike in the past, comes from varied technologies and must no longer be perimeter defences, but pervasive throughout the information system. New pervasive controls are powerful and can serve beyond the objectives of data protection. These new controls can be leveraged to analyse business trends and manage fraud. Implementation must be approached step-by-step and iteratively, while keeping the management informed of their massive potentials for the future.


This article is a very brief summary. It dwells on the salient points of the new frontiers of information security and how we can proceed to implement the technical controls. There are a myriad of other business and managerial considerations in a real life situation. Given the limitation of space here, we shall leave those other discussions in another article, another time.



Note: We are now an official media partner with BIGIT INSIGHT. This article will be published in their magazine.

No comments:

Post a Comment