BIOMETRICS – PRACTICAL APPLICATIONS AND CONSIDERATIONS
ISACA KAMPALA CHAPTER
30TH MAY 2012
AGUMA MPAIRWE B.A. (HONS), CISA, CIA, FCCA
PRESENTATION APPROACH
DEFINITIONS
KEY CONCEPTS
APPLICATIONS
KEY CONSIDERATIONS
POINTS TO NOTE
QUESTIONS
THIS PRESENTATION HAS BEEN PREPARED FOR EDUCATIONAL PURPOSES.
ATTRIBUTION IS MADE TO PARTICULAR SOURCES OF INFORMATION WHICH SHOULD BE RE-CHECKED FOR COMPLETENESS AS CONTENT MAY HAVE BEEN REDUCED FOR THE SAKE OF BREVITY.
BIOMETRICS – AUTOMATED METHODS OF DISCOVERING AN INDIVIDUAL BASED ON MEASURABLE BIOLOGICAL AND BEHAVIOURAL CHARACTERISTICS (SOURCE – BIOMETRICS.GOV)
BIOMETRIC CHARACTERISTIC – A MEASURABLE PHYSIOLOGICAL OR BEHAVIOURAL TRAIT OF A LIVING PERSON, ESPECIALLY ONE THAT CAN BE USED TO DETERMINE OR VERIFY THE IDENTITY OF A PERSON IN ACCESS CONTROL OR CRIMINAL FORENSICS. (SOURCE-GARTNER GLOSSARY)
“BIOMETRICS FOR IDENTIFICATION AND SCREENING TO ENHANCE NATIONAL SECURITY,”
SIGNED BY PRESIDENT BUSH ON JUNE 5, 2008.
ESTABLISHES A FRAMEWORK TO ENSURE FEDERAL DEPARTMENTS AND AGENCIES USE COMPATIBLE METHODS AND PROCEDURES IN THE COLLECTION, STORAGE, USE, ANALYSIS, AND SHARING OF BIOMETRIC AND ASSOCIATED BIOGRAPHIC AND CONTEXTUAL INFORMATION OF INDIVIDUALS IN A LAWFUL AND APPROPRIATE MANNER, WHILE RESPECTING PRIVACY AND OTHER LEGAL RIGHTS UNDER UNITED STATES LAW.
(SOURCE – BIOMETRICS.GOV)
GENERAL PHYSICAL ACCESS CONTROL – OFFICES, FINGER,THUMB.
INTERNAL AFFAIRS – IMMIGRATION, AIRPORT – IDENTIFICATION OF PASSPORT HOLDER – FINGER/PALM/FACE BIOMETRIC RECOGNITION.
ELECTORAL COMMISSION – VOTER REGISTRATION.
DRIVING PERMIT – DRIVER RECOGNITION.
VISA APPLICATION – UK VISA.
FINANCIAL SERVICES
CREDIT REFERENCE BUREAU – COMPUSCAN
MICROFINANCE
ATM – IN ADDITION TO ATM CARD/PIN
POINT OF SALE TERMINALS
MOBILE MONEY SERVICES – ENROLLMENT AND IDENTIFICATION AT CASHOUT
CLAIM OF IDENTITY – STATEMENT THAT A PERSON IS OR IS NOT THE SOURCE OF A REFERENCE IN A DATABASE, CAN BE POSITIVE (IN THE DATABASE), NEGATIVE (NOT IN THE DATABASE) OR SPECIFIC (I AM USER 123).
COMPARISON – PROCESS OF COMPARING A BIOMETRIC REFERENCE WITH A PREVIOUSLY STORED REFERENCE TO MAKE AN IDENTIFICATION OR VERIFICATION DECISION.
(SOURCE – BIOMETRICS.GOV)
ENROLLMENT – PROCESS OF COLLECTING A BIOMETRIC SAMPLE FROM AN END USER, CONVERTING IT INTO A BIOMETRIC REFERENCE AND STORING IT IN THE DATABASE FOR LATER COMPARISON.
EQUAL ERROR RATE (EER) – A STATISTIC USED TO SHOW BIOMETRIC PERFORMANCE. THE LOWER THE EER, THE HIGHER THE ACCURACY OF THE SYSTEM.
(SOURCE – BIOMETRICS.GOV)
FAILURE TO ACQUIRE – FAILURE OF A BIOMETRIC SYSTEM TO CAPTURE AND/OR EXTRACT USABLE INFORMATION FROM A BIOMETRIC SAMPLE
FAILURE TO ENROL – FAILURE OF A BIOMETRIC SYSTEM TO FORM A PROPER ENROLLMENT REFERENCE FOR AN END USER (TRAINING, SENSOR QUALITY).
(SOURCE – BIOMETRICS.GOV)
FALSE ACCEPTANCE RATE – THE PERCENTAGE OF TIMES A SYSTEM PRODUCES A FALSE ACCEPT – AN INDIVIDUAL IS INCORRECTLY MATCHED TO ANOTHER INDIVIDUAL’S EXISTING BIOMETRIC. (TYPE II ERROR)
FALSE ALARM RATE – THE PERCENTAGE OF TIMES AN ALARM IS INCORRECTLY SOUNDED ON AN INDIVIDUAL WHO IS NOT IN THE BIOMETRIC SYSTEM’S DATABASE
(SOURCE – BIOMETRICS.GOV)
FALSE REJECTION RATE – THE PERCENTAGE OF TIMES THE SYSTEM PRODUCES A FALSE REJECT. THIS OCCURS WHEN AN INDIVIDUAL IS NOT MATCHED TO HIS/HER OWN EXISTING BIOMETRIC TEMPLATE. (TYPE I ERROR)
ALGORITHM – A LIMITED SEQUENCE OF INSTRUCTIONS OR STEPS THAT TELLS A COMPUTER HOW TO SOLVE A PARTICULAR PROBLEM – IMAGE PROCESSING, TEMPLATE GENERATION, COMPARISONS ETC.
(SOURCE – BIOMETRICS.GOV)
VERIFICATION – A TASK WHERE A BIOMETRIC SYSTEM ATTEMPTS TO CONFIRM AN INDIVIDUAL’S IDENTITY BY COMPARING A SUBMITTED SAMPLE TO ONE OR MORE PREVIOUSLY ENROLLED TEMPLATES – USED TO CONFIRM THAT THE INDIVIDUAL IS ENROLLED AND HAS THE CLAIMED AUTHORISATIONS
AM I WHO I CLAIM I AM? – SYS ADMIN
IDENTIFICATION – A TASK WHERE A BIOMETRIC SYSTEM ATTEMPTS TO DETERMINE THE IDENTITY OF AN INDIVIDUAL: A BIOMETRIC IS COLLECTED AND COMPARED TO ALL TEMPLATES IN THE DATABASE – WHO AM I?
SOURCES – (MICHIGAN STATE UNIVERSITY ARTICLE, BIOMETRICS.GOV)
IDENTIFICATION: CAN BE
‘OPEN SET’ – PERSON NOT GUARANTEED TO EXIST IN THE DATABASE
‘CLOSED SET’ – PERSON IS KNOWN TO EXIST IN THE DATABASE
(SOURCE – BIOMETRICS.GOV)
FAILURE TO ENROLL RATE (FTER) = NUMBER OF UNSUCCESSFUL ENROLLMENTS/TOTAL NUMBER OF USERS ATTEMPTING TO ENROLL.
CROSS-OVER ERROR RATE (CER) – A MEASURE REPRESENTING THE PERCENT AT WHICH FRR EQUALS FAR. THIS IS THE POINT ON THE GRAPH WHERE THE FAR AND FRR INTERSECT.
THE CROSS-OVER RATE INDICATES A SYSTEM WITH GOOD BALANCE OVER SENSITIVITY AND PERFORMANCE.
(SOURCE ISACA)
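As an added worked example (not from the presentation, and not tied to any product), the Python below computes the FAR, FRR, EER/CER and FTER figures defined above from two lists of match scores. The genuine and impostor score values, the function names and the 0.01-step threshold sweep are all assumptions made for illustration; a real evaluation would use thousands of scores from a test corpus.

```python
"""Added example: FAR, FRR, EER/CER and FTER from match scores.

The score lists are constructed sample data, not measurements from any real
system. A genuine score compares a sample with the SAME person's stored
template; an impostor score compares it with a DIFFERENT person's template.
Higher score means more similar; the system accepts when score >= threshold.
"""
from typing import Dict, List, Tuple

# Constructed sample data (similarity in 0.0..1.0). Real systems produce
# thousands of such scores from an evaluation corpus.
GENUINE_SCORES: List[float] = [0.95, 0.91, 0.88, 0.85, 0.82, 0.78, 0.74, 0.70, 0.66, 0.60]
IMPOSTOR_SCORES: List[float] = [0.12, 0.20, 0.28, 0.35, 0.41, 0.48, 0.55, 0.62, 0.68, 0.75]


def false_acceptance_rate(impostor: List[float], threshold: float) -> float:
    """FAR: share of impostor comparisons the system wrongly accepts (Type II)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_rejection_rate(genuine: List[float], threshold: float) -> float:
    """FRR: share of genuine comparisons the system wrongly rejects (Type I)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def error_rates_by_threshold(genuine: List[float], impostor: List[float],
                             steps: int = 100) -> Dict[float, Tuple[float, float]]:
    """Sweep the decision threshold from 0 to 1 and record (FAR, FRR) at each step."""
    table: Dict[float, Tuple[float, float]] = {}
    for i in range(steps + 1):
        t = round(i / steps, 6)
        table[t] = (false_acceptance_rate(impostor, t), false_rejection_rate(genuine, t))
    return table


def equal_error_rate(genuine: List[float], impostor: List[float],
                     steps: int = 100) -> Tuple[float, float]:
    """Return (threshold, EER). The EER is read at the cross-over point (CER),
    the threshold where FAR and FRR are closest; a lower EER means a more
    accurate system. With a coarse sweep the two rates may not be exactly
    equal, so the average of the two at the closest point is reported."""
    best_t, best_gap, best_rate = 0.0, float("inf"), 1.0
    for t, (far, frr) in error_rates_by_threshold(genuine, impostor, steps).items():
        gap = abs(far - frr)
        if gap < best_gap:
            best_t, best_gap, best_rate = t, gap, (far + frr) / 2
    return best_t, best_rate


def failure_to_enrol_rate(unsuccessful_enrolments: int, users_attempting: int) -> float:
    """FTER = unsuccessful enrolments / total users attempting to enrol."""
    if users_attempting <= 0:
        raise ValueError("at least one enrolment attempt is required")
    return unsuccessful_enrolments / users_attempting


if __name__ == "__main__":
    for t in (0.5, 0.67, 0.8):
        far = false_acceptance_rate(IMPOSTOR_SCORES, t)
        frr = false_rejection_rate(GENUINE_SCORES, t)
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    t, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"cross-over at threshold {t:.2f}, EER {eer:.0%}")
    print(f"FTER for 3 failures in 150 users: {failure_to_enrol_rate(3, 150):.1%}")
```

Running the sweep on the constructed scores shows the trade-off the slides describe: at a threshold of 0.5 no genuine user is rejected but 40% of impostors get in, at 0.8 no impostor gets in but half of the genuine users are rejected, and the two rates cross at about 0.67 with an EER of 20%. An auditor reviewing a deployment should ask where the operator set the threshold relative to that cross-over point, since a low FRR bought by a high FAR is a security weakness rather than a convenience feature.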
AS A PHYSICAL ACCESS CONTROL
AS A MECHANISM FOR LOGICAL ACCESS CONTROL
IN LOGICAL ACCESS CONTROL, PART OF THE IDENTIFICATION AND AUTHENTICATION PROCESS
AUTHENTICATION – IN LOGICAL ACCESS CONTROL SOFTWARE, IS ‘THE PROCESS OF PROVING ONE’S IDENTITY’
IDENTIFICATION – MEANS BY WHICH USER PROVIDES CLAIMED IDENTITY
HELPS ESTABLISH USER ACCOUNTABILITY
FIRST LINE OF DEFENSE
SOURCE – CISA REVIEW MANUAL 2003
I & A – A TECHNICAL MEASURE THAT PREVENTS UNAUTHORISED PEOPLE (OR UNAUTHORISED PROCESSES) FROM ENTERING A COMPUTER SYSTEM
I & A TECHNIQUES:
SOMETHING YOU KNOW – PASSWORD, STATIC PIN
SOMETHING YOU HAVE – TOKEN CARD, PIN GENERATOR
SOMETHING YOU ARE – BIOMETRIC CHARACTERISTIC
SOURCE – CISA REVIEW MANUAL 2003
PHYSIOLOGICAL & BEHAVIOURAL
FINGERPRINT
FINGERVEIN
PALM PRINT
HAND GEOMETRY
IRIS RECOGNITION
RETINA RECOGNITION
VOICE RECOGNITION
SIGNATURE RECOGNITION
FACE RECOGNITION
KEYSTROKE DYNAMICS
DNA ? – DEBATED, AS NOT PERFORMED BY AN ‘AUTOMATED’ METHOD (SOURCE – BIOMETRICS.GOV)
GAIT ? – IN DEVELOPMENT / PRACTICAL ??
FINGERPRINT
ADVANTAGES
MULTIPLE FINGERS!
EASY TO USE
LOW STORAGE SPACE
LARGE EXISTING DATABASES GLOBALLY FOR WATCHLIST CHECKS
PROVEN EFFECTIVE OVER TIME
DISADVANTAGES
PUBLIC PERCEPTIONS – CRIMINAL CONNOTATIONS
HEALTH CONCERNS – EBOLA, BIRD FLU
AGE, OCCUPATION, WEIGHT GAIN, CUTS
(SOURCE – BIOMETRICS.GOV)
IRIS
ADVANTAGES
NO CONTACT REQUIRED
HIGHLY STABLE OVER TIME
DISADVANTAGES
DIFFICULT TO CAPTURE – FOR SOME, TRAINING
EASILY OBSCURED – REFLECTIONS FROM CORNEA, EYELIDS, EYELASHES
PUBLIC FEARS OF ‘SCANNING’ THE EYE WITH A LIGHT SOURCE – INFRARED LIGHT IS USED TO ILLUMINATE THE IRIS (SOURCE – FINDBIOMETRICS.COM)
LIMITED EXISTING DATA FOR WATCHLIST CHECKS
(SOURCE – BIOMETRICS.GOV)
FACE
ADVANTAGES
NO CONTACT
COMMONLY AVAILABLE SENSORS – CAMERA
LARGE AMOUNTS OF EXISTING DATA
EASY FOR HUMANS TO VERIFY RESULTS
DISADVANTAGES
OBSTRUCTION OF IMAGE BY HAIR, GLASSES, HATS
CHANGE OVER TIME
(SOURCE – BIOMETRICS.GOV)
VOICE
ADVANTAGES
PUBLIC ACCEPTANCE
NO CONTACT REQUIRED
SENSORS COMMON – TELEPHONES, MICROPHONES
DISADVANTAGES
NOT SUFFICIENTLY DISTINCTIVE OVER LARGE DATABASES
(SOURCE – BIOMETRICS.GOV)
UNIQUENESS
THE TWINS CHALLENGE
PERMANENCE
ITERATIVE AVERAGING PROCESS.
ACQUIRE BIOMETRIC SAMPLE (PHYSICAL /BEHAVIOURAL).
EXTRACT UNIQUE FEATURES FROM SAMPLE
FEATURES CONVERTED INTO MATHEMATICAL CODE
CREATION OF INITIAL ‘TEMPLATE’ – (DIGITAL REPRESENTATION OF THE BIOMETRIC)
COMPARISON OF NEW SAMPLES WITH WHAT HAS BEEN STORED
DEVELOPING FINAL TEMPLATE
ENCRYPTION
USE TO IDENTIFY USER (E.G. FINGERPRINT: LATENT VS CONVENTIONAL – SOURCE NIST, BIOMETRICS.GOV)
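The enrolment steps above (acquire samples, extract features, build an initial template, compare new samples with it, develop the final template) and the earlier verification/identification and open-set/closed-set definitions are illustrated together in the added Python example below. It is not code from the presentation or any vendor: the three-element feature vectors, the user ids, the cosine-similarity measure, the 0.9 consistency limit and the 0.95 decision threshold are all constructed assumptions, and the encryption step that follows “developing final template” is deliberately left out.

```python
"""Added example: enrolment by iterative averaging, then verification (1:1)
and identification (1:N, open set and closed set).

The feature vectors are constructed toy data standing in for the
'mathematical code' a real extractor derives from a fingerprint or face image.
Encryption of the stored template (the step after 'developing final template')
is deliberately left out of this example.
"""
import math
from typing import Dict, List, Optional

Features = List[float]

# Constructed enrolment captures per user. u001 includes one bad capture;
# u003's captures disagree with each other, so enrolment must fail.
ENROLMENT_SAMPLES: Dict[str, List[Features]] = {
    "u001": [[1.0, 0.2, 0.1], [0.9, 0.25, 0.1], [0.1, 0.9, 0.8], [1.1, 0.2, 0.15]],
    "u002": [[0.1, 1.0, 0.2], [0.15, 0.9, 0.2], [0.1, 1.0, 0.25]],
    "u003": [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]],
}
PROBE_U001: Features = [0.95, 0.2, 0.1]     # a later sample from u001
PROBE_STRANGER: Features = [0.2, 0.2, 1.0]  # someone never enrolled


def similarity(a: Features, b: Features) -> float:
    """Cosine similarity in 0..1 for non-negative vectors; 1.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def enrol(samples: List[Features], min_consistency: float = 0.9,
          min_accepted: int = 2) -> Optional[Features]:
    """Iterative averaging: start from the first capture, compare each further
    capture with the running template, fold in the consistent ones and skip
    the rest. Fewer than min_accepted usable captures = failure to enrol (None)."""
    template = list(samples[0])
    accepted = 1
    for sample in samples[1:]:
        if similarity(template, sample) < min_consistency:
            continue  # unusable capture: do not pollute the running average
        accepted += 1
        template = [(t * (accepted - 1) + s) / accepted for t, s in zip(template, sample)]
    return template if accepted >= min_accepted else None


def build_database() -> Dict[str, Features]:
    """Enrol every user whose captures yield a template; report the others."""
    db: Dict[str, Features] = {}
    for user_id, samples in ENROLMENT_SAMPLES.items():
        template = enrol(samples)
        if template is None:
            print(f"failure to enrol: {user_id}")
            continue
        db[user_id] = template
    return db


def verify(db: Dict[str, Features], claimed_id: str, sample: Features,
           threshold: float) -> bool:
    """1:1 verification, 'Am I who I claim I am?': compare only with the claimed identity."""
    template = db.get(claimed_id)
    return template is not None and similarity(template, sample) >= threshold


def identify(db: Dict[str, Features], sample: Features,
             threshold: Optional[float] = None) -> Optional[str]:
    """1:N identification, 'Who am I?': compare with every template.
    Closed set (threshold=None): the best match is always returned, which is
    only safe if the person is known to be in the database.
    Open set: the best match is returned only if it reaches the threshold,
    otherwise None ('not in the database')."""
    best_id: Optional[str] = None
    best_score = -1.0
    for user_id, template in db.items():
        score = similarity(template, sample)
        if score > best_score:
            best_id, best_score = user_id, score
    if threshold is not None and best_score < threshold:
        return None
    return best_id


if __name__ == "__main__":
    db = build_database()
    print("verify u001 as u001:", verify(db, "u001", PROBE_U001, 0.95))
    print("verify u001 as u002:", verify(db, "u002", PROBE_U001, 0.95))
    print("open-set identify stranger:", identify(db, PROBE_STRANGER, threshold=0.95))
    print("closed-set identify stranger:", identify(db, PROBE_STRANGER))
```

The closed-set call is the point to notice: it still names u002 as the “best match” for a person who was never enrolled, because closed-set identification assumes the person is in the database. A watchlist or one-to-many deployment therefore needs the open-set form with a reviewed threshold, and the failure-to-enrol path (u003 here) needs a defined fallback so that users the sensor cannot enrol are not silently dropped from the access-control process.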
SECURE ?
CONVENIENT ?
CANNOT BE STOLEN ?
CANNOT BE FORGOTTEN
DIFFICULT TO FORGE
(SOURCE SMARTCARDALLIANCE)
TEMPLATE SKIMMING
NOT ALWAYS ACCURATE – FARs / FRRs
10% OF POPULATION HAVE WORN/CUT/UNRECOGNISABLE FINGERPRINTS!! – SOURCE BIOMETRIC NEWSPORTAL
BIOMETRIC FEATURES MAY ALTER/DEGRADE WITH AGE, DISEASE, WEIGHT GAIN
SECURITY RISKS - CAR THEFT!!
VOICE BIOMETRICS – BACKGROUND NOISE
STORAGE AND TRANSMISSION QUALITY LOSS
MULTIMODAL BIOMETRICS – USE OF MORE THAN ONE BIOMETRIC IDENTIFIER FOR INCREASED ACCURACY
COMBINATION OF BIOMETRICS WITH PINS AND TOKENS
SMARTCARDS – ICC, MEMORY, STORAGE OF BIOMETRIC TEMPLATES TO AVOID VERIFICATION AT LONG DISTANCE HOST
(SOURCE –VARIOUS)
AUDIT CONTROLS IN MATCHING TEMPLATES GENERATED TO OTHER DATA – CRIMINAL RECORDS, FINANCIAL DEFAULT HISTORIES
IS AUDIT GUIDELINE ISACA G36
PRIVACY CONCERNS
INTRUSIVENESS OF DATA COLLECTION
HEALTH CONCERNS
SKILL OF SYSTEM USE BY STAFF
ROBUSTNESS OF TECHNOLOGY – RELIABLE
COST OF DEPLOYMENT
LEGISLATIVE AND REGULATORY COMPLIANCE
RESISTANCE TO CHANGE/USE
COST-BENEFIT CONSIDERATIONS
PRACTICALITY AND EFFICIENCY – AIRPORT QUEUES, VOTING PROCESSES.
ACCURACY – FAR, FRR, EER
CULTURE – GLOBAL COMPANIES!
NON-CO-OPERATION, HEALTH CONCERNS (SOURCE NIST, BIOMETRICS.GOV)
WILL IMAGES BE COMPACT ENOUGH FOR EFFECTIVE TRANSMISSION ACROSS NETWORKS WITHOUT DEGRADATION?
WILL IMAGES/TEMPLATES BE COMPACT ENOUGH FOR STORAGE ON SMART CARD?
INTEROPERABILITY AND STANDARDISATION – IMMIGRATION FACE CAMERA AND FINGERPRINT CAPTURE TO SINGLE APPLICATION/DEVICE
(SOURCE NIST)
INTEROPERABILITY – ACROSS GOVERNMENT AGENCIES
PRIVACY CONCERNS
DATA SHARING - ACROSS JURISDICTIONS ?
LEGAL IMPLICATIONS ?
DATA STORAGE REQUIREMENTS
QUESTIONS?
SOURCES
CIO MAGAZINE – http://www.cio.com/article/573113/Using_Biometric_Access_Systems_Dos_and_Don_ts?page=3&taxonomyId=3092
BIOMETRICS.GOV – http://www.biometrics.gov/
CISA REVIEW MANUAL (2003). INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION.
GARTNER IT GLOSSARY – http://www.gartner.com/it-glossary/biometrics/
MULTIMODAL BIOMETRICS – BIOMETRIC NEWS PORTAL – http://www.biometricnewsportal.com/multimodal-biometrics.asp
NEW NIST BIOMETRIC DATA STANDARD ADDS DNA, FOOTMARKS AND ENHANCED FINGERPRINT DESCRIPTIONS – http://www.nist.gov/itl/iad/biometric-120611.cfm
SMART CARDS AND BIOMETRICS – SMART CARD ALLIANCE – http://www.smartcardalliance.org/pages/publications-smart-cards-and-biometrics
IRIS SCANNERS AND RECOGNITION – http://www.findbiometrics.com/iris-recognition/
AN OVERVIEW OF BIOMETRIC RECOGNITION – MICHIGAN STATE UNIVERSITY – http://biometrics.cse.msu.edu/info.html
ISACA AUDIT GUIDELINE G36 – BIOMETRIC CONTROLS – http://www.isaca.org/Knowledge-Center/Standards/Pages/IS-Auditing-Guideline-G36-Biometric-Controls.aspx