The Internet of Behaviors (IoBs) | What can it do for you in the Future?

Gartner’s 2020 strategic prediction announced that the “Internet of Behaviors” (IoB) is something we will become increasingly aware of, and predicted that by 2023 the individual activities of 40% of the global population would be tracked digitally in order to influence their behavior.

So, what is the Internet of Behaviors? Let’s dive in.

First you need to understand that the Internet of Things (IoT) is a network of interconnected physical objects that collect and exchange data over the Internet.

The IoT is constantly expanding, and its complexity keeps growing in three dimensions:

  • The way in which devices are interlinked.
  • The computations that can be processed by these objects autonomously.
  • The data that is stored in the cloud (capturing data to improve internal operations, customer experience, and staff safety)

In simple terms, IoB is about using the data collected through the IoT to modify behavior so that a chosen objective is met.

What separates the Internet of Behaviors from the IoT?

The Internet of Behaviors, like the IoT, is built on smart technology and data analytics, the two pillars that let companies begin to understand customer behavior.

Behavioral science is what takes IoB to the next level. By tracking purchases, facial biometrics and much more, companies can begin to map and predict behaviors, which in turn lets them make data-driven decisions about how to influence their customers.

One example could be your local coffee shop.

If every customer waits in a single queue, only one person is served at a time and nobody can see how many give up. An IoB deployment could measure the number of customers who wait to be served against the number who leave (churn) after a given waiting time. The shop owners could then use that information to change the floor plan, for example by creating additional queueing or serving space.

With such a change in place, customers are served more quickly, and those who previously walked out are now willing to wait.

“Think of it as an amalgamation of technology, data analytics, and behavioral science. It is essentially trying to make sense of human behavior through data mining”. 

The idea of analyzing consumer data for business purposes is not new to Zone24x7. We have researched consumer behavior and habits in the past, and with our products SerendibAI and Analytics Center we now have an automated ecosystem of analytic processes that track, collect and attempt to interpret the vast amounts of data generated through online and physical activity.

With the rise of smart devices it is predicted that more than 50% of the world’s population will be exposed to at least one IoB program. For now we know that IoB turns data into information. The real question is whether it can turn that information into wisdom.

Stefan Udumalagala

Innovation Specialist

FaceAuthMe – Low friction facial biometric authentication

Authentication is a hotter topic than ever, touching many aspects of our lives and reaching into our most personal devices. With ample evidence that traditional methods are not enough to provide safe, trusted authentication, there is a need for an innovative solution that brings extremely low friction to end consumers.

Authentication is a hot topic

Authentication has become an integral part of our daily routine. Every day we enter passwords to unlock a laptop, use fingerprints to log in to mobile apps and receive One Time Passwords (OTPs) to verify transactions. Authentication is everywhere, and the need to authenticate ourselves safely and with trust exists because fraud is increasing at an alarming rate.

Fraud is increasing at an alarming rate

Fraudsters are getting smarter every day. From OTP hijacking and device spoofing to sophisticated social engineering schemes, they keep finding ways around the technology. Unauthorized financial fraud losses in the UK alone, across payment cards, remote banking and cheques, totalled £824.8 million in 2019, while worldwide card fraud losses stand at an alarming $27 billion. These circumstances demand that fraud be prevented at the earliest point of customer interaction and that customers be protected by better authentication methods.

Passwords are unreliable

  • Weak or stolen passwords are involved in over 80% of data breaches
  • Up to 51% of passwords are reused
  • The average user has more than 90 online accounts and regularly forgets passwords
  • One third of online purchases are abandoned because of forgotten passwords
  • 50% of users abandon online banking transactions because of the hassle and friction of passwords
  • A single password reset costs about $70 in help desk labor

(Source: FIDO Alliance)

One Time Passwords (OTP) are not the answer

  • SMS is not a reliable channel: NIST SP 800-63B classifies OTPs delivered over SMS or the public telephone network as a restricted authenticator, because the channel itself can be hijacked (for example by SIM swapping)
  • Delivery cost is higher
  • Social engineering scams that trick users into reading out their OTP are increasing

In-device biometrics are not secure enough

  • Depending on device manufacturers for sensitive authentication decisions is too risky
  • Vulnerabilities across the huge range of devices in circulation give fraudsters doors to break in
  • Many financial regulators are strongly against relying on in-device biometrics
  • Depending on the capabilities of the user’s device is too much of a compromise

The world needs stronger, friendlier authentication

Mandates such as PSD2’s Strong Customer Authentication requirement, implemented for card payments through 3-D Secure 2.0, will drive merchants and banks to adopt biometrics to make the payment experience smoother across a variety of platforms. Ubiquitous biometric sensors in mobile devices are at the forefront of this adoption. Yet a widely unspoken, largely unseen problem stands in the way of secure authentication: can we rely extensively on in-device biometrics for crucial authentication processes?

Advantages of FaceAuthMe™

Zone24x7’s facial biometrics solution FaceAuthMe™ is a secure, low friction solution that addresses the need for Strong Customer Authentication (SCA) now and in the future. FaceAuthMe™ authenticates a person by their face using any device’s camera, quickly and seamlessly, in a low-friction, highly secure way. It uses machine learning models that capture facial biometrics and other signals from the customer to distinguish a genuine customer from a fraudster, and provides a one-stop, seamless authentication experience for all authentication needs.

The novelty and innovative edge

No dependency on customer’s mobile phone

While most existing biometric authentication solutions rely heavily on the capabilities of the customer’s mobile phone, FaceAuthMe performs matching off the device. There is no dependence on device manufacturers, brands or third-party software vendors, which also lets FaceAuthMe work from devices with a very small processing footprint. The trade-off is that the biometric sample leaves the device, so the security of the transport channel and of the server-side handling of captured images becomes the critical control.

Device agnostic, OS agnostic

FaceAuthMe is completely device and OS agnostic: it works on any device with a camera and an internet connection. Mobile phones, tablets, laptops and desktops can all be used in the authentication process, and the same property lets FaceAuthMe run on shared, non-personal devices such as POS terminals and ATMs.

No action required from the end user

A key element of biometric authentication is verifying that the user is live (liveness), because a fraudster can otherwise impersonate a genuine customer with a photo or video (a presentation attack). To check liveness, most competing solutions ask the user to do something in front of the camera, such as smiling, blinking or turning the head. FaceAuthMe’s machine learning models perform passive liveness detection, so no user action is required at all, keeping friction extremely low.

Authenticate with just a selfie

Taking a selfie is now familiar to almost all demographics. While most existing products depend on complex, data-heavy inputs such as video or bursts of images, FaceAuthMe simplifies the customer experience by taking just one selfie. The in-house models decide whether the end user is genuine or a fraudster from that single image. A practitioner evaluating any single-frame approach should ask for presentation attack detection results measured under ISO/IEC 30107-3, since one frame carries less liveness signal than a video or an active challenge.

No software/app needed: FaceAuthMe™ is not a mobile app

Many biometric solutions on the market depend heavily on special software applications developed for the purpose. This adds friction for the end customer, who must download and install software. Research indicates that the penetration of mobile apps is quite low (about 30%) even where the customer has a suitable mobile phone. FaceAuthMe is a browser-based application, so it removes the need to install software and authenticates seamlessly.

Privacy by design and by default

FaceAuthMe takes the privacy of end customers seriously. Customer data is pseudonymised and encrypted in transit, so FaceAuthMe follows data protection by design. Its strictest privacy settings are applied by default, without any manual input from the end user, and personal data is retained only for a defined period, so it also follows data protection by default.
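As an added illustration of the two controls named above, keyed pseudonymisation and a fixed retention period, here is a small Python sketch. It is example code written for this page, not FaceAuthMe’s own implementation: the vault key, the customer identifiers, the template bytes and the 90-day default retention are all constructed for the demonstration, and encryption in transit and at rest is assumed to be handled elsewhere.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


class PseudonymVault:
    """Holds the pseudonymisation key and the pseudonym -> customer mapping.

    Only this component can re-identify a customer; the TemplateStore below
    never sees a real customer identifier. The key is a hypothetical secret
    that would live in a KMS/HSM in production, separate from the store.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._index: Dict[str, str] = {}

    def pseudonymise(self, customer_id: str) -> str:
        # Keyed hash: without the key the pseudonym cannot be linked back to the
        # customer id, even by brute-forcing likely identifiers (a plain hash could be).
        pseudonym = hmac.new(self._key, customer_id.encode("utf-8"), hashlib.sha256).hexdigest()
        self._index[pseudonym] = customer_id
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[str]:
        return self._index.get(pseudonym)


@dataclass
class TemplateRecord:
    template: bytes      # constructed stand-in for an enrolled face template
    created_at: float    # Unix timestamp
    last_used_at: float


@dataclass
class TemplateStore:
    """Keeps biometric records under pseudonyms with a fixed retention period."""

    retention_seconds: float = 90 * 24 * 3600   # assumed strictest default: 90 days
    _records: Dict[str, TemplateRecord] = field(default_factory=dict)

    def enrol(self, pseudonym: str, template: bytes, now: float) -> None:
        self._records[pseudonym] = TemplateRecord(template, created_at=now, last_used_at=now)

    def _expired(self, rec: TemplateRecord, now: float) -> bool:
        return now - rec.created_at >= self.retention_seconds

    def lookup(self, pseudonym: str, now: float) -> Optional[TemplateRecord]:
        rec = self._records.get(pseudonym)
        if rec is None or self._expired(rec, now):
            # Expired data is treated as gone even before the purge job runs.
            self._records.pop(pseudonym, None)
            return None
        rec.last_used_at = now
        return rec

    def purge(self, now: float) -> int:
        """Delete every record past its retention period; returns how many were removed."""
        expired = [p for p, rec in self._records.items() if self._expired(rec, now)]
        for p in expired:
            del self._records[p]
        return len(expired)

    def count(self) -> int:
        return len(self._records)


def demo() -> dict:
    """End-to-end run on constructed data: enrol, look up, and observe expiry."""
    vault = PseudonymVault(key=secrets.token_bytes(32))   # fresh key for the demo run
    store = TemplateStore(retention_seconds=60)
    t0 = 1_700_000_000.0
    p = vault.pseudonymise("customer-1001")                 # constructed customer id
    store.enrol(p, b"constructed-face-template", now=t0)
    return {
        "pseudonym_len": len(p),
        "visible_at_t0": store.lookup(p, t0) is not None,
        "visible_after_retention": store.lookup(p, t0 + 61) is not None,
        "reidentified": vault.reidentify(p),
    }
```

The separation is the point: the store can be breached without revealing who the templates belong to, and re-identification requires both the key and the vault’s index, so access to it can be audited as a distinct privilege. The retention check is applied on read as well as by the purge job, so a record that the job has not yet removed is still never served past its retention date.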

Summary

A proudly Sri Lankan, in-house developed product, FaceAuthMe is changing how authentication is done at the most secure levels. Its innovative approach to world-class facial biometrics achieves low-friction authentication while preserving security, which clearly sets it apart from its competitors.

Thilina Bandara

Tech Lead – Cognitive Machine Learning

Data Analytics, Machine Learning. A real business need?

Few people have not at least heard the term “Artificial Intelligence” (AI), given the media hype and the many romanticized science fiction films built around it. AI has become a household term, though it is much less a reality than the hype suggests.

The greatest impediment to AI to date has been that a program only does what a programmer wrote it to do. A conventional program cannot think or act on its own: it responds to a specific set of circumstances in the way it was programmed to, and the so-called AI that scientists built over the years could do only that. What it could not do was respond to a new type of circumstance or gather ‘experience’. That landscape now seems to be changing, and this limitation may soon be history in the pursuit of real artificial intelligence.

With the evolution of the ICT domain, the terms “Machine Learning” and “Deep Learning” have entered modern tech terminology, with discussions of their use spanning Big Data analytics, Business Intelligence (BI) and, most importantly, AI.

Artificial Intelligence and Machine Learning?

Think of a machine that can think and respond like a human being, without defects; it would be a perfect example of AI in real life. Add an artificial consciousness to it and it becomes more perfect still.

Machine learning is itself a form of AI, perhaps the most promising to date. It lets algorithms learn from data, gathering knowledge and experience much the way we do, and respond to new situations through that learning rather than by executing pre-programmed rules like an ordinary application. This kind of AI aims at computation that can learn on its own and improve as new data is presented.

Such technologies have taken many activities that used to require human intervention to a level where no human involvement is needed. For example, Google Search is powered by complex ML algorithms (Google’s “RankBrain”) that let it derive new search signals and aggregations to deliver a personalized, intelligent user experience. This is already in production, though we take it for granted every time we do a ‘simple’ Google search. The more relevant results delivered in a split second are ML-based AI at work behind that apparent simplicity.

Deep learning is a subset of machine learning that uses neural networks with many layers to learn representations of data directly, which lets it study a very specific set of information more deeply and react more intelligently to that data. The difference between ML and DL is somewhat like a layperson and a trained doctor responding to an illness: one looks at it generally and learns and reacts to a certain extent, while the other’s learning and response operate at a deeper, more advanced level. The actual difference lies in the algorithm behind the learning, which determines the extent of the learning and the relations it can capture.

With interconnected neural networks (computing structures loosely inspired by the human brain and nervous system) and deep learning algorithms, machine learning has earned its place in modern business intelligence and data mining, enhancing data analytics.

So how will all this affect us? Some examples of applications of machine learning-based systems are:

  • Improved AI: vehicles drive themselves with collision avoidance, reducing the risk to human lives, and autonomous nanomachines are envisaged treating cancer cells in the most complex systems of the body, such as the nervous system.
  • Improved AI game playing: for years we have played computer games against an opponent whose moves are predictable because they are pre-programmed. An opponent backed by advanced ML is hard to predict and gives a very different experience.
  • Complex data analysis: in-depth views of any kind of data set, regardless of size or complexity, paving the way to more accurate predictive and prescriptive analytics.
  • Developed InfoSec measures: intelligent biometric access control, and systems that claim to predict criminal behavior before a crime takes place (not quite as in the film “Minority Report”). We already see technologies such as cognitive vision used to identify particular faces and objects in camera feeds.
  • Improved processes: financial, banking, accounting and other data-driven systems become more efficient and more accurate, giving timely reports and predictions that reduce opportunity risk. Beyond finance, ML may in the near future predict the outcomes of court proceedings, and human judgement in such tasks may soon be replaced by machines.

By the time this article is published, you may already have witnessed the wonders these technologies bring. But that is only one side of it: what if things go rogue? Yes, there will be negative consequences as well, and I leave that judgement to you. Businesses have already taken a step forward by adopting technologies such as big data analytics and AI-driven data science. The visionary leaders behind such organizations foresee the value and business impact these investments will bring in the near future.

Here at Zone24x7 we work closely with such technologies, building customer-centric products and services that address our clients’ most unusual business challenges. With decades of experience in machine learning and artificial intelligence, Zone has produced a few key products and services that help any business “cross the chasm”:

  • The Analytics Center: A data platform to build, deploy, and manage big data solutions with AI-powered actionable advanced analytics
  • FaceAuthMe: A facial biometric authentication platform that uses advanced machine learning and AI algorithms to provide Strong Customer Authentication
  • SerendibAI: An artificial intelligence-powered cognitive vision platform that analyzes video footage to provide actionable insights
  • MATRIX24x7: An IoT driven remote monitoring and management platform that can be integrated with a range of external systems to give users centralized monitoring and troubleshooting capabilities

With these technologies any business will be equipped to deliver more efficient, reliable and engaging services to its clients.

Are you ready to lead the next generation of the technology evolution of your business? It is your call now.

Thivanka Vithange

Senior Business Designer


Towards a safer and a trusted authentication

At a time when fraud is growing at an alarming rate, authentication is a hot topic in almost every aspect of our lives. Every day we enter passwords to unlock a laptop, use fingerprints to log in to mobile apps and receive One Time Passwords (OTPs) to verify transactions. But do these methods provide enough security while keeping the experience low-friction?

Why is authentication a hot topic?

From unlocking a phone in the morning to paying online with a credit card, authentication has become part of our daily life, and the need to authenticate ourselves safely and with trust is felt by everyone. The reason is the increase in fraud at an alarming rate.

It is an open secret in the authentication world that fraudsters are getting smarter every day. From OTP hijacking and device spoofing to sophisticated social engineering schemes, fraudsters keep finding ways around the technology. Unauthorized financial fraud losses in the UK alone, across payment cards, remote banking and cheques, totalled £824.8 million in 2019 (UK Finance 2020), while worldwide card fraud losses stand at an alarming $27 billion and rising according to the Nilson Report (The Nilson Report 2019). These circumstances demand that fraud be prevented at the earliest point of customer interaction and that customers be protected by better authentication methods.

Strong Customer Authentication (SCA)

In the context of banking and financial services, strong customer authentication uses two or more independent factors from different categories to verify the identity of the user:

  1. Possession: something the user has, such as a personal mobile device or a hardware token
  2. Knowledge: something the user knows that is shared between the user and the financial entity, such as a password, a PIN or the answer to a security question
  3. Inherence: something the user is, i.e. a biometric such as behaviour, fingerprint, face or voice

As the number of independent factors increases, it becomes harder for fraudsters to impersonate legitimate users, since multiple tactics must be combined in a targeted attack. The original SCA requirements are set out in the European Regulatory Technical Standards on strong customer authentication (Commission Delegated Regulation (EU) 2018/389), which also require that a breach of one element does not compromise the reliability of the others.
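The factor categories and the “different categories” rule can be made concrete in code. The following Python example is added here and is not taken from the RTS or from any Zone24x7 product: it implements a knowledge factor (PBKDF2 password check), a possession factor (RFC 6238 TOTP, using the RFC’s published test secret), treats the inherence factor as a score returned by an assumed biometric matcher with an assumed 0.9 threshold, and then applies the policy that two passed results only count as SCA if they come from two different categories.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional, Set


class Factor(Enum):
    KNOWLEDGE = "knowledge"     # something the user knows
    POSSESSION = "possession"   # something the user has
    INHERENCE = "inherence"     # something the user is


@dataclass(frozen=True)
class FactorResult:
    factor: Factor
    method: str
    passed: bool


# --- knowledge factor: password verified against a stored PBKDF2 hash ---

def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def check_password(password: str, salt: bytes, stored: bytes,
                   iterations: int = 200_000) -> FactorResult:
    ok = hmac.compare_digest(hash_password(password, salt, iterations), stored)
    return FactorResult(Factor.KNOWLEDGE, "password", ok)


# --- possession factor: TOTP (RFC 6238) generated by an authenticator device ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, at // step, digits)


def check_totp(secret: bytes, code: str, at: int, window: int = 1) -> FactorResult:
    # Accept the current step plus `window` steps either side to absorb clock drift.
    counter = at // 30
    ok = any(hmac.compare_digest(hotp(secret, counter + d), code)
             for d in range(-window, window + 1))
    return FactorResult(Factor.POSSESSION, "totp", ok)


# --- inherence factor: score handed back by an assumed biometric matcher ---

def check_biometric(match_score: float, threshold: float = 0.9) -> FactorResult:
    # The matcher and its threshold are assumptions; the score is constructed input.
    return FactorResult(Factor.INHERENCE, "face", match_score >= threshold)


# --- the SCA policy itself ---

def sca_categories(results: Iterable[FactorResult]) -> Set[Factor]:
    return {r.factor for r in results if r.passed}


def sca_satisfied(results: Iterable[FactorResult]) -> bool:
    """True only if at least two *different* categories passed.

    A password plus a security question is two methods but one category
    (knowledge), so it does not count as strong customer authentication.
    """
    return len(sca_categories(results)) >= 2


def demo(now: Optional[int] = None) -> bool:
    """Password + TOTP on constructed data; returns the SCA decision."""
    now = int(time.time()) if now is None else now
    salt = b"constructed-salt"
    stored = hash_password("correct horse battery staple", salt)
    otp_secret = b"12345678901234567890"          # RFC 6238 test secret, demo only
    results = [
        check_password("correct horse battery staple", salt, stored),
        check_totp(otp_secret, totp(otp_secret, now), now),
    ]
    return sca_satisfied(results)
```

The point of `sca_satisfied` is the set of categories, not the count of methods: a password plus a security question passes two checks but is still a single knowledge factor. The RTS also requires the elements to be independent, which this policy cannot prove on its own; that is a design property of the deployment (for example, the TOTP secret must not be recoverable from the same compromised device that captured the password).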

Why is inherence the best second factor?

The number of organizations adopting SCA for user authentication to fight fraud is increasing. One understanding common to all of them is that the traditional knowledge factor is proving less effective in the authentication process. According to Visa, passwords are dying and are therefore promoted less. A customer survey carried out in the USA concluded that 49% of abandoned online purchases are abandoned because customers cannot remember their passwords.

Source : (VISA 2017)

As customers become more comfortable with new forms of biometric authentication, the common frustration of forgetting passwords will soon be a thing of the past. Inherence-based methods such as facial biometric authentication are proving faster, safer and easier than passwords or PINs, which are hard to remember and easy to steal.

The same survey revealed that more than 65% of customers are already familiar with inherence-based authentication. But among the many inherence-based methods, which is the best?

Face is the way forward

While there is no silver bullet in the authentication world, there are many promising solutions; fingerprint, facial and behavioural biometrics play the key roles. Organizations have yet to embrace behavioural biometrics because of inherent issues such as insufficient empirical validation and privacy concerns: behavioural signals correlate strongly with cognitive function and could reveal information a person would not want disclosed, such as an illness.

Further, we have seen prominent organizations such as Apple move from fingerprint-based to facial-biometric authentication. According to Apple, the chance of a random face unlocking your phone is 1 in 1,000,000, while the chance of a random fingerprint unlocking it is 1 in 50,000 (Apple 2020). Taken at face value, that is a 20x lower false acceptance rate for face than for fingerprint. Two caveats apply: Apple’s figure is for Face ID’s depth-sensing hardware rather than for matching on an ordinary 2D camera, and a false acceptance rate says nothing about presentation attacks (photos, videos, masks), which is why liveness detection matters. Unless you have an identical twin, face can be the way forward.

FaceAuthMe™: a secure, low friction solution

Zone24x7’s facial biometrics solution FaceAuthMe™ is a secure, low friction solution that addresses the need for Strong Customer Authentication now and in the future. FaceAuthMe™ authenticates a person by their face using any device’s camera, quickly and seamlessly, in a low-friction, highly secure way. It uses machine learning models that capture facial biometrics and other signals from the customer to distinguish a genuine customer from a fraudster. From secure access control to the moment a customer makes a risky transaction or uses a credit card (for example to pay for an airline ticket), organizations are required to authenticate customers using SCA, and FaceAuthMe™ provides a one-stop, seamless authentication experience for all of these needs. If you want to find out more about FaceAuthMe™ or request a demo, please follow us here.


Thilina Bandara

Tech Lead – Cognitive Machine Learning


Applications for RFID in the new normal

Because of the ongoing global pandemic, health has become a global concern and priority. People are paying much more attention to social distancing, limiting time spent in crowds and seeking contactless ways to carry out daily activities. Against this backdrop, RFID becomes a key enabler for many kinds of solutions. RFID is not new, but it can be a novel experience for the general public, so it is worth identifying how businesses and communities can adopt RFID to maintain ordinary life with an emphasis on safety and social distancing. Here are some areas where RFID can help.

Implementing product tracking systems (Logistics and supply chain)

Using RFID for product tracking in logistics and supply chain management reduces the need for human handling and helps maintain social distancing.

RFID also lets us take inventory without touching the goods. Because it enables contactless control of assets, it reduces the transmission of pathogens, so it can be used in workplaces and organizations as an effective precaution.

Contactless payment

Using RFID for contactless payments reduces contact with notes and cards. It also shortens the time a person spends making a payment, and so reduces exposure.

Attendance tracking

Attendance tracking is another area where RFID can be applied. Although many employees are working from home these days, some offices remain open with social distancing in place. A quick tap of an RFID badge is much safer than a fingerprint-based attendance system that everyone touches.

Asset Tracking

RFID also makes it possible to track assets that are used and shared by multiple people. Continuous tracking of this kind can be used to manage the risk of spreading the disease and helps with rapid identification and decontamination of equipment and tools that have come into contact with an infected person. At the same time it helps analyse how the virus spreads within a communicable area.

Interactive marketing

When RFID is combined with interactive marketing it becomes smarter and safer. Business owners can use remote readers to scan RFID tags placed on different products and record information such as stock quantities and exact locations. Each tag carries a unique product number. If consumers pay with a loyalty card, the business can link purchases to the recorded RFID data and use it to map buying patterns for marketing purposes, and retail stores can use this data to make improvements.

Since 2011, Zone24x7 has designed, implemented and integrated custom RFID solutions with core business operations for the efficient management of merchandise and business assets. We also partner with clients to maximize returns from their existing RFID investments.

We focus on:

  • Inventory & Item Level Visibility
  • Asset Tracking
  • Evaluation And Selection Of RFID Tags, Labels and Hardware Infrastructure
  • RFID Middleware/Software
  • RFID-based Localization

You can find out more about our RFID products and solutions here.

As we all fight COVID-19, we can use technology to overcome our struggles, and RFID-based applications play a major role in easing day-to-day tasks.

Lehindu Atapattu

Trainee Associate Digital Marketing


How a Business Analyst can add value in the SSDLC

Introduction

Overview

The Business Analyst (BA) is generally understood as the stakeholder responsible for managing software requirements. That describes who a BA is, but the real role goes further: the BA is involved from the brainstorming phase of a project through to its decommissioning, and in each phase plays a vital and varied part in bringing an idea to life. How the BA views the security aspects of software is the focus of this article.

Understanding about Data Protection Standards and Regulations

To start with, the BA’s understanding of software security standards and their applicability matters a great deal. Several data protection standards and regulations exist: GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry Data Security Standard) and ISO/IEC 27001 (the international standard for information security management systems) are some of them. They significantly affect the SDLC (Software Development Life Cycle) and the corresponding development processes of organizations rolling out information systems, and they add complexity to the functional, non-functional and technical designs across a system’s business and technical layers. Following basic data protection principles is a software engineering responsibility, but a BA should understand at least a few of these standards, because data protection requirements need to be identified in the planning stage of the SDLC and documented, to avoid significant cost overruns and rework later.

Depending on the client, the type of project and the region where the software is developed, the standards to adhere to may differ, and with them the specific security aspects. This article therefore focuses on how a BA can take part in a generic Secure Software Development Life Cycle (SSDLC) without being specific to any of the standards above. If a project is undertaken under such a standard, its specific security concerns must be addressed by the BA and the rest of the team.

The SDLC Vs SSDLC

The SDLC is a framework describing the process an organization uses to develop an application from initiation to closure.

In general, the SDLC includes the following phases:

  1. Planning and requirements gathering
  2. Architecture and designing
  3. Implementation/Coding
  4. Testing 
  5. Release and maintenance

Simply put, the SSDLC is derived by applying software security aspects to each stage of the SDLC. The Business Analyst’s involvement in the SSDLC is detailed in the following sections.

Generic Security Touch-points

As discussed in the overview, once software security aspects are applied to each phase of the SDLC, the result is an SSDLC. Security touch-points are therefore introduced at each phase.

The security touch-points can be demonstrated with Gary McGraw’s influential touch-point model (Swsec.com, 2020), whose seven touch-points are code review with static analysis tools, architectural risk analysis, penetration testing, risk-based security tests, abuse cases, security requirements and security operations.

(Figure: McGraw’s software security touch-points mapped onto the development phases.)
Among these security touch-points, the focus here is on those that involve the BA.

BA’s Involvement in The SSDLC

Security-enforced planning and modeling techniques

Following the selected SDLC methodology, planning and modeling should decompose the scope into modules and sub-modules, which keeps them easy to maintain and manage. The more finely the scope is separated into modules, the more precisely the security requirements of each module can be specified and enforced individually, rather than with an all-in-one approach, giving a better combined security outcome once all the modules run together. The business functional architecture of the system should be designed to reflect this decomposition.

A sample section of the business functional architecture is attached below for further illustration.

Security Requirements Specification

Security Requirements in SRS

All the requirements elicited for the project are documented in Software Requirement Specification (SRS) documents. Functional and non-functional requirements are elaborated as specification points under the SRS maintained for each module.

A sample section of an SRS document is attached below for further illustration.

As part of gathering functional and non-functional requirements, security requirements must also be captured and documented in the SRS.

A sample security requirement is attached below for further illustration.

Security Requirements in User Stories

Apart from the SRS, user story documents will also be maintained for each sprint. Therefore, security requirements shall also be covered, either as user stories or as scenarios under the user stories, to keep the focus on security.

A sample depiction of a security scenario within a user story is attached below for further illustration.

Abuse-Case identification

As an initial requirements gathering step, use-case diagrams will be used to identify interactions between actors and the system. By the same mechanism, abuse cases (also called misuse cases) shall also be identified by modeling adversarial actions against the system.

A sample depiction of an abuse case is attached below for further illustration.

Evil User Stories

Evil user stories take the same form as standard user stories, but they express what an evil-minded (abusive) user would do in the system instead of what a standard user would do. These stories highlight what the system does not expect a user to do. By understanding what a hostile user would attempt in the product, acceptance criteria and scenarios can be developed to defend against it.

A sample depiction of an evil user story is attached below for further illustration.

Security Enforced KB Articles

Once development is done and the product is ready to be deployed, procedures and documentation such as deployment guides, user guides and support team guides will be used to enforce security during release and maintenance.

Thamal De Silva

Senior Business Analyst

Kalindu Jayathilaka

Consultant – Business Solutions


A New Take on Caching

Any application in the world, especially a production-level application, holds a huge amount of data. This data is stored in a secure location, but every time the application needs it, it has to access that storage. This becomes inconvenient when the data is required quickly or frequently, and when reading data is an expensive operation it is hard for the application to function robustly. If you are looking to overcome this inconvenience, caching is your solution.

Caching enables you to access your stored data much faster. The data stored in a cache can come directly from the data source or be generated by processing the data in a request. Hence, in subsequent requests the application does not have to access the data source or reprocess the data; it can simply read the cache and serve the request smoothly and much faster.

Caching as is has one small problem. The cache is available only as long as the application is up and running. The moment the application restarts, the cache is empty and you lose the data that was previously in it. The solution is a cache that can persist.

A persistent cache stores the data in the file system or the system memory. If the application stops or crashes, the data in the cache is not lost. Instead, it stays in the file system or the system memory, waiting to be loaded back into the new cache created after the application restarts. This ensures that the application picks up from the same state it was in before crashing or stopping.

Check out the linked white paper to get an understanding of a few of the existing solutions for persistent caches and some of their limitations.

Furthermore, the linked white paper introduces an approach that solves the limitations of the existing solutions. It is worth noting that the introduced approach is a customization made to satisfy certain stipulations; the white paper explains what those stipulations are. If you have similar stipulations, the introduced approach is the perfect fit for implementing a persistent cache.

The following are the different types of caches built using this customization.

  • Basic Persistent Cache
  • Persistent Cache with TTL (Time-to-Live)
  • Persistent Cache with Per Row TTL
  • Persistent Loading Cache


The white paper discusses each of these types extensively and provides the related documentation needed to get you started. Before that, let's have a look at the features of this customization.

  • Any object type can be used as the key or value, without depending on library-specific wrapper objects.
  • Does not require external configuration files.
  • A common TTL or a per-row TTL can be specified.
  • Loading cache features with TTL.
  • TTL can be specified in any time unit using Java 8's ChronoUnit.
  • Features such as batch storing of data and saving keys/values only if they are absent.
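As an added illustration of the persistence and TTL behaviour described above (this is not the white paper's or the library's code, and it is Python rather than the library's Java), a minimal persistent cache with a common TTL, a per-row TTL and put-if-absent that reloads its rows from a JSON file after a simulated restart. The JSON file, the JSON-only keys/values and the fake clock are simplifications of this example:

```python
import json
import os
import tempfile
import time
from typing import Any, Callable, Dict, Optional


class PersistentTtlCache:
    """Cache mirrored to a JSON file so a restart reloads it. Every row carries
    its own absolute expiry, so a per-row TTL can override the common TTL."""

    def __init__(self, path: str, default_ttl: Optional[float] = None,
                 clock: Callable[[], float] = time.time) -> None:
        self.path = path
        self.default_ttl = default_ttl       # seconds; None means no expiry
        self.clock = clock                   # injectable for deterministic tests
        self._rows: Dict[str, Dict[str, Any]] = {}
        if os.path.exists(path):             # state left by the previous run
            with open(path, "r", encoding="utf-8") as fh:
                self._rows = json.load(fh)
            self._purge_expired()            # drop rows that expired while down

    def _flush(self) -> None:
        # Write a temp file, then rename: a crash mid-write cannot leave a
        # truncated cache file that the next start would fail to load.
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(self._rows, fh)
        os.replace(tmp, self.path)

    def _purge_expired(self) -> None:
        now = self.clock()
        self._rows = {k: r for k, r in self._rows.items()
                      if r["expires_at"] is None or r["expires_at"] > now}

    def put(self, key: str, value: Any, ttl: Optional[float] = None) -> None:
        """Store one row; `ttl` (seconds) overrides the common TTL for it."""
        effective = self.default_ttl if ttl is None else ttl
        expires_at = None if effective is None else self.clock() + effective
        self._rows[key] = {"value": value, "expires_at": expires_at}
        self._flush()

    def put_if_absent(self, key: str, value: Any, ttl: Optional[float] = None) -> bool:
        """Store only if no live row exists for `key`; True if stored."""
        if self.get(key) is not None:
            return False
        self.put(key, value, ttl)
        return True

    def get(self, key: str, default: Any = None) -> Any:
        row = self._rows.get(key)
        if row is None:
            return default
        if row["expires_at"] is not None and row["expires_at"] <= self.clock():
            del self._rows[key]              # lazy expiry on read
            self._flush()
            return default
        return row["value"]


def demo_restart_cycle() -> Dict[str, Any]:
    """Fill a cache, drop it (an application restart), reopen from the same file
    and report what survived. A fake clock makes expiry deterministic."""
    now = [1000.0]
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "cache.json")
        cache = PersistentTtlCache(path, default_ttl=60, clock=lambda: now[0])
        cache.put("session:alice", {"role": "user"})        # common TTL: 60 s
        cache.put("otp:alice", "493817", ttl=5)             # per-row TTL: 5 s
        overwrote = cache.put_if_absent("session:alice", {"role": "admin"})
        del cache                                            # "crash"
        now[0] += 10                                         # 10 s of downtime
        reopened = PersistentTtlCache(path, default_ttl=60, clock=lambda: now[0])
        return {"put_if_absent_overwrote": overwrote,
                "session_after_restart": reopened.get("session:alice"),
                "otp_after_restart": reopened.get("otp:alice")}
```

The 60-second session row survives the simulated restart while the 5-second OTP row is purged on reload, which is the per-row override at work.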


To wrap up, we have introduced a customization for feature-rich persistent caching that can be used whenever a caching mechanism with persistence is needed. To get a comprehensive understanding of this approach, do check out the white paper linked below.

Read More >

Let us know what you think of this approach.
Happy coding!

Mariam Zaheer

Software Engineer


Choosing the Right Algorithm at the Right Time – The Science of Impactful Product Recommendations

With the evolution of technology, online retail shopping has taken off and plays a major role in the modern world. A personalized recommendation system aims to identify the products most relevant to a user, based on their past interactions.

This encourages a user to browse more products and makes them more likely to buy, effectively increasing business revenue and improving user experience. Hence, it is vitally important that the evaluation of recommendations in such a context produces an end-user output based on criteria selected to maximize business revenue and user experience. The 'most optimal criteria' may vary with user preferences, seasons and many other factors. Therefore, selecting the most optimal criteria has to be done very thoroughly, for which an effective and efficient evaluation technique is essential.


Where Do You Stand?


In this fast-moving modern world, people tend to buy online because of their busy schedules and for convenience, and any outdated organization that does not support this will be left behind. In a post-COVID-19 world, online retailing and e-commerce will without doubt increase immensely, forcing almost every organization to adopt online retailing to survive. Recommendation systems play a very important role in this, helping with revenue and user experience. All the leading retailers worldwide use modern recommendation systems. Online retailers that use primitive recommendation systems will certainly not be competitive enough to survive among those that already use standard ones.


Multi Armed Bandit

Evaluation of recommendations can be categorized into two kinds: offline evaluation and online evaluation. An example of offline evaluation is the multivariate testing method, which explores for the most optimal criteria within a specific period of time and afterwards serves recommendations using the winning criteria. Hence it provides only a single cycle from exploration to exploitation and does not allow further automated exploration cycles, so manual intervention is required once the chosen criteria pass their optimal performance. These limitations bring out the need for online evaluation that supports multiple automated exploration cycles, which leads us to the Multi Armed Bandit. The Multi Armed Bandit problem is one where a fixed, limited set of resources is to be allocated among competing choices in a manner that maximizes the expected gain.


Multi Armed Bandit In A Retail Context

The endless expansion of e-commerce has led retailers to advertise their products by displaying them, which is done via recommendations that take various factors into account. Recommendation systems are growing steadily in online retail because of their capability to offer personalized experiences to individual users. They make it easier for users to reach the content they are interested in, which results in a competitive advantage for the retailer. Hence it is necessary to have smart recommendation systems. Recommendation systems using Multi Armed Bandit are capable of continuous learning, that is, continuously exploring for winning criteria and exploiting them without manual intervention.


What We At Zone24x7 Do

We excel in offering smart recommendation systems. We are well experienced in building recommendation systems that give the user different results each day by processing massive loads of data in an intelligent back-end. We have studied every possible way to do that and selected three effective algorithms for the MAB problem, which in summary are:

  • Epsilon Greedy Algorithms
  • Upper Confidence Bound Algorithms (UCB)
  • Thompson Sampling


We chose Thompson Sampling for the retail recommendation system, and it has been one of the highest-performing solutions because of its lower cumulative regret. It is also the most cost-effective solution when it comes to implementation.

Multi Armed Bandit can be recognized as the core idea of the online evaluation system, and only a brief explanation of it is given here.
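As an added example (not Zone24x7's implementation), Bernoulli Thompson Sampling over three hypothetical recommendation criteria with constructed click-through rates. It reports pulls per arm, the posterior estimates and the cumulative regret the article uses to compare algorithms; the criterion names and rates are assumptions of the example:

```python
import random
from typing import Dict, List


class ThompsonSampler:
    """Bernoulli Thompson Sampling. Each arm (here: a recommendation criterion)
    keeps a Beta(alpha, beta) posterior over its click-through rate. A round
    samples one rate per arm and serves the arm with the highest sample, so
    exploration continues automatically while the posteriors stay uncertain."""

    def __init__(self, arms: List[str], rng: random.Random) -> None:
        self.rng = rng
        self.alpha = {a: 1.0 for a in arms}   # successes + 1 (uniform prior)
        self.beta = {a: 1.0 for a in arms}    # failures + 1

    def select(self) -> str:
        samples = {a: self.rng.betavariate(self.alpha[a], self.beta[a])
                   for a in self.alpha}
        return max(samples, key=samples.get)

    def update(self, arm: str, clicked: bool) -> None:
        if clicked:
            self.alpha[arm] += 1
        else:
            self.beta[arm] += 1

    def posterior_mean(self, arm: str) -> float:
        return self.alpha[arm] / (self.alpha[arm] + self.beta[arm])


def simulate(true_ctr: Dict[str, float], rounds: int, seed: int = 7) -> Dict[str, object]:
    """Run the bandit against constructed per-criterion click rates; report
    pulls per arm, posterior means and cumulative regret (sum over rounds of
    best_ctr - served_ctr), the metric the article uses to compare algorithms."""
    rng = random.Random(seed)
    bandit = ThompsonSampler(list(true_ctr), rng)
    best = max(true_ctr.values())
    pulls = {a: 0 for a in true_ctr}
    regret = 0.0
    for _ in range(rounds):
        arm = bandit.select()
        clicked = rng.random() < true_ctr[arm]      # simulated user response
        bandit.update(arm, clicked)
        pulls[arm] += 1
        regret += best - true_ctr[arm]
    return {"pulls": pulls, "cumulative_regret": round(regret, 2),
            "posterior_means": {a: round(bandit.posterior_mean(a), 3) for a in true_ctr}}


if __name__ == "__main__":
    # Constructed click-through rates for three hypothetical criteria.
    print(simulate({"popular": 0.05, "similar_items": 0.12, "personalized": 0.20}, 3000))
```

A uniform random policy over these three rates would accumulate roughly 230 regret in 3000 rounds; the sampler settles on the best criterion while still occasionally serving the others, which is the automated re-exploration the text contrasts with multivariate testing.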

To read more on this:

Read More >



Umesh Perera

Software Engineer


IoT Security Testing – Identifying the Scope

IoT (Internet of Things); Where it stands now?

A couple of years back, only a handful of people involved in the subject knew what IoT was all about. By now you should know IoT, the Internet of Things. It has revolutionized the way we interact with day-to-day devices, the technology is now very common, and IoT will be the next big thing in the coming years. If you want to confirm that, simply google the IoT predictions. Here I am not going to talk about what IoT is all about.

There are thousands, if not millions, of articles on the subject on the Internet. So if you have been in the IT industry for several years by now, I hope you have crossed paths with IoT at some point in your career. Or if you are a newbie who has just entered the arena, my advice is that it is worth paying some attention to the subject.

Security of an IoT device

Let me dig into the subject now. Day by day, second by second, every application and every device connected to the internet is becoming more vulnerable to hackers. The reason is that it is a constant battle in which hackers try to steal valuable information while the people who developed the systems release patches to close the holes in them. Why? Ultimately it is all about money and business. There will be a time when cybersecurity knowledge is mandatory for a local police officer. When it comes to IoT devices, this will be far more critical, as they are all about your private data or are devices through which you get services for your own needs. This requires developers and testers to think seriously about the security (physical, firmware and software) of the device.

There are considerable differences between ensuring the security of web/mobile applications and that of IoT devices. From here on, I will talk about the areas you should concentrate on when identifying the scope of an IoT security testing initiative. If you are engaged in an IoT project as a developer or QA, or are just an enthusiast about the subject, the content below will be a valuable piece for your arsenal in the cybersecurity domain.

  • Process matters

    The basics should be in place: you will start with scope identification, then threat modeling, and map the attack surface. With this, you will be able to see the bigger picture and easily identify the rest of what is described below.
  • Hardware (Physical) security

    This will be something new for you if you have only dealt with application security so far. When you are ensuring the security of the hardware, there are several aspects you should concentrate on.
    1. Does the device have places that are exposed to human interaction?

      For example, if a display (front-end) exists and applications are usable, then we are mostly talking about Android (mobile) application security testing. If there is no real estate to display anything, or the display is only for informational purposes, then you are completely out of that headache.
    2. Does the device contain any physical ports?

      If the device has physical ports, you need to find out what they are used for and for what purpose. Make sure that unnecessary physical ports do not exist. If there are USB ports, check how accessible the device is through them. USB debugging should be disabled; otherwise a hacker may be able to get root access and do whatever he wishes.
    3. How does the device get access to the internet? Is it through Ethernet or WiFi?

      You need to find out whether the device can connect to the internet via both Ethernet and WiFi or only via a single medium. Your testing methods will change based on that.
    4. What are the other connectivity methods?

      Finally, if the device connects over Bluetooth, Zigbee or another wireless communication medium, you need to make sure the required security measures are addressed when implementing them. Also evaluate whether the device validates data before trusting and accepting it. When it comes to physical security, we have to think about how the device is intended to be accessed from outside, and then close all access points other than the intended channel. Also, if the device stores passwords or any other sensitive data, make sure the hardware does not expose that data to an outsider (tamper mechanisms).

      If you are interested in this particular subject, it is better to get more familiar with secure microcontrollers, secure key storage, encryption for physical data channels (pin pad cables, inter-IC communication links) and tamper switches. And last, the hardware security standards: it is worth getting to know which standards your hardware follows (e.g. MISRA C). Once you have made sure of the above aspects in terms of hardware security coverage, you are pretty much safe.

  • Firmware security

    This is the most important piece of your IoT device. It controls everything that matters, from the sensors to the operating system. So having a look at the firmware installed on your device is mandatory, and if you miss it you are probably missing the big fish of your IoT security testing initiative. There are three major areas in firmware security.
    1. Invest more time on debugging interfaces (USB/Serial/JTAG/SWI).
    2. Protect your bootloader.
    3. Implement continuous monitoring on both the device and firmware sides.

    In addition to the above, be aware of firmware-level attacks. Below are the areas you should consider:
  • Vulnerabilities in third-party components and libraries.

    When developing firmware, developers use many third-party libraries and components. So not only scanning via an automated tool but also getting a list of all of them and validating them manually is critical.
  • Injection attacks where a hacker can alter the firmware logic.

    Injection attacks are a broader subject. If the IoT device can interact directly with a user interface, and the user can input data via a provided application or even while interacting with the operating system, you need to make sure all the fields are properly validated so that the user cannot perform injection attacks. The method of injection differs with the technology: if you are dealing with an application, it can be SQL or NoSQL injection.

    If you are dealing with the OS, it can be command injection, through which the firmware logic can be altered to disrupt the normal functions of the device. So it is very important to make sure your IoT device has a very good defense (an on-boot/periodic firmware integrity check) against these types of attacks.
  • Sensitive information at rest and in transit

    Whether sensitive data or PII (Personally Identifiable Information) exists in your IoT device depends on the purpose it is intended for. The device could even be inside your body monitoring your health, or operating at home, or operating in public. What you need to worry about is what kind of data passes through and is stored in your device. Can it be classified as sensitive information? If yes, you need to make sure of two things: how it transits within the device or to the outside, and how it is stored.

    Data in transit, especially between the backend server and the IoT device, or when passing data to third-party peripherals, should be secured. Make sure the channel is secured, and that it uses not just TLS but an acceptable version of it: anything below TLS 1.2 is no longer recommended by the industry. For data at rest, you should verify whether PII is stored in plaintext or in ciphertext (the result of encrypting the plaintext).
  • DoS attacks

    Another important aspect you should look at is DoS (Denial of Service) attacks targeting the firmware, with which a hacker can crash the system by exhausting all the available memory. Make sure proper mechanisms are enforced in the firmware against this.
  • Key management on the client side

    Another important point in firmware security is the key management of your IoT device. As you know, when a device service or an application communicates with its backend server, it uses a secret key to establish the connection; in this case it could be a service running on the firmware. So make sure where the key is stored on the device and how it is stored, and whether the same key is used all the time or a key rotation mechanism is implemented. This is very important since a hacker who steals the secret key can do whatever he wants after that.
  • Open ports and services (to the network)

    Finally, you should be aware of which ports and services are open to the network. Any unnecessary ports should be closed. For example, if the device exposes port 23, someone can get into the device via Telnet and take control of it unless proper security mechanisms are enforced.
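As an added example (not the author's), one way to turn the open-ports check into a repeatable audit: parse the listener table as `ss -tlnp` prints it on the device and compare every listener with an allowlist of the services the device is intended to expose. The sample lines, process names and allowlist are constructed for this example:

```python
import re
from typing import Dict, List

# Constructed sample in the column layout of `ss -tlnp` (TCP listeners with
# their owning process); not captured from a real device.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=412,fd=3))
LISTEN 0      5      0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=530,fd=4))
LISTEN 0      128    127.0.0.1:5555      0.0.0.0:*         users:(("adbd",pid=611,fd=7))
LISTEN 0      128    [::]:8883           [::]:*            users:(("mqtt-agent",pid=702,fd=9))
"""

# What the device is intended to expose: port -> process allowed to own it.
ALLOWED_SERVICES: Dict[int, str] = {22: "sshd", 8883: "mqtt-agent"}

LOOPBACK = {"127.0.0.1", "[::1]"}
_PROCESS_RE = re.compile(r'\(\("([^"]+)"')


def parse_listeners(text: str) -> List[Dict[str, object]]:
    """Turn `ss -tlnp` lines into {addr, port, process} records."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)     # works for 0.0.0.0:22 and [::]:8883
        match = _PROCESS_RE.search(line)
        listeners.append({"addr": addr, "port": int(port),
                          "process": match.group(1) if match else "?"})
    return listeners


def audit(listeners: List[Dict[str, object]],
          allowed: Dict[int, str]) -> List[Dict[str, object]]:
    """Report every listener not covered by the allowlist. Loopback-only
    listeners are still reported, at lower severity: they are reachable by any
    local code, including a compromised app on the same device."""
    findings = []
    for ln in listeners:
        port, proc, addr = ln["port"], ln["process"], ln["addr"]
        if allowed.get(port) == proc:
            continue                            # expected port, expected owner
        if port in allowed:
            reason = f"port {port} owned by {proc!r}, expected {allowed[port]!r}"
        else:
            reason = f"port {port} ({proc}) is not in the allowlist"
        findings.append({"port": port, "process": proc,
                         "severity": "low" if addr in LOOPBACK else "high",
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_listeners(SAMPLE_SS_OUTPUT), ALLOWED_SERVICES):
        print(finding["severity"].upper(), finding["reason"])
```

On the sample the Telnet listener on port 23 comes out as a high-severity finding and the loopback-bound debug daemon on 5555 as a low-severity one; running the same audit against a fresh `ss -tlnp` capture after each firmware build keeps the exposed-services list from drifting.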
  • Software security

    If your IoT device runs applications on top of the firmware, then this section matters. Some devices may not have any software running directly with the firmware, but some may have software that interacts with the firmware and the device (this depends on the service your IoT device provides). If it uses any software, we are mostly talking about Android applications. You should primarily look at the below:

    1. Vulnerabilities in the APK
    2. Data in transit and at rest
    3. Injection attacks via input fields
    4. Authentication and authorization mechanisms

    I will not describe each of these in detail here, as most were covered in the previous sections, but here they apply to the software applications, so you should test each area separately.
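The on-boot/periodic firmware integrity check named under injection attacks above, worked through as an added example that is not from the article: partition digests are recorded in a manifest, the manifest itself is authenticated, and the check reports altered code, a re-written manifest and a missing partition separately. The HMAC key, partition names and firmware bytes are constructed placeholders, and HMAC stands in for the public-key signature a real device would verify from secure storage:

```python
import hashlib
import hmac
import json
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(partitions: Dict[str, bytes], key: bytes) -> Dict[str, object]:
    """Record the expected digest of every firmware partition and authenticate
    that record with an HMAC. (A real device would use a public-key signature
    verified with a key anchored in secure storage; HMAC keeps this offline.)"""
    digests = {name: sha256_hex(blob) for name, blob in partitions.items()}
    payload = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "mac": hmac.new(key, payload, "sha256").hexdigest()}


def verify_firmware(partitions: Dict[str, bytes], manifest: Dict[str, object],
                    key: bytes) -> Dict[str, object]:
    """Integrity check to run on boot and periodically: first prove the manifest
    itself is authentic, then compare every partition against it."""
    payload = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected_mac = hmac.new(key, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        # Altered code plus a re-written manifest still fails here, because
        # the manifest MAC no longer verifies. Nothing else is trusted.
        return {"manifest_authentic": False, "tampered": [], "missing": [], "ok": False}
    tampered: List[str] = []
    missing: List[str] = []
    for name, digest in manifest["digests"].items():
        if name not in partitions:
            missing.append(name)
        elif not hmac.compare_digest(sha256_hex(partitions[name]), digest):
            tampered.append(name)
    return {"manifest_authentic": True, "tampered": tampered,
            "missing": missing, "ok": not tampered and not missing}


def demo() -> Dict[str, Dict[str, object]]:
    """Constructed partition contents stand in for real flash images."""
    key = b"demo-manifest-key-not-for-production"
    clean = {"bootloader": b"BOOT v1.2 ...", "kernel": b"KRNL 5.10 ...",
             "rootfs": b"ROOTFS: /etc/init.d/agent start"}
    manifest = build_manifest(clean, key)
    # Case 1: rootfs content altered after the manifest was produced.
    modified = dict(clean, rootfs=clean["rootfs"] + b" # unexpected change")
    # Case 2: same alteration, with the digests re-written to match but the
    # MAC left as it was (the forger does not hold the manifest key).
    forged = {"digests": build_manifest(modified, key)["digests"], "mac": manifest["mac"]}
    # Case 3: a partition the manifest expects is absent from the device.
    partial = {k: v for k, v in clean.items() if k != "kernel"}
    return {"clean": verify_firmware(clean, manifest, key),
            "modified": verify_firmware(modified, manifest, key),
            "forged_manifest": verify_firmware(modified, forged, key),
            "missing_partition": verify_firmware(partial, manifest, key)}
```

Scheduling `verify_firmware` at boot and on a timer, and treating any non-`ok` verdict as an alert, is the detection half of the defense the text calls for; what the manifest key protects against is precisely the case where an attacker who changed the code also tries to change the expected digests.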

Conclusion


In conclusion, as I mentioned at the beginning, planning matters before you start anything: perform a deep dive into the overall architecture and then into the threat model. By doing that you will identify where your device stands in terms of security and how strongly you should enforce the corresponding security mechanisms. If you consider the areas highlighted above when identifying the scope of your IoT security testing, you have a good start towards a secure IoT device.

If you have time for preparation, it is better to study common IoT infrastructures and components first to understand the individual components. That will also help you design and study testing procedures relevant to them.

So fasten your seatbelt and start securing your IoT device if you have not already. You will save a lot of money for your business, and maybe you will be the one who ultimately saves the business. And besides, if you are to become a security test professional and you succeed in your IoT security testing work, be aware that you have enlightened your security testing journey with an area that represents the future…

Chandima Athapattu

Chandima Athapattu is a Lead QA Engineer at Zone24x7.


Woes of a Fleet Support Engineer During a Pandemic

Synopsis

Pandemics such as COVID-19 led many organizations to ask their employees around the world to adapt to working from home (WFH), while attempting to run operations in unaffected regions as efficiently as possible. This is especially true for organizations with large global transport and logistics operations. Technology such as wearables and handheld smart devices is a crucial part of any such operation today. The upkeep of this technology is heavily dependent on tech support engineers, who are expected to investigate and remediate user queries and potential breakdowns from all over the world. This operation is commonly known as Remote Monitoring and Troubleshooting (RMT).

This article discusses the challenges faced by such support engineers during WFH periods and how the right tool could have solved these problems.

Off-the-Shelf EMM Software (a.k.a MDM) are Failures as RMT Solutions

  • EMM – Enterprise Mobility Management
  • MDM – Mobile Device Management
  • RMT – Remote Monitoring and Troubleshooting

Due to misinformed decisions by organizations, many support engineers are stuck with off-the-shelf EMM tools for supporting Remote Monitoring and Troubleshooting (RMT) requests. Unified Endpoint Management (UEM) tools serve tasks such as OS and application updates, security compliance and lockdowns, but fall miserably short when it comes to remote monitoring and troubleshooting.

Why? Because every organization's uniqueness is reflected in its devices, its software and how it uses them. Troubleshooting such devices and applications requires bespoke solutions. Such bespoke solutions are not the focus of UEMs, which do not offer all the details a support engineer needs to perform RCA (Root Cause Analysis). As a result, engineers are forced to resort to very cumbersome ways of obtaining the information they need, such as Remote Desktop, or a mix of their own scripts and dashboards, which are highly insecure and unstable.


Remote Desktop is a Cumbersome Bandwidth Bandit

Lacking the information and remote control needed for troubleshooting, support engineers have got used to resorting to remote desktop access to the end device whenever a ticket is opened, to get the data and control they need to solve the problem. Remote desktop is heavily dependent on a stable and consistently fast network connection, which is not something you can expect from someone working from home.


Domestic Data Rates Are Exorbitantly Higher

Organizations generally opt for unmetered leased lines for their internet connectivity. When support engineers work from home, they are forced to use domestic connections, which are metered and send operational costs through the roof.


Can’t Look Away for a Second, but You Have To

One of the biggest perks of working from home is that you get to be around your loved ones. But support engineers who need to keep their eyes on a terminal or a display are under a lot of tension whenever they are away from it, even for a second. At the same time, being away for a short time cannot be fully avoided. This is a lose-lose situation for the organization as well as the employee: the support engineer faces the anxiety of failing to meet SLAs because he or she did not see an incident in time, and the organization suffers the consequences.

MATRIX24x7: The Solution


A Tailor Made Solution Vs. Ready Made Software

  • Free yourself from the fixed functionality and rigidity of off the shelf, ready-made applications.
  • Mold the platform to your requirements vs. adapting to it.

A Partner Vs. A Vendor

  • Empathetically driven towards gaining a full understanding of the business and operation prior to solutioning.
  • Access to our best tech and domain experts vs. business sales intermediaries.

This is exactly what MATRIX24x7 is: an RMT platform that can deliver tailor-made solutions, and a partner that operates as the CTO of your support operation.

Heshan Perera

Associate Architect / Manager – IoT Platform