SlideShare a Scribd company logo

biometrics and cyber security

Karthiga Manisekaran, profile picture
Karthiga Manisekaran

This document discusses key considerations for protecting critical infrastructure from cybersecurity threats involving biometrics. It notes that while biometrics can strengthen security, biometric systems themselves must be secured against attacks. The document outlines vulnerabilities across different stages of biometric systems and recommends countermeasures like multi-factor authentication, flexible technology, and ongoing analysis to adapt to evolving threats. The overall message is that cybersecurity requires a holistic defense-in-depth approach when using biometrics to authenticate identity.

EducationTechnologyBusiness
1 of 25
1
2
3
4
5
Most read
6
7
8
9
10
11
12
Most read
13
14
15
16
17
18
19
20
21
22
23
24
25
© Copyright Daon, 2009 1 Biometrics and Cyber SecurityBiometrics and Cyber Security Key Considerations in Protecting CriticalKey Considerations in Protecting Critical InfrastructureInfrastructure –– Now and In The FutureNow and In The Future Conor White, Chief Technology Officer, Daon
© Copyright Daon, 2009 2 Why is Cyber Security Important in the Context of Biometric Systems?
© Copyright Daon, 2009 3 Cyber Security & Biometrics  On the Internet, nobody knows you are a dog…. Or a terrorist …Or a student … Or a spy…
© Copyright Daon, 2009 4 Identity is More Valuable than Money! “I can’t think of a single piece of information more critical to our ultimate security and prosperity, both as individuals and as a country, than our personal identity. The ability of an individual to establish identity, to verify “you are who you claim to be”, is critical to the many transactions that occur in a single day. As the world becomes more interdependent, as transactions become more global, and as the world embraces identity management and assurance as an element of conducting business, personal identities will become a form of global currency. Whether you are crossing a border, seeking employment, applying for a public benefit, opening a bank account, combating crime, making a purchase, enforcing immigration policy, granting access to public and private spaces, detecting terrorists ---- identity verification has limitless value.” Governor Tom Ridge Former Secretary, Department of Homeland Security
© Copyright Daon, 2009 5 Identity Management is Fundamental to Cyber Security  Cyber Security is about establishing trust in entities accessing your networks and ensuring that they perform functions consistent with the role you define for them.  The fundamental capability necessary for any cyber security solution is Identity Management. • Biometrics is a key enabling technology in the fight to strengthen the security of systems against cyber crime  However…
© Copyright Daon, 2009 6 …Biometric Identity Systems Will Be Attacked!  In this session we will discuss (briefly) the following cyber security topics as they relate to Biometric Systems: 1. System Level Perspective 2. Person Level Perspective 3. Independence, Flexibility, Ongoing Analysis and Adaptation
© Copyright Daon, 2009 7 Attacks on Biometric Systems Consider the following:  Don’t have to duplicate to spoof – you just need to alter to ensure no 1:1 or 1:N match (negative identification scenarios)  As our databases grow, we struggle to achieve universality  As we seek to automate, unattended acquisition and authentication creates risk  As more systems are deployed, frequency and sophistication of attacks will increase • Microsoft OS virus vs Apple OS virus  No Biometric modality is perfect – don’t believe anybody who tells you otherwise  No silver bullet - lots of papers & patents but few commercial offerings  Industry starting to look more seriously at liveness detection – e.g. LivDet 2009 Biometrics provide a clear benefit to counteracting cyber security threats – but biometric systems can themselves be a source of weakness
© Copyright Daon, 2009 8 How Do We Compete?  Countermeasures are required: • Enhanced Capture Software • Secured Systems • New Capture Devices • Multi-factor • Multi-modal • Supervision & Oversight – guiding standard and principles • Ability to react through flexible technology and process  Biometric matching has been a technology- and tool-centric field.  A Defense-in-Depth method of dealing with biometric & identity-related concerns takes a more holistic approach: People Technology Operations
