Every eight minutes an organization reported a security incident in 2013, according to recent data from 50 CERTs, technology vendors, law enforcement agencies, and computer forensics organizations worldwide. It’s impossible to know how many incidents went unreported or, worse yet, undetected, but the true tally is certain to be significantly greater.
While the media has latched onto several high-profile security incidents, the publicity spotlight tends to distort what really happened to retailers who had done all the due diligence to prepare for and prevent such threats. What is the reality behind these high-profile events? Let’s balance them against a rational assessment of the broader facts, in the context of what we have seen when providing security assessments.
In December 2013, Target announced that it had fallen prey to a malware attack on its POS systems, resulting in the disclosure of 40 million debit and credit card details along with the names, addresses, email addresses, and phone numbers of up to 70 million customers. The attack appears to have taken place over a period of about 3 weeks between November and December 2013 – just 2 months after Target completed certification verifying compliance with the global standard for securing payment card information (PCI DSS).
Analysts have reported that attackers used a phishing attack to obtain the credentials of one of Target’s HVAC subcontractors, which they then exploited to burrow into Target’s corporate network and embed the malware in the POS systems. Although PCI standards require data to be securely encrypted in transit and in storage, the malware probably circumvented these measures by harvesting payment card data directly out of the memory of the POS terminals – the one place where it has to be decrypted for processing.
The Reality and Recommendation
As a large retailer dealing with millions of card payments a year, Target already had robust security infrastructure in place to protect its data and its customers. Indeed, post-incident commentary indicates that the attack triggered alarms in the security system on several occasions, but for reasons that remain unclear the alarms were overlooked until a government agency finally detected the breach and notified Target. (It is not uncommon for organizations to casually dismiss certain types of security alert because of high volumes of false positives, or simply for lack of the resources to investigate every alarm.)
The payment card industry (PCI) has almost completed its transition to “chip and PIN” technology, which will largely mitigate the effectiveness of this type of attack once merchants have upgraded the card readers attached to their POS systems.
On April 7, 2014, the Internet started buzzing with headlines heralding the most serious security incident ever seen, nicknamed Heartbleed. The name is a play on the word “heartbeat,” referring to the vulnerable mechanism used to keep Internet connections alive in the popular security software OpenSSL. Although most users had probably never heard of OpenSSL, more than two thirds of Internet sites use it to secure online browsing and transactions. Innumerable government organisations and private enterprises alike also use OpenSSL to secure remote access VPN connections, email, and various other online services. OpenSSL is even embedded within many popular network appliances, meaning that the true extent of this incident probably touches nearly every organization connected to the Internet.
The Heartbleed vulnerability allows an attacker to request random fragments of data from the server’s memory. This may not sound like much of a threat in itself, until you recognise that every username, password, credit card number, and any other sensitive data passing through the server sits in memory at some point. A patient attacker could simply run an attack that harvests small chunks of data all day and all night, and then mine the results for useful nuggets. The vulnerability crept into the software about two years ago and, to make matters worse, this attack leaves no forensic trail. In other words, organisations can determine whether they are vulnerable, but there is no way to know whether someone has exploited the vulnerability.
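To make the mechanism concrete, here is an added illustration (written for this post, not code from the article or from OpenSSL) of the missing check behind Heartbleed, using a simplified model of the RFC 6520 heartbeat message: the server echoes back as many payload bytes as the request claims, and the vulnerable handler never compares that claimed length with the size of the record it actually received. The function names, the "arena" that stands in for neighbouring heap memory, and the SECRET string are all constructed for the demonstration; the arena is sized so that the over-read stays inside it, whereas a real server reads whatever happens to lie beyond the record.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified TLS heartbeat message (RFC 6520): byte 0 is the type (1 = request),
 * bytes 1-2 are the sender-chosen payload_length (big-endian), then the payload,
 * then at least 16 bytes of padding. The receiver echoes payload_length bytes back. */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16
#define HB_REQUEST     1

/* Constructed stand-in for whatever happened to sit next to the record in the
 * server's heap: a credential string with no link to the request. */
static const char SECRET[] = "user=alice&password=hunter2";

/* VULNERABLE form: the claimed payload_length is trusted and the real record
 * length is never consulted, so the echo copies from beyond the record.
 * Returns the number of reply bytes written to out. */
size_t heartbeat_reply_vulnerable(const uint8_t *rec, size_t rec_len,
                                  uint8_t *out, size_t out_cap)
{
    (void)rec_len;                      /* the actual size is ignored */
    if (rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > out_cap) return 0;    /* reply buffer too small; not the bug */
    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return claimed;
}

/* HARDENED form: the record must really contain the claimed payload plus the
 * minimum padding; otherwise the message is silently discarded. */
size_t heartbeat_reply_fixed(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN) return 0;
    if (rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + claimed + HB_PADDING_LEN > rec_len) return 0; /* the missing check */
    if (claimed > out_cap) return 0;
    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return claimed;
}

/* Builds a constructed arena [request with payload "hi" + padding][SECRET],
 * lets the chosen handler answer a request claiming `claimed` payload bytes,
 * and returns how many bytes of SECRET ended up in the reply (reply size via
 * *reply_len if non-NULL). The arena is sized so the over-read stays inside
 * it; a real server reads whatever lies beyond the record. */
size_t run_heartbeat(int use_fix, uint16_t claimed, size_t *reply_len)
{
    uint8_t arena[256] = {0}, out[256];
    const size_t payload_len = 2;
    const size_t rec_len = HB_HEADER_LEN + payload_len + HB_PADDING_LEN;

    if (reply_len) *reply_len = 0;
    if ((size_t)claimed + HB_HEADER_LEN > sizeof arena) return 0; /* keep the demo in-bounds */
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + HB_HEADER_LEN, "hi", payload_len);  /* padding stays zero */
    memcpy(arena + rec_len, SECRET, sizeof SECRET);    /* neighbouring memory */

    size_t n = use_fix ? heartbeat_reply_fixed(arena, rec_len, out, sizeof out)
                       : heartbeat_reply_vulnerable(arena, rec_len, out, sizeof out);
    if (reply_len) *reply_len = n;
    size_t in_record = payload_len + HB_PADDING_LEN;   /* bytes the record really holds */
    if (n <= in_record) return 0;
    size_t beyond = n - in_record;
    return beyond < strlen(SECRET) ? beyond : strlen(SECRET);
}

/* Reply size alone, for callers that only want that number. */
size_t reply_size(int use_fix, uint16_t claimed) { size_t n; run_heartbeat(use_fix, claimed, &n); return n; }
```

Calling run_heartbeat(0, 45, NULL) shows the vulnerable handler returning all 27 bytes of the neighbouring secret, while run_heartbeat(1, 45, NULL) returns 0 because the hardened handler drops the over-long claim; nothing in the vulnerable server's own view of the exchange looks abnormal, which is why the text can say the attack leaves no forensic trail.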
The Reality and Recommendation
It is very difficult to protect against an unexpected vulnerability in a popular and well-respected security product. All organisations should by now have checked their systems for this vulnerability and applied the necessary patches. They should also revoke and replace any server security certificates present on vulnerable servers, and change passwords for all accounts present on vulnerable servers. As users, we should change our passwords on all affected Internet services (email, any website that requires a logon, etc.), but only after checking with the site administrator that the patch has been applied (otherwise an attacker might intercept the new password).
On May 20, 2014, eBay announced publicly that a cyber attack had compromised a database containing encrypted passwords and other non-financial data, including names, email and physical addresses, phone numbers and dates of birth of up to 145 million customers. The attack occurred between February and March 2014, when the attackers obtained the log-in credentials of a small number of employees, allowing them access to the corporate network.
While it appears that no financial data was leaked, the exposure of personally identifying information is still valuable to hackers, who can exploit these details either for identity theft or for further social engineering attacks. For example, many call centres rely on a customer providing their full name, address, and date of birth to verify the caller’s identity, allowing them to make account changes, obtain further information, or order products or services. Even more alarming is the potential for the attacker to break the password encryption, giving them usernames and passwords for 145 million consumers, many of which will have been re-used for other online services.
The Reality and Recommendation
Like Target, eBay is a responsible and tech-savvy organisation that has rigorous security infrastructure in place. It has yet to publish details of the exact attack mechanism, but the available information suggests that the attackers focused on the weakest link, which is almost always the human element. This serves as a reminder of the importance of educating staff about the threats that companies face, and reminding them how to avoid falling prey to them. It should go without saying that anyone with an account on eBay should immediately change their password, and do the same for any other service where they have used the same password.
Tough Luck or Easy Target: The Top 5 Threats
Each of these incidents attracted considerable media attention, but are they truly indicative of the current threats facing our customers? Drilling down into incidents reported in 2013 for certain key industries reveals the following top 5 threats:
1. Point of Sale (POS) Intrusion
A remote attack against card payment systems to capture payment card data. (This does not include physical tampering such as “card skimmers”). The attack on Target falls into this category.
2. Denial of Service
An attack intended to compromise the availability of a system or network, typically by creating a “traffic jam” by flooding a network connection with spurious traffic.
3. Cyber Espionage
Unauthorised access to a system that is either linked to state-affiliated actors, or exhibits the motive of espionage.
4. Web App Attack
An attack carried out through a web application – typically by exploiting vulnerabilities in the app or using credentials stolen from a valid user.
5. Insider Misuse
An incident knowingly perpetrated by a trusted party – typically either theft or exposure of proprietary information, or facilitating an attack by a third party.
Sound Advice: Constant Due Diligence
POS intrusions are clearly a high-priority threat for retailers, and as such they should pay close attention to keeping their POS network securely isolated, keeping all antivirus and system software up to date, and using network intrusion detection and analysis tools to detect anomalous network traffic coming from the POS system. (A POS attack requires the attacker to somehow collect the harvested data, and it is this traffic that triggered internal alarms at Target.)
A holistic security strategy must also encompass user education to recognise and avoid falling prey to scammers and social engineers, as even the strongest fortifications will fail if you can trick someone into handing over a key to the door.
Motorola Solutions helps retailers to establish and maintain security through a range of services including PCI compliance planning and security assessment, network design, implementation, and management services. With these provisions in place, retailers can feel more confident in protecting customer data and their networks now and in the future.
Simon Fennen is Asia-Pacific and Middle East Region Professional Services Delivery Lead, Motorola Solutions.
Learn more about WLAN Management and Security Software from Motorola Solutions.
Why setting a mobility strategy is vital
Many businesses are faced with an increasingly connected global marketplace where new business processes are needed to better fulfill their customers’ expectations. With tremendous pressure to increase customer value, the ability to remain connected is a clear competitive advantage. Mobile technology often plays a pivotal role in this transformation, where mobile computers and applications can help engage, enlighten, and evolve new opportunities with customers, partners, and employees.
Yet despite the imperative to embrace mobility, a recent study from the IBM Institute of Business Value reports that more than half of the organizations surveyed have no mobility strategies in place. Nevertheless, around 90% of global organizations plan to sustain or increase their investment in mobile technologies during the next 12 to 18 months.
Adding to the already complex nature of mobile initiatives is the speed at which technology is evolving. With bring your own device (BYOD), the internet of things (IoT), cloud computing, mobile applications, big data and analytics, technology is changing every day. This creates the demand for careful planning, design, and governance to provide a solid technology roadmap that will guide long term goals. Failure to establish and execute against a comprehensive mobility strategy can undermine the future of a business – leading to departmental technology silos and disrupting the potential for future upgrades to keep pace with new developments.
The Strategy Canvas: Everyone is in the Game
With such a technology decision at stake, it is no wonder that everyone from consulting companies to hardware providers is offering tailored services to work with customers on their mobility strategy. From mobility concept to implementation, many consulting firms have established new mobility consulting services. When you take a look at how these firms compare, it becomes clear that many of these companies fall into two categories:
• Those that capture the current state of the known market space. This allows players to clearly see the factors on which the industry competes and where the competition currently invests.
• Those that look at the future state of the market space, by reorienting focus from existing technology to alternatives, and from the best practices of the mobile technology space.
This diagram, or “strategy canvas,” outlines the companies competing for consulting dollars. Those that focus on mobility, like Motorola Solutions, Cisco, and Honeywell, face direct competition not only from technology companies like HP, Capgemini, and Accenture, but also from the core consulting companies like PwC and Deloitte, which have customized offerings for mobility strategy. Consulting companies will give a good vision on strategy, but mobility companies can offer end-to-end mobility consulting not just for planning but for the implementation and post-implementation phases. They definitely have an edge over others in partnering with customers for their holistic needs in the mobility space.
What is a Good Mobility Strategy?
Most companies consider mobility strategy an extension of their information technology needs. However, this approach is not a long-term solution, and it can lead to higher operating costs as the organization’s mobility needs evolve. Over time, the proliferation of silos of applications and incompatible hardware and software creates ongoing support legacies. For example, many hospitals are currently adopting BYOD for clinicians, but haven’t considered options for data capture to enhance workflow. Many logistics companies are looking for speed and accuracy by deploying mobility devices but have not thought through process reengineering prior to automation.
Mobility strategy should be viewed as a practice involving the ongoing alignment of user needs, business goals, and evolving mobility technologies. It is the plan by which we intend to achieve a major outcome, which includes the people, process (workflow), tools, etc. intended to be used. Further, a mobility strategy must be flexible enough to adapt to meet user expectations today, while able to leverage new technologies in the future.
According to the IDC Mobile Enterprise & Professional Services survey, more than 40% of U.S. enterprises are either exploring a mobility road map & strategy or are looking to do so within the next 2 years. Many businesses are already actively building their mobile strategies, raising the bar for the rest and creating increasing pressure to develop a portfolio of mobility capabilities or risk falling behind market trends. Organizations that are left behind are sure to get shut out by their competitors who are stepping up to the challenge.
Everyone is Visioning: Current Market Analysis
Top consulting firms and IT companies are defining customized offerings for mobility strategy planning via focused workshops. A “Visioning Event” is a common term used in quality management consulting to define and agree on a prioritized plan of action. Such workshops typically range from one to five days, not including the research and preparation to provide the required inputs, and yield the basis of a mobility strategy and investment plan that has the full support of the executive team.
Motorola likes to think of a Visioning workshop as a collaborative process to drive alignment between stakeholders and establish priorities to achieve a future state vision for mobility. The methodology is based on a holistic framework that helps drill down from concept, to priority, to architecture, to work plan, homing in on the value to be achieved.
In my experience, a collaborative approach helps customers build a unified strategy in scenarios where they are paralyzed by conflicting demands of disparate business units, and where they fail to achieve their full potential as their disparate business units pursue independent strategies.
The good news is that, as part of the Motorola Solutions Professional Services team, I have seen how a well-defined portfolio can alleviate these issues and progressively align with the customer’s business lifecycle. MSI’s 6-step process can help go beyond immediate mobility needs and plan for the future.
Archana Paralkar is a mobility assessment & visioning workshop practice lead with Professional services, Motorola Solutions.
To find out more about how Mobility assessments & visioning workshops can yield value for your business, please feel free to contact Archana directly at email@example.com.
AppForum 2014 is back by popular demand, and of course you and your team want to attend. But standing between you and an all out appfest with the industry’s crème de la crème is the bane of your existence, that ever-growing hurdle that can stop an excellent idea before it even gets off the white board: Manager Approval.
Since AppForum 2014 is rapidly approaching, we’re offering a way to make it easy for you to get the A-OK on attending. Below is a ready-made conference request template for your cutting and pasting pleasure. It highlights the not-to-be-missed aspects of AppForum 2014 so that the power behind the corporate purse can easily see the value that your company will receive in exchange for letting the app developers loose from the office for three days.
Go ahead and revise the following email template as you deem necessary . . .
"Oh Exalted One,
The company’s application developers are hearing good things about AppForum 2014 and seek your permission to attend this event in Schaumburg, Illinois. First off, AppForum 2014 is FREE. There is no cost at all to register and attend. Plus, if we register now, we can enter for a chance to win two nights FREE at the Renaissance Schaumburg conference hotel, plus paid travel expenses up to $350. We are talking about a truly minimal financial outlay for the entire team to attend.
AppForum 2014 also offers incredible learning opportunities. You know how critical it is for the team to keep current on the most recent innovations. At AppForum 2014 industry-renowned app developers will lead sessions about the latest game-changing technologies, especially Android and RhoMobile. There is no better way for our team to explore the direction that industry trends are taking and determine the next best thing we should all be thinking about.
The team is also champing at the bit to enter the overnight HackaThon. Those so-called app developers over at [INSERT THE NAME OF YOUR RIVAL COMPETITOR HERE] have thrown down the gauntlet, and we are keen to teach them all a well-earned lesson about superior brain power and teamwork. HackaThon winners get a Parrot AR.Drone 2.0 Elite Edition, which is a totally sweet grand prize. We’d love the chance to win the drone as we beat the socks off our competitors.
In addition to a slew of learning sessions on a variety of topics, AppForum 2014 is also offering a Boot Camp for app developers. All of us could use a refresher on the basics, and the team n00bs can gain a deeper understanding of Android, RhoMobile and Microsoft development.
AppForum 2014 will also give the team a chance to connect with the developer community outside the four walls of the office. It lets us get out from behind the screen to hear about other developers’ tips and tricks, and about the tools and technologies that they use. We also hear that Bruce Willins, Joe White, Mark Kirstein, and Chuck Bolen will all be at AppForum 2014; we’d all benefit from even five minutes with any one of these industry thought leaders.
Since AppForum 2014 is right around the corner (Sept. 8-10), we would appreciate receiving approval at your earliest opportunity.
Many thanks for your consideration,
[INSERT YOUR NAME/TEAM HERE]"
Do yourself a favor—use this letter template and secure permission to attend AppForum 2014 so you can register today. Perhaps the boss will even decide to join you . . .
Ritesh Gupta is Senior Manager of worldwide Technical Operations at Motorola Solutions.
Need further convincing? Read the Top 5 Reasons to Attend AppForum 2014 here.
This is the fifth in a series of blogs discussing technologies and trends in voice picking and multi-modal warehousing solutions.
Voice-Plus multi-modal devices are helping warehouse professionals bring the productivity gains of voice recognition technology to a widening range of applications.
Over the last few years, it’s been my observation that picking productivity has been significantly improved by voice direction and recognition technology that enables workers to communicate interactively with the Warehouse Management System (WMS). Study after study confirms that voice technology has made a significant impact on warehouse productivity. This is especially true in hands-free, voice-driven piece-picking and replenishment processes. By and large, most voice recognition users are satisfied with the value voice picking technology has helped them unlock in their warehouse operations. According to a recent Aberdeen Group report, approximately 80 percent of voice users plan on continuing to use and/or enhancing their voice technologies.
The Benefits of Voice
In the beginning of the voice recognition era, voice-aided order picking was the hot button. With wearable voice technology, workers could be directed to exact locations, told exactly what items to pick, verbally verify their actions, and were then directed to the next location. Empowering workers with wearable mobile computers with optional voice direction capabilities helped drive an increase in productivity, accuracy and ultimately ROI.
But because they were focused primarily on purely voice-driven order picking, first-generation voice devices were mostly computers dedicated to speech alone. Typical devices had no screen, no scanner interface, and no keyboard, which limited the range of workflows that early voice-directed solutions could support. Furthermore, speech recognition technology was adopted mostly for, and suited specifically to, piece-related processes, as opposed to carton- or pallet-related activities.
Despite these issues, warehousing professionals were understandably eager to add the productivity benefits of voice recognition hardware and software to other processes, especially those that required identification and data capture that could be transported directly to the WMS. A study by Voice Information Associates (VIA) projects an annual 30% increase in the use of voice for non-picking applications between 2010 and 2017, which significantly outpaces the growth projected for voice picking alone over the same period.
There was also another consideration driving new requirements for the next generation of voice solutions: the desire for shared devices. In a modern and uber-efficient warehouse, the same devices are often used for different functions from shift to shift. Rather than purchase devices dedicated to a single modality like speech recognition for picking and then a different set of devices for cycle counting and put-away, companies wanted single multi-modal devices that could perform different tasks and run multiple software applications, depending on when and how they are being used.
The solution is today’s new class of versatile “voice-plus” multi-modal devices, now available in many different form factors. Using these devices, workers can effortlessly move across a wide range of processes that include replenishment, receiving, put-away, quality assurance, trailer loading and many more, whether within a single shift (in the case of task interleaving) or across multiple shifts. Furthermore, the new multi-modal devices are designed not only for piece-level activities but also to enable the growing movement toward pallet-level activity, including significant time spent in forklift cages. Available in wearable, handheld and vehicle-mounted form factors, these devices combine the efficiency of voice-recognition hardware and software with the scanners, screens and keyboards needed for fast, flexible, accurate data capture and reporting.
Lower TCO, Higher ROI
The bottom-line benefits of upgrading from voice-only devices to voice-plus devices are substantial. The ability to use a single device for multiple purposes beyond voice picking alone can significantly lower total cost of ownership, which combines with the productivity gains of multi-modal technology to increase ROI. So when the question is “Should voice-recognition technology be left to its own devices in the warehouse?”, the answer is: not anymore.
Mark Wheeler is the Director of Supply Chain Solutions - North America for Motorola Solutions.
Read other blogs by supply chain expert Mark Wheeler.
Are you ready to pick a new direction now? Motorola Solutions is ready to help you improve your operation.