Morals and economic issues of ‘seamless’ payments; some thoughts.

Slight departure from the usual security fare this post, but hopefully you’ll find it interesting!

This week I attended the ‘Cards and Payments’ summit.  This was pretty interesting, and it was certainly good for me to attend a conference not purely focussed on security to see what the wider payments industry is talking about at the moment.

I’ll provide a brief overview in another post, but I wanted to write my entirely non-security and non-technical thoughts on a particular topic that was discussed numerous times over the two days: how to make payments as seamless, transparent and friction-free as possible.

On the face of it this seems like a great idea.  Who wouldn’t want to be able to securely pay for goods and services without any friction or interruption to what they are doing?  Indeed I’m even involved in some work around how we can use things like device ID, location, behaviour etc. to improve security while lowering friction.

However the other side of this coin is the fact that people have been proven to spend far more as they get further from transferring actual cash to someone else.  Since the inception of credit and debit cards, people in properly controlled studies spend more, will value the same good higher and will tip more with a card vs. making a cash payment.

This trend further continues as you move online, the more transparent payments are and the less involvement the consumer has in the payment process, the more likely they are to spend.

When you consider this fact in the overall picture of many countries where people have a clear propensity to overspend and carry more debt than they can manage, is this trend a good thing?

From a moral perspective should we really be creating ways that have been proven to psychologically increase spending when many people are already in a lot of financial difficulty?

You could of course argue that people need to be responsible for themselves, which is an opinion I often tend towards.  However I think industries do need to be held to some level of responsibility for their customers, especially when there are clear and impartial studies highlighting the risk and psychological triggers that are being used to change behaviours.

On a macro level I would also argue that the economy as a whole would be better off in the long term if consumers are managing their money better, as they will always have money to spend.  The reality of ongoing overspending is longer term economic troubles.

One of the presenters who was promoting the benefits of completely seamless payments with seemingly no controls on how much you spend was from Sky Betting and Gaming.  He unsurprisingly disagreed with me and spoke of making the process as seamless and excellent as possible.  This seems particularly dangerous as they are clearly combining potential habit and addiction issues with technology designed and proven to make people overspend.

To be fair to him he did mention having other things they offer to help with gambling problems, but he was very clear these should be separate from the actual gambling and payments process – which does kind of miss the point in my opinion.

What do you all think?

Is some affirmative friction a good thing in payments?

Should business have some obligation to look out for its customers rather than just doing everything to make them spend?

Regardless of the moral question, should businesses have some view to the longer term health of the economy?

If not business, is regulation the only answer to drive good behaviours from them?


It would be great to hear your thoughts!

We’ll be back to security stuff for my next post..

K

Splunk Live!

I attended the Splunk Live! London event last Thursday.  I am currently in the process of assessing Splunk and its suitability as a security SIEM (Security Information and Event Management) tool, in addition to being a general data collection and correlation tool.  During the day I made various notes that I thought I would share; I’ll warn you up front that these are relatively unformatted as they were just taken during the talks on the day.

Before I cover off the day, I should highlight that I use the term SIEM to relate to the process of Security Information and Event Management, NOT SIEM ‘tools’.  Most traditional tools labelled as SIEM are inflexible, do not scale in this world of ‘big data’ and are only usable by the security team.  This for me is a huge issue and waste of resources.  SIEM as a process is performed by security teams every day and will continue to be performed even when using whatever big data tool of choice.

The background to my investigating Splunk is that I believe a business should have a single log and data collection and correlation system that gets literally everything from applications to servers to networking equipment to security tools’ logs / events etc.  This then means that everyone from Ops to application support, to the business, to security can use the same tool and be assured of a view encompassing the entire environment.  Each set of users would have different access rights and custom dashboards in order for them to perform their roles.

From a security perspective this is the only way to ensure the complete view that is required to look for anomalies and detect intelligent APT (Advanced Persistent Threat) type attacks.

Having a single tool also has obvious efficiency, management and economies of scale benefits over trying to run multiple largely overlapping tools.

Onto the notes from the day;

Volume – Velocity – Variety – Variability = Big Data

Machine generated data is one of the fastest growing, most complex and most valuable segments of big data.


Real time business insights

Operational visibility

Proactive monitoring

Search and investigation

Enables move from ‘break fix’ to real time operations insight (including security operations). 

GUI to create dashboards – write queries and select how to have them displayed (list, graph, pie chart etc.); you can move things around on the dashboard with drag and drop.

Dev tools – REST API, SDKs in multiple languages.

More data in = more value.

My key goal for the organisation – One log management / correlation solution – ALL data.  Ops (apps, inf, networks etc.) and Security (inc PCI) all use same tool with different dashboards / screens and where required different underlying permissions.

Many screens and dashboards are available free (some, like PCI and Security, cost).  Dashboard look and feel helps users feel at home and get started quickly – e.g. VM dashboards look and feel similar to the VMware interface.

Another example – Windows dashboard – created by Windows admins, not Splunk – all the details they think you need.

Exchange dashboard – includes many Exchange details around message rates and volumes etc., and also includes things like outbound email reputation.

VMware – can go down to specific guests and resource use, as well as host details (file use, CPU use, mem use etc.).

Can pivot between data from VMware and email etc. to troubleshoot the cause of issues.

These are free – download from Splunkbase.

Can all be edited if not exactly what you need, but are at least a great start.

Developers – from tool to platform – can both support development environments and be used to help teach developers how to create more useful log file data.

Security and Compliance – threat levels growing exponentially – cloud, big data, mobile etc. – the unknown is what is dangerous – move from known threats to unknown threats.

Wired – the internet of things has arrived, and so have massive security threats

Security operations centre, Security analytics, security managers and execs

  • Enterprise Security App – security posture, incident review, access, endpoint, network, identity, audit, resources..

Look for anomalies – things someone / something has not done before

  • can do things like create tasks, take ownership of tasks, report progress etc.
  • When drilling down on issues has contextual pivot points – e.g. right click on a host name and asset search, Google search, drill down into more details etc.
  • Even though it costs, like all dashboards it is completely configurable.

Splunk App for PCI compliance – Continuous real time monitoring of PCI compliance posture, Support for all PCI requirements (12 areas), State of PCI compliance over time, Instant visibility on compliance status – traffic lights for each area – click to drill down to details.

  • Security prioritisation of in-scope assets
  • Removes much of the manual work from PCI audits / reporting

Application management dashboard

  • Splunk can do math – what is the average stock price / how many users on the web site in the last 15 minutes etc.
  • Real time reporting on impact of marketing emails / product launches and changes etc.
  • for WP – reporting on transaction times, points of latency etc – enable focus on slow or resource intensive processes!
  • hours / days / weeks to create whole new dashboards, not months.

Links with Google earth – can show all customer locations on a map – are we getting connections from locations we don’t support, where / what are our busiest connections / regions.

Industrial data and the internet of things; airlines, medical informatics (electronic health records – mobile, wireless, digital, available anywhere to the right people – staff were used to putting pads down, so didn’t get charged – Splunk identified this).

Small data, big data problem (e.g. not all big data is actually a massive data volume, but it may be complex, rapidly changing, difficult to understand and correlate between multiple disparate systems).

Scale examples;

Barclays – 10TB security data year.

HPC – 10TB day

Trading 10TB day

VM – >10TB year

All via Splunk.

DataShift – Social networking ‘ETL’ with Splunk. ~10TB new data today

Afternoon sessions – Advanced(ish) Splunk.

– Can create lookup / conversion tables so log data can be turned into readable data (e.g. HTTP error codes read as ‘page not found’ etc. rather than a number).  This can either be automatic, or a reference table you pipe logs through when searching.

– As well as GUI for editing dashboards, you can also directly edit the underlying XML

– Can have lots of saved searches, should organise them into headings or dashboards by use / application or similar for ease of use.

– Simple and advanced XML – simple has menus, drop downs, drag and drop etc.  Advanced requires you to write XML, but is more powerful.  Advice is to start in simple XML, get layout, pictures etc. sorted, then convert to advanced XML if any more advanced features are required.

– Doughnut chart – like a pie chart with inside and outside layers – good if you have a high level grouping, and a lower level grouping – can have both on one chart.

– Can do a rolling, constantly updating dashboard – built in real time option to refresh / show figures for every xx minutes.

High Availability

  • replicate indexes
    • gives HA, gives fidelity, may speed up searches

Advanced admin course;

http://www.splunk.com/view/SPCAAAGNF

Report acceleration

  • can accelerate a qualifying report – more efficiently run large reports covering wide date ranges
  • must be in smart or fast mode

Lots of free and up to date training is available via the Splunk website.

Splunk for security

Investigation / forensics – Correlation, fast to root cause, look for APTs, investigate and understand false positives

Splunk can have all original data – use as your SIEM – rather than just sending a subset of data to your SIEM

Unknown threats – APT / malicious insider

  • “normal” user and machine data – includes “unknown” threats
  • “security” data or alerts from security products etc. – “known” security issues.  Misses many issues.

Add context  – increases value and chance of detecting threats.  Business understanding and context are key to increasing value.

Get both host and network based data to have best chance of detecting attacks

Identify threat activity

  • what is the modus operandi
  • who / what are most critical people and data assets
  • what patterns and correlations of ‘weak’ signals in normal IT activities would represent abnormal activity?
  • what in my environment is different / new / changed
  • what deviations are there from the norm

Sample fingerprints of an Advanced Threat.

Remediate and Automate

  • Where else do I see the indicators of compromise
  • Remediate infected systems
  • Fix weaknesses, including employee education
  • Turn the Indicators of Compromise into real time search to detect future threats
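The notes above ask for three things in one place: flag what someone or something has not done before, spot deviations from a learned norm, and turn an indicator of compromise into a standing search that also answers “where else do I see it”.  The following is an added example, not code from the original post and not Splunk’s own, written in plain Python so it runs anywhere; in Splunk the same logic would live in saved searches over the indexed data.  The log format, user and host names, and the single indicator (a documentation-range address) are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not real logs). BASELINE_LOGS: a few days of "normal"
# successful logins; NEW_LOGS: the day being analysed. The format is assumed.
BASELINE_LOGS = """\
2013-04-15T08:01:12Z auth user=alice host=ws-101 src=10.1.1.15 result=success
2013-04-15T08:03:44Z auth user=bob host=ws-102 src=10.1.1.16 result=success
2013-04-16T08:02:09Z auth user=alice host=ws-101 src=10.1.1.15 result=success
2013-04-16T09:15:30Z auth user=bob host=ws-102 src=10.1.1.16 result=success
2013-04-17T08:00:51Z auth user=alice host=ws-101 src=10.1.1.15 result=success
"""

NEW_LOGS = """\
2013-04-22T08:02:15Z auth user=alice host=ws-101 src=10.1.1.15 result=success
2013-04-22T02:14:03Z auth user=alice host=db-prod-01 src=10.1.1.15 result=success
2013-04-22T02:15:41Z auth user=alice host=db-prod-01 src=10.1.1.15 result=success
2013-04-22T09:30:00Z auth user=bob host=ws-102 src=10.1.1.16 result=success
2013-04-22T09:31:10Z proxy user=bob host=ws-102 dest=203.0.113.77 status=200
2013-04-22T09:31:12Z proxy user=bob host=ws-102 dest=198.51.100.5 status=200
"""

# Hypothetical indicator of compromise (documentation-range address, not real intel).
IOCS = {"203.0.113.77"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\w+)\s+(?P<kv>.*)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_lines(text):
    """Turn 'timestamp source key=value ...' lines into dicts; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = {"ts": m.group("ts"), "source": m.group("source")}
        event.update(re.findall(r"(\w+)=(\S+)", m.group("kv")))
        events.append(event)
    return events


def successful_logins(events):
    for e in events:
        if e["source"] == "auth" and e.get("result") == "success":
            yield e


def build_baseline(events):
    """Learn what each user has done before: which hosts, and at which UTC hours."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for e in successful_logins(events):
        hosts[e["user"]].add(e["host"])
        hours[e["user"]].add(datetime.strptime(e["ts"], TS_FMT).hour)
    return {"hosts": hosts, "hours": hours}


def find_anomalies(baseline, events):
    """'First seen' detection: a user on a host, or at an hour, absent from the baseline.
    Each (kind, user, value) is reported once, with the first timestamp it occurred."""
    findings, reported = [], set()
    for e in successful_logins(events):
        user = e["user"]
        hour = datetime.strptime(e["ts"], TS_FMT).hour
        # An unknown user gets an empty baseline set, so everything they do is "new".
        checks = (("new_host", e["host"], baseline["hosts"][user]),
                  ("new_hour", hour, baseline["hours"][user]))
        for kind, value, known in checks:
            key = (kind, user, value)
            if value not in known and key not in reported:
                reported.add(key)
                findings.append((kind, user, str(value), e["ts"]))
    return findings


def ioc_search(events, iocs):
    """The IOC turned into a standing search: every event whose src or dest matches."""
    return [(e["ts"], e.get("user"), e.get("host"), field, e[field])
            for e in events for field in ("src", "dest") if e.get(field) in iocs]


def hosts_to_investigate(anomalies, hits):
    """'Where else do I see it': the hosts both detection paths point at."""
    return {a[2] for a in anomalies if a[0] == "new_host"} | {h[2] for h in hits}


if __name__ == "__main__":
    baseline = build_baseline(parse_lines(BASELINE_LOGS))
    new = parse_lines(NEW_LOGS)
    anomalies = find_anomalies(baseline, new)
    hits = ioc_search(new, IOCS)
    for f in anomalies:
        print("anomaly", *f)
    for h in hits:
        print("ioc_hit", *h)
    print("investigate:", sorted(hosts_to_investigate(anomalies, hits)))
```

On the constructed data alice’s 02:14 login to db-prod-01 produces two weak signals (a host and an hour never seen for her), while bob’s proxy request is caught only by the indicator; the final set of hosts is what the “remediate” step above would start from.  A real baseline needs far more than a few days of data and a way to age it, or the first-seen check simply fires on every new starter.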

– Splunk Enterprise Security (2.4 released next week – 20-something April)

– Predefined normalisation and correlation, extensible and customisable

– F5, Juniper, Cisco, Fireeye etc all partners and integrated well into Splunk.

Move away from talking about security events to all events – especially with advanced threats, any event can be a security event.

I have a further meeting with some of the Splunk security specialists tomorrow so will provide a further update later.

Overall Splunk seems to tick a lot of boxes and certainly taps into the explosion of data we must correlate and understand in order to maintain our environment and spot subtle, intelligent security threats.

K


Gone to the dark side..

Of companies and operating systems.  As a long term Windows and Linux user with very little experience of Macs I recently made the move to the world of Apple.  While this is outside of the scope of my usual posts that tend to relate to enterprise security and architecture, I thought I would share as this is a pretty fundamental shift in my personal computing world.

I’m still not a fan of Apple as a company as I’m fundamentally against the whole ethos of locking people into a specific ecosystem with the clear intention of letting you only use that company’s products and making it very hard to shift away once all your music etc. is in iTunes / iWhatever.

However as a piece of hardware I totally love the MacBook Pro, and the retina screen is amazing.

First impressions of the O/S are that it is OK, I seem to be getting around alright, and the ability to drop to a Unix command line is a great help.  The multi-touch trackpad is excellent, as is the ability to use it to ‘right click’ on links etc., which is a great help!

So far I’ve installed Chrome, M$ Office for Mac, Parallels, VLC, a few utilities and photo editing software.

I’m also pleasantly surprised by the battery life, given that this is a fairly powerful i7 CPU, Nvidia graphics (with automatic switching to Intel) etc.  even with the screen reasonably bright, and running a couple of virtual machines it still lasts several hours on the battery.

Overall so far very impressed: amazing screen, excellent battery life, great performance even when running multiple VMs (I think in part due to the decent SSD), and all in a lovely, relatively lightweight aluminium package.  As mentioned, still not really a fan of Apple as a company, but then how many large profit driven businesses really care about anything other than maximising profit?  But I am a convert to the MacBook as a useful and great to use tool.

I’ll likely post the odd update during the year as I get more used to the O/S and start exploring the performance and features of the device.

K

Been a while.. and 2013 plans

I realised it has been getting on for three months since my last blog post.. Getting back into writing posts has been on my mind for a few weeks, but things in life have been extremely hectic recently!  Briefly life has involved getting engaged, planning a rather cool wedding and honeymoon, redecorating an entire house, and not to mention starting a new job.

Work wise I am now a Senior Security Architect for WorldPay which is pretty much exactly the role I have been aiming to get for some time.  As with most roles the first few weeks have been a hectic time of getting to know the company, policies and processes, people as well as rapidly picking up constructive work.

I thought I’d start this year’s blogs with an overview of some of my plans relating to work and learning for 2013.  Obviously as it’s now nearly the end of February I am using ‘start’ of the year fairly loosely!

So looking ahead for the year, what are my plans / projects for 2013?

1. Complete my Masters project;  Due to everything that has been happening I requested and have been granted an extension until May of this year to complete my project.  I have completed and passed the rest of my Masters, so this is the final piece between me and being awarded the postgraduate degree.  With continuing to get to grips with my new role and everything else that is going on, this will be a challenge, but something I need to complete.

2. Improve my knowledge of secure, always available multi-site data centre networking; Network security is one of my key focus areas, and this links nicely with the environment I am currently tasked with ensuring the security of.

3. Continue to lead and contribute to the Cloud Security Alliance Security as a Service working group.  This has become a major project for me that I have been leading for nearly a couple of years now.  This is another one that also ties in nicely with my WorldPay role as I will also be covering cloud security and strategy as one of my responsibilities.

4. Various smaller / side tasks including getting round to taking my TOGAF exam, attending various useful industry conferences such as RSA and Infosec (work budgets permitting of course), along with being successful in my new role and progressing at WorldPay.  This may of course lead to further projects this year depending on the tasks I need to achieve as part of my role, I’ll obviously keep you posted around any of these I can publicly discuss.

I’ll keep you all posted with my progress around these projects / tasks, along with other interesting things that happen during the year.  Here’s to a productive and interesting 2013.

K

Consumerism of IT..

I have recently been asked a few times, by multiple companies, for my thoughts on the trend for consumerism of IT, and more importantly what it means for IT departments.  This is likely due to consumerism being up there as one of what seem to be the top three buzz terms at the moment:

– Cloud

– Consumerism of IT

– BYOD (Bring Your Own Device)

Putting cloud to one side for a moment as I like to cover that separately, consumerism of IT and BYOD are to me very linked so let’s discuss them both together.

First I’ll briefly cover what consumerism and BYOD are, then in a subsequent post I’ll give my thoughts on their current and future impacts on IT (or ICT as is now becoming the more common term) departments.

What is Consumerism of IT?

– Consumerism of IT is concerned with the blurring of the lines between consumer and business IT devices.  Obvious examples include smartphones that can easily provide access to both personal and work emails from a single device, and tablet PCs such as the iPad that can be used for viewing and updating business presentations and emails along with consuming media and accessing the internet as a personal device.  The fact that devices like these have been driving change in the business world via their use as consumer devices is leading to the consumerism of IT.

What is BYOD?

– BYOD refers to the moves of some businesses / IT departments to allow users to bring their own equipment, such as a laptop, rather than using company owned laptops.  As an example, this is often part of a program where the company would provide a budget for the staff to purchase a laptop, with certain rules such as 3 year extended support must be bought; the staff would then be able to use the laptop as both their own personal device and as their business laptop.  This also often applies to other devices such as tablets and, most commonly, phones / smartphones.

While technically the two things can be taken in isolation it is the consumerism that aids BYOD in many circumstances – if smartphones couldn’t easily sync to business and personal email systems at the same time there would be limited desire from users to make use of a BYOD phone policy. However this ability enables users to carry a single rather than multiple phones so has obvious benefits to them while also offering business benefits such as lower costs and reduced management overhead.

K

Linus Torvalds interview on BBC website

Linux creator Linus Torvalds was recently awarded the Millennium Technology Prize by his home country of Finland.  Shortly before receiving the award he gave an interesting interview to the BBC titled:

Linus Torvalds: Linux succeeded thanks to selfishness and trust

The interview can be found on the BBC News website here:

http://www.bbc.co.uk/news/technology-18419231

K

Your smartphone is your PC!

Well nearly..

You can now run a full version of Ubuntu on your Android phone:

http://news.cnet.com/8301-1035_3-57424335-94/androids-new-ally-against-the-iphone-ubuntu/?tag=nl.e703

While phones are clearly not yet as powerful as laptops, they are becoming powerful enough to run standard productivity applications and web browsers etc which accounts for the majority of non gaming PC / Mac use.

This clearly marks a leap forward in that direction as well, allowing you to run what is in reality a fully fledged O/S with full versions of OpenOffice etc.

Plug your phone into a TV or monitor, use a Bluetooth keyboard and you are all set with a mini PC..

Luckily enough I’m about at the end of my current contract so will be swapping to an HTC One X in the near future.  I’ll download and give this mobile Ubuntu version a try then report back.

The future with your PC in your pocket, literally, is almost here!

K