Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
5/17/13 InfoSec Institute Resources – Chapter 12 – Applications of Biometrics
resources.infosecinstitute.com/chapter-12-applications-of-biometrics/ 1/14
InfoSec InstituteInfoSec ResourcesIntense School
General SecurityGeneral Security
Chapter 12 – Applications of Biometrics 00
Tom OlzakTom Olzak November 12, 2012November 12, 2012
Passwords are not secure and are useless as an access control… at least that is what many vendors and security
consultants try to tell managers today. Instead, these purveyors of change claim that biometrics solves all
password issues and improves productivity. While this is partially true, it falls short of reality.
Like all controls, whether or not you implement biometrics is a business decision. It is a decision based on data
classifications, operating environments, available budget, and opportunity costs. In this chapter, we see how to
meet these challenges by understanding the advantages and disadvantages of biometrics in general. We also
look at these same characteristics associated with specific types of biometrics solutions; no one solution fits all
implementations across businesses or across all operations in a single business.
Why Biometrics: The Business Case
An organization typically implements biometrics for one or both of two reasons: to strengthen access control for
one or more systems or to improve employee productivity (Olzak, 2011). If you cannot make a business case for
either of these outcomes, you should probably just stick with passwords.
Strengthening Authentication
To review, authentication is the process of verifying and accepting an identity; it provides an acceptable level of
probability that a subject is who or what it says it is. The level of acceptability depends on external and internal
concerns.
External concerns
External concerns include regulatory mandates, ethical perceptions, and the direction the courts are moving in
assigning liability. Regulations that affect your decision about biometrics include HIPAA, GLBA, and other federal,
state, and local legislation that either provides exact standards or strong recommendations for authentication
strength. More information about relevant regulations is covered in Chapter 1.
Ethics is a moving target: one that differs between time, place, target market, and organization. In general,
however, ethics is concerned with “values relating to human conduct, with respect to the rightness and
wrongness of certain actions and to the goodness and badness of the motives and ends of such actions” (“Ethics,”
2012). Because ethics vary across affected entities, an organization must “tune in” to what its investors,
customers, and the public consider good-enough security, including access control.
Finally, court decisions tend to determine or reflect social norms (Cooter, 1998). Organizations should
understand how the courts and juries, and therefore the public, tend to view what is and is not enough security.
For example, an organization might implement RBAC and enforce separation of duties, least privilege, and
need-to-know with user IDs and passwords. However, management might find after the inevitable breach that
its customers feel more access control measures should have been used.
Internal concerns
Once we understand the external forces affecting access control decisions, we apply those when performing
our access control risk analysis. In Chapter 2, I described the risk analysis process. Analysis outcomes include
levels of risk associated with your network, systems, and endpoint devices. When attempting to mitigate
identified risks, we use attack trees to locate points of control. In some cases, the best way to block an attack
path is to lock systems and data behind strong authentication.
Problems with Passwords
We looked at problems with passwords in Chapter 11. We also assessed the value of adding biometrics to
SearchSearchHOMEHOME CATEGORIESCATEGORIES IT CERTIFICATIONSIT CERTIFICATIONS CONTRIBUTORSCONTRIBUTORS CONTACT USCONTACT US STUDENT PAPERSSTUDENT PAPERS
5/17/13 InfoSec Institute Resources – Chapter 12 – Applications of Biometrics
resources.infosecinstitute.com/chapter-12-applications-of-biometrics/ 2/14
existing password solutions. As we explore in this chapter, biometrics are not always stronger than passwords.
Rather, they tend to strengthen overall human access controls. Selecting the right biometrics solution requires
understanding the strengths and weaknesses of each technology and whether it provides more, less, or the
same protection as the under-siege password.
Biometrics Defined
Biometrics is used to verify, at an acceptable level of probability, that a subject is who or what it claims to be. It
uses something you are, and requires the same outcome we expect from solutions that use what you know or
what you have. The difference is the expectation that a criminal cannot steal or copy physical characteristics of
human subjects used in biometrics technology. As we see later, this is sometimes a misplaced expectation.
Approaches
Biometrics solutions use a variety of physical characteristics: some are more secure than others. In the following
sections, we explore solutions that focus on recognizing the following physical characteristics:
Fingerprints
Facial structure
Iris patterns
Vein patterns
Voice
Typing behavior
This is not a complete list of all characteristics used by all available solutions. For example, retinal scans are
noticeably absent. However, what you learn as we examine the challenges facing implementation of the listed
technologies also apply to those I do not address.
How it Works
The process of using biometrics includes enrollment, enrollment storage and management, scanning,
verification, and object integration. See Figure 12-1 (Olzak, 2011, p. 6).
Want to learn more?? The InfoSec Institute CISSP Training course trains andprepares you to pass the premier security certification, the CISSP. Professionalsthat hold the CISSP have demonstrated that they have deep knowledge of all 10Common Body of Knowledge Domains, and have the necessary skills to provideleadership in the creation and operational duties of enterprise wide informationsecurity programs.