© Copyright Daon, 2009 9 Biometric System Threats & Countermeasures
© Copyright Daon, 2009 10 Biometric System Vulnerabilities Key Considerations: • There is no perfect identity authentication method – every form of authentication has vulnerabilities • The entire identity eco-system is vulnerable to attack • Don’t just secure the point of authentication • Consider systemic weaknesses as well • Must provide a defense-in-depth strategy Signal Processing Data Collection Matching Storage Decision Verifier 1 2 3 4 5 6 7 8 9 10 11 Person Perspective System Perspective Source: Study report on Biometrics and E-Authentication
© Copyright Daon, 2009 11 First Principle of Cyber Security Security by Design  Security should be designed into a solution and not “bolted on” after the fact  All solutions MUST be designed using industry-best security principles • Encryption of data – both in transit and at rest • Use of strong cryptographic techniques (e.g. HSMs) • Robust key management • Non-repudiation of events • Authorization of function • Integrity protection – data and system • Uses industry proven techniques – no “security by obscurity” Biometrics systems are vulnerable to attack at several points in the process: data collection, signal processing, data storage, and decision/action point
© Copyright Daon, 2009 12 Location Threats Example Countermeasures 1 – Data Collection Spoofing Liveness detection - Challenge/response Multi-modal, policy-based Device substitution Mutually authenticate device Vendor agnostic architecture 2 – Raw Data Transmission Replay attack Sign data, timestamp, session tokens/nonces, HSM, FIPS 3 – Signal Processing (Software) Component replacement Sign components 5 – Matching Manipulation of match scores Debugger hostile environment Hill climbing Coarse scoring, trusted sensor, secure channel, limit attempts 7 - Storage Database compromise (reading/replacing template, changing bindings) DB access controls, sign/encrypt templates, store on secure token Audit, digital signature 9 – Decision Threshold manipulation Protected function, data protection Signal Processing Data Collection Matching Storage Decision Verifier 1 2 3 4 5 6 7 8 9 10 11 Person Perspective System PerspectiveDefense in Depth So How do We Design in the Countermeasures?
© Copyright Daon, 2009 13 And Don’t Forget about Data Security  Provide an authentication framework that • Securely manages sensitive biometric data. • Ensures the privacy of users’ personal (e.g. biometric) data. • Resists attacks launched by insiders/outsiders. • Provides for non-repudiation of activities. • Integrates with 3rd party applications. • Scales to enterprise-wide deployments. • Is biometric-agnostic by design.  Biometric data must be stored securely • Privacy concerns (legislation) • Risk of legal challenges to signatures if stolen  Assume a hostile network • Eavesdropping on sensitive traffic. • Injection/deletion of messages  Assume a hostile environment • Database may be compromised. • Machines may be physically attacked. • Attacks launched against OS or Daon software.
© Copyright Daon, 2009 14 In Summary  Biometrics enable stronger defense against cyber security attacks but biometric systems need to ensure that they don’t become a platform for launching an attack themselves  Design Security In – Don’t just bolt it on • Protect biometric systems using a holistic approach • Ensure all data is encrypted (in motion and at rest) • Ensure robust key management and distribution • Signing of all parties in a transaction • Tamper evidence and integrity checks throughout system • Audit trails and non-repudiation • Consider all points in a solution and look for vulnerabilities  Its NOT just about the matching algorithm!
© Copyright Daon, 2009 15 Person-Oriented Attacks & Countermeasures
© Copyright Daon, 2009 16 Person Oriented Attacks  Historically the focus has been finger, face, and iris however, there are several modes being refined: vein, voice, iris on the move,….  To defeat a biometric system, sometimes it is sufficient to cause distortion (i.e. to not match). • Example, distortion of fingerprints to avoid watchlist hits  Universality/Inclusivity becomes a major issue for large populations  Multi-Modal solutions work best  Systems need an adaptive architecture that can incorporate these new modes and leverage technology improvements over time The most progressive, modern systems begin as a multi-biometric platform with built in systemic security & privacy safeguards and add different biometric capabilities as needed over time!
