BIOMETRICS - PowerPoint PPT Presentation

1 / 41
About This Presentation
Title:

BIOMETRICS

Description:

security risks - car theft ... failure to acquire failure of a biometric system to capture and or extract usable information from a biometric sample failure to ... – PowerPoint PPT presentation

Number of Views:979
Avg rating:3.0/5.0
Slides: 42
Provided by: Tosh404
Learn more at: https://engage.isaca.org
Category:

less

Transcript and Presenter's Notes

Title: BIOMETRICS


1
BIOMETRICS PRACTICAL APPLICATIONS AND
CONSIDERATIONS
  • ISACA KAMPALA CHAPTER
  • 30TH MAY 2012
  • AGUMA MPAIRWE B.A(HONS),CISA,CIA,FCCA.

2
PRESENTATION APPROACH
  • DEFINITIONS
  • KEY CONCEPTS
  • APPLICATIONS
  • KEY CONSIDERATIONS
  • POINTS TO NOTE
  • QUESTIONS

3
TO NOTE
  • THIS PRESENTATION HAS BEEN PREPARED FOR
    EDUCATIONAL PURPOSES.
  • ATTRIBUTION IS MADE TO PARTICULAR SOURCES OF
    INFORMATION WHICH SHOULD BE RE-CHECKED FOR
    COMPLETENESS AS CONTENT MAY HAVE BEEN REDUCED FOR
    THE SAKE OF BREVITY.

4
DEFINITIONS
  • BIOMETRICS AUTOMATED METHODS OF DISCOVERING AN
    INDIVIDUAL BASED ON MEASURABLE BIOLOGICAL AND
    BEHAVIOURAL CHARACTERISTICS (SOURCE- BIOMETRICS
    .GOV)
  • BIOMETRIC CHARACTERISTIC A MEASURABLE
    PHYSIOLOGICAL OR BEHAVIOURAL TRAIT OF A LIVING
    PERSON, ESPECIALLY ONE THAT CAN BE USED TO
    DETERMINE OR VERIFY THE IDENTITY OF A PERSON IN
    ACCESS CONTROL OR CRIMINAL FORENSICS.
    (SOURCE-GARTNER GLOSSARY)

5
HOMELAND SECURITY PRESIDENTIAL DIRECTIVE (HSPD)
24
  • BIOMETRICS FOR IDENTIFICATION AND SCREENING TO
    ENHANCE NATIONAL SECURITY,
  • SIGNED BY PRESIDENT BUSH ON JUNE 5, 2008.
  • ESTABLISHES A FRAMEWORK TO ENSURE FEDERAL
    DEPARTMENTS AND AGENCIES USE COMPATIBLE METHODS
    AND PROCEDURES IN THE COLLECTION, STORAGE, USE,
    ANALYSIS, AND SHARING OF BIOMETRIC AND ASSOCIATED
    BIOGRAPHIC AND CONTEXTUAL INFORMATION OF
    INDIVIDUALS IN A LAWFUL AND APPROPRIATE MANNER,
    WHILE RESPECTING PRIVACY AND OTHER LEGAL RIGHTS
    UNDER UNITED STATES LAW.
  • (SOURCE BIOMETRICS.GOV)

6
APPLICATIONS - UGANDA
  • GENERAL PHYSICAL ACCESS CONTROL OFFICES,
    FINGER,THUMB.
  • INTERNAL AFFAIRS IMMIGRATION, AIRPORT
    IDENTIFICATION OF PASSPORTHOLDER
    FINGER/PALM/FACE BIOMETRIC RECOGNITION.
  • ELECTORAL COMMISSION VOTER REGISTRATION.
  • DRIVING PERMIT DRIVER RECOGNITION.
  • .

