Jason Thompson, Grab
Shahnawaz Backer, Fraud Protection Solution Specialist, F5 Networks
Why did you go into information security?
I have an inquisitive personality, I want to know a lot of things. When you want to know a lot of things, it’s not possible for you to know a lot of things. The best way to do it is enter the eld of security, then you will touch everything. So, for example, if you do application development, then you only know that domain. But in security, you can only make yourself useful if you cut across all domains.
What is something that people don’t know about modern information security?
People take it for granted that you should be able to pick up your phone and access your applications, that you should be able to make transactions with your bank, for example. But there’s an art and a science behind it, which says that this user can do only so many things. So maybe when he’s on a known mobile device he can do transfers, but not from an unknown device.
Now it’s all about adding context. When we started out, it was typically just usernames and passwords. If you look at how applications work today, they also use a whole gamut of other information like your location, your typing language, and so on.
"So, say somebody sends you an email about a watch sale.You go ahead and open the PDF, and its installs malware to steal your information."
Can you give me a further example?
We call this adaptive authentication. Based upon the risk, the authentication system manipulates itself. So, I do most of my banking in Singapore; which means the bank knows where I‘m mostly coming from, my known IP addresses, my known devices, and my login times.
But when it suddenly sees a transaction from my name coming in from Russia, it’ll know it doesn’t look right. So it’s higher risk, and the system issues a warning in the form of a two-factor authentication. So instead of static authentication, you’ll see more and more of adaptive authentication coming into the picture.
We’re seeing bigger risks now from phishing attacks. How would you stop something like that?
These attacks are trying to capitalize on the human aspects. So, say, somebody sends you an email about a watch sale. You go ahead and open the PDF, and it installs malware to steal your information.
Most of the time the bad guys are trying to leverage some weakness on the technology, and those weaknesses are patched more or less frequently by the operating system. But most people avoid the pain of installing the latest updates. So back up your data, patch your operating system.