© Copyright Daon, 2009 17 Multi-biometric Fusion  Use fusion to improve accuracy and robustness • Increase accuracy beyond single biometric matching • Reduce FTE (broaden population) • Spoof/denial resistance • Cope with poor quality data • Sensor/user fault tolerance  Fusion performance depends on: • Input data available • Comparison algorithm accuracy • Correlations between different matcher scores • Fusion technique • Training data
© Copyright Daon, 2009 18 Multi-Biometric Fusion in Action  Choose a platform that enables multiple biometrics to ensure optimized performance  Multi-biometric systems provide key advantages: • Increased accuracy (noise reduction) • Enhanced Usability • Greater Universality • Improved Security • Improved performance (FMR, FNMR)  As enrollment populations grow dramatically, multi- modal solutions are inevitable. Performance of large scale identity programs can be significantly improved through the use of multiple biometrics. Large scale systems should establish a core multi-biometric platform first and then choose the most applicable algorithms to suit their population, commercial and performance needs 0.1000% 1.0000% 10.0000% 100.0000% 0.0001% 0.0010% 0.0100% 0.1000% 1.0000% 10.0000% 100.0000% False Match Rate (FMR) FalseNon-MatchRate(FNMR) Face Finger Sum fusion Product fusion
© Copyright Daon, 2009 19 In Summary  There is NO perfect biometric type  There is NO perfect biometric device or algorithm  Biometric performance will continue to increase over time, costs will decrease  Spoofing attacks will continue and gain in frequency and complexity  A flexible framework is needed to counteract these attacks  Multi-biometric systems provide best defense – with ability to continually add new technology components  Policy based normalization and fusion should be kept independent of biometric matching algorithms  Adopt a platform that enables you to take advantage of technological improvements over time
© Copyright Daon, 2009 20 Technology Flexibility, Ongoing Analysis and Adaptation
© Copyright Daon, 2009 21 Analysis and Adaptation  Question: How do you react to: • Biometric technologies continuously changing • Weaknesses identified in specific algorithms or devices • Spoofing techniques continuously improving • New normalization and fusion techniques emerging • Throughput and performance models emerging • …  Answer: Deploy an analysis and adaptation engine that enables you to do “what-if analysis” and understand consequences of changes ahead of implementation  Identify and correct weak points ahead of cyber attackers  Automate performance analysis of what-if scenarios: • Algorithms: Matching, Quality, Fusion • Devices/sensors • Interoperability: Cross-device analysis, multi-algorithm scenarios • Protocols e.g. 1:1, 1:N, #attempts, preferred sample types
© Copyright Daon, 2009 22 Which Fusion? DETs 1.0E-03 1.0E-02 1.0E-01 1.0E+00 1.0E-06 1.0E-05 1.0E-04 1.0E-03 1.0E-02 1.0E-01 1.0E+00 False Match Rate (FMR) FalseNon-MatchRate(FNMR) 517_Face_C 517_Finger_LI SUM: MinMax SUM: Zscore SUM: MAD SUM: TanH PROD: FNMR PROD: Liklihood
© Copyright Daon, 2009 23 Self Optimizing Framework for Analysis and Adaptation Biometric Performance Analysis Engine Results Analysis Policy Based Biometric Platform Biometric Performance Analysis Engine
© Copyright Daon, 2009 24 In Summary  Vendor independence provides both a monetary ROI and a cyber- threat risk mitigation  Leverage concept of master broker to orchestrate operations of biometric components  Ensure a vendor independent framework is put in place  Ensure (i.e. prove positively) that your solution is independent of any single biometric technology provider  Maintain strict data independence from underlying device or matcher technology  Large scale programs can clearly benefit for performance analysis tools to ensure optimum use of biometrics  Deploying a system that leverages synergies between an identification broker and analysis tools enables systems to be self optimizing over time yielding better performance and mitigating against cyber security threats
© Copyright Daon, 2009 25 Thank You – Questions? Conor White Email: conor.white@daon.com Direct: 703 984 4010

