Monthly archive for March 2018

The Cost of Compliance – how can you turn this into an advantage?


Over the last 3 years we’ve seen many firms in the financial sector scrambling to meet the compliance requirements of multiple regulations that have been introduced.  The revised Markets in Financial Instruments Directive known as MiFID II went live on January 3 this year following the 2016 publication of the FCA’s Market Abuse Regulation, and the EU’s GDPR enforcement deadline May 25 is just around the corner.

These are just three of the new regulations entering the financial sector, and between them they contain significant and widespread legislative reform.  Multiple aspects are covered, from trading to the recording and monitoring of data, transparency around research costs, new product governance rules and increased personal data protection.  These regulations also carry the potential for heavier fines for non-compliance.  GDPR is an example of this, with maximum fines of up to 4% of annual global turnover or €20 Million (£17 Million) for serious breaches, compared to the £500,000 maximum applied by the ICO.

As regulations in the financial sector continue to grow in number and complexity, companies need to continue substantial investment to meet their obligations.  For many organisations, the required increase in compliance initiatives, systems and process changes will become unsustainable as staffing commitments continue to grow.  In some institutions this strain is already felt with compliance staffing numbers now matching front office staff one-to-one.

We believe that the increase of regulations can provide many opportunities for organisations to see a return on investment from these ‘enforced’ initiatives if they take a forward-thinking approach.  We’ve implemented many different solutions for businesses to meet their compliance obligations and the most rewarding are those that use the data they’re collecting.  Companies collect and store huge amounts of data and this will continue to increase as more regulations are introduced.  Organisations should be making use of innovative technology to mine this data to achieve significant business insight which can be applied to operating and growth strategies.


One of the requirements being enforced by many regulations is the collection and storage of communication information, which must be readily available at the request of authorities or clients.  To ensure regulatory requirements are met, actively monitoring this communication information is important for the early detection of possible compliance breaches.  However, the struggle for many companies is in identifying how to successfully transform this communication information into data that makes sense.  Analysis of this data in the context of business events and incidents can provide powerful insights which can be applied to important business decisions.  The key to unlocking this potential value lies in the use of NLP (natural language processing) and Machine Learning.  With the use of NLP and Machine Learning these ‘soon-to-be’ terabytes of communication can be monitored and analysed to provide near real-time insights, not to mention exceeding any expectations the FCA or investors would have.

For example, Lloyd’s Banking Group employs NLP in conjunction with ML techniques to identify fraudulent phone calls, and Deutsche Bank has shown that NLP-based techniques can provide significant improvement to quantitative investing models and stock price prediction.  Amazon has also employed NLP to huge success with their Alexa-enabled devices. According to industry estimates, Amazon sold approximately 11 million Alexa-enabled devices by the end of 2016, or roughly 70 percent of the existing market at the time for virtual assistant products.

Furthermore, NLP-based sentiment analysis techniques can be applied to stored communications records, reports, and even social media or other web content to effectively determine whether those sources contain positive or negative expressions.  We have been working with organisations who record and store their communication information to provide them with real-time monitoring and analysis of this data through the use of NLP and Machine Learning.  This not only ensures companies remain compliant, with early detection alerts of potential breaches, but results in further benefits such as a deep understanding and monitoring of what their clients and associates think about them, their products and services.  Analysed in the context of business as usual, it could, for example, assist in pre-empting margin calls; this is extremely powerful.

Hiroshi Sasaki, our Head of NLP at Synetec, is highly experienced in building the knowledge bases behind NLP, utilizing active learning, text mining and LUI (language user interface). He says:

“Using NLP can turn your compliance costs into a business opportunity by giving you significant business insights. Through readily available and improved transcription technologies, NLP and machine learning we can accurately identify topics, behaviour and the related sentiment. Who said what, how they said it and where they said it!”

Hiroshi completed a Master’s Degree in Computational Linguistics at the Nara Institute of Science and Technology in 2003 and has previously worked for Toshiba in their Research and Development Centre in Japan.  Hiroshi’s projects focussed on how to reduce the cost of manual data labelling that is required for ML and he is very interested in effectively applying these techniques to real business problems.

There are several components that need to be understood to truly make NLP work for you and your business, including Topic, Behaviour and Sentiment Identification.  These areas provide huge benefits in the use of NLP techniques to mine your data effectively, and we’ll be writing about each of these in future posts, so stay tuned.


Synetec is a solutions provider certified in many diverse development technologies, such as Microsoft and AWS, delivering integration and development solutions since 2000.

We work with a number of the UK’s most respected financial institutions to deliver a range of innovative solutions. We have expertise in working with both established businesses as well as start-ups and extreme growth businesses.


Written by Natasha Walters

Enterprise Web applications security

Challenges

We take security seriously and therefore invest time in researching the latest vulnerabilities and how to overcome them. Even if a company has state-of-the-art software security in place, there are still channels through which the system can be breached. The most prevalent channel is the human factor.

Human contribution

One of the main such vulnerabilities is email. An employee can be tricked into opening an email whose sender appears to use the company’s email domain, or one that relies on intentional typographical errors, and believe it is coming from a colleague. For example, everyone in our company has an email address on the domain @synetec.co.uk, but a malicious email could use the domain @symetec.co.uk or @synetec.com.  Such an email can carry an attachment named Invoice_001 or Order_001, but in fact, by opening the file, the user downloads malicious software which can encrypt files and demand a ransom (ransomware), or silently send keystrokes and reveal passwords. The same can be achieved by clicking on a link which redirects the user to a malicious website and downloads the eavesdropping software.  Unfortunately, this cannot be overcome by software, but only by using common sense and training.
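As an added illustration of the lookalike-sender problem described above (this is not code from the original post or from Synetec’s systems), the following check flags From: addresses whose domain is within one character edit of the company domain, or reuses its organisation label under another top-level domain. The domain synetec.co.uk is taken from the post; the sample headers are constructed.

```python
from email.utils import parseaddr

COMPANY_DOMAIN = "synetec.co.uk"  # from the post; everything else here is constructed


def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance: minimum single-character edits to turn a into b
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def org_label(domain: str) -> str:
    # The organisation part of the domain, e.g. "synetec" in synetec.co.uk or synetec.com
    return domain.split(".")[0]


def is_lookalike(sender_domain: str, company: str = COMPANY_DOMAIN, max_dist: int = 1) -> bool:
    sender_domain = sender_domain.lower()
    if sender_domain == company:
        return False  # the genuine domain itself is not a lookalike
    if edit_distance(sender_domain, company) <= max_dist:
        return True  # e.g. symetec.co.uk, one substitution away
    if org_label(sender_domain) == org_label(company):
        return True  # same organisation name under another TLD, e.g. synetec.com
    return edit_distance(org_label(sender_domain), org_label(company)) <= max_dist


def flag_lookalike_senders(from_headers: list) -> list:
    # Returns the addresses whose domain imitates the company domain
    flagged = []
    for header in from_headers:
        _, addr = parseaddr(header)
        if "@" not in addr:
            continue  # unparseable address: leave it to other mail-filter rules
        if is_lookalike(addr.rsplit("@", 1)[1]):
            flagged.append(addr)
    return flagged


# Constructed sample From: headers, not real messages
SAMPLE_FROM_HEADERS = [
    "Accounts <accounts@synetec.co.uk>",
    "Accounts <accounts@symetec.co.uk>",
    "John Smith <john.smith@synetec.com>",
    "Newsletter <news@example.org>",
]
```

A check like this belongs in the mail gateway as one signal among others; it complements, rather than replaces, the training the post calls for.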

Applications channels

The most common web application vulnerability channels are:

  • XSS – allows an attacker to inject malicious JavaScript code and change the behaviour of the website
  • CSRF – allows an attacker to trick a browser into buying something expensive or even executing a trade
  • SQL injection – allows an attacker to execute malicious SQL and affect the database server

The technologies we use help us to overcome such problems. For example, Angular 5 blocks XSS attacks by treating all input as untrusted and sanitizing it, i.e. preventing the execution of unknown JavaScript. A similar feature comes out of the box with ASP.NET MVC and Razor pages. CSRF protection is also built into the Angular pipeline as well as ASP.NET Core, by issuing an X-XSRF-TOKEN and including it in POST requests automatically. SQL injection is taken care of by using Entity Framework, which parameterizes queries, because queries are not constructed using string manipulation and concatenation.

There are other attack-prevention measures, some of which provide security through obscurity:

  • Custom error pages
  • Redirect to the home page for non-existent routes
  • HttpOnly cookies
  • Removed response headers revealing server/framework/technology information
  • Set the X-Frame-Options header to SAMEORIGIN or, even better, DENY
  • Browser’s own protection: set X-XSS-Protection to “1; mode=block”
  • X-Content-Type-Options: nosniff – this prevents the browser from guessing the content type and running an arbitrary file as JavaScript
  • If not using Entity Framework, parameterize commands
  • Encrypt sensitive sections of web.config using aspnet_regiis -pe
  • Tracing turned off
  • SSL for the whole site, including the login page
  • Remove any tokens on logout
  • Local redirects instead of plain redirects
  • Encode strings passed in the URL


Our solution

In architecting applications we decided to take an approach leaning towards microservices, by which each user interface, whether a web, mobile or desktop application, or another service, can share common functionality. To secure access to resources, this had to be implemented so that once a user is logged in, they can access the various authorised resources without needing to authenticate again for each separate service.

It is quite common to use cookies holding a session identifier while the session itself is stored on the server; the browser sends the cookie automatically with every request. Such cookies can be secured by sending them only over HTTPS and by making them inaccessible to JavaScript. However, they have several drawbacks:

  • The ID stored in the cookie must be used by the server to look up the session, which adds overhead in large systems
  • They do not carry information defining what a user is authorised to do; again, this has to be looked up by the server
  • They relate only to one system and cannot be used to authorise between desktop applications or between other services or APIs

For this reason, we adopted a cookie containing a token shared amongst services, the JSON Web Token (JWT), which tackles the problems of session ID cookies. JWTs are supported by ASP.NET Core and work well with Identity Framework, the modern ASP.NET Membership system.

JWT is an industry standard, RFC 7519, used for identification between two parties using claims (https://tools.ietf.org/html/rfc7519).  It allows a server to verify identity information without storing state on the server. The token itself is comprised of:

  • Header – contains the algorithm and token type; base64url encoded
  • Payload, also called the claims – the data being secured; base64url encoded
  • Signature – a hash verifying that the token was issued by a particular service

The parts of a JWT are separated by periods: [Header].[Payload].[Signature]

The payload is digitally signed with the algorithm named in the header, using a secret key, which ensures that the token was not tampered with between the parties; it can be further encrypted using JSON Web Encryption. As opposed to a cookie carrying a session ID, a JWT is self-contained and can carry information such as:

  • Who issued the token
  • Who can use the token
  • When the token expires
  • When the token was created
  • What the user can do

In conclusion, JWT is a modern solution to today’s problems which increases the security and efficiency of the system using it. It is a standard way of transporting security information which is easily implemented in complex enterprise solutions.
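As an added example of the RFC 7519 mechanics described above (written in Python for illustration; it is not Synetec’s ASP.NET Core code), the block below issues an HS256 token with the issuer, audience, expiry, creation time and permission claims listed in the post, then verifies it by pinning the algorithm, recomputing the HMAC over header and payload, and checking audience and expiry. The secret, claim values and service names are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment loads it from protected configuration
SECRET = b"constructed-demo-signing-key"

def b64url(data: bytes) -> str:
    # base64url as used by JWT: URL-safe alphabet with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims: dict, secret: bytes) -> str:
    # The header names the algorithm; the HMAC covers header and payload together
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url(compact(header)) + "." + b64url(compact(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token: str, secret: bytes, audience: str, now: int) -> dict:
    # Raises ValueError on any failure; returns the trusted claims on success
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never accept 'none'
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")  # header or payload was altered
    claims = json.loads(b64url_decode(p))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")  # token issued for another service
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims

def rejects(token: str, audience: str, now: int) -> bool:
    # True when verification fails for any reason (used to demonstrate the checks)
    try:
        verify_jwt(token, SECRET, audience, now)
        return False
    except ValueError:
        return True
```

Because the signature covers both encoded parts, changing a single claim (for example the user’s roles) without the key invalidates the token, which is what lets each service trust the claims without a server-side lookup.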


Written by Radovan Luptak

The team gets bowled away

The team here at Synetec place a high importance on down time and having a few laughs together. We recently went bowling and the competitive beasts evolved from the professional and conscientious code monkeys that we know Mon – Fri business hours…. It seems bowling takes some skill and it’s those who say they haven’t played before that you have to be careful of on the leader board. Well done all.