InfoSec Institute's proprietary CISSP certification courseware materials are alwaysup to date and synchronized with the latest ISC2 exam objectives. Our industryleading course curriculum combined with our award-winning CISSP trainingprovided by expert instructors delivers the platform you need in order to pass theCISSP exam with flying colors. You will leave the InfoSec Institute CISSPBoot Camp with the knowledge and domain expertise to successfullypass the CISSP exam the first time you take it. Some benefits of the CISSPBoot Camp are:
Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
We have cultivated a strong reputation for getting at the secrets of the CISSPcertification exam
Our materials are always updated with the latest information on the examobjectives: This is NOT a Common Body of Knowledge review-it is intense,successful preparation for CISSP certification.
We focus on preparing you for the CISSP certification exam through drillsessions, review of the entire Common Body of Knowledge, and practicalquestion and answer scenarios, all following a high-energy seminarapproach.
VIEW CISSP TRAININGVIEW CISSP TRAINING
Step 1 : When an employee reports on day one, the biometrics system administrator completes his
enrollment in the biometrics solution. This begins with the administrator supervising collection of one
5/17/13 InfoSec Institute Resources – Chapter 12 – Applications of Biometrics
resources.infosecinstitute.com/chapter-12-applications-of-biometrics/ 3/14
or more biological characteristics, using a sensor connected to the biometrics enrollment application.
Step 2 : The enrollment application creates a reference template. This consists of a numeric
representation of the characteristics collected.
Step 3 : The reference template is connected to the user’s ID and stored in a database.
Figure 12- 1 : Biometrics Enrol lment
After initial orientation, when the user sits at his desk to begin work, the biometrics authentication application
requires him to provide the characteristics collected during enrollment. See Figure 12-2 (Olzak, 2011, p. 6).
Figure 12- 2 : Biometrics Verif ication
Step 1 : User uses biometrics sensor to supply the measured physical characteristic.
Step 2 : The biometrics software translates the collected user characteristics into a trial template.
Step 3 : The trial template and user ID is sent to the verification algorithm.
Step 4 : The verification algorithm sends a request to the database for the stored reference template
associated with the provided user ID.
Step 5 : Once the reference template is returned, it is compared with the trial template.
5/17/13 InfoSec Institute Resources – Chapter 12 – Applications of Biometrics
resources.infosecinstitute.com/chapter-12-applications-of-biometrics/ 4/14
Step 6 : If the templates match within a reasonable margin of probability (as defined by the
organization and set by the administrator), access is granted to all applications integrated with the sign-
on solution used.
Evaluating Biometrics
All biometrics are not the same. Each approach has advantages and disadvantages that make careful analysis
necessary to select the right solution for each access control challenge. Before examining selected biometrics
technology, let us look at the biometrics challenges facing your implementation decision, including:
Forgery
Enrollment risks
Data store contamination
Business continuity
Accuracy
Environmental conditions
User acceptance
Forgery
Forging biological characteristics is easy for some body parts and difficult for others. For example, it is relatively
easy to obtain a fingerprint impression that works in many fingerprint recognition systems. This makes fingerprint
authentication a good candidate for only one part of a multi-factor authentication approach. Other characteristics
are not so easy to forge. Vein scans are very difficult to forge. As we step through the various approaches, it
becomes clear that the level of risk you define in your risk assessment
dictates your selection of what physical characteristic you use for identity verification.
Enrollment Risks
“Enrollment is both a management issue and a security risk” (Olzak, 2011, p. 7). When new employees report for
work, managers expect them quickly to be productive. This does not happen if it takes a day or two to enroll
users in one or more biometrics systems. It frustrates users and alienates management: something we try to
avoid if we expect successful biometrics projects.
Security risks include errors from poor enrollment processes or poor vendor solutions. Remember, the physical
characteristic measured is converted into a reference template. If the reference template is faulty, even
marginally so, the error rates at time of login increase. Again, this frustrates users and managers and negatively
affects productivity. Further, information is often more vulnerable at the point of input. Consequently, use
…least privilege to ensure the administrator is allowed only to perform enrollment actions; need-to-
know to allow access only to see what is absolutely necessary for enrollment; and segregation of
duties to validate that the documented process is followed and logs do not contain evidence of
questionable behavior (Olzak, 2011, p. 7).
Data Store Contamination
Once the reference templates reach a database, the context in which the database operates, how software
accesses the templates, and other attack surface considerations determine the risk of attackers stealing or
replacing stored templates. Attackers in possession of stolen reference templates, for example, can
compromise a system in one of two ways: replaying the template to the verification algorithm to gain access or
by possibly creating physical forgery of the characteristic measured (Bindha & Natarajan, 2012). We reviewed
attack surface mitigation in previous chapters. In addition to taking reasonable appropriate steps to eliminate
gaps in your overall security framework, follow vendor-supplied security configurations to hardened template
data stores.
Business Continuity
Imagine running an enterprise on a single Active Directory domain controller. If that DC fails, no one can
authenticate; the business stops. So no responsible administrator center configures just one DC. Biometrics
solutions require the same redundancy if they play a mandatory role in authentication. However, redundancy of
all components is not usually possible.
What happens if a fingerprint sensor fails at a nurse’s station? If the only way nurses can authenticate is via the
sensor, health care is significantly affected. Relying on a single sensor to authenticate is not a good idea when
critical business processes are involved. Consider having workarounds to support the sensors or spare sensors on
the shelf for quick replacement. Whether you choose a workaround or equipment swap approach depends on
the business impact resulting from locking users out.
