Date post: | 04-Apr-2018 |
7/30/2019 Biometrics and Cyber Security
Copyright Daon, 2009
Biometrics and Cyber Security
Key Considerations in Protecting Critical Infrastructure, Now and In The Future
Conor White, Chief Technology Officer, Daon
Why is Cyber Security Important in the Context of Biometric Systems?
Cyber Security & Biometrics
On the Internet, nobody knows you are a dog.
Or a terrorist... Or a student... Or a spy...
Identity is More Valuable than Money!
I can't think of a single piece of information more critical to our ultimate
security and prosperity, both as individuals and as a country, than our personal
identity. The ability of an individual to establish identity, to verify you are
who you claim to be, is critical to the many transactions that occur in a single
day. As the world becomes more interdependent, as transactions become more
global, and as the world embraces identity management and assurance as an
element of conducting business, personal identities will become a form of
global currency. Whether you are crossing a border, seeking employment,
applying for a public benefit, opening a bank account, combating crime, making
a purchase, enforcing immigration policy, granting access to public and private
spaces, detecting terrorists -- identity verification has limitless value.
Governor Tom Ridge
Former Secretary, Department of Homeland Security
Identity Management is Fundamental to Cyber Security
Cyber Security is about establishing trust in entities accessing your networks and ensuring that they perform functions consistent with the role you define for them.
The fundamental capability necessary for any cyber security solution is Identity Management.
Biometrics is a key enabling technology in the fight to strengthen the security of systems against cyber crime
However...
Biometric Identity Systems Will Be Attacked!
In this session we will discuss (briefly) the following cyber security topics as they relate to Biometric Systems:
1. System Level Perspective
2. Person Level Perspective
3. Independence, Flexibility, Ongoing Analysis and Adaptation
Attacks on Biometric Systems
Consider the following:
Don't have to duplicate to spoof: you just need to alter to ensure no 1:1 or 1:N match (negative identification scenarios)
As our databases grow, we struggle to achieve universality
As we seek to automate, unattended acquisition and authentication creates risk
As more systems are deployed, frequency and sophistication of attacks will increase
Microsoft OS virus vs Apple OS virus
No Biometric modality is perfect: don't believe anybody who tells you otherwise
No silver bullet - lots of papers & patents but few commercial offerings
Industry starting to look more seriously at liveness detection, e.g. LivDet 2009
Biometrics provide a clear benefit to counteracting cyber security threats, but biometric systems can themselves be a source of weakness
How Do We Compete?
Countermeasures are required:
Enhanced Capture Software
Secured Systems
New Capture Devices
Multi-factor
Multi-modal
Supervision & Oversight - guiding standard and principles
Ability to react through flexible technology and process
Biometric matching has been a technology- and tool-centric field.
A Defense-in-Depth method of dealing with biometric & identity-related concerns takes a more holistic approach:
People, Technology, Operations
Biometric System Threats & Countermeasures
Biometric System Vulnerabilities
Key Considerations:
There is no perfect identity authentication method: every form of authentication has vulnerabilities
The entire identity eco-system is vulnerable to attack
Don't just secure the point of authentication
Consider systemic weaknesses as well
Must provide a defense-in-depth strategy
[Figure: biometric system model showing Data Collection, Signal Processing, Matching, Storage, Decision and Verifier, with attack points numbered 1 to 11, divided into a Person Perspective and a System Perspective]
Source: Study report on Biometrics and E-Authentication
First Principle of Cyber Security
Security by Design
Security should be designed into a solution and not bolted on after the fact
All solutions MUST be designed using industry-best security principles
Encryption of data both in transit and at rest
Use of strong cryptographic techniques (e.g. HSMs)
Robust key management
Non-repudiation of events
Authorization of function
Integrity protection: data and system
Uses industry proven techniques: no security by obscurity
Biometrics systems are vulnerable to attack at several points in the process: data collection, signal processing, data storage, and decision/action point
| Location | Threats | Example Countermeasures |
|---|---|---|
| 1 Data Collection | Spoofing | Liveness detection - Challenge/response; Multi-modal, policy-based |
| | Device substitution | Mutually authenticate device; Vendor agnostic architecture |
| 2 Raw Data Transmission | Replay attack | Sign data, timestamp, session tokens/nonces, HSM, FIPS |
| 3 Signal Processing | (Software) Component replacement | Sign components |
| 5 Matching | Manipulation of match scores | Debugger hostile environment |
| | Hill climbing | Coarse scoring, trusted sensor, secure channel, limit attempts |
| 7 - Storage | Database compromise (reading/replacing template, changing bindings) | DB access controls, sign/encrypt templates, store on secure token; Audit, digital signature |
| 9 Decision | Threshold manipulation | Protected function, data protection |
[Figure: the same system model, with attack points 1 to 11 across Data Collection, Signal Processing, Matching, Storage, Decision and Verifier; Person Perspective and System Perspective]
Defense in Depth
So How do We Design in the Countermeasures?
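The replay-attack row of the table (sign data, timestamp, session tokens/nonces), worked through as an added example that is not from the original slides. HMAC-SHA256 with a shared per-device key stands in for the device signature; the 30-second window, the message fields and all names are assumptions.

```python
import hashlib
import hmac
import json
import secrets

MAX_AGE_SECONDS = 30  # assumed freshness window, not from the slides

def _tag(key, nonce, timestamp, sample_hex):
    body = json.dumps([nonce, timestamp, sample_hex]).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def sign_capture(key, nonce, sample, timestamp):
    """Capture device: bind the raw sample to the server nonce and a timestamp."""
    sample_hex = sample.hex()
    return {"nonce": nonce, "timestamp": timestamp, "sample": sample_hex,
            "tag": _tag(key, nonce, timestamp, sample_hex)}

class CaptureVerifier:
    """Server: issues one-time nonces and checks each capture message."""
    def __init__(self, key):
        self._key = key
        self._open_nonces = set()

    def new_challenge(self):
        nonce = secrets.token_hex(16)
        self._open_nonces.add(nonce)
        return nonce

    def verify(self, msg, now):
        expected = _tag(self._key, msg["nonce"], msg["timestamp"], msg["sample"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad-tag"          # altered sample, nonce or timestamp
        if abs(now - msg["timestamp"]) > MAX_AGE_SECONDS:
            return "stale"            # old capture presented late
        if msg["nonce"] not in self._open_nonces:
            return "replayed"         # nonce never issued or already used
        self._open_nonces.discard(msg["nonce"])
        return "accepted"

def demo():
    key = secrets.token_bytes(32)     # constructed per-device key
    server = CaptureVerifier(key)
    msg = sign_capture(key, server.new_challenge(), b"constructed-sample", 1000.0)
    tampered = dict(msg, sample=b"swapped-sample".hex())
    late = sign_capture(key, server.new_challenge(), b"constructed-sample", 1000.0)
    return [server.verify(tampered, 1001.0), server.verify(msg, 1001.0),
            server.verify(msg, 1002.0), server.verify(late, 2000.0)]
```

The nonce is consumed only after the tag and timestamp checks pass, so a rejected message cannot burn a legitimate session's challenge.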
And Don't Forget about Data Security
Provide an authentication framework that:
Securely manages sensitive biometric data.
Ensures the privacy of users' personal (e.g. biometric) data.
Resists attacks launched by insiders/outsiders.
Provides for non-repudiation of activities.
Integrates with 3rd party applications.
Scales to enterprise-wide deployments.
Is biometric-agnostic by design.
Biometric data must be stored securely
Privacy concerns (legislation)
Risk of legal challenges to signatures if stolen
Assume a hostile network
Eavesdropping on sensitive traffic.
Injection/deletion of messages
Assume a hostile environment
Database may be compromised.
Machines may be physically attacked.
Attacks launched against OS or Daon software.
In Summary
Biometrics enable stronger defense against cyber security attacks, but biometric systems need to ensure that they don't become a platform for launching an attack themselves
Design Security In: Don't just bolt it on
Protect biometric systems using a holistic approach
Ensure all data is encrypted (in motion and at rest)
Ensure robust key management and distribution
Signing of all parties in a transaction
Tamper evidence and integrity checks throughout system
Audit trails and non-repudiation
Consider all points in a solution and look for vulnerabilities
It's NOT just about the matching algorithm!
Person-Oriented Attacks & Countermeasures
Person Oriented Attacks
Historically the focus has been finger, face, and iris; however, there are several modes being refined: vein, voice, iris on the move, ...
To defeat a biometric system, sometimes it is sufficient to cause distortion (i.e. to not match). Example: distortion of fingerprints to avoid watchlist hits
Universality/Inclusivity becomes a major issue for large populations
Multi-Modal solutions work best
Systems need an adaptive architecture that can incorporate these new modes and leverage technology improvements over time
The most progressive, modern systems begin as a multi-biometric platform with built-in systemic security & privacy safeguards and add different biometric capabilities as needed over time!
Multi-biometric Fusion
Use fusion to improve accuracy and robustness
Increase accuracy beyond single biometric matching
Reduce FTE (broaden population)
Spoof/denial resistance
Cope with poor quality data
Sensor/user fault tolerance
Fusion performance depends on:
Input data available
Comparison algorithm accuracy
Correlations between different matcher scores
Fusion technique
Training data
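Added example, not from the original slides: sum-rule fusion of a face and a finger score using the MinMax, Zscore and TanH normalizations named in this deck's DET chart legend, with the policy kept outside the matchers. The score ranges, training samples, 0.6 threshold and all function names are constructed, and the tanh estimator here uses plain mean and standard deviation instead of robust estimators.

```python
import math
import statistics

# Constructed matcher scores on deliberately different scales.
FACE_TRAINING = [0, 20, 40, 60, 80, 100]
FINGER_TRAINING = [0, 1000, 2000, 3000, 4000, 5000]

def raw(score, training):
    return score  # no normalization: the larger scale dominates the sum

def min_max(score, training):
    lo, hi = min(training), max(training)
    return (score - lo) / (hi - lo)

def z_score(score, training):
    return (score - statistics.mean(training)) / statistics.pstdev(training)

def tanh_norm(score, training):
    # Simplified tanh estimator: maps any score into (0, 1).
    return 0.5 * (math.tanh(0.01 * z_score(score, training)) + 1.0)

def fuse_sum(scores, normalize):
    """Sum rule (averaged) over per-modality normalized scores."""
    parts = [normalize(scores["face"], FACE_TRAINING),
             normalize(scores["finger"], FINGER_TRAINING)]
    return sum(parts) / len(parts)

def decide(scores, normalize=min_max, threshold=0.6):
    # Policy (normalizer and threshold) lives here, outside any matcher.
    # The threshold is only meaningful for the normalizer it was tuned on.
    return fuse_sum(scores, normalize) >= threshold

# Constructed probes: both modalities agree vs. face mismatch, strong finger.
BOTH_AGREE = {"face": 80, "finger": 4000}
FACE_MISMATCH = {"face": 0, "finger": 4100}

if __name__ == "__main__":
    for name, fn in [("raw", raw), ("min_max", min_max),
                     ("z_score", z_score), ("tanh", tanh_norm)]:
        print(name, fuse_sum(BOTH_AGREE, fn), fuse_sum(FACE_MISMATCH, fn))
```

Without normalization the face-mismatch probe outranks the probe where both modalities agree; every normalizer reverses that ordering.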
In Summary
There is NO perfect biometric type
There is NO perfect biometric device or algorithm
Biometric performance will continue to increase over time, costs will decrease
Spoofing attacks will continue and gain in frequency and complexity
A flexible framework is needed to counteract these attacks
Multi-biometric systems provide best defense with ability to continually add new technology components
Policy based normalization and fusion should be kept independent of biometric matching algorithms
Adopt a platform that enables you to take advantage of technological improvements over time
Technology Flexibility, Ongoing Analysis and Adaptation
Analysis and Adaptation
Question: How do you react to:
Biometric technologies continuously changing
Weaknesses identified in specific algorithms or devices
Spoofing techniques continuously improving
New normalization and fusion techniques emerging
Throughput and performance models emerging
Answer: Deploy an analysis and adaptation engine that enables you to do what-if analysis and understand consequences of changes ahead of implementation
Identify and correct weak points ahead of cyber attackers
Automate performance analysis of what-if scenarios:
Algorithms: Matching, Quality, Fusion
Devices/sensors
Interoperability: Cross-device analysis, multi-algorithm scenarios
Protocols, e.g. 1:1, 1:N, #attempts, preferred sample types
Which Fusion? DETs
[Figure: DET curves, False Non-Match Rate (FNMR, axis 1.0E-03 to 1.0E+00) against False Match Rate (FMR, axis 1.0E-06 to 1.0E+00). Series: 517_Face_C; 517_Finger_LI; SUM: MinMax; SUM: Zscore; SUM: MAD; SUM: TanH; PROD: FNMR; PROD: Likelihood]
Self Optimizing Framework for Analysis and Adaptation
[Diagram: Biometric Performance Analysis Engine, Results Analysis, Policy Based Biometric Platform]
In Summary
Vendor independence provides both a monetary ROI and a cyber-threat risk mitigation
Leverage concept of master broker to orchestrate operations of biometric components
Ensure a vendor independent framework is put in place
Ensure (i.e. prove positively) that your solution is independent of any single biometric technology provider
Maintain strict data independence from underlying device or matcher technology
Large scale programs can clearly benefit from performance analysis tools to ensure optimum use of biometrics
Deploying a system that leverages synergies between an identification broker and analysis tools enables systems to be self optimizing over time, yielding better performance and mitigating against cyber security threats
Thank You. Questions?
Conor White
Email: [email protected]: 703 984 4010