More Related Content

PPTX
Biometric technology
Sudip Sadhukhan
 
PPTX
Biometric technology
Madugula Kumar
 
PPTX
Biometric Authentication PPT
OECLIB Odisha Electronics Control Library
 
PPTX
Multi modal biometric system
Aalaa Khattab
 
PPTX
Introduction to biometric systems security
Self
 
PPTX
Biometric Systems and Security
Shreyans Jain
 
PPT
Biometric's final ppt
Ankita Vanage
 
PPTX
Biometrics
umertariq12345
 
Biometric technology
Sudip Sadhukhan
 
Biometric technology
Madugula Kumar
 
Biometric Authentication PPT
OECLIB Odisha Electronics Control Library
 
Multi modal biometric system
Aalaa Khattab
 
Introduction to biometric systems security
Self
 
Biometric Systems and Security
Shreyans Jain
 
Biometric's final ppt
Ankita Vanage
 
Biometrics
umertariq12345
 

What's hot (20)

PPT
Biometric security Presentation
Prabh Jeet
 
PPTX
Biometrics Technology In the 21st Century
Star Link Communication Pvt Ltd
 
PPTX
Biometrics
Divya Shah
 
PPTX
Biometric Security Systems ppt
OECLIB Odisha Electronics Control Library
 
PPT
Bio-metrics Technology
Avanitrambadiya
 
PPTX
Biometrics
shweta-sharma99
 
PPTX
Biometric technology .pptx
vineeth chepuri
 
PPTX
Digital forensic tools
Parsons Corporation
 
PPTX
Biometrics Technology
lole2
 
PPTX
Cyber Forensics Overview
Yansi Keim
 
PPTX
Biometric authentication ppt by navin 6 feb
Navin Kumar
 
PPTX
Attendance system based on face recognition using python by Raihan Sikdar
raihansikdar
 
PPTX
Biometrics ppt
MOUNIKA VINNAKOTA
 
PPTX
E mail Investigation
Dr Raghu Khimani
 
PPTX
Biometric Technology
Rajesh Anupoju
 
PPTX
Biometrics
meeravali shaik
 
PPT
Biometrics Technology Intresting PPT
preeti tripathi
 
PPT
Bio-metrics Authentication Technique
Rekha Yadav
 
PPTX
Palm vein technology.pptx
schetan202
 
PPTX
Computer and network security
Karwan Mustafa Kareem
 
Biometric security Presentation
Prabh Jeet
 
Biometrics Technology In the 21st Century
Star Link Communication Pvt Ltd
 
Biometrics
Divya Shah
 
Biometric Security Systems ppt
OECLIB Odisha Electronics Control Library
 
Bio-metrics Technology
Avanitrambadiya
 
Biometrics
shweta-sharma99
 
Biometric technology .pptx
vineeth chepuri
 
Digital forensic tools
Parsons Corporation
 
Biometrics Technology
lole2
 
Cyber Forensics Overview
Yansi Keim
 
Biometric authentication ppt by navin 6 feb
Navin Kumar
 
Attendance system based on face recognition using python by Raihan Sikdar
raihansikdar
 
Biometrics ppt
MOUNIKA VINNAKOTA
 
E mail Investigation
Dr Raghu Khimani
 
Biometric Technology
Rajesh Anupoju
 
Biometrics
meeravali shaik
 
Biometrics Technology Intresting PPT
preeti tripathi
 
Bio-metrics Authentication Technique
Rekha Yadav
 
Palm vein technology.pptx
schetan202
 
Computer and network security
Karwan Mustafa Kareem
 
Ad

Viewers also liked (13)

PPTX
Slide-show on Biometrics
Pathik504
 
PPT
Biometric Security advantages and disadvantages
Prabh Jeet
 
PPT
Biometric Presentation
rs2003
 
PPTX
Cyber security presentation
Bijay Bhandari
 
PDF
ISSA Web Conference - Biometric Information Security Management
Phil Griffin
 
PDF
Final Year Projects Computer Science (Information security) -2015
Syed Ubaid Ali Jafri
 
PPTX
Biometric security using cryptography
Sampat Patnaik
 
PPTX
biometrics
Akhil Kumar
 
PDF
Top Cyber Security Trends for 2016
Imperva
 
PPT
Cyber Crime and Security
Dipesh Waghela
 
PPTX
Iris recognition seminar
Ajinkya Bhalerao
 
PPTX
Cyber-crime PPT
Anshuman Tripathi
 
PPTX
Cyber crime and security ppt
Lipsita Behera
 
Slide-show on Biometrics
Pathik504
 
Biometric Security advantages and disadvantages
Prabh Jeet
 
Biometric Presentation
rs2003
 
Cyber security presentation
Bijay Bhandari
 
ISSA Web Conference - Biometric Information Security Management
Phil Griffin
 
Final Year Projects Computer Science (Information security) -2015
Syed Ubaid Ali Jafri
 