7
APPLICATIONS - UGANDA
  • VISA APPLICATION UK VISA.
  • FINANCIAL SERVICES
  • CREDIT REFERENCE BUREAU COMPUSCAN
  • MICROFINANCE
  • ATM IN ADDITION TO ATM CARD/PIN
  • POINT OF SALES TERMINALS
  • MOBILE MONEY SERVICES - ENROLLMENT AND
    IDENTIFICATION AT CASHOUT

8
KEY CONCEPTS
  • CLAIM OF IDENTITY STATEMENT THAT A PERSON IS OR
    IS NOT THE SOURCE OF A REFERENCE IN A DATABASE,
    CAN BE POSITIVE (IN THE DATABASE), NEGATIVE (NOT
    IN THE DATABASE) OR SPECIFIC (I AM USER 123).
  • COMPARISION PROCESS OF COMPARING A BIOMETRIC
    REFERENCE WITH A PREVIOUSLY STORED REFERENCE TO
    MAKE AN IDENTIFICATION OR VERIFICATION DECISION.
  • (SOURCE BIOMETRICS.GOV)

9
KEY CONCEPTS
  • ENROLLMENT PROCESS OF COLLECTING A BIOMETRIC
    SAMPLE FROM AN END USER, CONVERTING IT INTO A
    BIOMETRIC REFERENCE AND STORING IT IN THE
    DATABASE FOR LATER COMPARISION.
  • EQUAL ERROR RATE (EER) A STATISTIC USED TO SHOW
    BIOMETRIC PERFORMANCE. THE LOWER THE EER, THE
    HIGHER THE ACCURACCY OF THE SYSTEM.
  • (SOURCE BIOMETRICS.GOV)

10
KEY CONCEPTS
  • FAILURE TO ACQUIRE FAILURE OF A BIOMETRIC
    SYSTEM TO CAPTURE AND OR EXTRACT USABLE
    INFORMATION FROM A BIOMETRIC SAMPLE
  • FAILURE TO ENROL FAILURE OF A BIOMETRIC SYSTEM
    TO FORM A PROPER ENROLLMENT REFERENCE FOR AN END
    USER (TRAINING, SENSOR QUALITY).
  • (SOURCE BIOMETRICS.GOV)

11
KEY CONCEPTS
  • FALSE ACCEPTANCE RATE THE PERCENTAGE OF TIMES A
    SYSTEM PRODUCES A FALSE ACCEPT AN INDIVIDUAL IS
    INCORRECTLY MATCHED TO ANOTHER INDIVIDUALS
    EXISTING BIOMETRIC. T2
  • FALSE ALARM RATE THE PERCENTAGE OF TIMES AN
    ALARM IS INCORRECTLY SOUNDED ON AN INDIVIDUAL
    WHO IS NOT IN THE BIOMETRIC SYSTEMS DATABASE
  • (SOURCE BIOMETRICS.GOV)

12
KEY CONCEPTS
  • FALSE REJECTION RATE THE PRECENTAGE OF TIMES
    THE SYSTEM PRODUCES A FALSE REJECT. THIS OCCURS
    WHEN AN INDIVIDUAL IS NOT MATCHED TO HIS/HER OWN
    EXISTING BIOMETRIC TEMPLATE. T1
  • ALGORITHM A LIMITED SEQUENCE OF INSTRUCTIONS OR
    STEPS THAT TELLS A COMPUTER HOW TO SOLVE A
    PARTICULAR PROBLEM IMAGE PROCESSING, TEMPLATE
    GENERATION, COMPARISIONS E.T.C
  • (SOURCE BIOMETRICS.GOV)

13
KEY CONCEPTS
  • VERIFICATION A TASK WHERE BIOMETRIC SYSTEM
    ATTEMPTS TO CONFIRM AN INDIVIDUALS IDENTITY BY
    COMPARING A SUBMITTED SAMPLE TO ONE OR MORE
    PREVIOUSLY ENROLLED TEMPLATES USED TO CONFIRM
    THAT INDIVIDUAL IS ENROLLED AND HAS CLAIMED
    AUTHORISATIONS
  • AM I WHO I CLAIM I AM ? SYS ADMIN
  • IDENTIFICATION A TASK WHERE A BIOMETRIC SYSTEM
    ATTEMPTS TO DETERMINE THE IDENTITY OF AN
    INDIVIDUAL, A BIOMETRIC IS COLLECTED AND COMPARED
    TO ALL TEMPLATES IN THE DATABASE WHO AM I ? -
  • SOURCES (MICHIGAN STATE UNIVERSITY ARTICLE,
    BIOMETRICS .GOV)