5/17/13 InfoSec Institute Resources – Chapter 12 – Applications of Biometrics
resources.infosecinstitute.com/chapter-12-applications-of-biometrics/ 5/14
Accuracy
Not all biometrics sensors are made the same, causing identity verification error rates to vary. We measure
sensor errors in two ways: false acceptance rate (FAR) and false rejection rate (FRR). When a person who did not
go through enrollment presents the measured characteristic to a sensor, and the sensor verifies the person as an
authorized user, this is a false acceptance error. On the other hand, if an enrolled employee characteristic is
scanned and the biometrics system fails to verify her identity, this is a false rejection error. We want both FAR
and FRR as low as possible.
Balancing FAR and FRR is not always a simple process. Figure 12-3 shows how they relate to each other. It also
introduces a new measure of biometrics accuracy: crossover error rate (CER). As FAR increases, FRR decreases,
and the reverse is true. The point at which they are both equal is the CER. For many organizations, setting a
system to meet the CER is a good idea. It is a balance between false acceptance and false rejection. However,
conditions sometimes exist that require setting one error rate higher than the other.
For example, an organization might install time clocks requiring a fingerprint scan to clock in or out. In many
cases, the sensor’s rejection rate is far too high to enable managing a line of employees coming in at the last
minute. In these cases, management will likely tune the sensor/system to result in a high FRR. This allows fast
movement of the employee line, with increased risk of an unauthorized person clocking in. In my experience,
the improved results are worth the risk in this situation. In other situations, FAR might be unacceptable due to
the value of protected assets. Consequently, FAR is turned as low as possible and FRR increases significantly.
The loss in speed of accessibility is traded for increased security. How you adjust your sensors/systems depends
on the risks identified during risk assessments.
Figure 12- 3 : Biometrics Error Rate Relationships (Olzak, 2011)
Environmental Conditions
Error rates are not just caused by inherent characteristics of a vendor’s sensor and algorithm designs;
environmental factors also play a role. For example, placing a fingerprint reader on the manufacturing floor,
where soiled fingers and airborne contaminants settle on everything, significantly affects error rates. It could be
that the environment you assess is unsuitable for any biometrics solution. Trying to fit the proverbial round peg
into a square hole will not achieve the results you expect.
User and Management Acceptance
Biometrics projects can fail for any of the reasons listed here, but two of the biggest reasons they fail are user
rejection and loss of management support. Selection of the right solutions combined with user education is
critical for success.
User fear/frustration
Four user acceptance challenges face biometrics implementers (Brandel, 2010):
Users often believe the company is collecting and storing information about one or more of their
physical characteristics. Management must explain what is collected, how it is used, and provide
sufficient evidence that appropriate steps are taken to protect reference templates. Otherwise, users
might refuse to use the system. This can be a huge challenge if, for example, their labor union steps in.
Cultural norms vary from country to country. They strongly affect what individuals or groups see as
acceptable. Organizations must ensure employees have no norms conflicting with body part scanning. A
5/17/13 InfoSec Institute Resources – Chapter 12 – Applications of Biometrics
resources.infosecinstitute.com/chapter-12-applications-of-biometrics/ 6/14
little research and care in selecting a solution helps meet this challenge.
People still commonly believe companies might use scans of certain physical characteristics to
determine whether an employee is insurable, employable long-term, etc. The same management
activities described in the first bullet apply here. The worst thing management can do is ignore concerns
and force compliance with, “You have to because I said so.”
High levels of frustration arise when the solution selected hinders productivity or causes more work for
employees. It is not just management who will storm your office if you deploy additional hindrances to
daily processes. In some cases, you can even streamline the identity verification process.
O’Leary (2008) writes, “User acceptance of the access control device is one of the most critical factors in the
success of a biometric-based implementation” (p. 52). Keep this in mind as you design your biometrics solutions,
or you are sure to face a high risk of project failure.
Management acceptance
Obviously, C-level management wants the system installed to work as expected. It wants security
commensurate with that necessary to reduce risk to levels they expect. However, they do not have to live with
the daily operational impact of a biometrics solution. This falls on the shoulders of first line managers.
Biometrics can hinder, aid, or do neither of these. For example, a biometrics device unsuited for the
environment in which IT places it can cause decreased production due to login time increases. Or the proper
device placed at a nurse’s station can enable quick access to health care stations, eliminating the need to enter a
password. The impact on productivity or customer/patient experience plays a large role in management
acceptance. Anything that helps a manager reach business objectives is enthusiastically received. That which
hinders reaching objectives is strongly resisted. Without management support, getting overall employee
support is nearly impossible (Heathfield, 2012).
Selecting the Right Solution
The rest of this chapter describes various types of biometrics solutions. No one solution fits all access control
challenges. In fact, you might find yourself implementing one type in the office and another in the warehouse.
The previous section provides enough information to know what questions to ask. Your budget, risk assessment
results, and operating environments determine the answers.
Fingerprint Recognition
When most people hear the term biometrics, they immediately envision finger scan. This makes sense
considering how many times we run into these sensors. For example, I gain access to my gym by entering my
phone number and presenting one of my index fingers to a fingerprint sensor. In addition, an increasing number
of organizations use fingerprint scans to enable users to clock in and clock out. But while fingerprint biometrics
is ubiquitous, it is not always a good choice.
