New technology and business motivations
Consumer devices are getting smaller, faster and cheaper. With that, they have become mobile and convenient for executing online purchases, payments, administration and a host of other chores swiftly, many of which were not possible just a few years ago. Such consumer conveniences also generate massive amounts of data: not just transaction data, but also other personal data like location, user behaviour and the user's relationships with other entities. This information is valuable to businesses for profiling and targeting potential customers and for cross-selling products.
What is Valuable?
Data means different things to different people. One man's information is another man's bland data. For instance, company staff directories are treasure troves to executive headhunters, but merely data to the layperson. In other words, data is 'King', but data in context is information, a 'bigger King'. Further, in the online world of rapidly flashing ether, data in context delivered with immaculate timing is 'King of Kings'. For example, time-sensitive market data exploited for high-frequency trading in the financial markets is a 'King of Kings'. Traders make millions of dollars literally within seconds. Here, we are referring to immaculately precise and timely operations happening in the order of microseconds.
Who are the CyberThieves?
And there are those who lurk on the dark side of Cyberspace, waiting to deceive, steal and disrupt. While the bulk of hackers are 'script kiddies', the ones we should be worried about are the determined, clever and focused, who vie for monetary, non-monetary, business, political or social objectives. It is also worth noting that the bulk of security breaches still comes from within organisations. Inside, it is easier to hack: being in the system, it is easier to know the loopholes and how to clean up one's tracks once the intrusion is complete. A Kaspersky report covering about 100 banks across 30 countries estimated that attackers who had gained insider-level access to the banks' networks, by compromising staff workstations, may have stolen up to $1 billion in a campaign that began in 2013.
Future devices now
New consumer devices easily available in the retail market are getting smaller and harder to detect. Wearable computers are gradually creeping into our daily life, in the form of spectacles (e.g. Google Glass), wrist watches or wrist bands (e.g. Apple Watch), spy pens, etc. It will not be practical to restrict employees and workers from using such wearable computers.
New control doctrines
As such, information security controls will no longer be perimeter defences, but checks and controls pervasive throughout the system. No entity is completely trusted. There will be numerous cross-verifications among users, processes, servers and technologies. Cloud-based intelligence sharing and collaboration will be paramount to keeping the system secure.
And so we must implement: more adaptable supervisor-and-executor (maker-checker) dual controls for transactions; persistent checks against user account takeovers; centralised logging capable of reconstructing transactions; and leverage of Cloud-based Cyber-intelligence services.
Eventually, you will notice that for every business function, say a "Make Payment" request, the application system will invoke six or seven security processes: identification, authentication, authorisation, verification, logging, etc. So be prepared for added computing power, or suffer a deterioration in application response time.
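To make the chain of controls concrete, here is an added example (written for this page, not code from the article or from any bank) of a "Make Payment" request passing through identification, authentication, role-based authorisation, supervisor-and-executor dual control, a limit check and a hash-chained centralised log from which the transaction can be reconstructed. The user directory, session key, limits and token format are all constructed assumptions.

```python
"""Added example: one 'Make Payment' request passed through pervasive controls.
Identification, authentication, authorisation, maker-checker dual control,
limit verification and a hash-chained audit log. Users, key and limits are
constructed for illustration."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

SESSION_KEY = b"assumed-server-side-session-key"

# Constructed user directory: executors initiate payments, supervisors approve.
USERS = {
    "alice": {"roles": {"executor"}, "daily_limit": 5000},
    "bob": {"roles": {"supervisor", "executor"}, "daily_limit": 2000},
}

def issue_session(user: str) -> str:
    """Login has already succeeded; the result is an HMAC-tagged session token."""
    tag = hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{tag}"

def identify_and_authenticate(token: str) -> str:
    """Identification (which user?) and authentication (is the tag genuine?)."""
    user, _, tag = token.partition(":")
    expected = hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()
    if user not in USERS or not hmac.compare_digest(tag, expected):
        raise PermissionError("authentication failed")
    return user

class AuditLog:
    """Centralised log; each entry commits to the previous entry's hash, so a
    deleted, altered or reordered record is detectable during reconstruction."""
    def __init__(self) -> None:
        self.entries: list = []

    def _digest(self, prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "event": event, "hash": self._digest(prev, event)})

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["event"]):
                return False
            prev = e["hash"]
        return True

    def reconstruct(self, txn: str) -> list:
        """Every recorded step of one transaction, in order."""
        return [e["event"] for e in self.entries if e["event"].get("txn") == txn]

@dataclass
class Payment:
    txn: str
    payee: str
    amount: int
    maker: Optional[str] = None
    checker: Optional[str] = None
    status: str = "new"

class PaymentService:
    def __init__(self) -> None:
        self.log = AuditLog()
        self.approved_today: dict = {}

    def make(self, token: str, pay: Payment) -> Payment:
        """Executor step: identify, authenticate, authorise, verify limit, log."""
        user = identify_and_authenticate(token)
        if "executor" not in USERS[user]["roles"]:
            raise PermissionError("only executors may initiate a payment")
        if self.approved_today.get(user, 0) + pay.amount > USERS[user]["daily_limit"]:
            raise ValueError("payment would exceed the maker's daily limit")
        pay.maker, pay.status = user, "pending"
        self.log.append({"txn": pay.txn, "step": "make", "by": user,
                         "payee": pay.payee, "amount": pay.amount})
        return pay

    def check(self, token: str, pay: Payment) -> Payment:
        """Supervisor step: a second, different person must approve."""
        user = identify_and_authenticate(token)
        if "supervisor" not in USERS[user]["roles"]:
            raise PermissionError("only supervisors may approve a payment")
        if user == pay.maker:
            raise PermissionError("dual control: maker may not approve own payment")
        if pay.status != "pending":
            raise ValueError("payment is not awaiting approval")
        pay.checker, pay.status = user, "approved"
        self.approved_today[pay.maker] = self.approved_today.get(pay.maker, 0) + pay.amount
        self.log.append({"txn": pay.txn, "step": "check", "by": user, "amount": pay.amount})
        return pay
```

Note that the dual-control check is separate from the role check: a user who legitimately holds both roles (bob above) can initiate and can approve, but never both on the same payment. Each extra hop (token verification, limit lookup, log append with a hash) is a small cost on its own; multiplied across every business function it is the computing overhead the paragraph warns about.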
New Controls
In moving across new electronic frontiers, merely implementing conventional firewalls, intrusion detection systems, malware detection systems, encryption and identity and access management is no longer sufficient.
Increasingly, new controls will be based on different root technologies, as it is difficult to arrest an intrusion with the same technology it exploits. For instance, it is difficult to use web technology to detect a Man-In-The-Browser attack. Such attacks are so elusive that they can happen right under the user's nose, without any realisation that the transaction is compromised. The user would be under the impression that he is safe, having observed all the secure procedures, like entering his id, password and even a one-time code generated from a secure physical token, but oblivious that he has been attacked. The malware sits inside the browser, so it can rewrite the payee and amount after the user has seen and approved them, and a one-time code that is not bound to those details authorises the altered transaction just as readily as the intended one.
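The following added example (constructed for this page; not code from the article, and the token algorithm, seed and accounts are assumptions) simulates that attack: the user sees one payee and amount and enters a one-time code, malware in the browser rewrites the form before submission, and the bank verifies the code. With a conventional code that is valid for any transaction the altered payment is accepted; with a code computed off-browser over the payee and amount the user actually read, it is rejected. The second variant is one example of the "different root technology" the paragraph calls for, since the binding happens on the physical token rather than in the web stack.

```python
"""Added example: Man-In-The-Browser against an OTP-protected payment.
Seed, accounts and the code derivation are constructed for illustration."""
import hashlib
import hmac

TOKEN_SEED = b"assumed-per-user-token-seed"   # shared by the bank and the user's token

def _six_digits(mac: bytes) -> str:
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def otp_unbound(counter: int) -> str:
    """Conventional event-based code: depends only on the token counter."""
    return _six_digits(hmac.new(TOKEN_SEED, str(counter).encode(), hashlib.sha256).digest())

def otp_bound(counter: int, payee: str, amount: int) -> str:
    """Transaction-bound code: also commits to what the user read on screen
    (typed into, or scanned by, the physical token rather than the browser)."""
    msg = f"{counter}|{payee}|{amount}".encode()
    return _six_digits(hmac.new(TOKEN_SEED, msg, hashlib.sha256).digest())

def bank_verify(form: dict, counter: int, bound: bool) -> bool:
    """The bank recomputes the expected code from what was actually submitted."""
    expected = (otp_bound(counter, form["payee"], form["amount"]) if bound
                else otp_unbound(counter))
    return hmac.compare_digest(form["otp"], expected)

def man_in_the_browser(form: dict) -> dict:
    """The malware rewrites the POST body after the user pressed Submit."""
    tampered = dict(form)
    tampered["payee"] = "MULE-ACCOUNT-999"
    tampered["amount"] = 9_500
    return tampered

def simulate(bound: bool, counter: int = 7) -> dict:
    """What the user saw versus what the bank processed."""
    seen = {"payee": "ACME Utilities", "amount": 120}
    code = (otp_bound(counter, seen["payee"], seen["amount"]) if bound
            else otp_unbound(counter))
    submitted = man_in_the_browser({**seen, "otp": code})
    return {"accepted": bank_verify(submitted, counter, bound),
            "payee_credited": submitted["payee"],
            "amount_debited": submitted["amount"]}
```

The point to check in any real deployment is the second branch: the token must receive the payee and amount through a channel the browser cannot rewrite, otherwise the malware simply feeds it the mule account's details too.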
To detect such attacks, other technologies, such as cognitive biometrics and trend analysers among others, have to be deployed. Cognitive biometrics learns the usual pattern in which a user touches and moves his devices, and differentiates that from a Cyberbot or a human intruder. Trend analysers detect usage anomalies, like sharp jumps in the frequency of usage or in the sums of money being transacted.
Extending beyond Security
Trend analyses require broader data collection and mining, leading to what is called 'Big Data' processing. And with the ubiquitous use of the Internet and the growing ambitions of businesses, Big Data gets bigger every day.
Back in the early 1990s, when I was in oil and gas exploration, we thought the seismic trace interpretation data we were processing was massive. This was data of induced and echoed sound captured from vast oil exploration sites stretching thousands of square kilometres in surface area and kilometres deep into the subterranean. Think of it as a gigantic 3-dimensional volume of sound amplitudes at one-hundred metre grid intervals. Upon collection of the data, we cleaned up the noise, modelled an algorithm and mined them for useful information with the goal of discovering oil and gas deposits. Much the same as in modern-day generic Big Data operations. However, while those Petabytes of data were notoriously large to handle with the technology of those days, they are no longer considered big by today's standards.
Besides the intimidating size of the data, its diversity, properties and locations are some of the other challenges. Data can come from varied sources, in structured and unstructured, formal and informal formats. In my opinion, using data just from the organisation's daily transactions gravitates towards 'Business Intelligence'. It is not just a matter of definition; there are semantic differences in scope. In Big Data operations, data comes from many sources, and sometimes we may not even know what the real question is when we stumble upon unexpected and interesting patterns. When that happens, basic assumptions are challenged and re-established. We will then have to go back to basics to clarify our objectives before moving forward.
The reach of Big Data is powerful. It can be used not only to detect fraud, but also (in the case of banking) to verify that clients are clean enough to bring on board while complying with the central bank's anti-money laundering (AML) regulations.
Implementation
Before proceeding to implement, make the aforesaid benefits clear to your stakeholders. Start your security controls small, within less ambitious goals, but make it known to your sponsors and stakeholders that these technologies can be extended to offer a lot more in the future.
Now, go down to basics and define the Proofs of Concept (POCs) for the technologies that can solve your problems.
The challenge here is to define what constitutes a successful POC. For instance, if we are testing a cognitive biometric system to weed out fake users, is the product that comes up with a lot of suspected users better than the one that comes up with fewer suspects? How do we know which one has more or fewer False Positives and False Negatives? Neither can be counted without a labelled reference set, that is, sessions independently confirmed as fraudulent or genuine, against which each product's verdicts are scored. It is all well and good if we are testing them on simulated data, but how would simulated data be of any real help? Ultimately, the proof of the pudding is in the eating, that is, with real-time transactions, and for that the results may be difficult to ascertain.
Then, we will have to delve into the fundamental science the product is based on. If the vendor's description of what their product is based on is fuzzy and ill-defined (granted that they have to keep their trade secrets), then chances are that they are not to be trusted.
Ultimately, defining quantitative and qualitative success indicators for the POC is essential before each technology is tested.
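The following added example (constructed for this page, not from the article; the session labels, the two products' verdicts and the pass thresholds are all assumptions) scores two candidate detectors on the same labelled sample, so that "flags more suspects" can be judged against false positives and false negatives and against success indicators fixed before the test:

```python
"""Added example: scoring two POC candidates against a labelled sample.
Labels, verdicts and thresholds are constructed for illustration."""

def confusion(labels, flags) -> dict:
    """labels: True where the session was confirmed fraudulent;
    flags: True where the product raised a suspect. Parallel lists."""
    tp = sum(1 for l, f in zip(labels, flags) if l and f)
    fp = sum(1 for l, f in zip(labels, flags) if not l and f)
    fn = sum(1 for l, f in zip(labels, flags) if l and not f)
    tn = sum(1 for l, f in zip(labels, flags) if not l and not f)
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn}

def metrics(labels, flags) -> dict:
    c = confusion(labels, flags)
    pos = c["tp"] + c["fn"]          # truly fraudulent sessions
    neg = c["fp"] + c["tn"]          # truly genuine sessions
    flagged = c["tp"] + c["fp"]      # what the vendor demo would show you
    return {
        "flagged": flagged,
        "precision": c["tp"] / flagged if flagged else 0.0,
        "recall": c["tp"] / pos if pos else 0.0,               # 1 - false negative rate
        "false_positive_rate": c["fp"] / neg if neg else 0.0,  # genuine users harassed
        "false_negative_rate": c["fn"] / pos if pos else 0.0,  # fraud that got through
    }

def meets_poc_criteria(m: dict, min_recall: float = 0.9, max_fpr: float = 0.1) -> bool:
    """Quantitative success indicators agreed before the test (assumed values)."""
    return m["recall"] >= min_recall and m["false_positive_rate"] <= max_fpr

# Constructed sample: 20 sessions, of which 4 were confirmed fraudulent.
LABELS = [i in (3, 7, 12, 18) for i in range(20)]
PRODUCT_A = [i in (3, 7, 12, 18, 1) for i in range(20)]                # 5 suspects
PRODUCT_B = [i in (3, 7, 1, 2, 5, 9, 11, 14, 16) for i in range(20)]   # 9 suspects
```

On this sample product B raises nearly twice as many suspects as product A, yet it misses half the real fraud and flags seven genuine users; the raw count of suspects says nothing until it is split this way.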
Once the POCs are proven, it is time to take stock of your existing system to make sure that it is fundamentally sound: for instance, to ensure that user authorisation, the centralised log server and the fraud management rules engine are operating smoothly and are securely administered before the new technologies are added.
As usual, implement the new controls in stages, starting with the quick and easier wins to convince your stakeholders and secure approval for the next phases of development.
Conclusion
New devices are attractive because they bring in new business and opportunities. Data cleverly harnessed is valuable and can literally make you millions of dollars in seconds. As with all treasures, there will be thieves lurking. Given all these new technological frontiers opening, we need better and more sophisticated controls. These controls, unlike in the past, come from varied technologies and must no longer be perimeter defences, but pervasive throughout the information system. New pervasive controls are powerful and can serve beyond the objectives of data protection: they can be leveraged to analyse business trends and manage fraud. Implementation must be approached step by step and iteratively, while keeping management informed of their massive potential for the future.
This article is a very brief summary. It dwells on the salient points of the new frontiers of information security and how we can proceed to implement the technical controls. There are a myriad of other business and managerial considerations in a real-life situation. Given the limitation of space here, we shall leave those discussions to another article, another time.
Note: We are now an official media partner with BIGIT INSIGHT. This article will be published in their magazine.