Biometric security using cryptography
Sampat Patnaik
 
biometrics
Akhil Kumar
 
Top Cyber Security Trends for 2016
Imperva
 
Cyber Crime and Security
Dipesh Waghela
 
Iris recognition seminar
Ajinkya Bhalerao
 
Cyber-crime PPT
Anshuman Tripathi
 
Cyber crime and security ppt
Lipsita Behera
 
Ad

Similar to biometrics and cyber security (20)

PDF
Insights into cyber security and risk
EY
 
PDF
BYOD: Device Control in the Wild, Wild, West
Jay McLaughlin
 
PPTX
Portable Biometrics (1)
Torrey Hutchison
 
PPTX
Information Systems.pptx
KnownId
 
PPTX
Nonprofit IT Trends 2018
Community IT Innovators
 
PPT
Information Technology Security Basics
Mohan Jadhav
 
PDF
CYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdf
Jenna Murray
 
PDF
I0516064
IOSR Journals
 
PPTX
Certes webinar securing the frictionless enterprise
Jason Bloomberg
 
PPTX
Add-Structure-and-Credibility-to-Your-Security-Portfolio-with-CIS-Controls-v8...
hoang971
 
PDF
Applied mobile chaos theory
SecureITExperts
 
PPTX
Zero Trust: Redefining Security in the Digital Age
Arnold Antoo
 
PPTX
Ethics, Professionalism and Other Emerging Technologies
Prakhyath Rai
 
PPTX
Unlocking the Power of Your IBM i and Z Security Data with Google Chronicle
Precisely
 
PPT
Securityandethicalchallengesofinfornationtechnology 090902132631-phpapp02
anjalee990
 
PDF
Network Security-Module_1.pdf
Dr. Shivashankar
 
DOCX
CyberCore – Security Essentials_ Protecting Your Digital World.docx
Oscp Training
 
PPTX
Information Security Management System in the Banking Sector
Samvel Gevorgyan
 
PPSX
The myth of secure computing; management information system; MIS
Saazan Shrestha
 
PPTX
CS_Lecture01.pptx for the new lab conservatio of computer network
saad504633
 
Insights into cyber security and risk
EY
 
BYOD: Device Control in the Wild, Wild, West
Jay McLaughlin
 
Portable Biometrics (1)
Torrey Hutchison
 
Information Systems.pptx
KnownId
 
Nonprofit IT Trends 2018
Community IT Innovators
 
Information Technology Security Basics
Mohan Jadhav
 
CYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdf
Jenna Murray
 
I0516064
IOSR Journals
 
Certes webinar securing the frictionless enterprise
Jason Bloomberg
 
Add-Structure-and-Credibility-to-Your-Security-Portfolio-with-CIS-Controls-v8...
hoang971
 
Applied mobile chaos theory
SecureITExperts
 
Zero Trust: Redefining Security in the Digital Age
Arnold Antoo
 
Ethics, Professionalism and Other Emerging Technologies
Prakhyath Rai
 
Unlocking the Power of Your IBM i and Z Security Data with Google Chronicle
Precisely
 
Securityandethicalchallengesofinfornationtechnology 090902132631-phpapp02
anjalee990
 
Network Security-Module_1.pdf
Dr. Shivashankar
 
CyberCore – Security Essentials_ Protecting Your Digital World.docx
Oscp Training
 
Information Security Management System in the Banking Sector
Samvel Gevorgyan
 
The myth of secure computing; management information system; MIS
Saazan Shrestha
 
CS_Lecture01.pptx for the new lab conservatio of computer network
saad504633
 

Recently uploaded (20)

PDF
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
PPTX
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
PDF
A GUIDE TO GENETICS FOR UNDERGRADUATE MEDICAL STUDENTS
DrBincy A. S
 
PPTX
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
PPTX
Pharma ospi slides which help in ospi learning
rameetkumar304
 