How it works
When my finger is scanned at the gym, the sensor picks up a set of characteristics like those shown in Figure 12-
4. Although what is scanned and how it is scanned might differ between vendors, the basic process is the same.
An algorithm converts the scanned information into a value—the reference or trial template. Consequently, no
actual print is stored, only a numeric value representing the print.
Figure 12- 4 : Common Fingerprint Characteristics (Rosistem, n.d. )
Advantages
5/17/13 InfoSec Institute Resources – Chapter 12 – Applications of Biometrics
resources.infosecinstitute.com/chapter-12-applications-of-biometrics/ 7/14
Probably the biggest advantage is the number of solutions available. Fingerprint scanning has been around for
years, and users commonly encounter them. The cost of fingerprint sensors is relatively low when compared to
other types of biometrics. However, the negatives can quickly overwhelm the positives.
Disadvantages
Two big disadvantages haunt fingerprint biometrics: ease of forgery and sensitivity to environmental factors.
Fingerprint forgery can be very easy, depending on the access control system used. Congdon (2010) writes,
Fingerprints are something everyone leaves behind, and they can be copied by forgers using simple
household items like scotch tape or gummy bears. In fact, tests have shown that fingerprints left on
gummy bears are effective at fooling many fingerprint scanners (Types of Biometric Technologies,
para. 1).
No, attackers do not go around with bags of gummy bears just waiting to pounce on latent prints. This is simply
an example of what is possible.
In addition to forgery, many (if not all) fingerprint solutions are particularly sensitive to environmental
conditions. Soiled hands, surgical gloves, and airborne contaminants are examples of workplace challenges
facing IT project teams as they look for the right product.
Facial Recognition
Many computers today ship with software that uses a laptop or other camera to capture an image of the user’s
face. This image is converted into a reference template during enrollment. It is fast, relatively inexpensive, and
very difficult to forge.
How it works
Capturing characteristics requires the algorithm to recognize a face in the camera image. Current solutions
typically use a database of general face shapes to separate a face from other objects in the camera’s view. Once
a face is located, the system identifies and measures nodal points. Figure 12-5 shows some of these points.
Figure 12- 5 : Facial Points of Measurement (questbiometrics. com)
The human face possesses about 80 nodal points (Bonsor & Johnson, 2012, p. 2), including:
Distance between the eyes
Width of the nose
Depth of the eye sockets
The shape of the cheekbones
The length of the jaw line
Advantages
Since users do not come into contact with the sensor, facial recognition is often a more acceptable approach
than contact-based biometrics. And unlike retinal scans, no beams of light enter the eyes. In fact, facial
recognition without employee action is possible. Further, the cost is often much lower than solutions requiring a
separate sensor for collection of physical characteristics because many computers and laptops today come with
cameras. For those that do not, the cost of a camera is usually much less than that of other types of sensors.
5/17/13 InfoSec Institute Resources – Chapter 12 – Applications of Biometrics
resources.infosecinstitute.com/chapter-12-applications-of-biometrics/ 8/14
Finally, it is very difficult to forge a face. Photos do not work.
Disadvantages
But while it is difficult to forge a face, it is not impossible. Latex masks have been shown to produce false
acceptance (Xiao, 2010). Another issue is lighting. If lighting is not sufficient to accurately capture nodal points,
verification failure rates increase. Some vendors resolve this by making the computer screen go white,
illuminating the face in front of the camera (Sensible Vision). Finally, racial differences can cause errors (Eye
Tracking Update, 2010). Improvements in lighting sensitivity should help remove this obstacle to
implementation, but consider workforce diversity when deciding whether a low-cost solution meets your
requirements.
Next generation facial technology
So far, we have looked at what is known as 2-dimensional (2-D) facial recognition. However, 3-D systems help
eliminate problems listed above. Instead of using 2-D nodes, they measure unchangeable features such as the
contour of the eyes, nose, and chin. “The advantages of 3-D facial recognition are that is it not affected by
lighting, and it can identify a face from a variety of angles, including profile view” (findBiometrics, 2012, para. 7).
Facial recognition can provide low error rates when used under the right conditions. Consider 2-D or 3-D facial
recognition if you require a low CER.
Iris Recognition
If you are looking for accuracy with very low probability of forgery, an iris scanning solution might be the
answer. In addition, the technological characteristics of iris scans provide scanning from a distance with little or
no user interaction. Finally, employee complaints about the perceived intrusiveness associated with retinal
scans are eliminated.
How it works
Figure 12-6 depicts the human eye. Retinal scans require shining light into the back of the eye to read retina
patterns. However, the iris is located at the front of the eye. An iris scan starts from the outer edge of the iris and
records distinguishing features (see Figure 12-7). As with other biometrics solutions, the collected data is
converted into a template for identity verification.