14
KEY CONCEPTS
  • IDENTIFICATION CAN BE
  • OPEN SET PERSON NOT GUARANTEED TO EXIST IN
    THE DATABASE
  • CLOSED SET PERSON IS KNOWN TO EXIST IN THE
    DATABASE
  • (SOURCE BIOMETRICS.GOV)

15
KEY CONCEPTS
  • FAILURE TO ENROLL RATE (FTER) NUMBER OF
    UNSUCCESSFUL ENROLLMENTS/TOTAL NUMBER OF USERS
    ATTEMPTING TO ENROLL.
  • CROSS-OVER ERROR RATE (CER)A MEASURE
    REPRESENTING THE PERCENT AT WHICH FRR EQUALS FAR.
    THIS IS THE POINT ON THE GRAPH WHERE THE FAR AND
    FRR INTERSECT.
  • THE CROSS-OVER RATE INDICATES A SYSTEM WITH GOOD
    BALANCE OVER SENSITIVITY AND PERFORMANCE.
  • (SOURCE ISACA)

16
FAR, FRR, CER COMPARISIONS SOURCE - ISACA
17
GENERAL APPLICATIONS
  • AS A PHYSICAL ACCESS CONTROL
  • AS A MECHANISM FOR LOGICAL ACCESS CONTROL
  • IN LOGICAL ACCESS CONTROL PART OF IDENTIFICATION
    AND AUTHENTICATION PROCESS

18
IDENTIFICATION AND AUTHENTICATION (I A)
  • IN LOGICAL ACCESS CONTROL SOFTWARE, IS THE
    PROCESS OF PROVING ONES IDENTITY
  • IDENTIFICATION MEANS BY WHICH USER PROVIDES
    CLAIMED IDENTITY
  • HELPS ESTABLISH USER ACCOUNTABILITY
  • FIRST LINE OF DEFENSE
  • SOURCE CISA REVIEW MANUAL 2003

19
IDENTIFICATION AND AUTHENTICATION (I A)
  • IS A TECHNICAL MEASURE THAT PREVENTS UNAUTHORISED
    PEOPLE (OR UNAUTHORISED PROCESSES) FROM ENTERING
    A COMPUTER SYSTEM
  • I A TECHNIQUES
  • SOMETHING YOU KNOW PASSWORD, STATIC PIN
  • SOMETHING YOU HAVE TOKEN CARD, PIN GENERATOR
  • SOMETHING YOU ARE BIOMETRIC CHARACTERISTIC
  • SOURCE CISA REVIEW MANUAL 2003

20
BIOMETRIC IDENTIFIERS
  • PHYSIOLOGICAL BEHAVIOURAL
  • FINGERPRINT
  • FINGERVEIN
  • PALM PRINT
  • HAND GEOMETRY

21
BIOMETRIC IDENTIFIERS
  • IRIS RECOGNITION
  • RETINA RECOGNITION
  • VOICE RECOGNITION
  • SIGNATURE RECOGNITION
  • FACE RECOGNITION

22
BIOMETRIC IDENTIFIERS
  • KEYSTROKE DYNAMICS
  • DNA ? DEBATE, AS NOT PERFORMED BY AN AUTOMATED
    METHOD-BIOMETRICS.GOV
  • GAIT ? IN DEVELOPMENT / PRACTICAL ??

