Consumer identity – 7 things you need to know

As we have noted in the latest Total Retail Switzerland 2015 Survey released in June, one of the current challenges facing retailers includes the digital disruption that has taken hold of the retail sector.

Consumer identity is the management of a consumer’s digital persona when they engage with a provider through whatever channel.

The relationship between consumer (user of products and services) and provider (deliverer or maker of products and services) is a delicate one. It requires trust, so that the right amount of personal characteristics and preferences is shared and used for an agreed, transparent purpose that supports a positive consumer experience.

Consumers will have different requirements for the means by which they wish to engage with providers, depending on the context. A mutuality of benefits needs to be built through a willing buyer and willing seller dialogue.

This blog post will explore a number of topics that need to be considered prior to engaging a consumer identity programme.

Individually owned identity

In a world where a consumer will want the option to use a single identity to access a variety of services from multiple providers, they will want to control and manage it. Whoever they ‘lodge’ their identity with will have the responsibility to verify who they claim to be, and will ask the consumer to ensure that everything is kept up to date and require any changes to be communicated promptly. The onus for managing their identity will lie squarely with the consumer.

Users will want to control what they share

When a consumer connects to a service they will want to control what they share – date of birth, address – and for how long the service can retain the information. Organisations who recognise this will be more attractive to users than those who don’t consider the user’s privacy to be paramount.

Context is key

What information is required to authorise a transaction or request depends upon the level of the transaction and various environmental factors. This context is vital to protecting both the user and the provider from fraud and account misuse. Using an unknown device from an overseas location may prompt for additional verification to be provided. Providing enhanced levels of security based upon increasing uncertainty (location, device, time of day) will provide comfort to the user without seeming to be burdensome.
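The step-up logic described above can be made concrete with a small risk-scoring policy. This is an added example, not code from the original post: the user profile, the signal weights and the score thresholds are all assumptions chosen for illustration, and the "amount" field extends the idea to transaction value as well as login context.

```python
from dataclasses import dataclass

@dataclass
class LoginContext:
    user: str
    device_id: str
    country: str
    hour: int            # local hour of day, 0-23
    amount: float = 0.0  # value of the requested transaction, 0 for a plain login

# Constructed sample profile (an assumption); a real system builds this from history.
PROFILES = {
    "alice": {"devices": {"phone-1", "laptop-1"}, "country": "CH", "hours": range(7, 23)},
}

# Signal weights and thresholds are assumptions for illustration only.
UNKNOWN_DEVICE = 40
FOREIGN_COUNTRY = 40
UNUSUAL_HOUR = 10
HIGH_VALUE = 30
HIGH_VALUE_LIMIT = 1000.0

def risk_score(ctx: LoginContext) -> int:
    """Sum the uncertainty contributed by each unfamiliar element of the context."""
    profile = PROFILES.get(ctx.user)
    if profile is None:
        return 100  # no history at all: treat as maximum uncertainty
    score = 0
    if ctx.device_id not in profile["devices"]:
        score += UNKNOWN_DEVICE
    if ctx.country != profile["country"]:
        score += FOREIGN_COUNTRY
    if ctx.hour not in profile["hours"]:
        score += UNUSUAL_HOUR
    if ctx.amount > HIGH_VALUE_LIMIT:
        score += HIGH_VALUE
    return min(score, 100)

def required_verification(ctx: LoginContext) -> str:
    """Map the score to the verification the provider should ask for."""
    score = risk_score(ctx)
    if score < 30:
        return "password"                     # familiar context: stay frictionless
    if score < 70:
        return "password+otp"                 # one unfamiliar signal: one extra factor
    return "password+otp+manual_review"       # several signals: hold the request

if __name__ == "__main__":
    print(required_verification(LoginContext("alice", "tablet-9", "US", 3)))
```

The point of the tiered result is the one the paragraph makes: a known device from the home country at a normal hour gets no extra friction, while each unfamiliar signal adds a step rather than blocking outright.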

Organisations who design for privacy will be trusted more than those who don’t

Determining the minimum amount of information required to undertake a transaction will increase trust between the consumer and the provider by reducing the amount of information the consumer exposes. The provider should also tell the consumer what it will do with the information once the transaction is complete, how it will be protected, how long it will be retained and whether it will be shared with other parties. Privacy should be considered at all stages of a service. Does the provider need to retain address, date of birth, place of birth, current location or device used, other than in a well-secured audit log? The user should be offered the option to approve the use of additional information, and for how long it can be used.

Consumers will want to choose their persona

In the digital world as in real life, consumers will wish to present different personas depending upon the environment and the nature of the transaction. In real life we can choose to be anonymous by paying with cash, and to reveal elements of our identity through the use of intermediaries such as PayPal and various debit and credit cards. How we present ourselves socially as opposed to professionally will also vary. At the same time consumers may wish to use more than one identity to separate the different parts of their lives and to compartmentalise who knows what about them.

Consumers will demand more control over their data and the extent of the consent that they give

In recent times there has been an explosion in the amount of data collected, whether it’s how long you’ve slept or where you’ve been lately, and it will only increase to include measures such as heart rate, blood pressure and so on. As more data is collected about consumers, they will start to demand greater control over who has access to it and for how long. Organisations who give the consumer choice and options concerning their data will be more trusted and will therefore command a greater share of the consumer’s time, money and IPR (intellectual property rights).

Consumers are now more aware of their digital footprint

Consumers are more aware of their digital footprint and so want better control over how their data is shared and with whom. Owning their digital persona will reap rewards, whether through a more fulfilling digital experience or financial remuneration for the use of their data.

If you have any questions, please do not hesitate to contact me.

Drones – the new professional tool?

Drones have been elevated from the hobbyist’s plaything to serious business, as a range of industries set their sights on the technology’s commercial benefits. 

You can’t help but notice that drones are making headlines right now. Drones – also known as unmanned aerial vehicles, or UAVs – have received publicity for playing a useful part in everything from shark spotting on Bondi Beach to photographing large properties in all their glory (topless sunbathers included).

However, behind the headlines serious movements and investments are being made to put what was once seen as a hobbyist’s technology to more professional and practical use. There are some commercial applications that particularly suit drone technology. Here are a number of examples:

Aerial photography

The first and most dramatic application of drone technology is the attachment of cameras, to help photographers and film makers achieve a new and dramatic shot. Many other organisations are beginning to realise that there are substantial cost savings to be made in using a drone instead of a helicopter to take aerial footage. Real estate, weddings and news coverage are all rapidly adding drones to their arsenal.

However, some countries have regulatory and legal issues around how footage can be obtained, none more fractious than the US, where, amid a lack of clear regulations and a flurry of new local authority laws, lawmakers are tripping over themselves to make a regulatory framework that works.

Search and rescue (SAR)

From firefighters to mountain rescue, a large number of public agencies are researching or adopting drones into their tool chest. Drones occupy a unique position in the matrix by filling the gap between ground operations and traditional helicopters. This opens up opportunities to search areas faster and for longer, by being far cheaper to run than traditional helicopters and aircraft.

Technology is the limiting factor to full-scale SAR deployment: short flight times and low camera resolutions are the main restrictions.

Agriculture

…or specifically, precision agriculture. Precision agriculture, as the name implies, involves farm management based on observing, measuring and responding to inter- and intra-field variability in crops.

Japan has been a long-term user of drones in precision agriculture due to its unique geography and public trust of robotics. But this is moving further afield into countries where more traditional agriculture methods are used, as more and more enterprises look to adopt a less wasteful agricultural approach.

This will have cost and profit implications, and helps reduce the environmental impact of industrialised agriculture through the reduced use of raw materials such as water, pesticides and fertilizers. Drones are particularly effective in this role and the market for drones in agriculture is expected to be worth billions in the US alone. In countries where resources such as water are scarce or expensive (such as Australia and the Middle East), precision agriculture is set to be a real focus in coming decades.

Surveys

Traditional high-resolution surveys by helicopter or plane are typically costly and take a long time to organise. Drones are rapidly taking their place. They can fly GPS-precise routes over often complicated landscapes and, with the adoption of precise stabilisation systems and better software, often give a better result. Drones are much cheaper to operate and can be deployed very quickly. Much of the detailed disaster mapping in Nepal recently was done by drone.

Mining and archaeology

As drone airframe design advances, we are seeing increasing adoption of sensor equipment, to service the data requirements of the business. Examples of these payloads include: high definition optics, infrared, ground penetrating radar, ultrasound, magnetometers and other scientific equipment.

Of particular interest is LIDAR (short for ‘light detection and ranging’), which allows very precise three-dimensional maps to be constructed of sites that were previously inaccessible to helicopters and aircraft. Often this is used in conjunction with other spectrum analysis tools to allow miners and archaeologists to see much more than they would have done previously, allowing more precise digging to take place. As this technology is also cheaper, smaller sites and operations can be analysed in more depth.

Last mile deliveries

Many post and delivery services are looking to adopt drone technology for logistics. However, this is currently fraught with difficulties and risk – technical, regulatory and environmental.

There are business drivers for being able to use drones in the last mile, as cost economies mean some previously uneconomical routes can now be serviced profitably. Many such routes exist in the developing nations where infrastructure is lacking. Even in Switzerland, Swiss Post is actively pursuing this technology to allow deliveries to remote areas that get cut off by snow or avalanches in winter.

Natural disasters have seen a demand for this type of drone use as well. GPS precision allows delivery of emergency packs to families in a local area when all road routes have been cut off. The added advantage is that helicopters are freed up to focus on medical evacuation and other transportation duties.

A range of businesses are starting to see the opportunities that drone technology represents. To some, it can fundamentally change a number of their business processes. To others, it is an opportunity to improve profitability or even expand into new markets. The crucial factor is in understanding the advantages and pitfalls of the technology in order to help them make the best decisions for their business.

Please contact me if you would like to discuss this topic.

More than a match for fraudsters

How to combat sophisticated fraudsters who use information technology, social network analysis and psychology to target payment processes

These days fraudsters are increasingly targeting organisations’ payment processes using so-called social engineering techniques. Unlike plain hacking, social engineering is the art of manipulating people so that they unwittingly give up confidential information, or act against company processes and policies. With the help of a combination of information technology, social network analysis and psychology, social engineers pass themselves off as customers, suppliers and/or perhaps as your own company’s management to trigger the transfer of funds from the business.

Understanding your organisation’s readiness to combat today’s fraudsters is essential. PwC’s Fraud Risk and Control Framework covers fraud and corruption control holistically, splitting it into four key elements and then further into their component processes and controls. The key elements are:

  • Planning and resourcing
  • Prevention
  • Detection
  • Response.

Controlling the fraud risk within your business starts with understanding fraud trends

Our assessments aim to identify activities that can significantly impact your organisation’s reputation, expose the company to criminal or civil liability, or result in a financial loss. Such a fraud risk assessment includes examining the existing systems, processes and the control environment to identify high-risk transactions and the potential for misappropriation by employees, related parties and/or third parties. The assessment evaluates whether or not processes and controls can be circumvented, including the susceptibility of controls to management override.

Read more here. If you have any questions, please do not hesitate to contact me.

Neutrino Exploit Kit delivers zero-detection Zeus Variant

We recently spotted Neutrino being used to deliver a zero-detection Zeus variant and are sharing some brief indicators here.

The Neutrino Exploit Kit check-in response contains base64 encoded data within HTML comment tags:

<!--.DEBUGMTQwMTA3NjM4NjcxNTc2NiNyYXRlIDUjMTQzMzM4NDE4MzIxNjMwNSNsb2FkZXIgaHR0cDovL3NlbGxzLXN0b3JlLmNvbS9mb3J1bS9hY2V6LmV4ZSM=DEBUG.-->

Decoded, this translates to:

1401076386715766#rate 5#1433384183216305#loader http[:]//sells-store[.]com/forum/acez.exe#
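The following Python decoder is an added example rather than code from the original post. It extracts the base64 blob from between the DEBUG markers of a constructed response that carries the same payload as the post, decodes it, and splits the result into fields. Two things are assumptions: that the comment uses standard `<!--` / `-->` delimiters (the post’s rendering shows a dash artefact), and the field layout (two numeric ids, a `rate` value and a `loader` URL), which is inferred from the single decoded line above.

```python
import base64
import binascii
import re

# Constructed sample of a check-in response (not a real capture). It carries the
# same base64 payload as the post, wrapped in standard HTML comment delimiters
# (an assumption about what the original rendering stands for).
SAMPLE_RESPONSE = (
    "<html><body>\n"
    "<!--.DEBUGMTQwMTA3NjM4NjcxNTc2NiNyYXRlIDUjMTQzMzM4NDE4MzIxNjMwNSNsb2FkZXIg"
    "aHR0cDovL3NlbGxzLXN0b3JlLmNvbS9mb3J1bS9hY2V6LmV4ZSM=DEBUG.-->\n"
    "</body></html>\n"
)

# Only the base64 alphabet is accepted between the DEBUG markers.
CHECKIN_RE = re.compile(r"<!--\.DEBUG([A-Za-z0-9+/=]+)DEBUG\.-->")

def extract_checkins(html: str) -> list:
    """Return the decoded text of every DEBUG comment found in html."""
    found = []
    for match in CHECKIN_RE.finditer(html):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # malformed blob: skip it rather than crash the parser
        found.append(raw.decode("utf-8", errors="replace"))
    return found

def parse_checkin(decoded: str) -> dict:
    """Split the '#'-separated check-in into fields.

    Numeric-only fields are collected under 'ids'; 'key value' fields become
    entries. This layout is inferred from the one decoded line in the post.
    """
    fields = {"ids": []}
    for part in decoded.split("#"):
        if not part:
            continue
        if part.isdigit():
            fields["ids"].append(part)
        else:
            key, _, value = part.partition(" ")
            fields[key] = value
    return fields

def defang(url: str) -> str:
    """Render a URL in the http[:]//host[.]tld form used in the post."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme}[:]//{host.replace('.', '[.]')}{slash}{path}"

if __name__ == "__main__":
    for line in extract_checkins(SAMPLE_RESPONSE):
        info = parse_checkin(line)
        print("rate:", info.get("rate"), "loader:", defang(info.get("loader", "")))
```

Running it over a proxy or IDS capture of the check-in gives the second-stage URL in a form that can be shared without being clickable, which is the shape the indicator takes in the post.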

Retrieving that executable, which has an MD5 hash of 2fc852f50667a09609d2a66770df180d, and analysing it on Malwr.com, we can see that it creates mutexes that match the Zeus banking trojan:

Image 1
https://malwr.com/analysis/NjIzY2EyZjMzMzM2NGQzMjhhODk3MjY3NmFkMDgyYTc/

At the time of writing this was not detected by any anti-virus software on VirusTotal:

Image 2
The domain sells-store[.]com is registered by a registrant called Wuxi Yilian LLC, which is associated with many other spam/scam domains. The creation date of this domain is 1 June 2015, which suggests this is a recent wave.

Image 3
The exe makes a DNS request to the domain stat777-toolbarueries-google[.]com, which is also registered by Wuxi Yilian LLC.

As seen in previous variants of Zeus, this matches the common format:

https://zeustracker.abuse.ch/monitor.php?host=stat2070-toolbarueries-google.com

Information regarding the Zeus Trojan can be found on the following Symantec post:

http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99&tabid=2

Information regarding the Neutrino Exploit Kit can be found here:

http://blog.trendmicro.com/trendlabs-security-intelligence/a-new-exploit-kit-in-neutrino/

http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html

The Emerging Threats Pro signature that captures the Neutrino check-in response is 2810822. We are sharing some simple IDS signatures to detect the second stage infection .exe download:

Suricata

alert http any any <> any any (msg:"[PwC] eCrime Neutrino DDoS tool 2nd Stage implant download (acez.exe)"; flow:established,from_client; content:"/forum/acez.exe"; http_uri; isdataat:!1,relative; sid:30000001; rev:2015060401;)

Snort

alert tcp any any <> any any (msg:"[PwC] eCrime Neutrino DDoS tool 2nd Stage implant download (acez.exe)"; flow:established,from_client; content:"/forum/acez.exe"; http_uri; isdataat:!1,relative; sid:30000001; rev:2015060401;)

We also have simple IDS signatures for the Zeus C&C domain that is contacted:

Suricata

alert http any any <> any any (msg:"[PwC] Zeus C&C domain (stat777)"; flow:established,from_client; content:"stat777-toolbarueries-google.com"; http_host; isdataat:!1,relative; classtype:trojan-activity; sid:30000002; rev:2015060501;)

alert dns any any <> any any (msg:"[PwC] Zeus C&C domain (stat777)"; flow:established,from_client; dns_query; content:"stat777-toolbarueries-google.com"; isdataat:!1,relative; classtype:trojan-activity; sid:30000003; rev:2015060501;)

Snort

alert tcp any any <> any any (msg:"[PwC] Zeus C&C domain (stat777)"; flow:established,from_client; content:"stat777-toolbarueries-google.com"; http_header; isdataat:!1,relative; classtype:trojan-activity; sid:30000002; rev:2015060501;)

alert udp any any <> any 53 (msg:"[PwC] Zeus C&C domain (stat777)"; flow:established,from_client; content:"|1C|stat777-toolbarueries-google|03|com"; nocase; classtype:trojan-activity; sid:30000003; rev:2015060501;)

alert tcp any any <> any 53 (msg:"[PwC] Zeus C&C domain (stat777)"; flow:established,from_client; content:"|1C|stat777-toolbarueries-google|03|com"; nocase; classtype:trojan-activity; sid:30000003; rev:2015060501;)

If you have any queries about this, please contact me.

Hunting the network snark

Using entropy to help in hunting anomalies on a network is an approach that has been around for at least the last ten years or so. The trouble is that, by itself, knowing that a certain network flow has an entropy of 7.5 doesn’t help you. It could be a perfectly legitimate SSL session, or possibly a compressed HTTP pipeline of legitimate content.

Wouldn’t it be handy to have some automated process for helping narrow down which flows were suspicious? Well, if you’ve followed my previous articles on instrumenting your network, we can start to do just that.

Recipe for Success?

Start with a bowl containing your raw IPFIX (with AppFlow) data and your full packet capture. Add a dash of logs – DHCP, DNS and network authentication – then blend in some packet entropy with open source data.
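As an added illustration of the point made above, and not code from the original series, the following Python computes the Shannon entropy of a flow’s payload and then uses flow context (destination port, HTTP headers as AppFlow or a packet capture would supply them) to decide whether a high entropy is expected or worth a second look. The `Flow` fields, the port list and the 7.2-bit threshold are assumptions for the example.

```python
import math
from collections import Counter
from dataclasses import dataclass, field

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for one repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

@dataclass
class Flow:
    dst_port: int
    payload: bytes
    # Application-layer context from AppFlow/IPFIX or full packet capture (assumed shape).
    http_headers: dict = field(default_factory=dict)

ENCRYPTED_PORTS = {22, 443, 993, 995}  # assumption: opaque payloads are normal here
HIGH_ENTROPY = 7.2                      # assumed threshold in bits per byte

def classify(flow: Flow) -> str:
    """Combine payload entropy with flow context to decide what deserves a look."""
    h = shannon_entropy(flow.payload)
    if h < HIGH_ENTROPY:
        return "plaintext"
    if flow.dst_port in ENCRYPTED_PORTS:
        return "expected-encrypted"      # the legitimate SSL session case
    if flow.http_headers.get("Content-Encoding") in {"gzip", "deflate", "br"}:
        return "expected-compressed"     # the compressed HTTP pipeline case
    return "suspicious-high-entropy"     # opaque data where plaintext was expected

# Constructed sample payloads (not captured traffic).
PLAINTEXT_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
OPAQUE = bytes(range(256)) * 4          # every byte value equally often: entropy 8.0

if __name__ == "__main__":
    for port, payload, hdrs in [(80, PLAINTEXT_HTTP, {}), (443, OPAQUE, {}),
                                (80, OPAQUE, {"Content-Encoding": "gzip"}), (80, OPAQUE, {})]:
        flow = Flow(port, payload, hdrs)
        print(port, round(shannon_entropy(payload), 2), classify(flow))
```

The entropy number alone puts the last three flows in the same bucket; only the port and header context separates the session that should be opaque from the one that should not.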

Read more here.

If you have any further questions, please contact us.

A new Internet tipping point – consumers getting more power… and responsibility

I’ve recently come of age in the world of the Internet: it’s 21 years since I first signed up for my Demon Internet account. Using a modem at speeds we wouldn’t recognise these days, I was just grateful to get online! The ability to email people outside of my organisation and to find pieces of code (yes, I did purport to write code all those years ago) was invaluable.

It wasn’t long before we started to do minimal ecommerce, buying from Amazon and the like. For me this included discovering the wide range of books online that I could buy and learn from. As the ‘Information Super Highway’ – as it was then called – got more popular, so we were enticed onto the highway with a simple trade: our data in exchange for free access to content. And we all want something for free, thinking that it won’t ever cost us!

Read more…

If you have any further questions, please contact us.

5 Growing Pains for Chief Data Science Officers

The role of The Chief Data Science Officer (CDSO) is new and evolving – and with evolution comes opportunities and challenges. We’re finding that CDSOs are faced with growing pains on several fronts – and if businesses can’t find a way to properly address some of these issues, the role of the CDSO could be at risk.

CDSOs are joining companies where the business case for their role is left ambiguous. This makes it difficult for them to demonstrate their value to the organization. In an effort to define their role and responsibilities, CDSOs must work with multiple stakeholders to forge strategic partnerships and carve a pathway to success.

Here’s where to start:

1) Avoid perpetuating “ivory tower” perceptions

The first order of business for CDSOs is to justify their existence and establish how they can contribute value to the organization. Start by building relationships. CDSOs need to work with business owners and subject matter experts to get deep into the business decisions and problems, and identify opportunities where they can use data and analytics to generate insights that enhance decision making. Failure to demonstrate value to the business can raise doubts about the legitimacy of the role.

Often, CDSOs are stepping into companies where there are multiple teams of functional analytics experts managing their data and technology platforms across multiple business units. CDSOs need to work with these existing groups to determine the right organization and operating model that can enhance the value they bring, while not slowing down the existing initiatives of business units.

2) Build Relationships with the C-Suite

Historically, enterprises have focused on traditional data warehousing, reporting and business intelligence in their use of data. But, now that every business function wants to use technology to advance their business goals, the enterprise needs to use data in new ways to make better decisions. Enterprises should use data exploration to inform business analytics. Tapping data to prepare for a possible future is the CDSO’s specialty and everyone’s interest. The CDSO should work with the CIO to educate the C-Suite and beyond on the importance of putting more organizational emphasis on predictive analytics. According to our 5th Annual Digital IQ Survey, C-Suite executives who effectively collaborate are far more likely to outperform their peers.

3) Find the funding

The governance mechanisms for funding in most organizations often confer power to those with the funds – typically P&L owners – and C-level committees. Given the role CDSOs and teams play as a “shared service” traversing IT and business functions, it is important for them to be able to make a direct request for funds as opposed to through one of the many groups they work with or support. To secure funds, CDSOs should pull out all the stops with visualizations, demos and prototypes to “make it real” to business owners how they can enhance their performance with improved analytics.

4) Navigate the vendor landscape

As with any emerging area, the field of data science is filled with a host of start-ups and established companies claiming to offer just the ‘right’ solution for the company. CDSOs must carefully evaluate products based on the organization’s business case – and that’s no easy feat given the multitude of options in today’s crowded marketplace.

Some tools are designed as horizontal offerings that are shallow rather than deep, but more easily integrated across business units. Other solutions plunge into a particular industry or functional area, but are ‘special-purpose’ tools that are neither versatile nor easily integrated with existing solutions.

By the time the company realizes it needs something different, executives can have invested a lot of time and money trying to make the product work. It’s a chore to move onto something different, especially explaining the shift to senior management. Decisions around when to use proprietary vendor solutions versus open-source alternatives are also a challenge that CDSOs need to grapple with.

5) Change the decision-making mindset of executives

In our recent global Big Decisions Survey, more than 58% of executives made decisions based on their own intuition or experience or those of others. Only 29% relied on data-driven decisions. Executives say they want to use analytics and data, but it’s still not prevalent at companies, in the C-Suite or beyond. Technology companies and younger employees are much more accustomed to using data to steer the ship, but most executives make decisions based on their gut reactions.

Executives can be hesitant to use more advanced data and analytics techniques to inform their actions, especially if the data contradicts what they feel is the right way to go. CDSOs must break deeply ingrained habits using an “art” and “science” approach to data. Creating compelling, visual proof-of-concepts/prototypes with simulation and gaming elements can allow executives to combine their intuition and experience with data & analytics to improve decision making.

We’ve only scratched the surface of the many issues that CDSOs are struggling with as they navigate uncharted waters. We’ll delve into each of these areas more and explore how CDSOs can chart a course for success. In the meantime, let us know if you have any other additions to our list.

Attacks against Israeli & Palestinian interests

This short report details the techniques being used in a series of attacks mostly against Israel-based organisations. The decoy documents and filenames used in the attacks suggest the intended targets include organisations with political interests or influence in Israel and Palestine. Although we are unable to link this campaign to any already documented in open source, it bears similarities to some described by others previously[1],[2].

The earliest samples in the campaign we have identified date back to the summer of 2014. The number of samples discovered and relatively small scale of infrastructure suggest the attackers have limited resources with which to conduct attacks.

More details…

If you have any further questions, please contact us.

Will VENOM’s strike poison your shared infrastructure?

The fangs of a newly-found security vulnerability in virtual computing systems were revealed by security researchers at CrowdStrike last week. Named “VENOM”, its announcement calls attention to a previously unrecognized risk that may impact millions of systems around the world, as well as disrupt normal business as IT organizations scramble to patch affected systems.

VENOM stands for Virtualized Environment Neglected Operations Manipulation. It affects some, but not all, virtualization management systems in use within organizations and cloud service providers today. It highlights a weakness in some virtual systems where a hacker, after gaining access to one company’s secure network, could then jump to other independent companies that just happen to share virtual server space.

This new vulnerability appears to be of a similar scale to the Heartbleed vulnerability discovered in OpenSSL last year; however, this new issue has the potential to impact across organizational and company boundaries. Most organizations use server virtualization in some form today. The use of “cloud” servers crested the 50% mark this last year and is expected to hit 86% adoption by 2016, according to CIO Insights.

Read more…

If you have any questions, please contact us.

When data hinders, not helps

Many organizations operate a dedicated department specifically for combatting Cyber Security threats. These are typically called “SOCs”, or Security Operation Centres.

The SOC collates information from across the organization and from external agencies to form a strategy to prevent, detect and respond to cyber attacks and security issues. The more data the SOC has access to, the more accurate a security picture they can obtain, and more detailed analysis can be performed, either to investigate issues or help prevent them from occurring. But more access means more data to analyse.

The nature of security threats has changed significantly in recent years, and the “security in depth” principle has led to the implementation of numerous security-specific technologies into the organization, which creates yet more data for the SOC to monitor and react to.

This creates a new problem: how much data is too much data?

Let’s examine a fictional 250-person company, and watch what happens to the amount of data the SOC has to process.

In 2005, this organization would have had a number of servers, a firewall, some first-generation anti-virus programs, a basic network, and some basic web services. It typically generated around 6.5 GB of log data per day, all of which the SOC would examine for specific signs of security issues. With a small team, and in a 2005 threat landscape, this was achievable.

However, in 2015, that same organization has doubled in size. It has new offices, it has VPN and mobile devices, it has new business applications, it has additional security technology such as malware filters, data loss analysers and intrusion detection systems. It has the latest generation of web technology. The threat profile is now very different and much more advanced. The resulting log volume is now 30 GB per day.

The net effect? An increase in log volume of over 450%.

When data hinders

Chances are, the organization has not invested in resources for the SOC for financial reasons following the financial crisis, so the existing team is now overstretched and in danger of not being able to correctly detect and prevent security issues.

In addition there is a heightened awareness of cyber risks at senior levels in organisations and increased regulatory scrutiny of how cyber risks are being managed, creating additional expectations and pressure on the SOC.

This combination of factors makes managing a SOC and meeting the increasing expectations of key stakeholders a challenge. There are, however, some useful strategies that can help to address this very modern problem. I will discuss them in more detail in future blog posts, but here is a quick overview:

  1. Know the Enemy
    The SOC is responsible for detecting and preventing security issues from occurring, but it can only do this effectively if it knows what it is supposed to be detecting. Leading SOCs invest in external intelligence sources to help prioritise SOC spend and resource to focus on the threat detection and mitigation with the greatest risk.
  2. Know the business
    Often a large organization will operate in silos, with departments not necessarily communicating their activities to other areas. This can have a dramatic effect on the SOC, as something as simple as an application upgrade can suddenly increase log data with no warning. An effective SOC will establish a two-way dialogue with key business areas regarding security trends, recent findings and upcoming business activities.
  3. Know the assets
    A good SOC knows where all the important assets are, and focuses its energies on monitoring and protecting those assets. Each asset has a formal security rating, and the rating will dictate the security precautions required. For example, protecting customer data is far more important than protecting the stationery ordering service.
  4. Know the data
    Knowing the difference between a message and a warning is a key skill of the SOC, and it makes sense to invest in a working framework and SIEM applications which help filter and prioritise messages. Create dashboards which show only security-specific information. For example, if there were 10,000 successful logons to an e-banking service this is not really a security concern; however, if a customer logs on from 3 countries at the same time, that is an issue that needs a SOC reaction.
  5. Know your staff
    Managing the SOC often involves lots of repetitive activity watching data. This can quickly lead to complacency and missed signals. Just as important, it can result in demotivation, burnout, reduced performance and even loss of staff. One way SOCs are overcoming this is to rotate staff around functions, so every member of the team is required to spend 25-30% of their time working on new dashboards, on new filters, improving forensic performance, trend analysis, attending security events and interacting with the other departments.
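The “know the data” example above (ignore the volume of successful logons, react when one customer logs on from several countries at once) is the kind of rule a SIEM filter encodes. The following Python is an added example rather than anything from the post or from a particular SIEM: it runs that rule over a handful of constructed authentication log lines, counting only successful logons and flagging a user whose successes come from more than one country inside a configurable window. The log format and the 10-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2015-06-01T10:00:03Z user=alice country=CH result=success
2015-06-01T10:00:41Z user=bob country=CH result=success
2015-06-01T10:02:17Z user=alice country=US result=success
2015-06-01T10:03:05Z user=carol country=CH result=failure
2015-06-01T10:03:09Z user=carol country=BR result=success
2015-06-01T10:40:00Z user=bob country=DE result=success
"""

WINDOW = timedelta(minutes=10)  # assumed meaning of "at the same time"

def parse_line(line: str):
    """Split 'timestamp key=value ...' into (datetime, dict)."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"), fields

def concurrent_country_logins(log_text: str, window: timedelta = WINDOW) -> dict:
    """Return {user: sorted countries} for users with successful logons from more
    than one country within `window`. Sheer volume of successes never alerts."""
    successes = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        if f.get("result") != "success":
            continue  # failures are a different signal and are left out here
        successes[f["user"]].append((ts, f["country"]))

    alerts = {}
    for user, events in successes.items():
        events.sort()
        for i, (ts_i, country_i) in enumerate(events):
            for ts_j, country_j in events[i + 1:]:
                if ts_j - ts_i > window:
                    break  # events are sorted, so nothing later can be inside the window
                if country_j != country_i:
                    alerts.setdefault(user, set()).update({country_i, country_j})
    return {user: sorted(countries) for user, countries in alerts.items()}

if __name__ == "__main__":
    print(concurrent_country_logins(SAMPLE_LOG))
```

With the sample data only alice is raised: bob also appears from two countries, but 39 minutes apart, so the result depends on the window the SOC chooses, which is exactly the tuning decision the “know the data” point is about.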

Transforming the SOC to meet the challenges of today requires an intelligent approach to how companies manage cyber security and its own critical information assets. To discuss how PwC can help you improve the effectiveness of your cyber security management, please contact Euan Ramsay.