Figure 12- 6 : Human Eye
Figure 12- 7 : Iris S can Process (BBC News, 2009)
5/17/13 InfoSec Institute Resources – Chapter 12 – Applications of Biometrics
resources.infosecinstitute.com/chapter-12-applications-of-biometrics/ 9/14
Advantages
Again, employees presenting themselves for identity verification do not have to touch the scanner. Figure 12-8
shows one type of iris sensor. In some cases, organizations can place sensors out of the path of entering
employees, scanning from as far away as 30 feet (SarniffCorp., 2010). In addition to its flexibility, “A key
advantage of iris recognition, besides its speed of matching and its extreme resistance to False Matches, is the
stability of the iris as an internal, protected, yet externally visible organ of the eye” (“Iris recognition,” 2012).
Although the iris is harder to forge than fingerprints, it is still not invulnerable to attempts by motivated
criminals.
Figure 12- 8 : Iris S canner (Grigsby , 2011)
Disadvantages
Unlike ubiquitous fingerprint sensors, iris scanners are expensive; placing one at every desk is likely not
something you want to propose for next year’s budget. Units like the one shown in Figure 12-8, for example,
can cost two- or three-thousand dollars. Desktop units are entering the market, but still significantly raise the
cost of user-based biometrics access control beyond the reach of most organizations. Finally, the advantage of
iris scanning’s resistance to forgery is disappearing, gradually mitigating advantages gained for the additional
cost.
When iris scanners first appeared on the market, forgery was nearly impossible. However, following the adage,
“if you build it, they will crack it,” this is no longer true. Like fingerprint templates, researchers demonstrated that
they could reverse engineer iris templates in less then 10 minutes (Zetter, 2012). All that is needed is access to
the right algorithm and a reference template: either stolen during a database breach or via social engineering.
Vein Recognition
Lying below the surface of our hands are networks of veins. The patterns they form are unique for each
individual. Using near infrared, the palm pattern can be captured to create a reference template for biometrics
access control. One of the first vein scanners is shown in Figure 12-9 (Hanlon, 2005).
Figure 12- 9 : Hand Vein S canner, 2005
How it works
Contactless vein recognition technology, originally engineered by Fujitsu, relies on a specific characteristic of
blood in veins: deoxidized hemoglobin. Veins carry blood back to the lungs after the body’s cells remove
5/17/13 InfoSec Institute Resources – Chapter 12 – Applications of Biometrics
resources.infosecinstitute.com/chapter-12-applications-of-biometrics/ 10/14
oxygen from the hemoglobin. Deoxidized hemoglobin absorbs light at a near infrared wave length, making
them look black, as shown on the left in Figure 12-10.
Figure 12- 10 : Hand Vein Patterns (Hanlon, 2005)
Advantages
Vein scans, like iris scans, do not require contact with the sensor, have a very low error rate (as low as FRR of
0.01 percent and FAR of 0.00008 percent (Ridden, 2012)), and are nearly impossible to forge. In addition,
scanners less than 2 inches across are in testing and facilitate embedding vein-based access control in user
devices. See Figure 12-11.
Figure 12- 11 : Embedded Vein S canner (Ridden, 2012)
Disadvantages
The technology is still evolving, with no real standard. This should not stop you from considering it as a viable
alternative for fingerprint and facial recognition end-user authentication. This issue may disappear as large
companies, like Intel, move to integrate palm scanning into consumer devices (Randewich, 2012).
Voice and Typing
I am providing detail only on the most common, or most promising, biometrics technologies. In addition, two
less popular technologies to watch are voice recognition and keystroke dynamics.
Voice recognition
Voice recognition is easy for users, but it is subject to easy forgery (Olzak, 2011). Algorithms make reference
templates using voiceprints. This approach works well for telephone-based authentication, but it is very weak
authentication when expecting users to speak into microphones. It is not as accurate as other forms of
biometrics, and voice tracks are subject to theft via recording devices. Voice authentication is not secure in
public or cubicle-dense areas.
Keystroke dynamics
Keystroke dynamics uses the speed and rhythm of a user’s typing. It is not very accurate, but it can be a very easy
biometrics solution to implement. It requires no special hardware: just an agent residing on the end-user device.
Users do not have to take time to enroll; enrollment is done in the background as users work. Further,
administrators can tune FRR/FAR by application. Keystroke biometrics is a good choice if you need something
easy to implement, relatively inexpensive, and part of a multi-factor authentication effort. See
http://mcaf.ee/6bwcf for more information about this technology.
5/17/13 InfoSec Institute Resources – Chapter 12 – Applications of Biometrics
resources.infosecinstitute.com/chapter-12-applications-of-biometrics/ 11/14
Conclusion
Biometrics is not a panacea. Implementation should be the result of cost/benefit analysis stemming from a risk
assessment. However, regulatory constraints sometimes make our decision easy. The only thing possible at that
point is to select the solution that makes sense.
Making sense, or the reasonable and appropriate implementation of biometrics, includes consideration of
several factors.
Understand the limitations of the target operating environments
Ensure the overall security context supports reference template safety
Understand the probability of forgery and match it to the importance of that which you are trying to
protect
Do not implement a biometrics solution that exposes business processes to a potential business
continuity event in the form of sensor or backend authentication server loss
Ask each vendor to provide reasonable proof of error rates for the products proposed
Always consider how users might receive the new systems
Although not covered in the chapter, I want to close with a very strong recommendation to pilot any biometrics
solution before signing a final vendor agreement. This is the best way to ensure management and user
acceptance, operational suitability, and the impact of environmental conditions.
