Tag Archives: cloud services

Scammers Taking Advantage of Google

Some 500 million people use Gmail and Google Drive. I’m one of them.

Gmail and Google Drive are wonderful for communicating and collaborating. But it turns out they’re also ideal tools for hacking into your computing device.

Bad guys on the cutting edge have discovered this. And their success so far indicates attacks manipulating Google’s productivity platform, and similarly exploiting other popular cloud-based business tools, are destined to progress.

This development should not come as a big surprise. Cyber criminals are quick to recognize fresh opportunities created by our headlong rush to use cloud services and mobile devices without giving due consideration to security and privacy.

Intelligence about the latest iteration of hacking comes courtesy of security startup Elastica.

Flying under the radar

Researchers at Elastica this summer discovered scammers using Gmail accounts to send messages crafted to fool recipients into downloading corrupted PowerPoint presentations stored on Google Drive. Scammers were thus able to slip the malicious PowerPoint file past malware detection filters.


Another tactic discovered by Elastica involved scammers opening free Gmail accounts from which they sent out spoofed messages tricking recipients into visiting a website they controlled that was hosted on Google’s own servers. Because the bad guys’ website was hosted on Google servers, it was deemed trustworthy, making it easier for them to trick visitors into divulging account logons.

Any hacker can tell you that once you get someone to download a corrupted file, or get them to navigate to a website you control, the rest is comparatively easy. At that point, the target is a half-step away from being owned.

Keys to the (data) kingdom

“In the cloud environment, the username and password become all-powerful; almost all these applications use some sort of username and password as a way to get in,” says Eric Andrews, Elastica’s marketing vice president. “Once you have that, you can do anything you want. You can get all the data. You can get all the files. So a lot of these attacks that are going at the cloud apps are all about trying to get somebody’s username and password.”

These fresh hacking opportunities are being presented not just by Google but by each and every one of the most popular cloud-based email, productivity tools, file-sharing and customer-relationship tools.

“Office365, Dropbox, Salesforce, all of these apps are very, very convenient and have a lot of great business utility,” Andrews says. “But there is this kind of lurking concern. You don’t really know if your company’s data is safe. You don’t know if other people can get to it. This move to the cloud really has a fundamental ripple effect through all security functions.”

Gmail more widely used

In abusing Google’s services, cyber criminals are taking advantage of the fact that Gmail has become a de-facto backup email throughout the business world. It is widely used by well-intentioned workers, in companies of all sizes, who are hustling to work more productively.

No one is surprised anymore to receive an email from the private Gmail account of a supervisor, colleague, partner or customer, or even an administrative message from Google. A trust exists. And this creates a perfect environment for spoofing.

Likewise, free or cheap Google Drive file storage makes for a perfect repository to set up phishing attacks and distribute malicious web links.

In a case recently dissected by Elastica, the bad guys sent phishing emails out to victims who they guessed would have an interest in controversies surrounding Tibet’s Dalai Lama. The enticement: Click to a link to a corrupted PowerPoint presentation hosted on Google Drive.

Aditya Sood, chief architect at Elastica’s Cloud Threat Labs, describes how the social engineering aspect of the attack then unfolds:

“There are no attachments in the email. Basically, it’s just a direct link to the Google cloud service, which hosts the PowerPoint presentation. When the user retrieves that link, the user won’t be able to view this PowerPoint presentation. So the user then is going to download that file onto the local machine. Once the user opens it on his local machine, the PowerPoint presentation actually extracts two files. One, the INF file, contains a launch code for the second, a GIF file. The GIF file downloads malware to the end user system.”

Gmail and Google Drive are powerful, flexible, reliable, easy-to-use and free. Yet, it turns out that these are the very characteristics that make them ideal tools for cyber criminals to infect computers. In essence, the bad guys are simply adapting infection techniques that proved highly effective in the desktop environment to the new opportunities presenting themselves in the cloud environment.

These bad guys no longer have to trouble themselves with creating malicious email attachments, nor do they have to worry as much about spreading tainted Web links that can be quickly detected and blacklisted. And as long as the trust remains high in Gmail, Google Drive, Office 365, Salesforce and other top cloud services, social engineering trickery remains easier than it really ought to be.
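A mail gateway can still triage these messages even when every link points at a trusted host. The script below is an added example written for this page; it is not code from the article or from Elastica. It parses a few constructed sample emails and scores the signals the post describes: a free-webmail sender whose display name matches an internal colleague, a link to Google-hosted content that resolves to a downloadable file rather than a shared document, and credential-request wording on a page hosted under a Google domain. The host list, the staff directory, the phrase list and the `uc?export=download` direct-download URL form are all assumptions to be adapted to your own environment.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

# Hosts the post describes as abused for lure hosting (Google Drive, Google-hosted
# pages, Dropbox). Assumed list; extend it to match the services your staff use.
CLOUD_HOSTING_HOSTS = {
    "drive.google.com", "docs.google.com", "sites.google.com",
    "storage.googleapis.com", "www.dropbox.com", "dropbox.com",
}
FREE_WEBMAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "yahoo.com"}
# Assumed staff directory of the defending organisation (constructed names).
INTERNAL_DIRECTORY = {"alice chen", "bob okafor", "carol diaz"}
# File types the post's scenario delivers through a Drive link (assumed list).
DOWNLOAD_EXTENSIONS = (".ppt", ".pptx", ".pps", ".ppsx", ".zip", ".exe", ".scr")
CREDENTIAL_PHRASES = ("verify your account", "confirm your password",
                      "sign in to continue", "update your login")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample messages; none of these is a real email.
SAMPLE_EMAILS = {
    "drive_lure": (
        "From: Alice Chen <alice.chen.backup@gmail.com>\n"
        "To: bob.okafor@example.com\n"
        "Subject: Dalai Lama controversy briefing\n\n"
        "Slides are on my Drive, download to view:\n"
        "https://drive.google.com/uc?export=download&id=CONSTRUCTED_FILE_ID\n"
    ),
    "credential_lure": (
        "From: Google Support <accounts-notice@gmail.com>\n"
        "To: bob.okafor@example.com\n"
        "Subject: Action required\n\n"
        "Please sign in to continue and verify your account:\n"
        "https://sites.google.com/view/constructed-login-page\n"
    ),
    "benign_share": (
        "From: Bob Okafor <bob.okafor@example.com>\n"
        "To: alice.chen@example.com\n"
        "Subject: Q3 roadmap doc\n\n"
        "Draft is here, comments welcome:\n"
        "https://docs.google.com/document/d/CONSTRUCTED_DOC_ID/edit\n"
    ),
    "plain": (
        "From: Carol Diaz <carol.diaz@example.com>\n"
        "To: bob.okafor@example.com\n"
        "Subject: Lunch?\n\n"
        "Noon at the usual place?\n"
    ),
}


def body_text(msg):
    """Return the text/plain content of a parsed message as one string."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True).decode("utf-8", "replace")
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(parts)
    return msg.get_payload(decode=True).decode("utf-8", "replace")


def score_message(raw):
    """Score one RFC 822 message; returns (verdict, score, reasons)."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    score, reasons = 0, []

    # Signal 1: a free-webmail account presenting a known colleague's name.
    if sender_domain in FREE_WEBMAIL_DOMAINS and display_name.strip().lower() in INTERNAL_DIRECTORY:
        score += 2
        reasons.append("free-webmail sender impersonating internal name")

    text = body_text(msg)
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = parsed.netloc.lower()
        if host not in CLOUD_HOSTING_HOSTS:
            continue
        # Signal 2: content hosted on a trusted cloud service (weak on its own).
        score += 1
        reasons.append(f"link to cloud-hosted content: {host}")
        # Signal 3: the link hands the user a file instead of an in-browser view.
        if parsed.path.lower().endswith(DOWNLOAD_EXTENSIONS) or \
                "download" in parse_qs(parsed.query).get("export", []):
            score += 1
            reasons.append("cloud link points at a downloadable file")

    # Signal 4: wording that asks for a logon, the goal Andrews describes.
    if any(p in text.lower() for p in CREDENTIAL_PHRASES):
        score += 2
        reasons.append("credential-harvesting language")

    verdict = "quarantine" if score >= 3 else "review" if score >= 1 else "pass"
    return verdict, score, reasons


def triage_all(samples=SAMPLE_EMAILS):
    """Score every sample; returns {name: (verdict, score, reasons)}."""
    return {name: score_message(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (verdict, score, reasons) in triage_all().items():
        print(f"{name:16} {verdict:10} score={score} {reasons}")
```

A legitimate internal share of a Google Doc lands in "review" rather than "pass", which is deliberate: the post's point is that the hosting domain alone tells you nothing, so a cloud-hosted link is a weak signal that only becomes decisive when combined with a spoofed sender, a direct file download or a request for credentials.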

“Attackers don’t have to invest too much time or money in gaining credentials or compromising servers to attack people,” Sood says. “They simply create one Gmail account and then, basically, abuse the Google publishing functionality.”

How Much Cyber Risk Should You Take?

I have been spending a fair amount of time over the last few months, talking and listening to board members and advisers, including industry experts, about cyber risk.

A number of things are clear:

  • Boards, not just those members who are on the audit or risk committee, are concerned about cyber and the risk it represents to their organizations. They are concerned because they don’t understand it – and the actions they should take as directors. The level of concern is sufficient for them to attend conferences dedicated to the topic rather than relying on their organizations.
  • They are not comfortable with the information they are receiving on cyber risk from management – management’s assessment of the risk that it represents to their organization; the measures management has taken to (a) prevent intrusions, (b) detect intrusions that got past defenses and (c) respond to such intrusions; how cyber risk is or may be affected by changes in the business, including new business initiatives; and, the current level and trend of intrusion attacks (some form of metrics).
  • The risk should be assessed, evaluated and addressed, not in isolation as a separate IT or cyber risk, but in terms of its potential effect on the business. Cyber risk should be integrated into enterprise risk management. Not only does it need to be assessed in terms of its potential effect on organizational business objectives, but it is only one of several risks that may affect each business objective.
  • It is impossible to eliminate cyber risk. In fact, it is broadly recognized that it is impossible to have impenetrable defenses (although every reasonable effort should be made to harden them). That recognition mandates increased attention to the timely detection of those who have breached the defenses, as well as the capability to respond at speed.
  • Because it is impossible to eliminate risk, a decision has to be made (by the board and management, with advice and counsel from IT, information security, the risk officer and internal audit) as to the level of risk that is acceptable. How much will the organization invest in cyber compared with the level of risk and the need for those same resources to be invested in other initiatives? The board members did not like to hear talk of accepting a level of risk, but that is an uncomfortable fact of life – they need to get over it and deal with it!

The National Association of Corporate Directors has published a handbook on cyber for directors (free after registration).

Here is a list of questions I believe directors should consider. They should be asked of executive management (not just the CIO or CISO) in a session dedicated to cyber.

  1. How do you identify and assess cyber-related risks?
  2. Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of IP, compliance risk and so on) and not just “IT-risk”?
  3. How do you evaluate the risk to know whether it is too high?
  4. How do you decide what actions to take and how much resource to allocate?
  5. How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
  6. How do you assess the potential risks introduced by new technology? How do you determine when to take the risk because of the business value?
  7. Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
  8. How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
  9. Can you respond appropriately at speed?
  10. What procedures are in place to notify you, and then the board, in the event of a breach?
  11. Who has responsibility for cybersecurity, and do they have the access they need to senior management?
  12. Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce risks by signing up for new cloud services?

I welcome your thoughts, perspectives and comments.

How Not to Innovate (and How to): IBM v. Facebook, Amazon

You don’t often see a CEO squash a great quarter with an analyst call script designed to batter his company’s stock price. Yet, that’s what Mark Zuckerberg recently did—to his great credit.

One of the biggest challenges for public companies is to make investors prioritize long-term value over short-term profits. So, rather than running a victory lap after beating Wall Street’s expectations for the third quarter, Zuckerberg laid out a long-term strategy that drove loads of investors away.

To understand why this was a smart move, look at Amazon.com and IBM.

Few CEOs have been more audacious than Amazon CEO Jeff Bezos in managing Wall Street. Bezos told investors 17 years ago, “It’s all about the long term. . . . Our goal is to move quickly to solidify and extend our current position while we begin to pursue the online commerce opportunities in other areas…. We will continue to make investment decisions in light of long-term market leadership considerations rather than short-term profitability considerations or short-term Wall Street reactions.”

Bezos has, ever since, eschewed profitability to invest in—and deliver—innovation and growth in ever-expanding retail categories and adjacent markets, including tablets, phones, original content and cloud services.

In return, Amazon attracted investors who believed in his long-term time horizon, as evidenced by Amazon’s astronomical price-to-earnings-ratio and a market cap that stands at nearly $140 billion. Amazon’s costs have risen to eat up all revenues — but the stock price has rocketed.

At some point, Bezos will have to deliver profits commensurate with Amazon’s scale, but, for now, investors continue to give him wide latitude to invest for the long term.

Contrast Bezos’ approach with that of his counterparts at IBM. In 2006, IBM CEO Sam Palmisano told investors that IBM would focus on earnings per share, ahead of growing IBM’s business. Palmisano’s rationale, as he recently told Harvard Business Review, was that IBM was a “mature business” that needed to respond to the demands of shareholders who “wanted more margin expansion and cash generation than top-line growth.” Palmisano dubbed his plan Roadmap 2010 and committed to increase earnings per share from $6 to $10 by 2010. In return, IBM amassed like-minded investors who drove up IBM’s share price in lockstep with earnings growth. Roadmap 2010 was so successful with investors that Palmisano and his successor, Ginni Rometty, doubled down on it with Roadmap 2015—which called for IBM to deliver $20 per share by 2015.

While investors loved them, Roadmaps 2010 and 2015 took IBM far off course in meeting the needs of its customers and employees. The problem is that while IBM might well be a mature company, it competes in an industry that was far from mature in 2006, and is even less mature today. Rather than accepting old age, IBM needs to be as agile as startups and growth-minded goliaths—like Amazon. But Palmisano and Rometty locked IBM into a set of investors and expectations that left less and less room for agility.

Rather than staying on top of the rapid advances in information technology products and services redefining its industry—and every one of its target markets—IBM management had to focus on financial and business reengineering to increase earnings for its investors, as promised.

One industry insider summed up IBM’s predicament this way: “They are paying the price for moving to services—which was smart—but not investing in the fundamentals to support services, e.g., recruiting, training, staffing, etc. They kept their earnings afloat by financial engineering, such as loading up on debt to fund buybacks.”

IBM paid a high price for not innovating. It suffered declining revenues for the last 10 quarters—to the point where Rometty had to abandon Roadmap 2015.

The superiority of Amazon’s long-term market leadership approach over IBM’s short-term profitability considerations is evident in the two giants’ battle over cloud services.

Who could have imagined in 1997 that one of the next big things in IT services would be cloud services, and that Amazon would be the dominant player in that space? If anyone should have foreseen and owned the cloud, it should have been IBM—given its deep client relationships and long history of running data and networking centers for corporate clients.

Yet, BusinessWeek estimates that Amazon Web Services is one of the fastest-growing software businesses in history:

The growth of Amazon’s cloud business is unprecedented, at least when compared to other business software ventures. It’s grown faster after hitting the $1 billion revenue mark than Microsoft, Oracle, and Salesforce.com. You would need to turn to Google—which had the advantage of the vast consumer market—to find a business that grew faster.

Amazon has also vanquished IBM in head-to-head competition, including for a high-profile 10-year, $600 million contract for cloud services to the CIA.

What’s more, Amazon’s initial success has drawn other deep-pocketed competitors like Google and Microsoft. The resulting price war might have more dire consequences for IBM, which does not have Amazon’s long-term investment flexibility.

So, when Zuckerberg prepared for his recent earnings call, he could have easily crafted a story that short-term investors would have loved. Facebook beat expectations for both top-line revenue and bottom-line profits. It also made great strides in showing that it would dominate in the mobile space—a transition about which many observers (including me) had been skeptical. Facebook’s share price would surely go for a nice ride if Zuckerberg simply focused on monetizing his social network.

Instead, Zuckerberg took a page from Bezos’ playbook and laid out five and 10-year visions with aspirations far beyond the core Facebook network. He told investors that he would build a series of other billion-user products—before starting to monetize them. What’s more, he said that Facebook would build the next major computing platform, which he believes will revolve around augmented reality. And he made it clear that this vision required significant investment and that, like Bezos, he would prioritize long-term market leadership over short-term profitability: “We’re going to prepare for the future by investing aggressively.”

The subsequent drop in share price meant that a lot of investors got the message, and left.

Zuckerberg still needs to deliver on his long-term strategy. But he left little doubt about his intentions and made sure that his investors were working on the same assumptions. That’s smart.

Analytics at the Next Level: Transformation Is in Sight

Although insurance companies are embracing analytics in many forms to a much higher degree than other businesses, adoption by the insurance industry is still only in its adolescent stage. Deployment is broad but inconsistent. The use of analytics may be about to mature considerably, though, based on a recent series of mergers and acquisitions.

Currently, while a majority of large carriers use predictive modeling in one or more lines of business, and mostly in personal lines auto, a smaller percentage use it in their commercial auto and property units. Insurers recognize predictive analytics as a critical tool for improving top-line growth and profitability while managing risk and improving operational efficiency. Insurers believe predictive analytics can create competitive advantage and increase market share.

Fueling even greater excitement – and soon to be driving transformational innovation – is the recent surge of M&A activity by both new and nontraditional players, which have combined risk management and sophisticated analytics expertise with robust and diverse industry database services. The list of recent deals includes:

  • CoreLogic’s 2014 purchase of catastrophe modeling firm Eqecat, following its 2013 acquisition of property data provider Marshall & Swift/Boeckh; a significant minority interest in Symbility, provider of cloud-based and smartphone/tablet-enabled property claims technology for the property and casualty insurance industry; and the credit and flood services units of DataQuick.
  • Statutory and public data provider SNL Insurance’s 2014 purchase of business intelligence and analytics firm iPartners, which serves P&C and life companies.
  • Verisk Analytics’ 2014 acquisition of EagleView Technology, a digital aerial property imaging and measurement solution.
  • LexisNexis Risk Solutions’ 2013 acquisition of Mapflow, a geographic risk assessment technology company with solutions that complement the data, advanced analytics, supercomputing platform and linking capabilities offered by LexisNexis.

Other 2013/2014 transactions that have broad implications for the insurance analytics and information technology ecosystem include:

  • Guidewire Software, a provider of core management system software and related products for property and casualty insurers, acquired Millbrook, a provider of data management and business intelligence and analytic solutions for P&C insurers.
  • IHS, a global leader in critical information and analytics, acquired automotive information database provider R.L. Polk, which owns the vehicle history report provider Carfax. 
  • FICO, a leading provider of analytics and decision management technology, acquired Infoglide Software, a provider of entity resolution and social network analysis solutions used primarily to improve fraud detection, security and compliance.
  • CCC Information Services, a database, software, analytics and solutions provider to the auto insurance claims and collision repair markets, acquired Auto Injury Solutions, a provider of auto injury medical review solutions. This transaction follows CCC’s acquisition of Injury Sciences, which provides insurance carriers with scientifically based analytic tools to help identify fraudulent and exaggerated injury claims associated with automobile accidents.
  • Mitchell International, a provider of technology, connectivity and information solutions to the P&C claims and collision repair industries, plans to acquire Fairpay Solutions, which provides workers’ compensation, liability and auto-cost-containment and payment-integrity services. Fairpay will expand Mitchell’s solution suite of bill review and out-of-network negotiation services and complements its acquisition of National Health Quest in 2012.

Based on these acquisitions and the other trends driving the use of analytics, it will be increasingly possible to:

  • Integrate cloud services, M2M, data mining and analytics to create the ultimate insurance enterprise platform.
  • Identify profitable customers, measure satisfaction and loyalty and drive cross/up-sell programs.
  • Capitalize on emerging technologies to improve pool optimization, create dynamic pricing models and reduce loss and claims payout.
  • Encourage “management by analytics” to overcome departmental or product-specific views of customers, update legacy systems and reduce operating spending over the enterprise.
  • Explore external data sources to better understand customer risk, pricing, attrition and opportunities for exploring emerging markets.

As the industry is beginning to understand, the breadth of proven analytics applications and the seemingly unlimited potential to identify even more, coupled with related M&A market activity that will drive transformational innovation, indicates that the growing interest in analytics will be well-rewarded. Those that are paying the most attention will become market leaders.

Stephen will be Chairing Analytics for Insurance USA, Chicago, March 19-20, 2014.

Insurers Rearm To Fight Professional Fraudsters

Many insurers are redesigning their strategies to deliver systems that forestall attempted fraud, adapt to changing fraud techniques, and are applied at all points of interaction between a policyholder and an insurer. This change is driven by the alarming increase in professional fraud networks in the last five years and the realization that an effective fraud strategy can provide a competitive advantage in the currently very difficult market conditions.

A number of technologies have now matured to a level where, when used in combination, they offer insurers highly effective means of detecting and preventing even the most sophisticated fraud schemes. As a result, these technologies—which include predictive analytics, link analysis, text mining, in-memory database, and cloud services—will become significant areas of investment for insurers during the next 12–24 months.

A recent Ovum report, Tackling Insurance Fraud, discusses the reasons behind the increased focus on insurance fraud and explains how a range of technologies can be applied to implement a comprehensive and effective insurance fraud system.

Professional fraudsters use sophisticated schemes—such as staged or induced auto accidents, life insurance owned by strangers, or false hit-and-run claims—to illegally obtain significant sums from insurers. Professional fraud schemes often involve complex networks of criminal players within medical services providers, auto repair centers, hospitals, insurance agents, or even insurance companies. The volume of organized professional fraud is low in comparison with that of opportunist fraud by amateurs, but the sums being claimed illegally by an individual group can amount to many tens of thousands of dollars and, in some cases, millions.

The vast majority of insurers have already invested, to some degree, in fraud technology. Although this investment has delivered benefits, it has tended to take a piecemeal approach. Investment is usually focused only on the claims phase. Technology used today is generally not sufficient to address the growing problem of professional insurance fraud.

The continued fragility of many developed economies means that insurance markets will remain extremely competitive for at least the next 36 months, with only muted premium growth, limited room for rate increases, and investment returns that will remain volatile. So, insurers are urgently seeking ways to significantly and sustainably reduce both administration and claims costs. As claims payments typically account for 80% of an insurer's costs (excluding administration costs), reducing them by decreasing the level of fraudulent payouts can have a significant impact on a carrier’s cost base and margins.

With the Association of British Insurers (ABI) estimating that fraud currently adds approximately £50 to each auto policy, an effective fraud strategy can drive significant competitive advantage in a tough market by allowing insurers to reduce premium levels. An effective fraud strategy can also bring additional service benefits. In particular, simplifying and expediting the processing of legitimate claims increases the likelihood that a policy-holder will renew a policy.

There is no single “silver bullet” technology that can fully address the issue of complex insurance fraud. However, technology areas such as predictive analytics, text mining, link analysis, in-memory databases, and cloud services, together with fraud technologies commonly used today (such as rules-based systems and anomaly detection) can be combined to create highly effective systems that detect even the most sophisticated and complex fraud schemes. These systems are able to detect and adapt even to previously unknown fraud techniques that may be employed by professional fraudsters.

To date, most insurers have focused their fraud strategies on the claims process. While this is a critical point at which to detect potential fraud, the effectiveness of a fraud strategy, particularly in avoiding organized criminal fraud, can be significantly enhanced by using technology across the entire insurance product lifecycle. It is now possible to apply technology in real time, at multiple points at which insurers and policyholders interact. For example, the use of link analysis can stop fraud by identifying applicants with connections to others that have either committed fraud or are suspected of doing so.
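The two preceding paragraphs name link analysis as the technique that detects organized rings at application time rather than at claim time. The script below is an added example written for this page, not code from the Ovum report or from any vendor: it builds a graph in which constructed applicants are connected to the phone numbers, addresses and repair shops they declare, then runs a breadth-first search from a new applicant to find the nearest applicant already confirmed as fraudulent within a chosen number of hops. The records, the known-fraud list and the hub threshold are constructed assumptions; the threshold handles the common failure mode where a large repair chain used by hundreds of honest customers would otherwise link everyone to everyone.

```python
from collections import defaultdict, deque

# Constructed applications: id plus the identifiers an applicant declares.
RECORDS = [
    {"id": "APP-0420", "phone": "555-0100", "address": "12 Mill Rd", "repair_shop": "MegaRepair"},
    {"id": "APP-1001", "phone": "555-0100", "address": "7 Oak St", "repair_shop": "Shop B"},
    {"id": "APP-1002", "phone": "555-0111", "address": "7 Oak St", "repair_shop": "Shop C"},
    {"id": "APP-1003", "phone": "555-0122", "address": "9 Elm Ave", "repair_shop": "Shop C"},
] + [
    # Six unrelated customers of the same large repair chain (constructed).
    {"id": f"APP-10{n:02d}", "phone": f"555-02{n:02d}", "address": f"{n} Pine St",
     "repair_shop": "MegaRepair"}
    for n in range(4, 10)
]
# Applicants previously confirmed as fraudulent (constructed).
KNOWN_FRAUD = {"APP-0420"}
LINK_ATTRIBUTES = ("phone", "address", "repair_shop")


def build_graph(records):
    """Bipartite graph: applicant nodes <-> attribute nodes they share."""
    graph = defaultdict(set)
    for rec in records:
        applicant = f"applicant:{rec['id']}"
        for attr in LINK_ATTRIBUTES:
            value = rec.get(attr)
            if value:
                node = f"{attr}:{value}"
                graph[applicant].add(node)
                graph[node].add(applicant)
    return graph


def assess_applicant(graph, applicant_id, known_fraud, max_hops=2, hub_threshold=5):
    """BFS from an applicant to the nearest confirmed-fraud applicant.

    One hop is one shared attribute (two graph edges). Attribute nodes shared
    by more than hub_threshold applicants are treated as too common to be
    evidence and are not traversed.
    """
    start = f"applicant:{applicant_id}"
    targets = {f"applicant:{f}" for f in known_fraud} - {start}
    parent = {start: None}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if node in targets:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            path.reverse()
            hops = depth // 2
            return {"applicant": applicant_id, "linked_to": path[-1].split(":", 1)[1],
                    "hops": hops, "path": path, "risk": "high" if hops == 1 else "medium"}
        if depth >= 2 * max_hops:
            continue
        for neighbour in graph[node]:
            if neighbour in parent:
                continue
            if not neighbour.startswith("applicant:") and len(graph[neighbour]) > hub_threshold:
                continue  # hub attribute: skip, it links too many honest people
            parent[neighbour] = node
            queue.append((neighbour, depth + 1))
    return {"applicant": applicant_id, "linked_to": None, "hops": None, "path": [], "risk": "low"}


def screen_all(records=RECORDS, known_fraud=KNOWN_FRAUD, **kwargs):
    """Assess every applicant not already on the known-fraud list."""
    graph = build_graph(records)
    return [assess_applicant(graph, r["id"], known_fraud, **kwargs)
            for r in records if r["id"] not in known_fraud]


if __name__ == "__main__":
    for result in screen_all():
        print(f"{result['applicant']} risk={result['risk']:6} hops={result['hops']} path={result['path']}")
```

Run against the constructed data, APP-1001 is flagged high because it declares the phone number of a confirmed fraudster, APP-1002 medium because it shares an address with APP-1001, and APP-1003 low because it is three hops away. The six MegaRepair customers stay low even though the known fraudster also used that shop; raising `hub_threshold` above the chain's customer count shows how quickly the same logic would otherwise swamp investigators with false positives.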

Professional fraudsters can be very sophisticated. Insurers need to keep rearming themselves if they are to win the battle and help themselves thrive in a tough market.