PPTX
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
PDF
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
PPTX
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
PPTX
Lesson notes of climatology university.
sgladness67
 
PDF
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
PPTX
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
mathiasmelwyn7
 
PDF
GENETICS IN BIOLOGY IN SECONDARY LEVEL FORM 3
ElishamichaelSamwel
 
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
PDF
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
PDF
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
PDF
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
PDF
RMMM.pdf make it easy to upload and study
sajedul2
 
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
A GUIDE TO GENETICS FOR UNDERGRADUATE MEDICAL STUDENTS
DrBincy A. S
 
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
Pharma ospi slides which help in ospi learning
rameetkumar304
 
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
Lesson notes of climatology university.
sgladness67
 
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
mathiasmelwyn7
 
GENETICS IN BIOLOGY IN SECONDARY LEVEL FORM 3
ElishamichaelSamwel
 
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
RMMM.pdf make it easy to upload and study
sajedul2
 

biometrics and cyber security

  • 1. © Copyright Daon, 2009 1 Biometrics and Cyber SecurityBiometrics and Cyber Security Key Considerations in Protecting CriticalKey Considerations in Protecting Critical InfrastructureInfrastructure –– Now and In The FutureNow and In The Future Conor White, Chief Technology Officer, Daon
  • 2. © Copyright Daon, 2009 2 Why is Cyber Security Important in the Context of Biometric Systems?
  • 3. © Copyright Daon, 2009 3 Cyber Security & Biometrics  On the Internet, nobody knows you are a dog…. Or a terrorist …Or a student … Or a spy…
  • 4. © Copyright Daon, 2009 4 Identity is More Valuable than Money! “I can’t think of a single piece of information more critical to our ultimate security and prosperity, both as individuals and as a country, than our personal identity. The ability of an individual to establish identity, to verify “you are who you claim to be”, is critical to the many transactions that occur in a single day. As the world becomes more interdependent, as transactions become more global, and as the world embraces identity management and assurance as an element of conducting business, personal identities will become a form of global currency. Whether you are crossing a border, seeking employment, applying for a public benefit, opening a bank account, combating crime, making a purchase, enforcing immigration policy, granting access to public and private spaces, detecting terrorists ---- identity verification has limitless value.” Governor Tom Ridge Former Secretary, Department of Homeland Security
  • 5. © Copyright Daon, 2009 5 Identity Management is Fundamental to Cyber Security  Cyber Security is about establishing trust in entities accessing your networks and ensuring that they perform functions consistent with the role you define for them.  The fundamental capability necessary for any cyber security solution is Identity Management. • Biometrics is a key enabling technology in the fight to strengthen the security of systems against cyber crime  However…
  • 6. © Copyright Daon, 2009 6 …Biometric Identity Systems Will Be Attacked!  In this session we will discuss (briefly) the following cyber security topics as they relate to Biometric Systems: 1. System Level Perspective 2. Person Level Perspective 3. Independence, Flexibility, Ongoing Analysis and Adaptation
  • 7. © Copyright Daon, 2009 7 Attacks on Biometric Systems Consider the following:  Don’t have to duplicate to spoof – you just need to alter to ensure no 1:1 or 1:N match (negative identification scenarios)  As our databases grow, we struggle to achieve universality  As we seek to automate, unattended acquisition and authentication creates risk  As more systems are deployed, frequency and sophistication of attacks will increase • Microsoft OS virus vs Apple OS virus  No Biometric modality is perfect – don’t believe anybody who tells you otherwise  No silver bullet - lots of papers & patents but few commercial offerings  Industry starting to look more seriously at liveness detection – e.g. LivDet 2009 Biometrics provide a clear benefit to counteracting cyber security threats – but biometric systems can themselves be a source of weakness