References
BBC News. (2009). Biometric Technology. Retrieved November 3, 2012, from BBC
News:
http://news.bbc.co.uk/2/shared/spl/hi/guides/456900/456993/html/nn3page1.stm
Bindha, V. E., & Natarajan, A. M. (2012). Multi-Modal Biometric Template Security:
Fingerprint and Palmprint Based Fuzzy Vault. Retrieved October 31, 2012, from
OMICS Publishing Group: http://www.omicsonline.org/2155-
6180/pdfdownload.php?download=2155-6180-3-150.pdf&&aid=7885
Bonsor, K., & Johnson, R. (2012). How facial recocognition systems work. Retrieved
November 3, 2012, from HowStuffWorks:
http://electronics.howstuffworks.com/gadgets/hith-tech-gadgets/facial-
recognition.htm
Brandel, M. (2010). Using Biometric Access Systems: Dos and don’ts. Retrieved
November 1, 2012, from CIO Magazine Online:
http://www.cio.com.au/article/339235/using_biometric_access_systems_dos_don_ts
Congdon, K. (2010, May 20). Are Biometrics The Key To Health IT Security?
Retrieved November 2, 2012, from Healthcare Technology Online:
http://www.healthcaretechnologyonline.com/article.mvc/Are-Biometrics-The-Key-
To-Health-IT-Security-0001?VNETCOOKIE=NO
Cooter, R. D. (1998, February). Punitive Damages, Social Norms, and Economic
Analysis. Retrieved October 3, 2012, from eScholarship.org:
http://escholarship.org/uc/item/7h38w307.pdf
Ethics. (2012). In Dictionary.com. Retrieved from http://dictionary.reference.com/browse/ethics
Want to learn more?? The InfoSec Institute CISSP Training course trains andprepares you to pass the premier security certification, the CISSP. Professionalsthat hold the CISSP have demonstrated that they have deep knowledge of all 10Common Body of Knowledge Domains, and have the necessary skills to provideleadership in the creation and operational duties of enterprise wide informationsecurity programs.
InfoSec Institute's proprietary CISSP certification courseware materials are alwaysup to date and synchronized with the latest ISC2 exam objectives. Our industryleading course curriculum combined with our award-winning CISSP trainingprovided by expert instructors delivers the platform you need in order to pass theCISSP exam with flying colors. You will leave the InfoSec Institute CISSPBoot Camp with the knowledge and domain expertise to successfullypass the CISSP exam the first time you take it. Some benefits of the CISSP
OTHER ARTICLES BY TOM OLZAKOTHER ARTICLES BY TOM OLZAK
Managing insider threats
Physical Security: Managing the Intruder
Chapter 11 – Identity Management and Access Controls
Chapter 10 – Virtualization Security
Chapter 9: Securing Remote Access
Chapter 8 – UEFI and the TPM: Building a foundation forplatform trust
Chapter 7: The Role of Cryptography in Information Security
Chapter 6 – End-user Device Security
VLAN Network Segmentation and Security- Chapter 5
Attack Surface Reduction – Chapter 4
Building the Foundation: Architecture Design – Chapter 3
Risk Management – Chapter 2
Enterprise Security: A practitioner’s guide – Chapter 1
UEFI and the TPM: Building a foundation for platform trust
Five Steps to Incident Management in a VirtualizedEnvironment
Microsoft Virtual Server Security: 10 Tips and Settings
LIKE US ON FACEBOOK == STAY UP TO DATELIKE US ON FACEBOOK == STAY UP TO DATE
InfoSec Institute
Îmi place 4.417
AWARD WINNING TRAINING FROM INFOSECAWARD WINNING TRAINING FROM INFOSEC
Be the first to hear of new free tutorials, training videos,product demos, and more. We'll deliver the best of our freeresources to you each month, sign up here:
5/17/13 InfoSec Institute Resources – Chapter 12 – Applications of Biometrics
resources.infosecinstitute.com/chapter-12-applications-of-biometrics/ 12/14
Boot Camp are:
Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
We have cultivated a strong reputation for getting at the secrets of the CISSPcertification exam
Our materials are always updated with the latest information on the examobjectives: This is NOT a Common Body of Knowledge review-it is intense,successful preparation for CISSP certification.
We focus on preparing you for the CISSP certification exam through drillsessions, review of the entire Common Body of Knowledge, and practicalquestion and answer scenarios, all following a high-energy seminarapproach.
VIEW CISSP TRAININGVIEW CISSP TRAINING
Eye Tracking Update. (2010, January 22). Retrieved November 3, 2012, from Race
Presents Challenge for Facial and Eye Tracking Technology:
http://eyetrackingupdate.com/2010/01/22/race-presents-challenge-for-facial-
and-eye-tracking-technology
findBiometrics. (2012). Facial Recognition. Retrieved November 3, 2012, from
findbiometrics: http://findbiometrics.com/facial-recognition
Grigsby, J. (2011, May 1). Iris Recognition. Retrieved November 5, 2012, from
Biology – Block D: http://biologyblockd.blogspot.com/2011/05/iris-recognition-
by-jennifer-grigsby.html
Hanlon, M. (2005, June 29). Contactless Palm Vein Authentiation Technology
targets defacto standard in biometric security markets. Retrieved November 5,
2012, from Gizmag: http://www.gizmag.com/go/42314
Heathfield, S. M. (2012). Build Support for Effective Change Management. Retrieved
November 2, 2012, from About.com Human Resources:
http://humanresources.about.com/od/changemanagement/a/change_lessons5.htm
Iris recognition. (2012). In Wikipedia.org. Retrieved from http://en.wikipedia.org/wiki/Iris_recognition
O’Leary, T. (2008, February). Acceptance and Accuracy in Biometrics. Security Dealer
and Integrator
, 30 (2), p. 52.
