46aaa4c154b40fe2aeef3e87e9f8f11c.ppt
- Number of slides: 41
BIOMETRICS – PRACTICAL APPLICATIONS AND CONSIDERATIONS ISACA KAMPALA CHAPTER 30TH MAY 2012 AGUMA MPAIRWE B.A. (HONS), CISA, CIA, FCCA.
PRESENTATION APPROACH DEFINITIONS KEY CONCEPTS APPLICATIONS KEY CONSIDERATIONS POINTS TO NOTE QUESTIONS
TO NOTE THIS PRESENTATION HAS BEEN PREPARED FOR EDUCATIONAL PURPOSES. ATTRIBUTION IS MADE TO PARTICULAR SOURCES OF INFORMATION WHICH SHOULD BE RE-CHECKED FOR COMPLETENESS AS CONTENT MAY HAVE BEEN REDUCED FOR THE SAKE OF BREVITY.
DEFINITIONS BIOMETRICS – AUTOMATED METHODS OF DISCOVERING AN INDIVIDUAL BASED ON MEASURABLE BIOLOGICAL AND BEHAVIOURAL CHARACTERISTICS (SOURCE – BIOMETRICS.GOV) BIOMETRIC CHARACTERISTIC – A MEASURABLE PHYSIOLOGICAL OR BEHAVIOURAL TRAIT OF A LIVING PERSON, ESPECIALLY ONE THAT CAN BE USED TO DETERMINE OR VERIFY THE IDENTITY OF A PERSON IN ACCESS CONTROL OR CRIMINAL FORENSICS. (SOURCE – GARTNER GLOSSARY)
HOMELAND SECURITY PRESIDENTIAL DIRECTIVE (HSPD) – 24 “BIOMETRICS FOR IDENTIFICATION AND SCREENING TO ENHANCE NATIONAL SECURITY,” SIGNED BY PRESIDENT BUSH ON JUNE 5, 2008. ESTABLISHES A FRAMEWORK TO ENSURE FEDERAL DEPARTMENTS AND AGENCIES USE COMPATIBLE METHODS AND PROCEDURES IN THE COLLECTION, STORAGE, USE, ANALYSIS, AND SHARING OF BIOMETRIC AND ASSOCIATED BIOGRAPHIC AND CONTEXTUAL INFORMATION OF INDIVIDUALS IN A LAWFUL AND APPROPRIATE MANNER, WHILE RESPECTING PRIVACY AND OTHER LEGAL RIGHTS UNDER UNITED STATES LAW. (SOURCE – BIOMETRICS.GOV)
APPLICATIONS - UGANDA GENERAL PHYSICAL ACCESS CONTROL – OFFICES, FINGER, THUMB. INTERNAL AFFAIRS – IMMIGRATION, AIRPORT – IDENTIFICATION OF PASSPORT HOLDER – FINGER/PALM/FACE BIOMETRIC RECOGNITION. ELECTORAL COMMISSION – VOTER REGISTRATION. DRIVING PERMIT – DRIVER RECOGNITION.
APPLICATIONS - UGANDA VISA APPLICATION – UK VISA. FINANCIAL SERVICES CREDIT REFERENCE BUREAU – COMPUSCAN MICROFINANCE ATM – IN ADDITION TO ATM CARD/PIN POINT OF SALES TERMINALS MOBILE MONEY SERVICES - ENROLLMENT AND IDENTIFICATION AT CASHOUT
KEY CONCEPTS CLAIM OF IDENTITY – STATEMENT THAT A PERSON IS OR IS NOT THE SOURCE OF A REFERENCE IN A DATABASE; CAN BE POSITIVE (IN THE DATABASE), NEGATIVE (NOT IN THE DATABASE) OR SPECIFIC (I AM USER 123). COMPARISON – PROCESS OF COMPARING A BIOMETRIC REFERENCE WITH A PREVIOUSLY STORED REFERENCE TO MAKE AN IDENTIFICATION OR VERIFICATION DECISION. (SOURCE – BIOMETRICS.GOV)
KEY CONCEPTS ENROLLMENT – PROCESS OF COLLECTING A BIOMETRIC SAMPLE FROM AN END USER, CONVERTING IT INTO A BIOMETRIC REFERENCE AND STORING IT IN THE DATABASE FOR LATER COMPARISON. EQUAL ERROR RATE (EER) – A STATISTIC USED TO SHOW BIOMETRIC PERFORMANCE. THE LOWER THE EER, THE HIGHER THE ACCURACY OF THE SYSTEM. (SOURCE – BIOMETRICS.GOV)
KEY CONCEPTS FAILURE TO ACQUIRE – FAILURE OF A BIOMETRIC SYSTEM TO CAPTURE AND/OR EXTRACT USABLE INFORMATION FROM A BIOMETRIC SAMPLE. FAILURE TO ENROL – FAILURE OF A BIOMETRIC SYSTEM TO FORM A PROPER ENROLLMENT REFERENCE FOR AN END USER (TRAINING, SENSOR QUALITY). (SOURCE – BIOMETRICS.GOV)
KEY CONCEPTS FALSE ACCEPTANCE RATE – THE PERCENTAGE OF TIMES A SYSTEM PRODUCES A FALSE ACCEPT – AN INDIVIDUAL IS INCORRECTLY MATCHED TO ANOTHER INDIVIDUAL’S EXISTING BIOMETRIC. FALSE ALARM RATE – THE PERCENTAGE OF TIMES AN ALARM IS INCORRECTLY SOUNDED ON AN INDIVIDUAL WHO IS NOT IN THE BIOMETRIC SYSTEM’S DATABASE. (SOURCE – BIOMETRICS.GOV)
KEY CONCEPTS FALSE REJECTION RATE – THE PERCENTAGE OF TIMES THE SYSTEM PRODUCES A FALSE REJECT. THIS OCCURS WHEN AN INDIVIDUAL IS NOT MATCHED TO HIS/HER OWN EXISTING BIOMETRIC TEMPLATE. ALGORITHM – A LIMITED SEQUENCE OF INSTRUCTIONS OR STEPS THAT TELLS A COMPUTER HOW TO SOLVE A PARTICULAR PROBLEM – IMAGE PROCESSING, TEMPLATE GENERATION, COMPARISONS, ETC. (SOURCE – BIOMETRICS.GOV)
KEY CONCEPTS VERIFICATION – A TASK WHERE A BIOMETRIC SYSTEM ATTEMPTS TO CONFIRM AN INDIVIDUAL’S IDENTITY BY COMPARING A SUBMITTED SAMPLE TO ONE OR MORE PREVIOUSLY ENROLLED TEMPLATES – USED TO CONFIRM THAT THE INDIVIDUAL IS ENROLLED AND HAS THE CLAIMED AUTHORISATIONS. AM I WHO I CLAIM I AM? – SYS ADMIN. IDENTIFICATION – A TASK WHERE A BIOMETRIC SYSTEM ATTEMPTS TO DETERMINE THE IDENTITY OF AN INDIVIDUAL; A BIOMETRIC IS COLLECTED AND COMPARED TO ALL TEMPLATES IN THE DATABASE – WHO AM I? (SOURCES – MICHIGAN STATE UNIVERSITY ARTICLE, BIOMETRICS.GOV)
KEY CONCEPTS IDENTIFICATION: CAN BE ‘OPEN SET’ – PERSON NOT GUARANTEED TO EXIST IN THE DATABASE; ‘CLOSED SET’ – PERSON IS KNOWN TO EXIST IN THE DATABASE. (SOURCE – BIOMETRICS.GOV)
KEY CONCEPTS FAILURE TO ENROLL RATE (FTER) = NUMBER OF UNSUCCESSFUL ENROLLMENTS/TOTAL NUMBER OF USERS ATTEMPTING TO ENROLL. CROSS-OVER ERROR RATE (CER)—A MEASURE REPRESENTING THE PERCENT AT WHICH FRR EQUALS FAR. THIS IS THE POINT ON THE GRAPH WHERE THE FAR AND FRR INTERSECT. THE CROSS-OVER RATE INDICATES A SYSTEM WITH GOOD BALANCE OVER SENSITIVITY AND PERFORMANCE. (SOURCE ISACA)
FAR, FRR, CER COMPARISONS – SOURCE - ISACA
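As an added worked example (not part of the presentation), the FAR, FRR, cross-over/EER and FTER definitions from the KEY CONCEPTS slides are computed in Python over constructed matcher scores. The scores, the 0–100 similarity scale and all function names are assumptions made for illustration:

```python
"""Error-rate metrics for a biometric matcher, over constructed score data.

A matcher returns a similarity score per comparison; a score at or above the
decision threshold is an "accept". Genuine comparisons (sample vs. the same
person's template) below the threshold are false rejects; impostor comparisons
(sample vs. another person's template) that reach it are false accepts.
"""
from fractions import Fraction

# Constructed similarity scores on a 0-100 scale (not real measurements).
GENUINE_SCORES = [95, 88, 91, 72, 60, 85, 93, 78, 55, 89]
IMPOSTOR_SCORES = [12, 35, 48, 62, 20, 57, 41, 30, 66, 25]


def false_accept_rate(impostor_scores, threshold):
    """FAR: fraction of impostor comparisons wrongly accepted at this threshold."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return Fraction(accepted, len(impostor_scores))


def false_reject_rate(genuine_scores, threshold):
    """FRR: fraction of genuine comparisons wrongly rejected at this threshold."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return Fraction(rejected, len(genuine_scores))


def crossover_threshold(genuine_scores, impostor_scores):
    """Return (threshold, FAR, FRR) where FAR and FRR are closest to equal.

    Raising the threshold lowers FAR and raises FRR; the point where the two
    curves intersect is the cross-over / equal error rate (CER / EER). With
    discrete scores they may never be exactly equal, so the candidate with the
    smallest |FAR - FRR| is reported.
    """
    best = None
    for t in sorted(set(genuine_scores) | set(impostor_scores)):
        far = false_accept_rate(impostor_scores, t)
        frr = false_reject_rate(genuine_scores, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def failure_to_enroll_rate(unsuccessful_enrollments, users_attempting):
    """FTER = unsuccessful enrollments / total users attempting to enroll."""
    return Fraction(unsuccessful_enrollments, users_attempting)


if __name__ == "__main__":
    t, far, frr = crossover_threshold(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"cross-over at threshold {t}: FAR={far} FRR={frr}")
    print(f"FTER for 3 failures in 120 attempts: {failure_to_enroll_rate(3, 120)}")
```

Lowering the threshold below the cross-over point trades a smaller FRR (fewer users turned away) for a larger FAR, which is the balance an auditor reviewing a deployment's threshold setting should ask to see evidence for.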
GENERAL APPLICATIONS AS A PHYSICAL ACCESS CONTROL AS A MECHANISM FOR LOGICAL ACCESS CONTROL IN LOGICAL ACCESS CONTROL PART OF IDENTIFICATION AND AUTHENTICATION PROCESS
IDENTIFICATION AND AUTHENTICATION (I & A) IN LOGICAL ACCESS CONTROL SOFTWARE, IS ‘THE PROCESS OF PROVING ONE’S IDENTITY’ IDENTIFICATION – MEANS BY WHICH USER PROVIDES CLAIMED IDENTITY HELPS ESTABLISH USER ACCOUNTABILITY FIRST LINE OF DEFENSE SOURCE – CISA REVIEW MANUAL 2003
IDENTIFICATION AND AUTHENTICATION (I & A) IS A TECHNICAL MEASURE THAT PREVENTS UNAUTHORISED PEOPLE (OR UNAUTHORISED PROCESSES) FROM ENTERING A COMPUTER SYSTEM. I & A TECHNIQUES: SOMETHING YOU KNOW – PASSWORD, STATIC PIN; SOMETHING YOU HAVE – TOKEN CARD, PIN GENERATOR; SOMETHING YOU ARE – BIOMETRIC CHARACTERISTIC. SOURCE – CISA REVIEW MANUAL 2003
BIOMETRIC IDENTIFIERS PHYSIOLOGICAL & BEHAVIOURAL FINGERPRINT FINGERVEIN PALM PRINT HAND GEOMETRY
BIOMETRIC IDENTIFIERS IRIS RECOGNITION RETINA RECOGNITION VOICE RECOGNITION SIGNATURE RECOGNITION FACE RECOGNITION
BIOMETRIC IDENTIFIERS KEYSTROKE DYNAMICS DNA? DEBATE, AS NOT PERFORMED BY AN ‘AUTOMATED’ METHOD – BIOMETRICS.GOV GAIT? – IN DEVELOPMENT / PRACTICAL?
FINGER PRINT – SOURCE - NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST), USA.
FINGERPRINT ADVANTAGES MULTIPLE FINGERS! EASY TO USE LOW STORAGE SPACE LARGE EXISTING DATABASES GLOBALLY FOR WATCHLIST CHECKS PROVEN EFFECTIVE OVER TIME DISADVANTAGES PUBLIC PERCEPTIONS – CRIMINAL CONNOTATIONS HEALTH CONCERNS – EBOLA, BIRD FLU AGE, OCCUPATION, WEIGHT GAIN, CUTS (SOURCE – BIOMETRICS.GOV)
IRIS - SOURCE - NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, USA.
IRIS ADVANTAGES NO CONTACT REQUIRED HIGHLY STABLE OVER TIME DISADVANTAGES DIFFICULT TO CAPTURE – FOR SOME, TRAINING EASILY OBSCURED – REFLECTIONS FROM CORNEA, EYELIDS, EYELASHES PUBLIC FEARS OF ‘SCANNING’ THE EYE WITH LIGHT SOURCE – INFRARED LIGHT USED TO ILLUMINATE IRIS – (SOURCE FINDBIOMETRICS.COM) LIMITED EXISTING DATA FOR WATCHLIST CHECKS (SOURCE – BIOMETRICS.GOV)
FACE ADVANTAGES NO CONTACT COMMONLY AVAILABLE SENSORS – CAMERA LARGE AMOUNTS OF EXISTING DATA EASY FOR HUMANS TO VERIFY RESULTS DISADVANTAGES OBSTRUCTION OF IMAGE BY HAIR, GLASSES, HATS. CHANGE OVER TIME (SOURCE – BIOMETRICS.GOV)
VOICE ADVANTAGES PUBLIC ACCEPTANCE NO CONTACT REQUIRED SENSORS COMMON – TELEPHONES, MICROPHONES DISADVANTAGES NOT SUFFICIENTLY DISTINCTIVE OVER LARGE DATABASES (SOURCE – BIOMETRICS.GOV)
DESIRABLE QUALITIES FOR EFFECTIVE BIOMETRIC TRAITS UNIQUENESS THE TWINS CHALLENGE PERMANENCE
BIOMETRIC ENROLLMENT ITERATIVE AVERAGING PROCESS. ACQUIRE BIOMETRIC SAMPLE (PHYSICAL /BEHAVIOURAL). EXTRACT UNIQUE FEATURES FROM SAMPLE FEATURES CONVERTED INTO MATHEMATICAL CODE
BIOMETRIC ENROLLMENT CREATION OF INITIAL ‘TEMPLATE’ – (DIGITAL REPRESENTATION OF THE BIOMETRIC) COMPARISON OF NEW SAMPLES WITH WHAT HAS BEEN STORED DEVELOPING FINAL TEMPLATE ENCRYPTION USE TO IDENTIFY USER (e.g. FINGERPRINT latent v Conventional – SOURCE NIST, BIOMETRICS.GOV)
ADVANTAGES SECURE? CONVENIENT? CANNOT BE STOLEN? CANNOT BE FORGOTTEN DIFFICULT TO FORGE (SOURCE – SMART CARD ALLIANCE)
LIMITATIONS/VULNERABILITIES TEMPLATE SKIMMING NOT ALWAYS ACCURATE – FARs/FRRs – 10% OF POPULATION HAVE WORN/CUT/UNRECOGNISABLE FINGERPRINTS!! – SOURCE BIOMETRIC NEWS PORTAL BIOMETRIC FEATURES MAY ALTER/DEGRADE WITH AGE, DISEASE, WEIGHT GAIN
LIMITATIONS/VULNERABILITIES SECURITY RISKS - CAR THEFT!! VOICE BIOMETRICS – BACKGROUND NOISE STORAGE AND TRANSMISSION QUALITY LOSS
SOLUTIONS MULTIMODAL BIOMETRICS – USE OF MORE THAN ONE BIOMETRIC IDENTIFIER FOR INCREASED ACCURACY COMBINATION OF BIOMETRICS WITH PINS AND TOKENS SMARTCARDS – ICC, MEMORY, STORAGE OF BIOMETRIC TEMPLATES TO AVOID VERIFICATION AT LONG-DISTANCE HOST (SOURCE – VARIOUS)
AUDIT AND CONTROL IMPLICATIONS AUDIT CONTROLS IN MATCHING TEMPLATES GENERATED TO OTHER DATA – CRIMINAL RECORDS, FINANCIAL DEFAULT HISTORIES IS AUDIT GUIDELINE ISACA G36 PRIVACY CONCERNS INTRUSIVENESS OF DATA COLLECTION HEALTH CONCERNS SKILL OF SYSTEM USE BY STAFF ROBUSTNESS OF TECHNOLOGY – RELIABLE COST OF DEPLOYMENT LEGISLATIVE AND REGULATORY COMPLIANCE RESISTANCE TO CHANGE/USE
PRACTICAL CONSIDERATIONS COST–BENEFIT CONSIDERATIONS PRACTICALITY AND EFFICIENCY – AIRPORT QUEUES, VOTING PROCESSES. ACCURACY – FAR, FRR, EER CULTURE – GLOBAL COMPANIES! NON-CO-OPERATION, HEALTH CONCERNS (SOURCE NIST, BIOMETRICS.GOV)
PRACTICAL CONSIDERATIONS WILL IMAGES BE COMPACT ENOUGH FOR EFFECTIVE TRANSMISSION ACROSS NETWORKS WITHOUT DEGRADATION? WILL IMAGES/TEMPLATES BE COMPACT ENOUGH FOR STORAGE ON SMART CARD? INTEROPERABILITY AND STANDARDISATION – IMMIGRATION FACE CAMERA AND FINGER PRINT CAPTURE TO SINGLE APPLICATION/DEVICE (SOURCE NIST)
PRACTICAL CONSIDERATIONS INTEROPERABILITY – ACROSS GOVERNMENT AGENCIES PRIVACY CONCERNS DATA SHARING – ACROSS JURISDICTIONS? LEGAL IMPLICATIONS? DATA STORAGE REQUIREMENTS
QUESTIONS?
REFERENCES
CIO MAGAZINE – http://www.cio.com/article/573113/Using_Biometric_Access_Systems_Dos_and_Don_ts?page=3&taxonomyId=3092
BIOMETRICS.GOV – http://www.biometrics.gov/
CISA REVIEW MANUAL (2003). INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION.
GARTNER IT GLOSSARY – http://www.gartner.com/it-glossary/biometrics/
MULTIMODAL BIOMETRICS – BIOMETRIC NEWS PORTAL – http://www.biometricnewsportal.com/multimodal-biometrics.asp
NEW NIST BIOMETRIC DATA STANDARD ADDS DNA, FOOTMARKS AND ENHANCED FINGERPRINT DESCRIPTIONS – http://www.nist.gov/itl/iad/biometric-120611.cfm
SMART CARDS AND BIOMETRICS – SMART CARD ALLIANCE – http://www.smartcardalliance.org/pages/publications-smart-cards-and-biometrics
IRIS SCANNERS AND RECOGNITION – http://www.findbiometrics.com/iris-recognition/
AN OVERVIEW OF BIOMETRIC RECOGNITION – http://biometrics.cse.msu.edu/info.html
ISACA AUDIT GUIDELINE 36 – BIOMETRICS – http://www.isaca.org/Knowledge-Center/Standards/Pages/IS-Auditing-Guideline-G36-Biometric-Controls.aspx