23
FINGER PRINT SOURCE - NATIONAL INSTITUTE OF
STANDARDS AND TECHNOLOGY (NIST), USA.
24
FINGERPRINT
  • ADVANTAGES
  • MULTIPLE FINGERS!
  • EASY TO USE
  • LOW STORAGE SPACE
  • LARGE EXISTING DATABASES GLOBALLY FOR WATCHLIST
    CHECKS
  • PROVEN EFFECTIVE OVER TIME
  • DISADVANTAGES
  • PUBLIC PERCEPTIONS CRIMINAL CONNOTATIONS
  • HEALTH CONCERNS EBOLA, BIRD FLU
  • AGE, OCCUPATION, WEIGHT GAIN, CUTS
  • (SOURCE BIOMETRICS.GOV)

25
IRIS - SOURCE - NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY, USA.
26
IRIS
  • ADVANTAGES
  • NO CONTACT REQUIRED
  • HIGHLY STABLE OVER TIME
  • DISADVANTAGES
  • DIFFICULT TO CAPTURE- FOR SOME , TRAINING
  • EASILY OBSCURED REFLECTIONS FROM CORNEA,
    EYELIDS, EYELASHES
  • PUBLIC FEARS OF SCANNING THE EYE WITH LIGHT
    SOURCE INFRARED LIGHT USED TO ILLUMINATE IRIS
    (SOURCE FINDBIOMETRICS .COM)
  • LIMITED EXISTING DATA FOR WATCHLIST CHECKS
  • (SOURCE BIOMETRICS.GOV)

27
FACE
  • ADVANTAGES
  • NO CONTACT
  • COMMONLY AVAILABLE SENSORS CAMERA
  • LARGE AMOUNTS OF EXISTING DATA
  • EASY FOR HUMANS TO VERIFY RESULTS
  • DISADVANTAGES
  • OBSTRUCTION OF IMAGE BY HAIR, GLASSES, HATS.
  • CHANGE OVER TIME
  • (SOURCE BIOMETRICS.GOV)

28
VOICE
  • ADVANTAGES
  • PUBLIC ACCEPTANCE
  • NO CONTACT REQUIRED
  • SENSORS COMMON TELEPHONES, MICROPHONES
  • DISADVANTAGES
  • NOT SUFFICIENTLY DISTINCTIVE OVER LARGE DATABASES
  • (SOURCE BIOMETRICS.GOV)

29
DESIRABLE QUALITIES FOR EFFECTIVE BIOMETRIC TRAITS
  • UNIQUENESS
  • THE TWINS CHALLENGE
  • PERMANENCE

30
BIOMETRIC ENROLLMENT
  • ITERATIVE AVERAGING PROCESS.
  • ACQUIRE BIOMETRIC SAMPLE (PHYSICAL /BEHAVIOURAL).
  • EXTRACT UNIQUE FEATURES FROM SAMPLE
  • FEATURES CONVERTED INTO MATHEMATICAL CODE

31
BIOMETRIC ENROLLMENT
  • CREATION OF INITIAL TEMPLATE (DIGITAL
    REPRESENTATION OF THE BIOMETRIC)
  • COMPARISION OF NEW SAMPLES WITH WHAT HAS BEEN
    STORED
  • DEVELOPING FINAL TEMPLATE
  • ENCRYPTION
  • USE TO IDENTIFY USER
  • (e.g. FINGERPRINT latent v Conventional Source
    NIST, BIOMETROCS.GOV)

32
ADVANTAGES
  • SECURE ?
  • CONVINIENT ?
  • CANNOT BE STOLEN ?
  • CANNOT BE FORGOTTEN
  • DIFFICULT TO FORGE
  • (SOURCE SMARTCARDALLIANCE)

33
LIMITATIONS/VULNERABILITIES
  • TEMPLATE SKIMMING
  • NOT ALWAYS ACCURATE - FARs/ FRRs
  • 10 OF POPULATION HAVE WORN/CUT/UNRECOGNISABLE
    FINGERPRINTS!! SOURCE BIOMETRIC NEWSPORTAL
  • BIOMETRIC FEATURES MAY ALTER DEGRADE WITH AGE,
    DISEASE, WEIGHT GAIN

34
LIMITATIONS/VULNERABILITIES
  • SECURITY RISKS - CAR THEFT!!
  • VOICE BIOMETRICS BACKGROUND NOISE
  • STORAGE AND TRANSMISSION QUALITY LOSS