  • 8. © Copyright Daon, 2009 8 How Do We Compete?  Countermeasures are required: • Enhanced Capture Software • Secured Systems • New Capture Devices • Multi-factor • Multi-modal • Supervision & Oversight – guiding standard and principles • Ability to react through flexible technology and process  Biometric matching has been a technology- and tool-centric field.  A Defense-in-Depth method of dealing with biometric & identity-related concerns takes a more holistic approach: People Technology Operations
  • 9. © Copyright Daon, 2009 9 Biometric System Threats & Countermeasures
  • 10. © Copyright Daon, 2009 10 Biometric System Vulnerabilities Key Considerations: • There is no perfect identity authentication method – every form of authentication has vulnerabilities • The entire identity eco-system is vulnerable to attack • Don’t just secure the point of authentication • Consider systemic weaknesses as well • Must provide a defense-in-depth strategy Signal Processing Data Collection Matching Storage Decision Verifier 1 2 3 4 5 6 7 8 9 10 11 Person Perspective System Perspective Source: Study report on Biometrics and E-Authentication
  • 11. © Copyright Daon, 2009 11 First Principle of Cyber Security Security by Design  Security should be designed into a solution and not “bolted on” after the fact  All solutions MUST be designed using industry-best security principles • Encryption of data – both in transit and at rest • Use of strong cryptographic techniques (e.g. HSMs) • Robust key management • Non-repudiation of events • Authorization of function • Integrity protection – data and system • Uses industry proven techniques – no “security by obscurity” Biometrics systems are vulnerable to attack at several points in the process: data collection, signal processing, data storage, and decision/action point
  • 12. © Copyright Daon, 2009 12 Location Threats Example Countermeasures 1 – Data Collection Spoofing Liveness detection - Challenge/response Multi-modal, policy-based Device substitution Mutually authenticate device Vendor agnostic architecture 2 – Raw Data Transmission Replay attack Sign data, timestamp, session tokens/nonces, HSM, FIPS 3 – Signal Processing (Software) Component replacement Sign components 5 – Matching Manipulation of match scores Debugger hostile environment Hill climbing Coarse scoring, trusted sensor, secure channel, limit attempts 7 - Storage Database compromise (reading/replacing template, changing bindings) DB access controls, sign/encrypt templates, store on secure token Audit, digital signature 9 – Decision Threshold manipulation Protected function, data protection Signal Processing Data Collection Matching Storage Decision Verifier 1 2 3 4 5 6 7 8 9 10 11 Person Perspective System PerspectiveDefense in Depth So How do We Design in the Countermeasures?
  • 13. © Copyright Daon, 2009 13 And Don’t Forget about Data Security  Provide an authentication framework that • Securely manages sensitive biometric data. • Ensures the privacy of users’ personal (e.g. biometric) data. • Resists attacks launched by insiders/outsiders. • Provides for non-repudiation of activities. • Integrates with 3rd party applications. • Scales to enterprise-wide deployments. • Is biometric-agnostic by design.  Biometric data must be stored securely • Privacy concerns (legislation) • Risk of legal challenges to signatures if stolen  Assume a hostile network • Eavesdropping on sensitive traffic. • Injection/deletion of messages  Assume a hostile environment • Database may be compromised. • Machines may be physically attacked. • Attacks launched against OS or Daon software.
  • 14. © Copyright Daon, 2009 14 In Summary  Biometrics enable stronger defense against cyber security attacks but biometric systems need to ensure that they don’t become a platform for launching an attack themselves  Design Security In – Don’t just bolt it on • Protect biometric systems using a holistic approach • Ensure all data is encrypted (in motion and at rest) • Ensure robust key management and distribution • Signing of all parties in a transaction • Tamper evidence and integrity checks throughout system • Audit trails and non-repudiation • Consider all points in a solution and look for vulnerabilities  Its NOT just about the matching algorithm!
  • 15. © Copyright Daon, 2009 15 Person-Oriented Attacks & Countermeasures
  • 16. © Copyright Daon, 2009 16 Person Oriented Attacks  Historically the focus has been finger, face, and iris however, there are several modes being refined: vein, voice, iris on the move,….  To defeat a biometric system, sometimes it is sufficient to cause distortion (i.e. to not match). • Example, distortion of fingerprints to avoid watchlist hits  Universality/Inclusivity becomes a major issue for large populations  Multi-Modal solutions work best  Systems need an adaptive architecture that can incorporate these new modes and leverage technology improvements over time The most progressive, modern systems begin as a multi-biometric platform with built in systemic security & privacy safeguards and add different biometric capabilities as needed over time!