Olzak, T. (2011). Practical Application of Biometrics. Retrieved September 2, 2012,
from TechRepublic: http://www.techrepublic.com/downloads/practical-
application-of-biometrics/2393163
Randewich, N. (2012, September 13). With the ware of a hand, Intel wants to do
away with passwords. Retrieved November 5, 2012, from Reuters:
http://www.reuters.com/article/2012/09/13/us-intel-passwords-
idUSBRE88CIA120120913
Ridden, P. (2012, May 10). Fujitsu develops smallest Palm Vein Biometric
Authentication Sensor yet. Retrieved November 5, 2012, from Gizmag:
http://www.gizmag.com/fujitsu-slim-small-palm-vein-authentication-
sensor/22493/
Rosistem. (n.d.). Biometric Education: Fingerprint. Retrieved November 2, 2012,
from http://barcode.ro/tutorials/biometrics/fingerprint.html
SarniffCorp. (2010, February 24). Iris on the move [video file]. Retrieved November
5, 2012, from http://www.youtube.com/watch?
v=b1uzonksCnl&feature=player_embedded
Yes, Send My Free Training & Tutorials
Want to learn more?? The InfoSec Institute CISSPTraining course trains and prepares you to pass thepremier security certification, the CISSP. Professionals thathold the CISSP have demonstrated that they have deepknowledge of all 10 Common Body of Knowledge Domains,and have the necessary skills to provide leadership in thecreation and operational duties of enterprise wideinformation security programs.
InfoSec Institute's proprietary CISSP certification courseware
materials are always up to date and synchronized with the
latest ISC2 exam objectives. Our industry leading course
curriculum combined with our award-winning CISSP training
provided by expert instructors delivers the platform you
need in order to pass the CISSP exam with flying colors.
You wil l l eave the InfoS ec Institute CIS S P Boot
Camp with the knowledge and domain expertise to
successful l y pass the CIS S P exam the f irst time
you take it. Some benefits of the CISSP Boot Camp are:
Dual Certif ication - CISSP and ISSEP/ISSMP/ISSAP
We have cultivated a strong reputation for getting at thesecrets of the CISSP certification exam
Our materials are always updated with the latestinformation on the exam objectives: This is NOT aCommon Body of Knowledge review-it is intense,successful preparation for CISSP certification.
We focus on preparing you for the CISSP certificationexam through drill sessions, review of the entireCommon Body of Knowledge, and practical questionand answer scenarios, all following a high-energyseminar approach.
VIEW CISSP TRAININGVIEW CISSP TRAINING
InfoSec Institute - The most awarded security trainingcompany
5/17/13 InfoSec Institute Resources – Chapter 12 – Applications of Biometrics
resources.infosecinstitute.com/chapter-12-applications-of-biometrics/ 13/14
Name (required)
Email (required)
Website
Comment
Post CommentPost Comment
Xiao, Q. (2010). Applying Biometrics. Retrieved 2011, from Defense Research and
Development Canada: http://www.ottawa.drdc-rddc.gc.ca/html/biometrics-
end.html
Zetter, K. (2012, July 25). Rverse-Engineered Irises Look So Real, They Fool Eye
Scanners. Retrieved November 5, 2012, from Wired:
http://www.wired.com/threatlevel/2012/07/reverse-engineering-irs-scans/all/
Incoming search terms:
what is a successful biometric application
fingerprint friction ridge detail
resources infosecinstitute com chapter-12-applications-of-biometrics
two disadvantages to standard biometrics cost and error rates
how biometrics work
how is the business organized biometric
how to find some nodal points measurements using biometrics
human eye authentication process
infosec cer
vein matching builidng access
biometricsbiometrics featurefeature
About the Author
Tom Olzak is a security researcher for the InfoSec Institute and an IT professional with over 27
years of experience in programming, network engineering and security. He has an MBA as well
as CISSP and MCSE certifications. He is currently an online instructor for the University of
Phoenix.
He has held positions as an IS director, director of infrastructure engineering, director of information security, and
programming manager at a variety of manufacturing, health care, and distribution companies. Before joining the
private sector, he served 10 years in the United States Army Military Police with four years as a military police
investigator.
He has written two books, "Just Enough Security" and "Microsoft Virtualization." He is also the author of various
papers on security management and a blogger for CSOonline.com, TechRepublic, Toolbox.com, and Tom Olzak
on Security.
