ISACA KAMPALA CHAPTER
Uploaded by utterlypanoramic (Security), 30 Nov 2013

30th May 2012
Aguma Mpairwe
B.A. (Hons), CISA, CIA, FCCA



- DEFINITIONS
- KEY CONCEPTS
- APPLICATIONS
- KEY CONSIDERATIONS
- POINTS TO NOTE
- QUESTIONS







This presentation has been prepared for educational purposes.

Attribution is made to particular sources of information, which should be re-checked for completeness as content may have been reduced for the sake of brevity.



BIOMETRICS
Automated methods of discovering an individual based on measurable biological and behavioural characteristics. (Source: biometrics.gov)

BIOMETRIC CHARACTERISTIC
A measurable physiological or behavioural trait of a living person, especially one that can be used to determine or verify the identity of a person in access control or criminal forensics. (Source: Gartner Glossary)

"Biometrics for Identification and Screening to Enhance National Security," signed by President Bush on June 5, 2008, establishes a framework to ensure federal departments and agencies use compatible methods and procedures in the collection, storage, use, analysis, and sharing of biometric and associated biographic and contextual information of individuals in a lawful and appropriate manner, while respecting privacy and other legal rights under United States law. (Source: biometrics.gov)





- General physical access control: offices; finger, thumb.
- Internal affairs: immigration, airport; identification of passport holder; finger/palm/face biometric recognition.
- Electoral Commission: voter registration.
- Driving permit: driver recognition.
- Visa application: UK visa.
- Financial services: credit reference bureau (Compuscan); microfinance; ATM (in addition to ATM card/PIN); point of sale terminals; mobile money services (enrollment and identification at cash-out).



CLAIM OF IDENTITY
Statement that a person is or is not the source of a reference in a database; can be positive (in the database), negative (not in the database) or specific ("I am user 123").

COMPARISON
Process of comparing a biometric reference with a previously stored reference to make an identification or verification decision. (Source: biometrics.gov)

ENROLLMENT
Process of collecting a biometric sample from an end user, converting it into a biometric reference and storing it in the database for later comparison.

EQUAL ERROR RATE (EER)
A statistic used to show biometric performance. The lower the EER, the higher the accuracy of the system. (Source: biometrics.gov)




FAILURE TO ACQUIRE
Failure of a biometric system to capture and/or extract usable information from a biometric sample.

FAILURE TO ENROL
Failure of a biometric system to form a proper enrollment reference for an end user (training, sensor quality). (Source: biometrics.gov)

FALSE ACCEPTANCE RATE
The percentage of times a system produces a false accept: an individual is incorrectly matched to another individual's existing biometric (Type II error).

FALSE ALARM RATE
The percentage of times an alarm is incorrectly sounded on an individual who is not in the biometric system's database. (Source: biometrics.gov)

FALSE REJECTION RATE
The percentage of times the system produces a false reject. This occurs when an individual is not matched to his/her own existing biometric template (Type I error).



ALGORITHM
A limited sequence of instructions or steps that tells a computer how to solve a particular problem: image processing, template generation, comparisons, etc. (Source: biometrics.gov)

VERIFICATION
A task where the biometric system attempts to confirm an individual's identity by comparing a submitted sample to one or more previously enrolled templates. Used to confirm that the individual is enrolled and has the claimed authorisations. "Am I who I claim I am?" (e.g. sys admin)

IDENTIFICATION
A task where a biometric system attempts to determine the identity of an individual: a biometric is collected and compared to all templates in the database. "Who am I?" (Sources: Michigan State University article, biometrics.gov)


IDENTIFICATION can be:
- 'Open set': the person is not guaranteed to exist in the database.
- 'Closed set': the person is known to exist in the database.
(Source: biometrics.gov)

FAILURE TO ENROLL RATE (FTER) = number of unsuccessful enrollments / total number of users attempting to enroll.

CROSS-OVER ERROR RATE (CER)
A measure representing the percent at which FRR equals FAR. This is the point on the graph where the FAR and FRR intersect. The cross-over rate indicates a system with good balance over sensitivity and performance. (Source: ISACA)
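Added example, not from the presentation: a FAR/FRR threshold sweep over constructed match scores that locates the cross-over point where FAR equals FRR (the CER/EER), together with the FTER formula from the slide above. The score lists and the enrollment counts are made up for illustration.

```python
# Added example, not from the presentation: FAR/FRR sweep, cross-over error
# rate (CER, the EER) and failure-to-enrol rate (FTER) on constructed data.
from typing import Iterable, List, Tuple

# Constructed match scores on a 0..100 scale; higher means "more similar".
GENUINE = [91, 88, 85, 83, 80, 78, 76, 72, 69, 64]   # users vs their own template
IMPOSTOR = [12, 18, 25, 31, 38, 44, 52, 58, 63, 71]  # users vs someone else's template


def far(impostor: List[int], threshold: int) -> float:
    """False acceptance rate: fraction of impostor comparisons at or above threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine: List[int], threshold: int) -> float:
    """False rejection rate: fraction of genuine comparisons below threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def error_curve(genuine: List[int], impostor: List[int],
                thresholds: Iterable[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) rows: the two curves an EER graph plots."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def crossover(genuine: List[int], impostor: List[int],
              thresholds: Iterable[int]) -> Tuple[int, float]:
    """Threshold where FAR and FRR are closest; their mean there is the CER/EER.
    Raising the threshold lowers FAR and raises FRR, so this is the balance point."""
    best = min(thresholds, key=lambda t: abs(far(impostor, t) - frr(genuine, t)))
    return best, (far(impostor, best) + frr(genuine, best)) / 2


def fter(unsuccessful: int, attempting: int) -> float:
    """FTER = unsuccessful enrollments / total users attempting to enroll."""
    if attempting <= 0:
        raise ValueError("no enrollment attempts")
    return unsuccessful / attempting


if __name__ == "__main__":
    for t, a, r in error_curve(GENUINE, IMPOSTOR, range(50, 81, 5)):
        print(f"threshold {t:3d}  FAR {a:.2f}  FRR {r:.2f}")
    t, eer = crossover(GENUINE, IMPOSTOR, range(0, 101))
    print(f"cross-over at threshold {t}: CER/EER = {eer:.2f}")
    print(f"FTER = {fter(3, 120):.3f}")   # constructed: 3 failures in 120 attempts
```

With these constructed scores the curves meet at threshold 65 with FAR = FRR = 0.1; on real data the operating threshold is then chosen to one side of that point depending on whether false accepts or false rejects cost more.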






- As a physical access control.
- As a mechanism for logical access control.
- In logical access control, part of the identification and authentication process.

Authentication, in logical access control software, is 'the process of proving one's identity'.

IDENTIFICATION
- Means by which a user provides a claimed identity.
- Helps establish user accountability.
- First line of defense.
(Source: CISA Review Manual 2003)

A technical measure that prevents unauthorised people (or unauthorised processes) from entering a computer system.

I & A techniques:
- Something you know: password, static PIN.
- Something you have: token card, PIN generator.
- Something you are: biometric characteristic.
(Source: CISA Review Manual 2003)



PHYSIOLOGICAL & BEHAVIOURAL
- Fingerprint
- Finger vein
- Palm print
- Hand geometry
- Iris recognition
- Retina recognition
- Voice recognition
- Signature recognition
- Face recognition
- Keystroke dynamics
- DNA? Debated, as not performed by an 'automated' method (biometrics.gov)
- Gait? In development / practical??




ADVANTAGES (fingerprint)
- Multiple fingers!
- Easy to use
- Low storage space
- Large existing databases globally for watchlist checks
- Proven effective over time
DISADVANTAGES
- Public perceptions: criminal connotations
- Health concerns: Ebola, bird flu
- Age, occupation, weight gain, cuts
(Source: biometrics.gov)

ADVANTAGES (iris)
- No contact required
- Highly stable over time
DISADVANTAGES
- Difficult to capture: for some, training
- Easily obscured: reflections from cornea, eyelids, eyelashes
- Public fears of 'scanning' the eye with a light source; infrared light is used to illuminate the iris (Source: findbiometrics.com)
- Limited existing data for watchlist checks
(Source: biometrics.gov)

ADVANTAGES (face)
- No contact
- Commonly available sensors: camera
- Large amounts of existing data
- Easy for humans to verify results
DISADVANTAGES
- Obstruction of image by hair, glasses, hats
- Change over time
(Source: biometrics.gov)

ADVANTAGES (voice)
- Public acceptance
- No contact required
- Sensors common: telephones, microphones
DISADVANTAGES
- Not sufficiently distinctive over large databases
(Source: biometrics.gov)




UNIQUENESS
The twins challenge.

PERMANENCE

ITERATIVE AVERAGING PROCESS
- Acquire biometric sample (physical/behavioural).
- Extract unique features from the sample.
- Features converted into mathematical code.
- Creation of initial 'template' (digital representation of the biometric).
- Comparison of new samples with what has been stored.
- Developing the final template.
- Encryption.
- Use to identify the user.
(e.g. fingerprint: latent v conventional. Source: NIST, biometrics.gov)




SECURE?
CONVENIENT?
CANNOT BE STOLEN?
CANNOT BE FORGOTTEN
DIFFICULT TO FORGE
(Source: Smart Card Alliance)

- Template skimming
- Not always accurate: FARs / FRRs
- 10% of the population have worn/cut/unrecognisable fingerprints!! (Source: Biometric Newsportal)
- Biometric features may alter/degrade with age, disease, weight gain
- Security risks: car theft!!
- Voice biometrics: background noise
- Storage and transmission quality loss






MULTIMODAL BIOMETRICS
Use of more than one biometric identifier for increased accuracy.

- Combination of biometrics with PINs and tokens.
- Smartcards: ICC, memory, storage of biometric templates to avoid verification at a long-distance host.
(Source: various)






- Audit controls in matching templates generated to other data: criminal records, financial default histories.
- IS audit guideline ISACA G36.
- Privacy concerns.
- Intrusiveness of data collection.
- Health concerns.
- Skill of system use by staff.
- Robustness of technology: reliability.
- Cost of deployment.
- Legislative and regulatory compliance.
- Resistance to change/use.

COST-BENEFIT CONSIDERATIONS
- Practicality and efficiency: airport queues, voting processes.
- Accuracy: FAR, FRR, EER.
- Culture: global companies! Non-co-operation, health concerns.
(Source: NIST, biometrics.gov)

- Will images be compact enough for effective transmission across networks without degradation?
- Will images/templates be compact enough for storage on a smart card?
- Interoperability and standardisation: immigration face camera and fingerprint capture to a single application/device.
(Source: NIST)

- Interoperability across government agencies.
- Privacy concerns.
- Data sharing across jurisdictions?
- Legal implications?
- Data storage requirements.






QUESTIONS?



- CIO Magazine: http://www.cio.com/article/573113/Using_Biometric_Access_Systems_Dos_and_Don_ts?page=3&taxonomyId=3092
- biometrics.gov: http://www.biometrics.gov/
- CISA Review Manual (2003). Information Systems Audit and Control Association.
- Gartner IT Glossary: http://www.gartner.com/it-glossary/biometrics/
- Multimodal biometrics, Biometric News Portal: http://www.biometricnewsportal.com/multimodal-biometrics.asp
- New NIST biometric data standard adds DNA, footmarks and enhanced fingerprint descriptions: http://www.nist.gov/itl/iad/biometric-120611.cfm
- Smart cards and biometrics, Smart Card Alliance: http://www.smartcardalliance.org/pages/publications-smart-cards-and-biometrics
- Iris scanners and recognition: http://www.findbiometrics.com/iris-recognition/
- An overview of biometric recognition: http://biometrics.cse.msu.edu/info.html
- ISACA Audit Guideline 36, Biometrics: http://www.isaca.org/Knowledge-Center/Standards/Pages/IS-Auditing-Guideline-G36-Biometric-Controls.aspx