  • 17. © Copyright Daon, 2009 17 Multi-biometric Fusion  Use fusion to improve accuracy and robustness • Increase accuracy beyond single biometric matching • Reduce FTE (broaden population) • Spoof/denial resistance • Cope with poor quality data • Sensor/user fault tolerance  Fusion performance depends on: • Input data available • Comparison algorithm accuracy • Correlations between different matcher scores • Fusion technique • Training data
  • 18. © Copyright Daon, 2009 18 Multi-Biometric Fusion in Action  Choose a platform that enables multiple biometrics to ensure optimized performance  Multi-biometric systems provide key advantages: • Increased accuracy (noise reduction) • Enhanced Usability • Greater Universality • Improved Security • Improved performance (FMR, FNMR)  As enrollment populations grow dramatically, multi- modal solutions are inevitable. Performance of large scale identity programs can be significantly improved through the use of multiple biometrics. Large scale systems should establish a core multi-biometric platform first and then choose the most applicable algorithms to suit their population, commercial and performance needs 0.1000% 1.0000% 10.0000% 100.0000% 0.0001% 0.0010% 0.0100% 0.1000% 1.0000% 10.0000% 100.0000% False Match Rate (FMR) FalseNon-MatchRate(FNMR) Face Finger Sum fusion Product fusion
  • 19. © Copyright Daon, 2009 19 In Summary  There is NO perfect biometric type  There is NO perfect biometric device or algorithm  Biometric performance will continue to increase over time, costs will decrease  Spoofing attacks will continue and gain in frequency and complexity  A flexible framework is needed to counteract these attacks  Multi-biometric systems provide best defense – with ability to continually add new technology components  Policy based normalization and fusion should be kept independent of biometric matching algorithms  Adopt a platform that enables you to take advantage of technological improvements over time
  • 20. © Copyright Daon, 2009 20 Technology Flexibility, Ongoing Analysis and Adaptation
  • 21. © Copyright Daon, 2009 21 Analysis and Adaptation  Question: How do you react to: • Biometric technologies continuously changing • Weaknesses identified in specific algorithms or devices • Spoofing techniques continuously improving • New normalization and fusion techniques emerging • Throughput and performance models emerging • …  Answer: Deploy an analysis and adaptation engine that enables you to do “what-if analysis” and understand consequences of changes ahead of implementation  Identify and correct weak points ahead of cyber attackers  Automate performance analysis of what-if scenarios: • Algorithms: Matching, Quality, Fusion • Devices/sensors • Interoperability: Cross-device analysis, multi-algorithm scenarios • Protocols e.g. 1:1, 1:N, #attempts, preferred sample types
  • 22. © Copyright Daon, 2009 22 Which Fusion? DETs 1.0E-03 1.0E-02 1.0E-01 1.0E+00 1.0E-06 1.0E-05 1.0E-04 1.0E-03 1.0E-02 1.0E-01 1.0E+00 False Match Rate (FMR) FalseNon-MatchRate(FNMR) 517_Face_C 517_Finger_LI SUM: MinMax SUM: Zscore SUM: MAD SUM: TanH PROD: FNMR PROD: Liklihood
  • 23. © Copyright Daon, 2009 23 Self Optimizing Framework for Analysis and Adaptation Biometric Performance Analysis Engine Results Analysis Policy Based Biometric Platform Biometric Performance Analysis Engine
  • 24. © Copyright Daon, 2009 24 In Summary  Vendor independence provides both a monetary ROI and a cyber- threat risk mitigation  Leverage concept of master broker to orchestrate operations of biometric components  Ensure a vendor independent framework is put in place  Ensure (i.e. prove positively) that your solution is independent of any single biometric technology provider  Maintain strict data independence from underlying device or matcher technology  Large scale programs can clearly benefit for performance analysis tools to ensure optimum use of biometrics  Deploying a system that leverages synergies between an identification broker and analysis tools enables systems to be self optimizing over time yielding better performance and mitigating against cyber security threats
  • 25. © Copyright Daon, 2009 25 Thank You – Questions? Conor White Email: conor.white@daon.com Direct: 703 984 4010