Related Posts
Leave A Response
5/17/13 InfoSec Institute Resources – Chapter 12 – Applications of Biometrics
resources.infosecinstitute.com/chapter-12-applications-of-biometrics/ 14/14
ARCHIVEARCHIVE
May 2013May 2013 (23) (23)
April 2013April 2013 (56) (56)
March 2013March 2013 (68) (68)
February 2013February 2013 (65) (65)
January 2013January 2013 (65) (65)
December 2012December 2012 (51) (51)
November 2012November 2012 (45) (45)
October 2012October 2012 (59) (59)
September 2012September 2012 (56) (56)
August 2012August 2012 (35) (35)
July 2012July 2012 (21) (21)
June 2012June 2012 (31) (31)
May 2012May 2012 (11) (11)
April 2012April 2012 (16) (16)
March 2012March 2012 (12) (12)
February 2012February 2012 (24) (24)
January 2012January 2012 (22) (22)
December 2011December 2011 (15) (15)
November 2011November 2011 (12) (12)
October 2011October 2011 (12) (12)
September 2011September 2011 (1) (1)
August 2011August 2011 (2) (2)
July 2011July 2011 (7) (7)
June 2011June 2011 (22) (22)
May 2011May 2011 (30) (30)
April 2011April 2011 (33) (33)
March 2011March 2011 (24) (24)
February 2011February 2011 (7) (7)
January 2011January 2011 (2) (2)
December 2010December 2010 (3) (3)
November 2010November 2010 (7) (7)
October 2010October 2010 (1) (1)
September 2010September 2010 (1) (1)
August 2010August 2010 (4) (4)
July 2010July 2010 (2) (2)
RECENT POSTSRECENT POSTS
Fortune 500 Interview: Scotiabank’s GregFortune 500 Interview: Scotiabank’s GregThompson talks hackers, cyber terrorists,Thompson talks hackers, cyber terrorists,hacktivists and morehacktivists and more
The Sysenter Instruction InternalsThe Sysenter Instruction Internals
Stress Testing Your Wireless NetworkStress Testing Your Wireless Network
Anatomy of a VB VirusAnatomy of a VB Virus
Mozilla Persona: What you should know andMozilla Persona: What you should know andhow to implement ithow to implement it
Open Source .NET: Platform-IndependentOpen Source .NET: Platform-Independent.NET Application Development with MONO.NET Application Development with MONO– part one– part one
Pentesting Distributions and Installer KitsPentesting Distributions and Installer Kitsfor your Raspberry Pifor your Raspberry Pi
Vulnerability Assessment of SNMP ServiceVulnerability Assessment of SNMP Service– I– I
Introduction to Kernel Debugging withIntroduction to Kernel Debugging withWindbgWindbg
E -Money FraudE -Money Fraud
Email InjectionEmail Injection
Form Authentication: ASP.NET SecurityForm Authentication: ASP.NET SecurityPart 3Part 3
CATEGORIESCATEGORIES
Application SecurityApplication Security (109) (109)
Exploit DevelopmentExploit Development (47) (47)
ForensicsForensics (43) (43)
General SecurityGeneral Security (144) (144)
HackingHacking (261) (261)
InterviewsInterviews (33) (33)
IT CertificationsIT Certifications (63) (63)CCNACCNA (2) (2)
CEHCEH (5) (5)
CISACISA (16) (16)
CISMCISM (10) (10)
CISSPCISSP (33) (33)
MCITPMCITP (2) (2)
Management, Compliance, & AuditingManagement, Compliance, & Auditing (48) (48)
OtherOther (79) (79)
Reverse EngineeringReverse Engineering (95) (95)
SCADASCADA (5) (5)
Virtualization SecurityVirtualization Security (6) (6)
Wireless SecurityWireless Security (10) (10)
POPULARPOPULAR COMMENTSCOMMENTS TAGSTAGS POPULAR SEARCH TERMSPOPULAR SEARCH TERMS
iphoneiphone, , i phonei phone, , backtrack 5 r3 tutorialbacktrack 5 r3 tutorial,,resources infosecinstitute comresources infosecinstitute com, , Backtrack 5Backtrack 5,,diarmfdiarmf, , backtrack 5 r3 tutorial pdfbacktrack 5 r3 tutorial pdf, , w3afw3aftutorialtutorial, , iphone 1iphone 1, , iphone 10iphone 10, , maltegomaltego,,network security engineernetwork security engineer
Back to TopBack to TopCopyright © 2012 - InfoSec InstituteCopyright © 2012 - InfoSec Institute
Ideal S ki ll S et Fo r t heIdeal S ki ll S et Fo r t hePenet r at ion Test ingPenet r at ion Test ing
August 27, 2010August 27, 2010 4242
Ant ivi r us E vasion : TheAnt ivi r us E vasion : TheMaking o f a Fu ll ,Making o f a Fu ll ,Undet ec t ab le US BUndet ec t ab le US BDr opper / S p r eaderDr opper / S p r eader
September 20, 2012September 20, 2012 4040
S LAAC At t ack – 0dayS LAAC At t ack – 0dayWindows Net wor kWindows Net wor kIn t er cep t ionIn t er cep t ionConfigu r at ionConfigu r at ion
Vu lner ab i l i t yVu lner ab i l i t y
April 04, 2011April 04, 2011 3939
S QL In jec t ion t h r oughS QL In jec t ion t h r oughHTTP Header sHTTP Header s
March 30, 2012March 30, 2012 3131