
Effective Security “Biometrics” Harj Singh CLAS Security Consultant harj.singh@synetrix.co.uk


Presentation Transcript


  1. Effective Security “Biometrics” Harj Singh CLAS Security Consultant harj.singh@synetrix.co.uk Security Seminar

  2. “The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn’t stake my life on it.” Gene Spafford, Director, Computer Operations, Audit and Security Technology (COAST), Purdue University

  3. What is Information Security? • Information • An asset which has value to an organisation and consequently needs to be suitably protected • Types of Information • Printed or written on paper • Stored electronically • Transmitted by post or electronic means • Shown on corporate videos • Verbal – spoken in conversations

  4. What is Information Security? • Confidentiality • Ensuring that information is accessible only to those authorised to have access • Integrity • Safeguarding the accuracy and completeness of information and processing methods • Availability • Ensuring that authorised users have access to information and associated assets when required

  5. Why do you need Information Security? • Web site defacements • Network penetrations • Data loss • Data corruption • Denial of service • Viruses/Worms • Bad publicity

  6. Why do you need Information Security? • Legal issues • Data Protection Act • Electronic Communications Act • Regulation of Investigatory Powers Act (RIPA) • Human Rights Act • Directors are liable

  7. The SANS Institute – hacked! [Screenshot]

  8. Universal Studios – hacked! [Screenshot]

  9. What can you do? • Define a Security Policy • Carry out Risk Assessment • Implement Security Technologies • Regularly Test Security

  10. Security Policy • BS7799/ISO17799 • Must have management ‘buy in’ • Needs to be communicated to all users

  11. Risk Assessment • A security risk is the potential that a given threat will exploit vulnerabilities to cause loss or damage to an asset or group of information assets.


  13. Implementation • Firewall • Content scanning • URL/Content filtering • Antivirus • Intrusion detection • VPN • Authentication Systems • Wireless Security

  14. Vulnerability Testing • Is your network secure from external attack? • Is your network secure from internal attack? • Are your operating systems patched and up to date? • Is your web site secure? • Is your email server secure? • Is your firewall secure?

  15. A Typical Network • How can we satisfy business requirements without compromising information security? [Diagram labels: Internet, Remote Site, Firewall, Web Servers, Remote Users, LAN]

  16. Remote Access • PSTN • ISDN • Virtual Private Network (VPN)

  17. Virtual Private Network • LAN • Permanent Internet connection • VPN termination device • Remote User • PPP/ADSL connection to ISP • IPSec VPN Client Software • Or SSL ‘clientless’ VPN

  18. Virtual Private Network [Diagram labels: Internet, Remote Site, Site to Site VPN, VPN Concentrator, VPN Client Software, Remote User]

  19. [Diagram labels: Untrusted, Trusted, Internet, Firewall, Web Servers, DMZ, LAN, VPN Concentrator, Web Servers]

  20. Authentication • Proof that you are you • You are you because of • Something you have – token, smart card • Something you know – PIN, password • Something you are – biometric

  21. What does Biometrics mean? • Comes from the Greek words “Bios – life” and “Metron – to measure”. • Automated methods of verifying or recognising the identity of a living person based on physiological or behavioural characteristics

  22. Identification or Verification? • There are two ways of determining if you are you… • Identification • Establishing a person’s identity – Who are you? • One-to-many comparison • Biometric sample presented to a system which compares it against a database of samples in the hope of finding a match • Verification • Involves confirming or denying a person’s claimed identity – Are you who you claim to be? • One-to-one comparison • Biometric sample captured and compared with the previously stored template for that user (reference template)
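The one-to-one versus one-to-many distinction on this slide is easiest to see in code. The following is an added example, not code from the seminar or from any product it mentions. It assumes (nothing of this is on the slides) that a template is a fixed-length bit string compared by fractional Hamming distance, the way an iris code is matched, and that the template length, the accept threshold and the enrolment database are invented for illustration. It also goes one step beyond the slide: `false_accept_rate_1_to_n` shows why identification is the harder problem, since every extra enrolled template is one more chance for an impostor to be falsely accepted.

```python
# Added example, not from the seminar slides: one-to-one verification versus
# one-to-many identification on constructed bit-string templates.
# Assumptions (none stated on the page): templates are fixed-length bit strings
# compared by fractional Hamming distance, as an iris code is; the length,
# threshold and enrolment database below are invented for illustration.
import random
from typing import Dict, Optional

TEMPLATE_BITS = 256        # constructed: toy template length in bits
MATCH_THRESHOLD = 0.32     # constructed: accept when <= 32% of bits differ
_MASK = (1 << TEMPLATE_BITS) - 1


def hamming_fraction(a: int, b: int) -> float:
    """Fraction of the TEMPLATE_BITS positions at which templates a and b differ."""
    return bin((a ^ b) & _MASK).count("1") / TEMPLATE_BITS


def verify(sample: int, enrolled: Dict[str, int], claimed_id: str) -> bool:
    """One-to-one (Are you who you claim to be?): compare the live sample only
    against the reference template stored for claimed_id. A claim for an
    identity that was never enrolled is rejected outright."""
    reference = enrolled.get(claimed_id)
    if reference is None:
        return False
    return hamming_fraction(sample, reference) <= MATCH_THRESHOLD


def identify(sample: int, enrolled: Dict[str, int]) -> Optional[str]:
    """One-to-many (Who are you?): compare the live sample against every
    enrolled template and return the closest one under threshold, or None
    when nobody in the database is close enough."""
    best_id: Optional[str] = None
    best_distance = 1.0
    for user_id, reference in enrolled.items():
        distance = hamming_fraction(sample, reference)
        if distance <= MATCH_THRESHOLD and distance < best_distance:
            best_id, best_distance = user_id, distance
    return best_id


def noisy_capture(reference: int, flip_fraction: float, seed: int = 1) -> int:
    """Simulate a fresh capture of the same person: a live sample never
    reproduces the enrolment template exactly, so flip a fraction of its bits."""
    rng = random.Random(seed)
    flips = int(TEMPLATE_BITS * flip_fraction)
    sample = reference
    for position in rng.sample(range(TEMPLATE_BITS), flips):
        sample ^= 1 << position
    return sample


def build_enrolment(n_users: int, seed: int = 7) -> Dict[str, int]:
    """Constructed enrolment database: one random template per user. Two
    unrelated random templates differ in about half their bits, far above
    MATCH_THRESHOLD, which is what makes the threshold usable at all."""
    rng = random.Random(seed)
    return {f"user{i:03d}": rng.getrandbits(TEMPLATE_BITS) for i in range(n_users)}


def false_accept_rate_1_to_n(far_1_to_1: float, n_enrolled: int) -> float:
    """If each single comparison falsely accepts an impostor with probability
    far_1_to_1 (comparisons assumed independent), the chance that a
    one-to-many search matches the impostor to at least one of n_enrolled
    templates is 1 - (1 - FAR)^N, which grows roughly N-fold for small FAR."""
    return 1.0 - (1.0 - far_1_to_1) ** n_enrolled


if __name__ == "__main__":
    db = build_enrolment(50)
    live = noisy_capture(db["user007"], flip_fraction=0.20)
    print("verify as user007:", verify(live, db, "user007"))   # True
    print("verify as user008:", verify(live, db, "user008"))   # False
    print("identify:", identify(live, db))                      # user007
    stranger = build_enrolment(1, seed=99)["user000"]
    print("identify stranger:", identify(stranger, db))         # None
    for n in (1, 1_000, 100_000):
        print(f"FAR at N={n}: {false_accept_rate_1_to_n(1e-4, n):.4f}")
```

The practical consequence for the slides that follow: a modality whose per-comparison false acceptance rate is acceptable for verification against a smart-card template can still be unusable for identification against a national-scale database, because the search multiplies the impostor's chances by the number of enrolled templates.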

  23. Which Biometric? • Fingerprint • Hand Geometry • Iris / Retina Scan • Facial Scan • Signature • Voice Recognition

  24. Fingerprint • Variety of fingerprint devices available (silicon and optical) • Template constructed by analysing patterns and/or points of interest that make up the fingerprint (minutiae) • Advantages • Low cost • Size of device and multiple choices • Ease of integration • Accurate – low instances of false acceptance

  25. Hand Geometry • Measures the physical characteristics of the user’s hand and fingers • Low level infrared light and a camera used to capture an image • Suited to applications where there is a large user base or users access the system infrequently • Flexible performance tuning can accommodate a wide range of applications • Disadvantages • Large footprint of hand geometry devices • Only used for verification • Right hand use only

  26. Iris • Captures the pattern of flecks on the iris • Pattern processed and encoded into a 512 byte record • Uses conventional cameras • Average 2 seconds for identification • Less intrusive than retinal scanning • No physical contact between user and reader (unless very tall or very short) • Disadvantages • Ease of use • System integration • Cost

  27. Retinal • Unique patterns of the retina scanned by a low intensity infrared light • Image constructed from de-scanned reflected light • Extremely accurate • Fast enrolment process • Disadvantages • User acceptance – intrusive technology • Cost • Limited to high security applications • Does not perform well where user wears spectacles or has cataracts

  28. Facial • Based upon the geometric shape and position of features of the face • Performs equally well on all races and both genders • Resistant to changes in lighting, skin tone, facial hair, hair style, eyeglasses, expression and pose • No user participation required in order to perform identification/verification • Limited success in practical applications • 1-to-many matching • Disadvantages • Perceived to be invasive as a covert system

  29. 2D Facial • Relies on controlled lighting • One photograph per facial position • High failure rate • Can be ‘fooled’

  30. 3D Facial • 3D technology enables the real-time capture of three-dimensional images of a subject’s face. The unique features of the subject’s cranio-facial structure are extracted and stored as a biometric template for automated human recognition. The method can be used either for identification or for verification.

  31. 3D Facial • Face Capture • Uses structured light in the near-infrared range • A projector shoots an invisible structured light pattern onto the face • The pattern is distorted by the face’s surface geometry • The video camera precisely records the pattern distortion • Reconstruction Process • Real-time reconstruction of the 3D facial surface • The distorted pattern is input into a 3D reconstruction algorithm • A 3D mesh of the face is created by means of triangulation • The resulting face geometry is measurable in millimetres • The 3D reconstructed image is NOT stored in the database

  32. 3D Facial • Feature extraction and matching • A biometric template is extracted from the 3D facial geometry (skull curvature, etc.) • The template is based on the unique rigid tissues of the skull, which are unchanging over time • The resulting numeric template is stored in an ordinary database • Identification is performed by matching the biometric template against the enrolment database • Verification is performed by matching the biometric template against a template stored on a smart card

  33. 3D Facial Advantages • Not affected by lighting conditions, background colours, facial hair or make-up • Provides higher performance at different view angles • Is of higher accuracy in real-life environments

  34. Signature • Based on analysis of the dynamics of a handwritten signature, e.g. shape, speed, stroke order, pen pressure • Generally uses pressure sensitive tablets or wired pens • User friendly • Non intrusive – minimal public acceptance issues • Captured signature can be used for digitally signing documents • Disadvantages • Considered to be one of the least accurate biometrics • Only performs 1-to-1 verification

  35. Voice Recognition • Analyses voice patterns and characteristics of speech, e.g. pitch, tone • High user acceptance – perceived as the least intrusive biometric technology • Easy for end users to implement BUT the least secure biometric • Ideal for telephone systems / mobile environments • Disadvantages • Affected by environmental factors – background noise greatly affects system performance • Problems if enrolment is undertaken on a mobile device and verification is then requested from a fixed land line

  36. Post 9/11… Biometrics – What are the drivers? • On October 26, 2001 the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (the “USA PATRIOT Act”) was enacted. • On May 14, 2002, the President signed into law H.R. 3525, the “Enhanced Border Security and Visa Entry Reform Act of 2002.”

  37. H.R. 3525 • “The border security bill makes reforms to our immigration system in response to the increased awareness of America’s vulnerability to terrorism after 9/11. It provides for calls for vital improvements in technology to provide more timely information to help with the battle against terrorism. Among the key features: • Funds for increased border and State Department personnel and training, including 1,000 new INS inspections personnel, and $150 million for INS border technology; • A report, a plan, and protections for an interoperable information-sharing system; • An interoperable information-sharing system with name-matching capacity; • Machine-readable, tamper-resistant biometric travel documents and passports; • Restriction on nonimmigrant visas for aliens from countries that sponsor terrorism; • Reform of the visa waiver program; • Requirement of passenger manifest information for commercial flights and vessels; • Repeal of the 45-minute time limit on INS inspections of arriving passengers; and • Enhanced foreign student monitoring program”

  38. What Does this mean to the UK? • By 26 October 2004 the UK must have introduced biometric enabled travel documents (or have in place advanced plans to do so). • The National Institute of Standards and Technology has been given the lead to evaluate biometric technologies. • The International Civil Aviation Organisation has laid down the standard (9303).

  39. ICAO 9303 • ICAO 9303 requires a digitised facial image of the document holder to be securely attached to the travel document and recommends the use of a contactless RF proximity smart card as the carrier. Governments MAY optionally also embed fingerprint and/or iris images.

  40. What is UK Government Doing? [Diagram labels: UKPS, DVLA, Home Office (ICU), ?] • Biometric Enabled Passport Book (and maybe Passport Card) in 2005 • Establishing ‘Gold Identity’ • Examining use of biometrics in the UK Driving Licence • Planning for a National ID Card (long term)

  41. The Joint Contact Group • Unprecedented co-operation and sharing of intelligence between the UK and the USA was agreed at a meeting on Tuesday (1st April 2003) between Home Secretary David Blunkett and US Homeland Security Secretary Tom Ridge. • At the meeting, Mr Blunkett and Mr Ridge agreed the work should cover “closer working on the development of biometric technology such as iris and facial recognition.”

  42. Asylum Seekers (IND) • IND Application Registration Card (ARC) • Police – Immigration Fingerprint Exchange (PIFE)

  43. UK Visas (IND/UKIS) • Visitors to the UK from five east African countries, and those travelling on refugee documents issued by other countries, will have to provide fingerprint data before they enter the UK from March 2004. • Follows a 6 month trial in Sri Lanka.

  44. UK Law Enforcement • “Human identification is a key element in the reduction and investigation of crime and thus a key element in the provision of effective capabilities to assist the Police Service in meeting strategic objectives.” Dr Fred Preston, Director of Identification, PITO

  45. In Conclusion • Most security breaches are due to weak authentication • Is Biometrics the answer?

  46. Questions