biometrics – practical applications and considerations

ISACA KAMPALA CHAPTER, 30TH MAY 2012. AGUMA MPAIRWE B.A(HONS), CISA, CIA, FCCA.


TRANSCRIPT

Page 1: BIOMETRICS –  PRACTICAL APPLICATIONS AND CONSIDERATIONS

ISACA KAMPALA CHAPTER

30TH MAY 2012

AGUMA MPAIRWE B.A(HONS),CISA,CIA,FCCA.

Page 2:

DEFINITIONS

KEY CONCEPTS

APPLICATIONS

KEY CONSIDERATIONS

POINTS TO NOTE

QUESTIONS

Page 3:

THIS PRESENTATION HAS BEEN PREPARED FOR EDUCATIONAL PURPOSES.

ATTRIBUTION IS MADE TO PARTICULAR SOURCES OF INFORMATION WHICH SHOULD BE RE-CHECKED FOR COMPLETENESS AS CONTENT MAY HAVE BEEN REDUCED FOR THE SAKE OF BREVITY.

Page 4:

BIOMETRICS – AUTOMATED METHODS OF DISCOVERING AN INDIVIDUAL BASED ON MEASURABLE BIOLOGICAL AND BEHAVIOURAL CHARACTERISTICS (SOURCE – BIOMETRICS.GOV)

BIOMETRIC CHARACTERISTIC – A MEASURABLE PHYSIOLOGICAL OR BEHAVIOURAL TRAIT OF A LIVING PERSON, ESPECIALLY ONE THAT CAN BE USED TO DETERMINE OR VERIFY THE IDENTITY OF A PERSON IN ACCESS CONTROL OR CRIMINAL FORENSICS. (SOURCE-GARTNER GLOSSARY)

Page 5:

“BIOMETRICS FOR IDENTIFICATION AND SCREENING TO ENHANCE NATIONAL SECURITY,”

SIGNED BY PRESIDENT BUSH ON JUNE 5, 2008.

ESTABLISHES A FRAMEWORK TO ENSURE FEDERAL DEPARTMENTS AND AGENCIES USE COMPATIBLE METHODS AND PROCEDURES IN THE COLLECTION, STORAGE, USE, ANALYSIS, AND SHARING OF BIOMETRIC AND ASSOCIATED BIOGRAPHIC AND CONTEXTUAL INFORMATION OF INDIVIDUALS IN A LAWFUL AND APPROPRIATE MANNER, WHILE RESPECTING PRIVACY AND OTHER LEGAL RIGHTS UNDER UNITED STATES LAW.

(SOURCE – BIOMETRICS.GOV)

Page 6:

GENERAL PHYSICAL ACCESS CONTROL – OFFICES, FINGER, THUMB.

INTERNAL AFFAIRS – IMMIGRATION, AIRPORT – IDENTIFICATION OF PASSPORT HOLDER – FINGER/PALM/FACE BIOMETRIC RECOGNITION.

ELECTORAL COMMISSION – VOTER REGISTRATION.

DRIVING PERMIT – DRIVER RECOGNITION.

Page 7:

VISA APPLICATION – UK VISA.

FINANCIAL SERVICES:

CREDIT REFERENCE BUREAU – COMPUSCAN

MICROFINANCE ATM – IN ADDITION TO ATM CARD/PIN

POINT OF SALE TERMINALS

MOBILE MONEY SERVICES – ENROLLMENT AND IDENTIFICATION AT CASHOUT

Page 8:

CLAIM OF IDENTITY – STATEMENT THAT A PERSON IS OR IS NOT THE SOURCE OF A REFERENCE IN A DATABASE; CAN BE POSITIVE (IN THE DATABASE), NEGATIVE (NOT IN THE DATABASE) OR SPECIFIC (I AM USER 123).

COMPARISON – PROCESS OF COMPARING A BIOMETRIC REFERENCE WITH A PREVIOUSLY STORED REFERENCE TO MAKE AN IDENTIFICATION OR VERIFICATION DECISION.

(SOURCE – BIOMETRICS.GOV)

Page 9:

ENROLLMENT – PROCESS OF COLLECTING A BIOMETRIC SAMPLE FROM AN END USER, CONVERTING IT INTO A BIOMETRIC REFERENCE AND STORING IT IN THE DATABASE FOR LATER COMPARISON.

EQUAL ERROR RATE (EER) – A STATISTIC USED TO SHOW BIOMETRIC PERFORMANCE. THE LOWER THE EER, THE HIGHER THE ACCURACY OF THE SYSTEM.

(SOURCE – BIOMETRICS.GOV)

Page 10:

FAILURE TO ACQUIRE – FAILURE OF A BIOMETRIC SYSTEM TO CAPTURE AND/OR EXTRACT USABLE INFORMATION FROM A BIOMETRIC SAMPLE.

FAILURE TO ENROL – FAILURE OF A BIOMETRIC SYSTEM TO FORM A PROPER ENROLLMENT REFERENCE FOR AN END USER (TRAINING, SENSOR QUALITY).

(SOURCE – BIOMETRICS.GOV)

Page 11:

FALSE ACCEPTANCE RATE – THE PERCENTAGE OF TIMES A SYSTEM PRODUCES A FALSE ACCEPT – AN INDIVIDUAL IS INCORRECTLY MATCHED TO ANOTHER INDIVIDUAL’S EXISTING BIOMETRIC (TYPE II ERROR, T2).

FALSE ALARM RATE – THE PERCENTAGE OF TIMES AN ALARM IS INCORRECTLY SOUNDED ON AN INDIVIDUAL WHO IS NOT IN THE BIOMETRIC SYSTEM’S DATABASE.

(SOURCE – BIOMETRICS.GOV)

Page 12:

FALSE REJECTION RATE – THE PERCENTAGE OF TIMES THE SYSTEM PRODUCES A FALSE REJECT. THIS OCCURS WHEN AN INDIVIDUAL IS NOT MATCHED TO HIS/HER OWN EXISTING BIOMETRIC TEMPLATE (TYPE I ERROR, T1).

ALGORITHM – A LIMITED SEQUENCE OF INSTRUCTIONS OR STEPS THAT TELLS A COMPUTER HOW TO SOLVE A PARTICULAR PROBLEM – IMAGE PROCESSING, TEMPLATE GENERATION, COMPARISONS, ETC.

(SOURCE – BIOMETRICS.GOV)

Page 13:

VERIFICATION – A TASK WHERE A BIOMETRIC SYSTEM ATTEMPTS TO CONFIRM AN INDIVIDUAL’S IDENTITY BY COMPARING A SUBMITTED SAMPLE TO ONE OR MORE PREVIOUSLY ENROLLED TEMPLATES – USED TO CONFIRM THAT THE INDIVIDUAL IS ENROLLED AND HAS THE CLAIMED AUTHORISATIONS.

AM I WHO I CLAIM I AM? – SYS ADMIN

IDENTIFICATION – A TASK WHERE A BIOMETRIC SYSTEM ATTEMPTS TO DETERMINE THE IDENTITY OF AN INDIVIDUAL: A BIOMETRIC IS COLLECTED AND COMPARED TO ALL TEMPLATES IN THE DATABASE – WHO AM I?

SOURCES – (MICHIGAN STATE UNIVERSITY ARTICLE, BIOMETRICS.GOV)

Page 14:

IDENTIFICATION: CAN BE

‘OPEN SET’ – PERSON NOT GUARANTEED TO EXIST IN THE DATABASE

‘CLOSED SET’ – PERSON IS KNOWN TO EXIST IN THE DATABASE

(SOURCE – BIOMETRICS.GOV)

Page 15:

FAILURE TO ENROLL RATE (FTER) = NUMBER OF UNSUCCESSFUL ENROLLMENTS/TOTAL NUMBER OF USERS ATTEMPTING TO ENROLL.

CROSS-OVER ERROR RATE (CER)—A MEASURE REPRESENTING THE PERCENT AT WHICH FRR EQUALS FAR. THIS IS THE POINT ON THE GRAPH WHERE THE FAR AND FRR INTERSECT.

THE CROSS-OVER RATE INDICATES A SYSTEM WITH GOOD BALANCE OVER SENSITIVITY AND PERFORMANCE.

(SOURCE ISACA)
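A worked illustration of Pages 13 to 15 (1:1 verification, open-set and closed-set 1:N identification, and the FAR/FRR/EER and FTER statistics), added here as example code that is not part of the presentation. The feature-vector templates, the similarity function and the genuine/impostor score lists are constructed stand-ins for a real matcher's output.

```python
from typing import Dict, List, Optional, Tuple

# Constructed toy templates: short feature vectors in [0, 1] standing in for
# real biometric templates (the real format is matcher-specific).
Template = Tuple[float, ...]

def similarity(a: Template, b: Template) -> float:
    """Similarity score in [0, 1]: 1 minus the mean absolute feature difference."""
    return 1.0 - sum(abs(x - y) for x, y in zip(a, b)) / len(a)

def verify(sample: Template, db: Dict[str, Template], claimed: str, thr: float) -> bool:
    """1:1 comparison for a specific claim ('I am user 123'): am I who I claim I am?"""
    return similarity(sample, db[claimed]) >= thr

def identify_closed(sample: Template, db: Dict[str, Template]) -> str:
    """Closed-set 1:N: the person is known to be enrolled, so return the best match."""
    return max(db, key=lambda uid: similarity(sample, db[uid]))

def identify_open(sample: Template, db: Dict[str, Template], thr: float) -> Optional[str]:
    """Open-set 1:N: the person may not be enrolled; best match only if it clears thr."""
    best = identify_closed(sample, db)
    return best if similarity(sample, db[best]) >= thr else None

def far_frr(genuine: List[float], impostor: List[float], thr: float) -> Tuple[float, float]:
    """FAR: share of impostor scores accepted; FRR: share of genuine scores rejected."""
    far = sum(s >= thr for s in impostor) / len(impostor)
    frr = sum(s < thr for s in genuine) / len(genuine)
    return far, frr

def equal_error_rate(genuine: List[float], impostor: List[float], steps: int = 1000) -> Tuple[float, float]:
    """Sweep thresholds; the CER/EER is where the FAR and FRR curves cross.
    Returns (threshold, EER); a lower EER means a more accurate system."""
    best = None
    for i in range(steps + 1):
        thr = i / steps
        far, frr = far_frr(genuine, impostor, thr)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (thr, far, frr)
    return best[0], (best[1] + best[2]) / 2

def failure_to_enrol_rate(unsuccessful: int, attempted: int) -> float:
    """FTER = unsuccessful enrolments / users attempting to enrol."""
    return unsuccessful / attempted

if __name__ == "__main__":
    db = {"user123": (0.2, 0.4, 0.6), "user456": (0.8, 0.1, 0.5)}  # constructed
    probe = (0.25, 0.35, 0.6)
    print(verify(probe, db, "user123", 0.9), identify_open((0.5, 0.9, 0.1), db, 0.9))
    genuine, impostor = [0.95, 0.9, 0.85, 0.8, 0.6], [0.3, 0.4, 0.5, 0.7, 0.75]
    print(equal_error_rate(genuine, impostor), failure_to_enrol_rate(3, 100))
```

Raising the threshold lowers the FAR and raises the FRR, which is why the crossing point is reported as a single accuracy figure.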

Page 16:

Page 17:

AS A PHYSICAL ACCESS CONTROL

AS A MECHANISM FOR LOGICAL ACCESS CONTROL

IN LOGICAL ACCESS CONTROL PART OF IDENTIFICATION AND AUTHENTICATION PROCESS

Page 18:

AUTHENTICATION – IN LOGICAL ACCESS CONTROL SOFTWARE, IS ‘THE PROCESS OF PROVING ONE’S IDENTITY’

IDENTIFICATION – MEANS BY WHICH USER PROVIDES CLAIMED IDENTITY

HELPS ESTABLISH USER ACCOUNTABILITY

FIRST LINE OF DEFENSE

SOURCE – CISA REVIEW MANUAL 2003

Page 19:

IDENTIFICATION AND AUTHENTICATION (I & A) – IS A TECHNICAL MEASURE THAT PREVENTS UNAUTHORISED PEOPLE (OR UNAUTHORISED PROCESSES) FROM ENTERING A COMPUTER SYSTEM

I & A TECHNIQUES:

SOMETHING YOU KNOW – PASSWORD, STATIC PIN

SOMETHING YOU HAVE – TOKEN CARD, PIN GENERATOR

SOMETHING YOU ARE – BIOMETRIC CHARACTERISTIC

SOURCE – CISA REVIEW MANUAL 2003

Page 20:

PHYSIOLOGICAL & BEHAVIOURAL

FINGERPRINT

FINGERVEIN

PALM PRINT

HAND GEOMETRY

Page 21:

IRIS RECOGNITION

RETINA RECOGNITION

VOICE RECOGNITION

SIGNATURE RECOGNITION

FACE RECOGNITION

Page 22:

KEYSTROKE DYNAMICS

DNA? DEBATE, AS NOT PERFORMED BY AN ‘AUTOMATED’ METHOD (SOURCE – BIOMETRICS.GOV)

GAIT? – IN DEVELOPMENT / PRACTICAL??

Page 23:

Page 24:

ADVANTAGES

MULTIPLE FINGERS!

EASY TO USE

LOW STORAGE SPACE

LARGE EXISTING DATABASES GLOBALLY FOR WATCHLIST CHECKS

PROVEN EFFECTIVE OVER TIME

DISADVANTAGES

PUBLIC PERCEPTIONS – CRIMINAL CONNOTATIONS

HEALTH CONCERNS – EBOLA, BIRD FLU

AGE, OCCUPATION, WEIGHT GAIN, CUTS

(SOURCE – BIOMETRICS.GOV)

Page 25:

Page 26:

ADVANTAGES

NO CONTACT REQUIRED

HIGHLY STABLE OVER TIME

DISADVANTAGES

DIFFICULT TO CAPTURE – FOR SOME, TRAINING

EASILY OBSCURED – REFLECTIONS FROM CORNEA, EYELIDS, EYELASHES

PUBLIC FEARS OF ‘SCANNING’ THE EYE WITH LIGHT SOURCE – INFRARED LIGHT USED TO ILLUMINATE IRIS (SOURCE – FINDBIOMETRICS.COM)

LIMITED EXISTING DATA FOR WATCHLIST CHECKS

(SOURCE – BIOMETRICS.GOV)

Page 27:

ADVANTAGES

NO CONTACT

COMMONLY AVAILABLE SENSORS – CAMERA

LARGE AMOUNTS OF EXISTING DATA

EASY FOR HUMANS TO VERIFY RESULTS

DISADVANTAGES

OBSTRUCTION OF IMAGE BY HAIR, GLASSES, HATS

CHANGE OVER TIME

(SOURCE – BIOMETRICS.GOV)

Page 28:

ADVANTAGES

PUBLIC ACCEPTANCE

NO CONTACT REQUIRED

SENSORS COMMON – TELEPHONES, MICROPHONES

DISADVANTAGES

NOT SUFFICIENTLY DISTINCTIVE OVER LARGE DATABASES

(SOURCE – BIOMETRICS.GOV)

Page 29:

UNIQUENESS

THE TWINS CHALLENGE

PERMANENCE

Page 30:

ITERATIVE AVERAGING PROCESS.

ACQUIRE BIOMETRIC SAMPLE (PHYSICAL /BEHAVIOURAL).

EXTRACT UNIQUE FEATURES FROM SAMPLE

FEATURES CONVERTED INTO MATHEMATICAL CODE

Page 31:

CREATION OF INITIAL ‘TEMPLATE’ – (DIGITAL REPRESENTATION OF THE BIOMETRIC)

COMPARISON OF NEW SAMPLES WITH WHAT HAS BEEN STORED

DEVELOPING FINAL TEMPLATE

ENCRYPTION

USE TO IDENTIFY USER (E.G. FINGERPRINT – LATENT VS CONVENTIONAL – SOURCE NIST, BIOMETRICS.GOV)

Page 32:

SECURE?

CONVENIENT?

CANNOT BE STOLEN ?

CANNOT BE FORGOTTEN

DIFFICULT TO FORGE

(SOURCE SMARTCARDALLIANCE)

Page 33:

TEMPLATE SKIMMING

NOT ALWAYS ACCURATE – FARs / FRRs

10% OF POPULATION HAVE WORN/CUT/UNRECOGNISABLE FINGERPRINTS!! – SOURCE BIOMETRIC NEWSPORTAL

BIOMETRIC FEATURES MAY ALTER OR DEGRADE WITH AGE, DISEASE, WEIGHT GAIN

Page 34:

SECURITY RISKS - CAR THEFT!!

VOICE BIOMETRICS – BACKGROUND NOISE

STORAGE AND TRANSMISSION QUALITY LOSS

Page 35:

MULTIMODAL BIOMETRICS – USE OF MORE THAN ONE BIOMETRIC IDENTIFIER FOR INCREASED ACCURACY

COMBINATION OF BIOMETRICS WITH PINS AND TOKENS

SMARTCARDS – ICC, MEMORY, STORAGE OF BIOMETRIC TEMPLATES TO AVOID VERIFICATION AT LONG DISTANCE HOST

(SOURCE –VARIOUS)

Page 36:

AUDIT CONTROLS IN MATCHING TEMPLATES GENERATED TO OTHER DATA – CRIMINAL RECORDS, FINANCIAL DEFAULT HISTORIES

IS AUDIT GUIDELINE ISACA G36:

PRIVACY CONCERNS

INTRUSIVENESS OF DATA COLLECTION

HEALTH CONCERNS

SKILL OF SYSTEM USE BY STAFF

ROBUSTNESS OF TECHNOLOGY – RELIABLE

COST OF DEPLOYMENT

LEGISLATIVE AND REGULATORY COMPLIANCE

RESISTANCE TO CHANGE/USE

Page 37:

COST–BENEFIT CONSIDERATIONS

PRACTICALITY AND EFFICIENCY – AIRPORT QUEUES, VOTING PROCESSES.

ACCURACY – FAR, FRR, EER

CULTURE – GLOBAL COMPANIES!

NON-CO-OPERATION, HEALTH CONCERNS (SOURCE NIST, BIOMETRICS.GOV)

Page 38:

WILL IMAGES BE COMPACT ENOUGH FOR EFFECTIVE TRANSMISSION ACROSS NETWORKS WITHOUT DEGRADATION?

WILL IMAGES/TEMPLATES BE COMPACT ENOUGH FOR STORAGE ON SMART CARD?

INTEROPERABILITY AND STANDARDISATION – IMMIGRATION FACE CAMERA AND FINGER PRINT CAPTURE TO SINGLE APPLICATION/DEVICE

(SOURCE NIST)

Page 39:

INTEROPERABILITY – ACROSS GOVERNMENT AGENCIES

PRIVACY CONCERNS

DATA SHARING - ACROSS JURISDICTIONS ?

LEGAL IMPLICATIONS ?

DATA STORAGE REQUIREMENTS

Page 40:

QUESTIONS?

Page 41:

CIO MAGAZINE – USING BIOMETRIC ACCESS SYSTEMS: DOS AND DON’TS – http://www.cio.com/article/573113/Using_Biometric_Access_Systems_Dos_and_Don_ts?page=3&taxonomyId=3092

BIOMETRICS.GOV – http://www.biometrics.gov/

CISA REVIEW MANUAL (2003) – INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION

GARTNER IT GLOSSARY – http://www.gartner.com/it-glossary/biometrics/

MULTIMODAL BIOMETRICS – BIOMETRIC NEWS PORTAL – http://www.biometricnewsportal.com/multimodal-biometrics.asp

NEW NIST BIOMETRIC DATA STANDARD ADDS DNA, FOOTMARKS AND ENHANCED FINGERPRINT DESCRIPTIONS – http://www.nist.gov/itl/iad/biometric-120611.cfm

SMARTCARD AND BIOMETRICS – SMARTCARD ALLIANCE – http://www.smartcardalliance.org/pages/publications-smart-cards-and-biometrics

IRIS SCANNERS AND RECOGNITION – http://www.findbiometrics.com/iris-recognition/

AN OVERVIEW OF BIOMETRIC RECOGNITION – MICHIGAN STATE UNIVERSITY – http://biometrics.cse.msu.edu/info.html

ISACA AUDIT GUIDELINE 36 – BIOMETRIC CONTROLS – http://www.isaca.org/Knowledge-Center/Standards/Pages/IS-Auditing-Guideline-G36-Biometric-Controls.aspx