BIOMETRICS – PRACTICAL APPLICATIONS AND CONSIDERATIONS ISACA KAMPALA CHAPTER 30TH MAY 2012 AGUMA MPAIRWE B.A(HONS),CISA,CIA,FCCA.
PRESENTATION APPROACH • DEFINITIONS • KEY CONCEPTS • APPLICATIONS • KEY CONSIDERATIONS • POINTS TO NOTE • QUESTIONS
TO NOTE • THIS PRESENTATION HAS BEEN PREPARED FOR EDUCATIONAL PURPOSES. • ATTRIBUTION IS MADE TO PARTICULAR SOURCES OF INFORMATION WHICH SHOULD BE RE-CHECKED FOR COMPLETENESS AS CONTENT MAY HAVE BEEN REDUCED FOR THE SAKE OF BREVITY.
DEFINITIONS • BIOMETRICS – AUTOMATED METHODS OF DISCOVERING AN INDIVIDUAL BASED ON MEASURABLE BIOLOGICAL AND BEHAVIOURAL CHARACTERISTICS (SOURCE – BIOMETRICS.GOV) • BIOMETRIC CHARACTERISTIC – A MEASURABLE PHYSIOLOGICAL OR BEHAVIOURAL TRAIT OF A LIVING PERSON, ESPECIALLY ONE THAT CAN BE USED TO DETERMINE OR VERIFY THE IDENTITY OF A PERSON IN ACCESS CONTROL OR CRIMINAL FORENSICS. (SOURCE – GARTNER GLOSSARY)
HOMELAND SECURITY PRESIDENTIAL DIRECTIVE (HSPD) – 24 • “BIOMETRICS FOR IDENTIFICATION AND SCREENING TO ENHANCE NATIONAL SECURITY,” • SIGNED BY PRESIDENT BUSH ON JUNE 5, 2008. • ESTABLISHES A FRAMEWORK TO ENSURE FEDERAL DEPARTMENTS AND AGENCIES USE COMPATIBLE METHODS AND PROCEDURES IN THE COLLECTION, STORAGE, USE, ANALYSIS, AND SHARING OF BIOMETRIC AND ASSOCIATED BIOGRAPHIC AND CONTEXTUAL INFORMATION OF INDIVIDUALS IN A LAWFUL AND APPROPRIATE MANNER, WHILE RESPECTING PRIVACY AND OTHER LEGAL RIGHTS UNDER UNITED STATES LAW. • (SOURCE – BIOMETRICS.GOV)
APPLICATIONS - UGANDA • GENERAL PHYSICAL ACCESS CONTROL – OFFICES, FINGER, THUMB. • INTERNAL AFFAIRS – IMMIGRATION, AIRPORT – IDENTIFICATION OF PASSPORT HOLDER – FINGER/PALM/FACE BIOMETRIC RECOGNITION. • ELECTORAL COMMISSION – VOTER REGISTRATION. • DRIVING PERMIT – DRIVER RECOGNITION.
APPLICATIONS - UGANDA • VISA APPLICATION – UK VISA. FINANCIAL SERVICES • CREDIT REFERENCE BUREAU – COMPUSCAN • MICROFINANCE • ATM – IN ADDITION TO ATM CARD/PIN • POINT OF SALE TERMINALS • MOBILE MONEY SERVICES - ENROLLMENT AND IDENTIFICATION AT CASHOUT
KEY CONCEPTS • CLAIM OF IDENTITY – STATEMENT THAT A PERSON IS OR IS NOT THE SOURCE OF A REFERENCE IN A DATABASE; CAN BE POSITIVE (IN THE DATABASE), NEGATIVE (NOT IN THE DATABASE) OR SPECIFIC (I AM USER 123). • COMPARISON – PROCESS OF COMPARING A BIOMETRIC SAMPLE WITH A PREVIOUSLY STORED REFERENCE TO MAKE AN IDENTIFICATION OR VERIFICATION DECISION. • (SOURCE – BIOMETRICS.GOV)
KEY CONCEPTS • ENROLLMENT – PROCESS OF COLLECTING A BIOMETRIC SAMPLE FROM AN END USER, CONVERTING IT INTO A BIOMETRIC REFERENCE AND STORING IT IN THE DATABASE FOR LATER COMPARISON. • EQUAL ERROR RATE (EER) – A STATISTIC USED TO SHOW BIOMETRIC PERFORMANCE. THE LOWER THE EER, THE HIGHER THE ACCURACY OF THE SYSTEM. • (SOURCE – BIOMETRICS.GOV)
KEY CONCEPTS • FAILURE TO ACQUIRE – FAILURE OF A BIOMETRIC SYSTEM TO CAPTURE AND/OR EXTRACT USABLE INFORMATION FROM A BIOMETRIC SAMPLE • FAILURE TO ENROL – FAILURE OF A BIOMETRIC SYSTEM TO FORM A PROPER ENROLLMENT REFERENCE FOR AN END USER (TRAINING, SENSOR QUALITY). • (SOURCE – BIOMETRICS.GOV)
KEY CONCEPTS • FALSE ACCEPTANCE RATE – THE PERCENTAGE OF TIMES A SYSTEM PRODUCES A FALSE ACCEPT – AN INDIVIDUAL IS INCORRECTLY MATCHED TO ANOTHER INDIVIDUAL’S EXISTING BIOMETRIC (TYPE II ERROR). • FALSE ALARM RATE – THE PERCENTAGE OF TIMES AN ALARM IS INCORRECTLY SOUNDED ON AN INDIVIDUAL WHO IS NOT IN THE BIOMETRIC SYSTEM’S DATABASE • (SOURCE – BIOMETRICS.GOV)
KEY CONCEPTS • FALSE REJECTION RATE – THE PERCENTAGE OF TIMES THE SYSTEM PRODUCES A FALSE REJECT. THIS OCCURS WHEN AN INDIVIDUAL IS NOT MATCHED TO HIS/HER OWN EXISTING BIOMETRIC TEMPLATE (TYPE I ERROR). • ALGORITHM – A LIMITED SEQUENCE OF INSTRUCTIONS OR STEPS THAT TELLS A COMPUTER HOW TO SOLVE A PARTICULAR PROBLEM – IMAGE PROCESSING, TEMPLATE GENERATION, COMPARISONS, ETC. • (SOURCE – BIOMETRICS.GOV)
KEY CONCEPTS • VERIFICATION – A TASK WHERE A BIOMETRIC SYSTEM ATTEMPTS TO CONFIRM AN INDIVIDUAL’S IDENTITY BY COMPARING A SUBMITTED SAMPLE TO ONE OR MORE PREVIOUSLY ENROLLED TEMPLATES – USED TO CONFIRM THAT THE INDIVIDUAL IS ENROLLED AND HAS THE CLAIMED AUTHORISATIONS • AM I WHO I CLAIM I AM? – SYS ADMIN • IDENTIFICATION – A TASK WHERE A BIOMETRIC SYSTEM ATTEMPTS TO DETERMINE THE IDENTITY OF AN INDIVIDUAL; A BIOMETRIC IS COLLECTED AND COMPARED TO ALL TEMPLATES IN THE DATABASE – WHO AM I? • SOURCES – (MICHIGAN STATE UNIVERSITY ARTICLE, BIOMETRICS.GOV)
KEY CONCEPTS IDENTIFICATION: CAN BE • ‘OPEN SET’ – PERSON NOT GUARANTEED TO EXIST IN THE DATABASE • ‘CLOSED SET’ – PERSON IS KNOWN TO EXIST IN THE DATABASE • (SOURCE – BIOMETRICS.GOV)
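The verification, closed-set identification and open-set identification decisions described on the last two slides, as an added example that is not part of the original presentation. The templates are small constructed feature vectors standing in for real biometric references; the cosine-similarity matcher and the 0.90 threshold are assumptions chosen for illustration, not any product's algorithm.

```python
"""Verification (1:1) versus identification (1:N) over constructed biometric templates."""
import math

# Constructed enrolled references: user id -> feature vector (a stand-in for a real template).
ENROLLED = {
    "user123": [0.90, 0.10, 0.40, 0.70],
    "user456": [0.20, 0.80, 0.60, 0.30],
    "user789": [0.50, 0.50, 0.10, 0.90],
}

THRESHOLD = 0.90  # assumed decision threshold on a similarity score in [0, 1]


def similarity(a, b):
    """Cosine similarity between two feature vectors; 1.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b)


def verify(claimed_id, sample, enrolled=ENROLLED, threshold=THRESHOLD):
    """Specific claim ('I am user123'): compare the sample with that one reference only.

    Returns (accepted, score). An unknown claimed id is rejected without comparison.
    """
    reference = enrolled.get(claimed_id)
    if reference is None:
        return False, 0.0
    score = similarity(sample, reference)
    return score >= threshold, score


def identify_closed_set(sample, enrolled=ENROLLED):
    """Closed set: the person is known to be enrolled, so the best match is returned unconditionally."""
    return max(enrolled, key=lambda uid: similarity(sample, enrolled[uid]))


def identify_open_set(sample, enrolled=ENROLLED, threshold=THRESHOLD):
    """Open set: the person may not be enrolled, so the best match must also clear the threshold.

    Returns (user_id, score); user_id is None when the answer is 'not in the database'.
    """
    best = identify_closed_set(sample, enrolled)
    score = similarity(sample, enrolled[best])
    return (best, score) if score >= threshold else (None, score)


if __name__ == "__main__":
    genuine = [0.88, 0.12, 0.42, 0.68]   # constructed capture from user123
    stranger = [0.10, 0.10, 0.90, 0.10]  # constructed capture from someone never enrolled
    print("verify user123 with own sample:", verify("user123", genuine))
    print("verify user123 with stranger:", verify("user123", stranger))
    print("closed-set id of stranger:", identify_closed_set(stranger))
    print("open-set id of stranger:", identify_open_set(stranger))
```

The stranger's sample shows why the distinction matters: closed-set identification always names someone (here the nearest enrolled user), while open-set identification applies the threshold and reports that the person is not in the database.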
KEY CONCEPTS • FAILURE TO ENROLL RATE (FTER) = NUMBER OF UNSUCCESSFUL ENROLLMENTS / TOTAL NUMBER OF USERS ATTEMPTING TO ENROLL. • CROSS-OVER ERROR RATE (CER) – A MEASURE REPRESENTING THE PERCENT AT WHICH FRR EQUALS FAR. THIS IS THE POINT ON THE GRAPH WHERE THE FAR AND FRR CURVES INTERSECT. • THE CROSS-OVER RATE INDICATES A SYSTEM WITH GOOD BALANCE BETWEEN SENSITIVITY AND PERFORMANCE. • (SOURCE ISACA)
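The FAR, FRR, FTER and cross-over (equal) error rate defined on the preceding slides, computed over constructed matcher scores. This is an added example, not material from the presentation or from any cited source; the genuine and impostor score lists are made up so that the two distributions overlap, which is what makes the threshold trade-off visible.

```python
"""FAR, FRR, FTER and the cross-over / equal error rate from constructed matcher scores."""

# Constructed similarity scores in [0, 1].
# genuine  = a sample compared with the same person's enrolled template
# impostor = a sample compared with a different person's enrolled template
GENUINE_SCORES = [0.95, 0.92, 0.90, 0.88, 0.85, 0.83, 0.80, 0.76, 0.70, 0.62]
IMPOSTOR_SCORES = [0.20, 0.30, 0.38, 0.45, 0.52, 0.58, 0.64, 0.72, 0.78, 0.84]


def far(impostor_scores, threshold):
    """False acceptance rate: share of impostor comparisons that score at or above the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: share of genuine comparisons that score below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def fter(unsuccessful_enrollments, users_attempting):
    """Failure to enroll rate, exactly as the slide defines it."""
    return unsuccessful_enrollments / users_attempting


def sweep(genuine_scores, impostor_scores, steps=100):
    """(threshold, FAR, FRR) at evenly spaced thresholds.

    Raising the threshold lowers FAR (fewer impostors pass) and raises FRR
    (more genuine users are turned away); the operator picks the point that
    fits the risk of the application.
    """
    rows = []
    for i in range(steps + 1):
        t = i / steps
        rows.append((t, far(impostor_scores, t), frr(genuine_scores, t)))
    return rows


def equal_error_rate(genuine_scores, impostor_scores, steps=100):
    """Cross-over error rate: the threshold where FAR and FRR are closest, and the rate there.

    Returns (threshold, rate). With a discrete sweep the curves may not meet
    exactly, so the rate is the mean of FAR and FRR at the closest point.
    """
    best = min(sweep(genuine_scores, impostor_scores, steps),
               key=lambda row: abs(row[1] - row[2]))
    t, a, r = best
    return t, (a + r) / 2


if __name__ == "__main__":
    for t in (0.50, 0.73, 0.90):
        print(f"threshold {t:.2f}: FAR={far(IMPOSTOR_SCORES, t):.2f} FRR={frr(GENUINE_SCORES, t):.2f}")
    print("cross-over (threshold, EER):", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FTER for 3 failures out of 200 users:", fter(3, 200))
```

Running the sweep on these scores shows the balance the slide talks about: a low threshold lets most impostors through, a high one rejects most genuine users, and the cross-over sits between them.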
GENERAL APPLICATIONS • AS A PHYSICAL ACCESS CONTROL • AS A MECHANISM FOR LOGICAL ACCESS CONTROL • IN LOGICAL ACCESS CONTROL PART OF IDENTIFICATION AND AUTHENTICATION PROCESS
IDENTIFICATION AND AUTHENTICATION (I & A) • IN LOGICAL ACCESS CONTROL SOFTWARE, IS ‘THE PROCESS OF PROVING ONE’S IDENTITY’ • IDENTIFICATION – MEANS BY WHICH USER PROVIDES CLAIMED IDENTITY • HELPS ESTABLISH USER ACCOUNTABILITY • FIRST LINE OF DEFENSE • SOURCE – CISA REVIEW MANUAL 2003
IDENTIFICATION AND AUTHENTICATION (I & A) • IS A TECHNICAL MEASURE THAT PREVENTS UNAUTHORISED PEOPLE (OR UNAUTHORISED PROCESSES) FROM ENTERING A COMPUTER SYSTEM • I & A TECHNIQUES: • SOMETHING YOU KNOW – PASSWORD, STATIC PIN • SOMETHING YOU HAVE – TOKEN CARD, PIN GENERATOR • SOMETHING YOU ARE – BIOMETRIC CHARACTERISTIC • SOURCE –CISA REVIEW MANUAL 2003
BIOMETRIC IDENTIFIERS • PHYSIOLOGICAL & BEHAVIOURAL • FINGERPRINT • FINGERVEIN • PALM PRINT • HAND GEOMETRY
BIOMETRIC IDENTIFIERS • IRIS RECOGNITION • RETINA RECOGNITION • VOICE RECOGNITION • SIGNATURE RECOGNITION • FACE RECOGNITION
BIOMETRIC IDENTIFIERS • KEYSTROKE DYNAMICS • DNA? DEBATE, AS NOT PERFORMED BY AN ‘AUTOMATED’ METHOD – BIOMETRICS.GOV • GAIT? – IN DEVELOPMENT / PRACTICAL??
FINGERPRINT – SOURCE - NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST), USA.
FINGERPRINT ADVANTAGES • MULTIPLE FINGERS! • EASY TO USE • LOW STORAGE SPACE • LARGE EXISTING DATABASES GLOBALLY FOR WATCHLIST CHECKS • PROVEN EFFECTIVE OVER TIME DISADVANTAGES • PUBLIC PERCEPTIONS – CRIMINAL CONNOTATIONS • HEALTH CONCERNS – EBOLA, BIRD FLU • AGE, OCCUPATION, WEIGHT GAIN, CUTS • (SOURCE – BIOMETRICS.GOV)
IRIS - SOURCE - NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, USA.
IRIS ADVANTAGES • NO CONTACT REQUIRED • HIGHLY STABLE OVER TIME DISADVANTAGES • DIFFICULT TO CAPTURE FOR SOME; TRAINING NEEDED • EASILY OBSCURED – REFLECTIONS FROM CORNEA, EYELIDS, EYELASHES • PUBLIC FEARS OF ‘SCANNING’ THE EYE WITH A LIGHT SOURCE – INFRARED LIGHT IS USED TO ILLUMINATE THE IRIS – (SOURCE FINDBIOMETRICS.COM) • LIMITED EXISTING DATA FOR WATCHLIST CHECKS • (SOURCE – BIOMETRICS.GOV)
FACE ADVANTAGES • NO CONTACT • COMMONLY AVAILABLE SENSORS – CAMERA • LARGE AMOUNTS OF EXISTING DATA • EASY FOR HUMANS TO VERIFY RESULTS DISADVANTAGES • OBSTRUCTION OF IMAGE BY HAIR, GLASSES, HATS. • CHANGE OVER TIME • (SOURCE – BIOMETRICS.GOV)
VOICE ADVANTAGES • PUBLIC ACCEPTANCE • NO CONTACT REQUIRED • COMMON SENSORS – TELEPHONES, MICROPHONES DISADVANTAGES • NOT SUFFICIENTLY DISTINCTIVE OVER LARGE DATABASES • (SOURCE – BIOMETRICS.GOV)
DESIRABLE QUALITIES FOR EFFECTIVE BIOMETRIC TRAITS • UNIQUENESS • THE TWINS CHALLENGE • PERMANENCE
BIOMETRIC ENROLLMENT • ITERATIVE AVERAGING PROCESS. • ACQUIRE BIOMETRIC SAMPLE (PHYSICAL /BEHAVIOURAL). • EXTRACT UNIQUE FEATURES FROM SAMPLE • FEATURES CONVERTED INTO MATHEMATICAL CODE
BIOMETRIC ENROLLMENT • CREATION OF INITIAL ‘TEMPLATE’ – (DIGITAL REPRESENTATION OF THE BIOMETRIC) • COMPARISON OF NEW SAMPLES WITH WHAT HAS BEEN STORED • DEVELOPING FINAL TEMPLATE • ENCRYPTION • USE TO IDENTIFY USER • (e.g. FINGERPRINT LATENT v CONVENTIONAL – SOURCE NIST, BIOMETRICS.GOV)
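The enrollment pipeline of the two preceding slides (acquire, extract features, form an initial template, compare further samples against it, average into a final template) as an added example; it is not code from the presentation or from NIST or biometrics.gov. Captures are constructed feature vectors, and the unit-length normalisation, the 0.15 consistency limit and the three-capture minimum are assumed policy values. Encryption and storage of the finished template happen after this function returns and are not shown.

```python
"""Enrollment as iterative averaging of consistent captures into one template."""
import math

MIN_SAMPLES = 3        # assumed policy: at least three usable captures per enrollment
MAX_DEVIATION = 0.15   # assumed policy: a capture farther than this from the running template is dropped


def acquire(raw_capture):
    """Failure to acquire: a capture with no usable information (empty or all zero) yields None."""
    if not raw_capture or all(v == 0 for v in raw_capture):
        return None
    return list(raw_capture)


def extract_features(sample):
    """Feature extraction stand-in: scale the vector to unit length so comparison ignores overall intensity."""
    norm = math.sqrt(sum(v * v for v in sample))
    return [v / norm for v in sample]


def distance(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def enroll(raw_captures):
    """Return (template, status). template is None on failure to enrol.

    The first usable capture becomes the initial template; each later capture is
    compared with the running template and, if consistent, folded in by averaging.
    """
    template = None
    used = 0
    for raw in raw_captures:
        sample = acquire(raw)
        if sample is None:
            continue                       # failure to acquire this capture; try the next one
        features = extract_features(sample)
        if template is None:
            template = features            # initial template
            used = 1
            continue
        if distance(features, template) > MAX_DEVIATION:
            continue                       # inconsistent capture (movement, dirt, wrong finger): skip it
        used += 1                          # running mean of the accepted captures
        template = [(t * (used - 1) + f) / used for t, f in zip(template, features)]
    if used < MIN_SAMPLES:
        return None, f"failure to enrol: {used} usable capture(s), {MIN_SAMPLES} required"
    return extract_features(template), "enrolled"   # final template, re-normalised


if __name__ == "__main__":
    # Constructed captures: three consistent ones, one empty, one from a different trait entirely.
    captures = [[1.00, 0.00, 0.50], [0.95, 0.05, 0.50], [], [1.05, 0.00, 0.48], [0.0, 1.0, 0.0]]
    print(enroll(captures))
    print(enroll([[1.0, 0.0, 0.5], [], [0, 0, 0]]))   # too few usable captures
```

The second call illustrates the failure-to-enrol case from the earlier key-concepts slide: one good capture, one failure to acquire and one all-zero capture leave the system without enough material to form a reference, so no template is stored.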
ADVANTAGES • SECURE? • CONVENIENT? • CANNOT BE STOLEN? • CANNOT BE FORGOTTEN • DIFFICULT TO FORGE • (SOURCE SMARTCARDALLIANCE)
LIMITATIONS/VULNERABILITIES • TEMPLATE SKIMMING • NOT ALWAYS ACCURATE – FARs / FRRs • 10% OF POPULATION HAVE WORN/CUT/UNRECOGNISABLE FINGERPRINTS!! – SOURCE BIOMETRIC NEWS PORTAL • BIOMETRIC FEATURES MAY ALTER OR DEGRADE WITH AGE, DISEASE, WEIGHT GAIN
LIMITATIONS/VULNERABILITIES • SECURITY RISKS - CAR THEFT!! • VOICE BIOMETRICS – BACKGROUND NOISE • STORAGE AND TRANSMISSION QUALITY LOSS
SOLUTIONS • MULTIMODAL BIOMETRICS – USE OF MORE THAN ONE BIOMETRIC IDENTIFIER FOR INCREASED ACCURACY • COMBINATION OF BIOMETRICS WITH PINS AND TOKENS • SMARTCARDS – ICC, MEMORY, STORAGE OF BIOMETRIC TEMPLATES ON THE CARD TO AVOID VERIFICATION AT A DISTANT HOST • (SOURCE – VARIOUS)
AUDIT AND CONTROL IMPLICATIONS • AUDIT CONTROLS IN MATCHING GENERATED TEMPLATES TO OTHER DATA – CRIMINAL RECORDS, FINANCIAL DEFAULT HISTORIES – SEE ISACA AUDIT GUIDELINE G36 • PRIVACY CONCERNS • INTRUSIVENESS OF DATA COLLECTION • HEALTH CONCERNS • SKILL OF SYSTEM USE BY STAFF • ROBUSTNESS OF TECHNOLOGY – RELIABILITY • COST OF DEPLOYMENT • LEGISLATIVE AND REGULATORY COMPLIANCE • RESISTANCE TO CHANGE/USE
PRACTICAL CONSIDERATIONS • COST–BENEFIT CONSIDERATIONS • PRACTICALITY AND EFFICIENCY – AIRPORT QUEUES, VOTING PROCESSES. • ACCURACY – FAR, FRR, EER • CULTURE – GLOBAL COMPANIES! • NON-CO-OPERATION, HEALTH CONCERNS • (SOURCE NIST, BIOMETRICS.GOV)
PRACTICAL CONSIDERATIONS • WILL IMAGES BE COMPACT ENOUGH FOR EFFECTIVE TRANSMISSION ACROSS NETWORKS WITHOUT DEGRADATION? • WILL IMAGES/TEMPLATES BE COMPACT ENOUGH FOR STORAGE ON A SMART CARD? • INTEROPERABILITY AND STANDARDISATION – IMMIGRATION FACE CAMERA AND FINGERPRINT CAPTURE IN A SINGLE APPLICATION/DEVICE • (SOURCE NIST)
PRACTICAL CONSIDERATIONS • INTEROPERABILITY – ACROSS GOVERNMENT AGENCIES • PRIVACY CONCERNS • DATA SHARING – ACROSS JURISDICTIONS? • LEGAL IMPLICATIONS? • DATA STORAGE REQUIREMENTS
QUESTIONS?
REFERENCES • CIO MAGAZINE – http://www.cio.com/article/573113/Using_Biometric_Access_Systems_Dos_and_Don_ts?page=3&taxonomyId=3092 • BIOMETRICS.GOV – http://www.biometrics.gov/ • CISA REVIEW MANUAL (2003). INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION. • GARTNER IT GLOSSARY – http://www.gartner.com/it-glossary/biometrics/ • MULTIMODAL BIOMETRICS – BIOMETRIC NEWS PORTAL – http://www.biometricnewsportal.com/multimodal-biometrics.asp • NEW NIST BIOMETRIC DATA STANDARD ADDS DNA, FOOTMARKS AND ENHANCED FINGERPRINT DESCRIPTIONS – http://www.nist.gov/itl/iad/biometric-120611.cfm • SMART CARDS AND BIOMETRICS – SMART CARD ALLIANCE – http://www.smartcardalliance.org/pages/publications-smart-cards-and-biometrics • IRIS SCANNERS AND RECOGNITION – http://www.findbiometrics.com/iris-recognition/ • AN OVERVIEW OF BIOMETRIC RECOGNITION – http://biometrics.cse.msu.edu/info.html • ISACA AUDIT GUIDELINE G36 – BIOMETRIC CONTROLS – http://www.isaca.org/Knowledge-Center/Standards/Pages/IS-Auditing-Guideline-G36-Biometric-Controls.aspx