35
SOLUTIONS
  • MULTIMODAL BIOMETRICS USE OF MORE THAN ONE
    BIOMETRIC IDENTIFIER FOR INCREASED ACCURACCY
  • COMBINATION OF BIOMETRICS WITH PINS AND TOKENS
  • SMARTCARDS ICC, MEMORY, STORAGE OF BIOMETRIC
    TEMPLATES TO AVOID VERIFICATION AT LONG DISTANCE
    HOST
  • (SOURCE VARIOUS)

36
AUDIT AND CONTROL IMPLICATIONS
  • AUDIT CONTROLS IN MATCHING TEMPLATES GENERATED TO
    OTHER DATA CRIMINAL RECORDS, FINANCIAL DEFAULT
    HISTORIES
  • IS AUDIT GUIDELINE ISACA G36
  • PRIVACY CONCERNS
  • INTRUSIVENESS OF DATA COLLECTION
  • HEALTH CONCERNS
  • SKILL OF SYSTEM USE BY STAFF
  • ROBUSTNESS OF TECHNOLOGY RELIABLE
  • COST OF DEPLOYMENT
  • LEGISLATIVE AND REGULATORY COMPLIANCE
  • RESISTANCE TO CHANGE/USE

37
PRACTICAL CONSIDERATIONS
  • COST BENEFIT CONSIDERATIONS
  • PRACTICALITY AND EFFICIENCY AIRPORT QUEUES,
    VOTING PROCESSES.
  • ACCURACCY FAR, FRR, EER
  • CULTURE GLOBAL COMPANIES!
  • NON-CO-OPERATION, HEALTH CONCERNS
  • (SOURCE NIST, BIOMETRICS.GOV)

38
PRACTICAL CONSIDERATIONS
  • WILL IMAGES BE COMPACT ENOUGH FOR EFFECTIVE
    TRANSMISSION ACROSS NETWORKS WITHOUT DEGRADATION?
  • WILL IMAGES/TEMPLATES BE COMPACT ENOUGH FOR
    STORAGE ON SMART CARD?
  • INTEROPERABILITY AND STANDARDISATION
    IMMIGRATION FACE CAMERA AND FINGER PRINT CAPTURE
    TO SINGLE APPLICATION/DEVICE
  • (SOURCE NIST)

39
PRACTICAL CONSIDERATIONS
  • INTEROPERABILITY ACROSS GOVERNMENT AGENCIES
  • PRIVACY CONCERNS
  • DATA SHARING - ACROSS JURISDICTIONS ?
  • LEGAL IMPLICATIONS ?
  • DATA STORAGE REQUIREMENTS

40
.
  • QUESTIONS?

41
REFERENCES
  • CIO MAGAZINE - http//www.cio.com/article/573113/U
    sing_Biometric_Access_Systems_Dos_and_Don_ts?page
    3taxonomyId3092
  • BIOMETRICS.GOV http//www.biometrics.gov/
  • 2003 CISA REVIEW MANUAL (2003). INFORMATION
    SYSTEMS AUDIT AND CONTROL ASSOSCIATION.
  • GARTNER IT GLOSSARY - http//www.gartner.com/it-gl
    ossary/biometrics/
  • MULTIMODAL BIOMETRICS BIOMETRIC NEWS PORTAL
    http//www.biometricnewsportal.com/multimodal-biom
    etrics.asp
  • NEW NIST BIOMETRIC DATA STANDARD ADDS DNA,
    FOOTMARKS AND ENHANCED FINGERPRINT DESCRIPTIONS-
    http//www.nist.gov/itl/iad/biometric-120611.cfm
  • SMARTCARD AND BIOMETRICS - SMARTCARD ALLIANCE
    http//www.smartcardalliance.org/pages/publication
    s-smart-cards-and-biometrics
  • IRIS SCANNERS AND RECOGNITION
    http//www.findbiometrics.com/iris-recognition/
  • AN OVERVIEW OF BIOMETRIC RECOGNITION
    http//biometrics.cse.msu.edu/info.html
  • ISACA AUDIT GUIDELINE 36 BIOMETRICS
    http//www.isaca.org/Knowledge-Center/Standards/Pa
    ges/IS-Auditing-Guideline-G36-Biometric-Controls.a
    spx
Write a Comment
User Comments (0)
About PowerShow.com