New "Insecurity in the Internet of Things" report

Florence Broderick    14 October, 2015
New Insecurity in the IoT report
You can now download the full report on Insecurity in the Internet of Things, produced by ElevenPaths’ Analyst Team. It is available on the ElevenPaths website.

Summary
In the past six months potential insecurity within the Internet of Things (IoT) has been regularly making news headlines, from hacking planes, cars, or baby monitors, to Smart TVs insidiously listening to and broadcasting unencrypted conversations across the internet. A September advisory issued by the FBI indicated that they too had concerns over inherent security flaws in the implementation of the IoT and warned of the potential opportunity offered to cyber criminals. While to many such a warning may seem premature given the current market penetration, the IoT is currently at a peak of expectation and anticipation, which is essential to driving the concept forward. In the enterprise the IoT is seen as an integral part of the blueprint for developing from the digital business model of today to the digitisation of the entire value chain, and in the consumer space ‘wearable’ adoption is rising rapidly. However, advances in edge computing, networks, big data and analytics are still required for this truly disruptive technology to shape the future; and although widespread implementation is likely to be 5-10 years away, not addressing security flaws now will only compound the problem for an IoT-connected world.

Such scope ensures that the IoT should not be thought of as just a ‘Thing’ in itself; it is a collection of technologies integrated and presented to provide specific and vastly diverse applications. However, in terms of manufacturing, a rapid development lifecycle is producing devices that are ‘always-online’ and often possess inherent restrictions on security measures due to size and cost; research has indicated that as many as 70% of commonly used IoT devices contain significant vulnerabilities. Maintaining consumer trust, regulating the quantity and nature of data to be collected and transmitted, and tackling end-user behavioural traits likewise pose complex challenges. At this nascent stage in the lifecycle, the focus on securing the IoT is often disproportionately weighted on the end device, forgetting that it is merely a component of a larger ecosystem that is only as strong as its weakest link.

Methods to subvert these technologies will depend both on the manner in which they mature, and on how security is implemented on often exposed devices. Worryingly, the early indications are that the network, application and cloud security lessons of the past 20 years have often been forgotten by existing technology vendors, and not yet learnt by manufacturers pushing into a new market. While risk exposure from IoT vectors is likely to remain low in the short term for most enterprises, risk assessments may prove it is higher than first thought. The uptick in reflective DDoS attacks in H2 2014 and the composition of the ‘Lizard Stresser’ botnet already point towards the effect of an insecure IoT being maliciously re-purposed. Unanticipated information leakage from the extended IoT ecosystem may also compound the problem of data aggregation from both consumer and enterprise sources, enabling cyber criminals to unite disparate data sets for a wide range of malicious goals.

The concept of security by design must be given a higher priority in order to avoid security flaws being compounded as the IoT matures, and adopters should be alert to IoT integration in a less mature, loosely regulated environment, or risk costs spiralling later. Core principles of data, application, network, systems and hardware security remain applicable, but the complexity is higher and measures must be more careful not to work against the user. The IoT will be a transformational, disruptive technological movement, but it carries a spectrum of risks that affect more than just the IT department.

More info about our Security Trends Reports at www.elevenpaths.com
ElevenPaths’ Analyst Team

Telefónica and ElevenPaths announce new market leading security offering following key sector agreements

Florence Broderick    8 October, 2015

In the context of the Company’s III Security Innovation Day


Madrid, Thursday, 8 October 2015.- Telefónica and ElevenPaths present today the company’s new cybersecurity product lines at its third Security Innovation Day conference. The improved and expanded services are a result of Telefónica signing strategic alliances with major partners and key players in the security sector, including Alien Vault, BlueCoat, Intel Security, Palo Alto Networks, RSA, and Vaultive.

Thanks to the input and technological capabilities of the new partners, ElevenPaths has improved and optimised its most powerful tools, including Sinfonier, Latch, SandaS and Metashield Protector.

Alliances that reinforce ElevenPaths’ solutions

Thanks to the agreement between Telefónica and BlueCoat, the Proxy SG Internet access filtering systems will incorporate Metashield Protector technology, ElevenPaths’ solution for preventing information leaks in all document environments, meaning all files are scanned before publication in web services. All access information generated by Proxy SG systems is accessible from Telefónica’s SandaS platform, giving companies real-time access to IT security information. Moreover, together with GIN, BlueCoat’s IP reputation service, SandaS can filter or block HTTP/HTTPS access from a single point.

With a continuously escalating threat landscape pushing cybersecurity further up the list of concerns for boardrooms and millennials alike, Palo Alto Networks is leading the charge in putting an end to successful data breaches. Within the category of cybersecurity services, Telefónica has teamed up with Palo Alto Networks to develop a service that can discover mobile malware through the integration of three industry-leading technologies: Palo Alto Networks’ next-generation security platform, which includes WildFire, the cloud-based malware analysis and prevention service; Tacyt, the innovative cyberintelligence tool for mobile threats developed by ElevenPaths; and Sinfonier, the open system for real-time processing of information sources. Through this integration, customers will be protected from malicious mobile applications both on the network and on mobile devices.

Telefónica has also partnered with RSA, and that company’s solution, Security Analytics, can now connect with SandaS, providing a holistic view of companies’ security and of the external threats and vulnerabilities that may affect them, as well as of risk, governance and compliance.

Similarly, Telefónica has partnered with Intel Security, and that company’s security event management and correlation system, NITRO, will be able to connect with SandaS and SandaS GRC.

SandaS can also be connected to Alien Vault’s USM platform to improve its analysis and risk control capabilities, extending those already available through the integration with earlier versions.

Telefónica, through ElevenPaths, has partnered with Vaultive to integrate the encryption proxy service developed by that company. This protects the confidentiality of companies’ information in SaaS platforms, especially Microsoft Office 365, together with the Latch tool, which allows access to Office 365 to be authorized from the user’s mobile device.

ElevenPaths has recently acquired GesConsultor, the technology solution specialising in management and compliance systems (Governance, Risk & Compliance, or GRC), which from now on is integrated as SandaS GRC within its product portfolio. The Telefónica subsidiary has also acquired the intellectual property of the “Handwritten Signature Capture and Verification Development System in Mobile Platforms” software, which is linked to research work with the Carlos III University of Madrid.

Telefónica is working to develop new services and security capabilities that help its clients’ businesses to be better protected against threats in the environments in which they operate. In the past year, the Company has undertaken a transformation process based on innovation through technology.
As a result, Telefónica España is the leading company in billing, managed devices and implemented projects. Spain’s top companies, public bodies and law enforcement forces and agencies rely on it for their cyber security.

The event will be streamed live to all Telefónica offices and will be accessible over the web at: https://securityinnovationday.elevenpaths.com/eventcontent/streaming

More information on www.elevenpaths.com


Click & Go, the multipurpose button

Beatriz Sanz Baños    1 October, 2015

What are Click & Go Solutions?

Click & Go solutions are Telefónica’s innovative approach aimed at providing instant IoT solutions for organizations that traditionally do business in non-connected ways. The success is built upon the golden rule of technological success: a solution where technology is imperceptible to the user and is the easiest way to get things done.

Click & Go builds bonds between customers and companies by offering their services in an easy-to-consume manner, thus increasing recurring business through higher rates of customer satisfaction. These solutions also offer a competitive advantage over the ‘disconnected’ competition.

The form factor of Click & Go technology is most commonly a customized button that streamlines sales processes in several sectors (food, courier services, public transportation, industrial use, shopping, etc.).

How did Click & Go begin?

Click & Go’s debut came through Telefónica’s close business relationship with the home delivery food company Telepizza. Both companies were already seeking new ways of combining communication and technology, and Telefónica has constantly sought innovative uses for cellular communication. Nowadays, when we talk about the IoT we normally refer to non-M2M (non-cellular) technologies such as Bluetooth LE, LPWA, WiFi, RF mesh networks or RFID. The use cases for M2M were limited to certain areas and applications, and the ultimate goal has been to broaden the field of application.

To test the concept and streamline its use, Telefónica is launching pilot programmes with selected clients from different business areas, in order to find the best way of interacting with consumers in their everyday tasks using technology in a simple way.

What are the possibilities of Click & Go?

All Click & Go devices share a similar underlying hardware technology. At the core they have a pre-programmed soldered SIM set to send service requests to a predetermined destination. In the case of Telepizza, the buttons resemble a fridge magnet, being physical replicas of the mobile app. Simply pressing the button for 3 seconds (to avoid accidental ordering) triggers a request for the user’s favourite order. A tiny LED and an SMS give the user confirmation that the order is on its way. Recurring orders are one of the main sources of business for home delivery food restaurants, so giving customers a simple method of placing their favourite order is a great way of increasing brand loyalty and easing the overall process for clients.

What type of solutions does Telefónica envision as fitting into the Click & Go model?

The hardware is based on the Arduino compatible Thinking Things Open module that is designed for simple integrated cellular connectivity. Click & Go is the result of months of R&D from the same innovation team that developed the modular Thinking Things kit.

Two new buttons use the same underlying motherboard used for Telepizza and have recently reached the market:

  • SEUR One Click enables automatic pick-up of courier packages wherever the button is located, simply by pressing the button. It is aimed at easing operations for companies of all sizes (from SMEs to large organizations) that require urgent delivery courier services.
  • Cabify is a simplified taxi ordering service that, upon pressing the button, requests a taxi and prints out a receipt with the car model, license plate, driver name and expected time of arrival, for the client’s safety. Thanks to Telefónica’s Global SIM, it will be available in Spain, México, Peru and Chile.

Why is Click & Go a ‘killer’ solution?

There are several advantages that turn it into a fabulous solution for companies looking for new ways of promoting their most popular services in an attractive and new way:

  • Click & Go buttons do not require a smartphone, WiFi or Bluetooth for initial setup; thanks to their embedded SIM card they are truly set-and-forget independent devices
  • They are adaptable to several use cases, types of businesses and industries, as the examples already in use clearly prove
  • They are small and easy to turn into attractive objects (e.g. fridge magnets)
  • The battery gives these buttons a long lifetime, and they require no maintenance
  • Click & Go buttons are prepared for OTA (Over the Air) updates thanks to their cellular ‘heart’
  • They do not require a steep learning curve (they are programmed using Arduino)

How Telefónica collaborates with the GSMA to define project use case scenarios using Lean Startup

Florence Broderick    29 September, 2015
Startup entrepreneurs were the first to adopt the Lean Startup method when Eric Ries published his book The Lean Startup in 2011. Big companies like Telefónica were soon the next to apply Lean Startup. Now we have witnessed how an industry forum like the GSMA (GSM Association), and its Personal Data Program in particular, adopts a hypothesis validation model to build successful products and services.

Use cases in industry forums and standardization bodies are generally defined by the forum members without market validation, and then, following a waterfall model, the technical solution for those use cases is defined.

Mobile Connect

Telefónica has been deeply involved in the Mobile Connect project since February 2014. Mobile Connect is a GSMA cross-operator proposition to simplify people’s digital lives, offering a simple and safe identification service that offers the user total control over their privacy. The authentication is significantly more secure than typical username/password schemes as access to the account is secured via the user’s mobile device.

The Lean Startup methodology has been a pillar of our innovation process since 2012, so all our innovation projects apply it. Consequently, Mobile Connect has been developed following the Lean Startup method.

Lean Startup is basically the combination of Steve Blank’s Customer Development methodology and Agile Development. As we have been applying Agile Software Development at Telefónica since 2006 (specifically in Telefónica R&D), our engineers, and in particular those with experience as scrum masters, are the ones who have adapted best to Lean Startup.

Due to the deep experience with agile that the Mobile Connect team has, the Customer Development iterations were perfectly synchronized with the Agile Software Development cycles. This allowed us to design the fastest and cheapest prototype needed in each iteration to validate, or invalidate, the project hypotheses.

Also, the Mobile Connect innovation project team at Telefónica treated the defined use cases as hypotheses that needed to be validated in the market before building the solution. Therefore, they got out of the building to have face-to-face conversations with potential customers. In fact, after carrying out 42 interviews their first hypothesis about the customer segment proved to be wrong, so they had to pivot to another customer segment.

The team focused on the problems the customers had and then on how Mobile Connect could solve those problems according to the customers’ needs and feedback. What’s more, during this process customers really interested in the service and willing to pay for it were identified and involved in the process.

Thus Lean Startup helped identify and define the use cases based on clear evidence and validated learning about the customers. As a consequence, the Personal Data Program has created workgroups that organise sessions with different service providers to identify and understand the painful problems they are facing, in order to work on solutions to those problems.

A successful way to transfer an innovation project to the business unit

One of the biggest challenges we face at big companies is how to successfully transfer an innovation project to the business or product units. This is something we have had the opportunity to discuss with several companies in different innovation forums, and also at last year’s Lean Startup Conference in San Francisco, and there is general agreement on it.

The most delicate moment in the life of an innovation project is when it is time to scale up and get transferred into a business unit or product line. Having stakeholders in the business unit or product line is critical, but not enough to make a successful transition.

In our experience, innovation projects that apply Lean Startup survive that transition better because they are in a position to bring tangible credibility to the table, in the form of validated market traction and even customers.

In the case of Mobile Connect we have been able to transfer the innovation project successfully to the business unit for its deployment and commercialization. In fact, this solution is going to be deployed in Argentina, Spain, Mexico and Peru this autumn, and more countries are coming next year.

Moreover, the way we have done this transfer has also been different: we have not only transferred the product but also the team plus prospective customers.

This has allowed us to transfer not only the product know-how, the product development know-how and the customers, but also the complete business model knowledge, the market contacts and the experience gained by the team during this time. That is: who the customers are, how the solution should be commercialized, the way to reach the customers, the pitch, the sales process, etc.

In other words, we have transferred what one of our external mentors, Mario López de Ávila, calls the complete “product toolkit”.

Besides, all the aforementioned evidence and knowledge about both the market and the customers, as well as the network of contacts, has enabled us to smoothly transfer the team of R&D engineers to the business unit, because the knowledge they brought with them has given this team of technical people credibility among their new colleagues.

Evil FOCA is now Open Source

Florence Broderick    22 September, 2015

We are really happy to announce that Evil FOCA is now Open Source. We have received lots of comments and feedback about how you are using Evil FOCA, or how you would like to improve it; thousands of people download Evil FOCA on a monthly basis.

Although Evil FOCA has always been free of charge, now we want to take the next step: Evil FOCA is now Open Source, released under the GNU General Public License 3.0. It is available in our GitHub repository: https://github.com/ElevenPaths/EvilFOCA

Our main objective with the Open Source release is for the community to be able to improve Evil FOCA and keep it one of the best network pen-testing tools. Please check Evil FOCA’s website to find out more about it.

What is Evil FOCA and what can it do?

Evil FOCA is a tool for pentesters and security auditors whose purpose is to test security in IPv4 and IPv6 data networks.

The tool is capable of carrying out various attacks such as:

  • MITM over IPv4 networks with ARP Spoofing and DHCP ACK Injection.
  • MITM on IPv6 networks with Neighbor Advertisement Spoofing, SLAAC attack, fake DHCPv6.
  • DoS (Denial of Service) on IPv4 networks with ARP Spoofing.
  • DoS (Denial of Service) on IPv6 networks with SLAAC DoS.
  • DNS Hijacking.

The software automatically scans the networks and identifies all devices and their respective network interfaces, listing their IPv4 and IPv6 addresses as well as their physical (MAC) addresses, through a convenient and intuitive interface.

Within the MITM (Man in the Middle) attacks in IPv4 and IPv6, Evil FOCA covers the following techniques:

  • ARP Spoofing: Consists of sending ARP messages onto the Ethernet network. Normally the objective is to associate the MAC address of the attacker with the IP address of another device. Any traffic directed to the IP address of the default gateway will be erroneously sent to the attacker instead of its real destination.
  • DHCP ACK Injection: Consists of an attacker monitoring the DHCP exchanges and, at some point during the communication, sending a packet to modify its behavior. Evil FOCA turns the machine into a fake DHCP server on the network.
  • Neighbor Advertisement Spoofing: The principle of this attack is identical to that of ARP Spoofing, the difference being that IPv6 does not use the ARP protocol; all of this information is exchanged through ICMPv6 packets. There are five types of ICMPv6 packets used in the Neighbor Discovery protocol, and Evil FOCA generates these packets to place itself between the gateway and the victim.
  • SLAAC attack: The objective of this type of attack is to carry out a MITM when a user connects to the Internet and to a server that does not support IPv6, and to which it is therefore necessary to connect using IPv4. This attack is possible because Evil FOCA performs domain name resolution once it is in the communication path, and is capable of translating IPv4 addresses into IPv6.
  • Fake DHCPv6 server: This attack involves the attacker posing as the DHCPv6 server, responding to all network requests and distributing IPv6 addresses and a false DNS server in order to manipulate the user’s destination or deny the service.
  • Denial of Service (DoS) attack: A DoS attack is an attack on a system of machines or a network that results in a service or resource being inaccessible to its users. Normally it causes the loss of network connectivity by consuming the bandwidth of the victim’s network, or it overloads the computing resources of the victim’s system.
  • DoS attack in IPv4 with ARP Spoofing: This type of DoS attack consists of associating a non-existent MAC address with an IP address in the victim’s ARP table. As a result, the machine whose ARP table has been modified is unable to reach the IP address associated with the non-existent MAC.
  • DoS attack in IPv6 with SLAAC attack: In this type of attack a large quantity of “router advertisement” packets are generated, destined for one or several machines, announcing false routers and assigning a different IPv6 address and gateway for each router, overwhelming the system and making the machines unresponsive.
  • DNS Hijacking: The DNS Hijacking attack consists of altering the resolution of the Domain Name System (DNS). This can be achieved using malware that alters the TCP/IP configuration of a machine so that it points to a rogue DNS server under the attacker’s control, or by way of a MITM attack, in which the attacker receives the DNS requests and answers a specific DNS request so as to direct the victim toward a destination selected by the attacker.
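As an added, defender-side example that is not part of Evil FOCA or of this post: a small monitor that, given a stream of observed ARP replies and IPv6 Router Advertisements, flags the signatures of two of the techniques listed above. The ARP Spoofing and ARP-based DoS attacks show up as an IP address (typically the gateway) suddenly claimed by a second MAC; the SLAAC DoS shows up as a flood of Router Advertisements, usually from a source that is not a known router. The event records, field names and thresholds are this example's own assumptions; in practice the records would be filled from a packet capture.

```python
"""Defender-side detection of ARP spoofing and rogue / flooded IPv6 Router
Advertisements over a list of observed link-layer events.

Illustrative code, not part of Evil FOCA. The EVENTS list is constructed by
hand; a real monitor would populate it from a packet capture."""
from collections import Counter, defaultdict

# Constructed sample events (the field names are this example's own convention).
# A legitimate gateway answers ARP for 192.168.1.1; then a second MAC starts
# claiming the same IP, which is the ARP-spoofing signature. Later a MAC that
# is not a known router emits dozens of Router Advertisements with different
# prefixes, the pattern of the SLAAC DoS described in the list above.
EVENTS = [
    {"kind": "arp_reply", "ip": "192.168.1.1", "mac": "00:11:22:33:44:01"},
    {"kind": "arp_reply", "ip": "192.168.1.10", "mac": "00:11:22:33:44:10"},
    {"kind": "arp_reply", "ip": "192.168.1.1", "mac": "de:ad:be:ef:00:01"},
    {"kind": "arp_reply", "ip": "192.168.1.1", "mac": "de:ad:be:ef:00:01"},
    {"kind": "arp_reply", "ip": "192.168.1.10", "mac": "00:11:22:33:44:10"},
    {"kind": "router_adv", "mac": "00:11:22:33:44:01", "prefix": "2001:db8:1::/64"},
] + [
    {"kind": "router_adv", "mac": "de:ad:be:ef:00:01", "prefix": f"2001:db8:{i:x}::/64"}
    for i in range(2, 40)
]


def detect_arp_spoofing(events, protected_ips):
    """Alert when an IP address is claimed by a MAC other than the ones seen so
    far. Each new (ip, mac) pair is reported once; conflicts on protected IPs
    (gateways, DNS servers) are rated critical, the rest warning."""
    seen = defaultdict(set)      # ip -> set of MACs that have claimed it
    alerts = []
    for e in events:
        if e["kind"] != "arp_reply":
            continue
        ip, mac = e["ip"], e["mac"]
        if seen[ip] and mac not in seen[ip]:
            alerts.append({
                "type": "arp_binding_change",
                "ip": ip,
                "known_macs": sorted(seen[ip]),
                "new_mac": mac,
                "severity": "critical" if ip in protected_ips else "warning",
            })
        seen[ip].add(mac)
    return alerts


def detect_rogue_ra(events, trusted_router_macs, flood_threshold=10):
    """Alert on Router Advertisements from MACs that are not known routers,
    and on any single source that sends flood_threshold or more RAs."""
    ra_count = Counter()          # mac -> number of RAs seen
    prefixes = defaultdict(set)   # mac -> distinct prefixes announced
    for e in events:
        if e["kind"] != "router_adv":
            continue
        ra_count[e["mac"]] += 1
        prefixes[e["mac"]].add(e["prefix"])
    alerts = []
    for mac, n in ra_count.items():
        if mac not in trusted_router_macs:
            alerts.append({"type": "untrusted_router_advertisement", "mac": mac,
                           "count": n, "distinct_prefixes": len(prefixes[mac])})
        if n >= flood_threshold:
            alerts.append({"type": "ra_flood", "mac": mac, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(EVENTS, protected_ips={"192.168.1.1"}):
        print(alert)
    for alert in detect_rogue_ra(EVENTS, trusted_router_macs={"00:11:22:33:44:01"}):
        print(alert)
```

On the constructed input the ARP detector raises one critical alert for 192.168.1.1 (first claimed by 00:11:22:33:44:01, then by de:ad:be:ef:00:01), and the RA detector raises two alerts for de:ad:be:ef:00:01: one because it is not a trusted router and one because its 38 advertisements exceed the flood threshold. The same approach is what tools such as arpwatch and RA Guard apply on real networks: pin the expected bindings and known routers, and alert on anything that contradicts them.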

Who are you going to believe, me or your own eyes? The dilemma of managed security

Florence Broderick    18 September, 2015
Organizations are facing a context of increasingly complex IT threats that jeopardize the everyday running of production processes: advanced persistent attacks, zero-day threats, industrial espionage, hacktivism, etc., and at the same time the need to play by the rules (legislation and regulations) in security matters.

The challenge for organizations is to balance the tough demands of production processes and the management of increasingly complex threats with the intelligence and scale required in each case. This requires not only deploying tools to deal with these threats, but also having security experts in-house or outsourcing this service to specialized third parties that have trained staff and the appropriate tools to manage their security. The problem in that case is that organizations lose visibility and control over their own security.

At ElevenPaths, we believe that it is possible to go one step further in this never-ending cat-and-mouse game. “Traditional” outsourced security management is based on the operation of security tools such as firewalls, antivirus software, intrusion detectors, etc., and on a SIEM (Security Information and Event Management) system as the tool for collecting and correlating the events generated by those security tools. The SIEM detects and alerts the operator when a security incident takes place, but the organization loses visibility of its own security and the immediacy to respond.

The new approach to outsourced security management should enable the organization to have an immediate knowledge of the incident and a unified view of its security, allowing also an immediate and accurate response to the threats and the minimization of their impact on the business. This solution should also integrate both the information from all the tools used in the organization itself and external information. The organization should also benefit from a comprehensive and collective knowledge that enables it to anticipate incidents that are already happening or have happened to others.

The first step is to improve incident detection by SIEMs. SandaS processes the information received by SIEMs with a set of proprietary algorithms that detect activities that may go unnoticed by SIEMs.

The state-of-the-art dashboard enables the organization to access real-time data on its security and monitor the status of its security by the minute and how it is being managed.

Detecting an incident is not enough; a standardized classification and criticality assignment is necessary. The criticality level can be customized through SandaS according to the organization’s specific context and the affected elements. Moreover, SandaS automatically notifies the relevant actors in that context for more agile and efficient processing and resolution. It can even automatically execute resolution or remediation actions, thus optimizing resources.

SandaS is supported by multiple components of the ElevenPaths security platform, such as the Big Data processing framework Sinfonier, which enables the integration of internal and external sources, such as external events detected by other cybersecurity services. This allows for potential incidents to be detected faster and as closely as possible to the organization context, as well as the prevention or reduction of their impact.

Moreover, the most innovative feature of SandaS is its collaborative approach. With its global scale and the large volume of data that it handles from a variety of sources, it gets a comprehensive knowledge of suspicious evidence across its network. Thanks to this intelligence, it infers potential threats, immediately detects incidents that are already taking place and, above all, prevents them from happening in those organizations where they have not yet materialized.

To complete this view of security management, it must be linked to the business. It is necessary to assess the risk that threats and vulnerabilities pose to the business, as well as to manage compliance with the many regulations, standards and policies. This enables better decisions on the management of incidents and on the definition of processes, procedures and policies for preventing and managing them.

This is why we have recently expanded our solution with GRC (Governance, Risk and Compliance) capabilities through the acquisition of the GesConsultor platform, which integrates into our family of products as SandaS GRC.

To find out more about the tool, check out the following video:

In upcoming posts we will get into more details on the functionality offered by the various components of SandaS and SandaS GRC which are offered through Telefonica’s Managed Security Services.

Connected Health, or IoT as your best lifeline

Beatriz Sanz Baños    15 September, 2015

The IoT started mainly as a way of automating industrial and mechanical processes that relied heavily on human intervention. Yet one of mankind’s biggest yearnings has always been to imitate and foresee human behaviour (which is where robotics was born). Most recently we interact with computers that are so small we can literally wear them (wearables being the most advanced iteration yet of consumer electronics).

Going to the doctor has always been something mainly human, carried out by highly qualified professionals who are deemed custodians of a great deal of society’s wellbeing. Technology was a sidekick that provided insight into complicated diagnoses and help in healthcare facilities.

Now that technological advances are pushing the limits further and further into what devices can do to aid and even replace doctors and nurses, the science of health has entered a new connected era. eHealth lets us imagine a future where our society, inevitably ageing due to plummeting birth rates, will be in the ‘expert hands’ of the IoT as much as or even more than in the hands of human doctors and nurses.

‘Expecting’ to be connected

Expectant mothers have an unbelievable amount of information at their disposal, exponentially surpassing the data their own mothers had when pregnant. The IoT has recently meshed with fashion design to produce maternity wear that is both well designed and picks up relevant information for pregnant mothers. Blake Uretsky, a Cornell University undergraduate in Fiber Science and Apparel Design, has developed a fashion collection named the “B” Maternity Wearables. The garments have silver fibres that connect to a concealed sensor that monitors heart rate, body temperature, blood rate and respiration levels, relaying the data to the smartphone. Uretsky’s combination of sleek design and practical technology has won her several industry prizes and grants to boost her career as a designer.

Fitness wearables mix well with eHealth

Uretsky’s work is an example of how deeply universities are involved in investigating and developing IoT solutions for the health industry. The CiTIUS Center of Spain’s Universidad de Santiago is researching in the field of cardiology: it has developed always-on technology that tracks the heart’s electrical activity and raises alerts on anomalies in real time. This technology is expected to be included in wearables, and the research has been recognised through publication in the Journal of Biomedical and Health Informatics.

Fitness wearable devices (especially pedometers and HRMs) have offered a solid testing ground for creating valid use cases of how to pick up vitals while in motion and store and retrieve relevant data over the Internet. A new generation of bracelets will transfer this knowledge to the eHealth industry.

The difficulty with eHealth data is separating what is relevant for medical purposes from what is not. The moment someone walks into a medical centre, or the medical rapid response team receives a health alert from a patient’s wearable, those professionals should already have the patient’s relevant medical vitals (streamed over the Internet). This huge pool of data must be adequately protected in terms of security and privacy, and at the same time must be accessible to other health centres the patient might visit.

The eHealth Industry in figures

34 million healthcare wearables will be sold this year in an $867 million market. Adoption rate and user enthusiasm exceed those of other technologies: up to 80% of polled consumers believe “wearable technology can make healthcare more convenient” and most believe wearable tech has “improved their health and fitness”, according to an infographic by Boston Technology.

Using Fitness and Wellness as testing grounds for eHealth devices has blended both uses, and this mix is here to stay. Sleep sensors, hearing aids, HRM monitors, postural trainers, health patches, insulin pumps, PERS devices and even defibrillators will stop being limited to hospitals and health centres and become consumer electronics anyone can buy, with a medical prescription in some cases (maybe provided by a Big Data backend instead of a ‘real’ doctor).

ElevenPaths acquires Gesconsultor (Gesdatos), the leading Governance, Risk & Compliance platform in Spain

Florence Broderick    14 September, 2015

  • GesConsultor will be offered internationally as part of Telefónica’s security services portfolio.
  • The platform enables organisations to support business strategy, improve operating performance, mitigate operational risks and ensure regulatory compliance.
  • GOVERTIS (recently rebranded, and the previous owner of GESCONSULTOR/GESDATOS) will become Premium distributor and provide specialised consultancy services.


Madrid, 14 September 2015.- ElevenPaths, innovative security solutions specialist for Telefónica, has acquired the technology of GesConsultor, the leading Governance, Risk & Compliance (GRC) platform in Spain, including its Gesdatos privacy module. This platform manages an organisation’s legal requirements for safety and risk management in a unified and efficient way, integrating and orchestrating its key processes around three strategic areas: Corporate Governance, Risk Management and Regulatory Compliance.

With the integration of GesConsultor, ElevenPaths enriches its portfolio of Managed Security services to provide a GRC solution using its own technology, which will have a high growth potential and which it previously covered using third party solutions. To this end, the company has incorporated the solution development team into its workforce.

This solution will be sold as part of Telefónica’s security services offer through all local operators, and via its Premium Distributor, GOVERTIS (the newly rebranded founding company behind the GesConsultor platform), along with other specialised services as the solution rolls out, in full compliance with international standards and best practice.

There are currently more than 10,000 organisations which are managed via the Regulatory Compliance platform, and more than 180 associate partners using the solution. It has been widely implemented in Spain and is now expanding into Latin America.

The solution helps organisations in the public and private sectors, which currently face enormous challenges in running their production and support processes. They must ensure their safety, properly manage risk, comply with internal policies and with the obligations imposed on them by legislators, regulators and customers, and direct the whole organisation to meet the objectives set. This requires tools that enable them to manage these needs, and professional experts who will use these tools in such a way as to transform the organisation.

The solution provides the following high-level functions:

  • Enterprise Architecture Modelling, offering a true representation of the organisation, providing the level of detail required for Risk Management and Regulatory Compliance, and to specify organisational structures, information systems and the infrastructure required to operate them, for services and business processes.
  • Centralisation of Information on Regulatory Compliance, in order to manage the governing measures arising from multiple legislative requirements (Organic Law on Data Protection, the Spanish Security Guidelines, the Spanish Interoperability Guidelines, Critical Infrastructure, etc.), international standards (ISO 27001, ISO 27002, ISO 20000, ISO 22301, PCI-DSS, etc.), and industry regulatory frameworks or the organisation’s own.
  • Risk Management, incorporating a risk processing engine based on ISO 31000 with full support for frameworks such as ISO 27005, NIST SP 800-30 or COBIT 5 for Risk. In addition, it has a specific module for the MAGERIT methodology, aligned with National Security Guidelines and Critical Infrastructure legislation based on the PILAR application.

The acquisition allows ElevenPaths to enhance its solutions with GRC capabilities, which will now be integrated into its family of products as SandaS GRC.

For further information: 

The End of Internet as we know it

Beatriz Sanz Baños    8 September, 2015

This post is part one of a two-post series that will explore how communications are not only affected by the paradigm shift of connecting everything but are also a driving force of the age of IoT.

The globalisation of the Internet in the last decade of the twentieth century was expected to bring a world where everyone was connected. As is usually the case, technological disruption has turned the Internet into something completely different from what it was initially designed for. It is no longer a place where computational devices combine and connect so people can make use of them. Now everything taps into the Internet: people, computers and, above all, the rest of the ‘things’ that were previously isolated and are now the main actors of this Internet of Everything.

In the beginning there was m2m

Machine to Machine (m2m) communications are commonly described as communications between electronic devices that exchange data in order to carry out a set of tasks using existing cellular mobile communications networks.

Vending machines, fuel tanks, vehicle telematics, or smart meters have developed into solid business models thanks to the flexibility of m2m.

As devices grow smaller they require less power (battery), can be located in remote and isolated places, and require less data exchange. m2m is slowly merging and blending into something bigger (where the individual elements are, by contrast, smaller and simpler) and fully embracing an Internet of Things.

It might seem that the head start of already having a solid voice and data business would grant Mobile Communications Network providers a huge advantage, making it impossible to compete against this apparently winning hand. However, in the natural evolution of the Internet of Things any device can tap into the cloud with a radio-frequency communication model that is no longer only cellular based, allowing new players into the fight for a part of the IoT communications market, which is still up for grabs.

The scramble to stay in the game

However, new access technologies are not only managing to make a dent in the big players’ market share; they are transforming the game completely, becoming the de facto standard.

After recognising that many of the new communication uses proposed by the challenging players supersede and improve on existing MNO services and solutions, the Mobile Communications Operators are following two paths to adapt and not lose strategic business share:

  • Adapting existing communications technologies
  • Banking on some of the new technologies so as not to fall behind

A first look at Low Power Wide Area Network

The largest-scale uses of m2m remain untapped. Certain emerging needs are hard to address with current technologies because of steep price or energy requirements. Local network access or mesh-type connectivity fulfils the requirements of these untapped uses, such as low battery consumption and optimisation for low data transfers, yet they lack a global cellular approach.

An IoT-specific radio technology solution is emerging to address the shortcomings of both previous generations of technology. LPWA combines low-cost hardware, excellent coverage with strong propagation and ultra-low power requirements, extending battery life for years.

In the second instalment: “The Future of the Internet of Things relies on communication disruption” we will delve into the solutions the industry is proposing and how traditional CSPs are scrambling to secure their privileged position as the market evolves.

Based on the upcoming whitepaper “New and traditional communication providers’ response to the IoT burst” (publishing date to be announced) by Javier Collazo and Beatriz Solana Méndez de Vigo.

Introducing Mobile Connect – the new standard in digital authentication

Florence Broderick    8 September, 2015

The Mobile Operators hold the future of digital authentication in our hands, and so do our customers. Consumers will no longer need to create and manage multiple user names and passwords, as the authentication and identification solution being developed will use the subscriber’s mobile phone number or mobile user name together with information contained in the secure SIM card.

What is Mobile Connect?
Mobile Connect is a GSMA (Global System for Mobile Communications Association) cross-operator proposition where users can authenticate with third party applications via a user account linked with their mobile phone number. The authentication provider for Mobile Connect is the user’s mobile network operator, and authentication is more secure than typical username/password schemes as access to the account is secured via the user’s mobile device.

Service Providers and/or Developers, such as digital retailers, financial institutions, online providers or governments, can use the Mobile Connect service in their applications to authenticate users. As Mobile Connect offers various levels of security for authentication, ranging from low-level website access to highly secure bank-grade authentication, the Service Provider/Developer can choose the one most suited to its application.

Telefónica (led by ElevenPaths as part of the Global Security Unit), along with other leading mobile operators, is pioneering the development of “Mobile Connect”, participating actively in several multi-operator initiatives in both the Europe and Latam regions.

What does it look like?
Just think how many websites and applications you use regularly for which you need a user name and password. The more we use Internet services, the more log-in details we have to remember. With Mobile Connect there is no need for passwords or usernames, making logging in so much easier. Although logging in through social networks can remove the need for passwords, many people worry that their personal information will be used without their permission. With Mobile Connect, no information is made available to service providers without the user’s consent, making logging in more private.

With Mobile Connect, you are authenticated through your mobile phone rather than through personal information. This makes authentication safer and more secure.

Mobile Connect is the new simple, secure and private way to log-in.

How does it work?
The technology behind Mobile Connect is built on the widely adopted OpenID Connect standard. Authentication is provided by the operator to the website, with no personal information shared without the consumer’s permission.
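As an added example (not code from ElevenPaths or the GSMA), this is the relying-party side of the OpenID Connect authorization code flow that Mobile Connect builds on: the service provider builds the authorization request and then validates the ID token the operator returns before trusting it. The operator issuer URL, client id, redirect URI and HMAC signing key are constructed stand-ins, and the `acr_values` parameter is the standard OpenID Connect way of requesting an assurance level.

```python
# Added example (not ElevenPaths or GSMA code): relying-party checks in the
# OpenID Connect code flow that Mobile Connect builds on. Operator URL, client
# id, redirect URI and HMAC key are constructed stand-ins; a real operator
# signs ID tokens with its published asymmetric keys rather than HS256.
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

OPERATOR_ISSUER = "https://op.example-operator.invalid"  # hypothetical operator IdP
CLIENT_ID = "example-service-provider"                   # hypothetical RP client id
REDIRECT_URI = "https://sp.example.invalid/callback"     # hypothetical RP callback

def _b64url(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64url(txt): return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))

def build_auth_request(state, nonce, acr_values="2"):
    """Authorization request the user's browser is sent to. state guards the
    callback against CSRF, nonce binds the ID token to this request, and
    acr_values asks the operator for a given assurance level."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid",
              "state": state, "nonce": nonce, "acr_values": acr_values}
    return OPERATOR_ISSUER + "/authorize?" + urlencode(params)

def mint_id_token(sub, nonce, key, exp):
    """Constructed operator-side token (HS256) so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": OPERATOR_ISSUER, "aud": CLIENT_ID,
                                  "sub": sub, "nonce": nonce, "exp": exp}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token(token, key, expected_nonce, now=None):
    """Returns the subject identifier only if signature, issuer, audience,
    expiry and the nonce from our own request all check out; otherwise None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3: return None
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64url(sig), expected):
        return None  # forged or tampered token
    claims = json.loads(_unb64url(payload))
    aud = claims.get("aud")
    aud_ok = aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)
    if claims.get("iss") != OPERATOR_ISSUER or not aud_ok:
        return None  # issued by someone else, or for another service provider
    if claims.get("exp", 0) <= now or claims.get("nonce") != expected_nonce:
        return None  # stale, or not the token tied to our request (replay)
    return claims.get("sub")
```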

The Mobile Connect Logical Architecture reuses many of the Operator assets and introduces a small number of new components in order to deliver Mobile Connect.

The following diagram illustrates the key logical components that will need to be provided for, or impacted by, the deployment of Mobile Connect services.

The GSMA is working with leading mobile operators globally and in-country with a broader set of ecosystem players, such as governments, banks and retailers, to help roll out mobile-enabled digital identity solutions.

Visit gsma.com/personaldata to keep up to date with the latest developments in Mobile Connect, the secure and universal log-in solution.