Ja­son Thomp­son, Grab

Shah­nawaz Backer, Fraud Pro­tec­tion So­lu­tion Spe­cial­ist, F5 Net­works

HWM (Singapore) - - CONTENTS - By Alvin Soon Pho­tog­ra­phy Zaphs Zhang

Why did you go into in­for­ma­tion se­cu­rity?

I have an in­quis­i­tive per­son­al­ity, I want to know a lot of things. When you want to know a lot of things, it’s not pos­si­ble for you to know a lot of things. The best way to do it is en­ter the eld of se­cu­rity, then you will touch ev­ery­thing. So, for ex­am­ple, if you do ap­pli­ca­tion de­vel­op­ment, then you only know that do­main. But in se­cu­rity, you can only make your­self use­ful if you cut across all do­mains.

What is some­thing that peo­ple don’t know about mod­ern in­for­ma­tion se­cu­rity?

Peo­ple take it for granted that you should be able to pick up your phone and ac­cess your ap­pli­ca­tions, that you should be able to make trans­ac­tions with your bank, for ex­am­ple. But there’s an art and a sci­ence be­hind it, which says that this user can do only so many things. So maybe when he’s on a known mo­bile de­vice he can do trans­fers, but not from an un­known de­vice.

Now it’s all about adding con­text. When we started out, it was typ­i­cally just user­names and pass­words. If you look at how ap­pli­ca­tions work to­day, they also use a whole gamut of other in­for­ma­tion like your lo­ca­tion, your typ­ing lan­guage, and so on.

"So, say some­body sends you an email about a watch sale.You go ahead and open the PDF, and its in­stalls mal­ware to steal your in­for­ma­tion."

Can you give me a fur­ther ex­am­ple?

We call this adap­tive au­then­ti­ca­tion. Based upon the risk, the au­then­ti­ca­tion sys­tem ma­nip­u­lates it­self. So, I do most of my bank­ing in Sin­ga­pore; which means the bank knows where I‘m mostly com­ing from, my known IP ad­dresses, my known de­vices, and my lo­gin times.

But when it sud­denly sees a trans­ac­tion from my name com­ing in from Rus­sia, it’ll know it doesn’t look right. So it’s higher risk, and the sys­tem is­sues a warn­ing in the form of a two-fac­tor au­then­ti­ca­tion. So in­stead of static au­then­ti­ca­tion, you’ll see more and more of adap­tive au­then­ti­ca­tion com­ing into the pic­ture.

We’re see­ing big­ger risks now from phish­ing at­tacks. How would you stop some­thing like that?

These at­tacks are try­ing to cap­i­tal­ize on the hu­man as­pects. So, say, some­body sends you an email about a watch sale. You go ahead and open the PDF, and it in­stalls mal­ware to steal your in­for­ma­tion.

Most of the time the bad guys are try­ing to lever­age some weak­ness on the tech­nol­ogy, and those weak­nesses are patched more or less fre­quently by the op­er­at­ing sys­tem. But most peo­ple avoid the pain of in­stalling the lat­est up­dates. So back up your data, patch your op­er­at­ing sys­tem.

Newspapers in English

Newspapers from Singapore

© PressReader. All rights reserved.