@ISACA Volume 2  25 January 2017

Challenges Associated With Biometrics


Biological measurements are one of the oldest techniques used for identification. You may know it as anthropometry. This process of measuring different parts of the human body to identify an individual was developed during the early 1700s and was used in criminal profiling as early as the 1940s. These techniques had fallen out of favor for identifying individuals due to the inconsistencies of the measurements resulting from the position of the individual during measuring; the devices used in taking the measurements (e.g., tape measures, yard sticks, calipers); and the perceived existence of doppelgangers.

But biological measurements are making a comeback. Advances in technology have made available new identification techniques known as biometrics. Biometrics is the identification of individuals by their characteristics or traits. This includes areas forged by anthropometry and new, more advanced techniques. Some of the more common areas of measurement and pattern recognition include face recognition, finger and handprint recognition, and iris and retina scanning.

Biometrics, when used to identify humans, is a study in probability. There are a lot of variables that can determine how effective biometrics can be when used for identification. This includes variables such as the technique and technology for collecting the biometric information (known as the biometric template), and the function for which the biometric is collected (e.g., access control, identification of individuals from video or images). This article is meant to give some insight into why security professionals should understand the technology and techniques used in biometrics and the challenges they present.

Collection of Biometric Data

Many organizations use contact readers for fingerprints. As part of my job, I have been asked to compromise several contact fingerprint readers. I can say there are several simple techniques for compromising these biometric readers. To further complicate the issue, a small number of individuals do not have fingerprints. In some instances, readers only capture partial fingerprints, making matching the biometric very difficult, if not impossible. Facial recognition readers have been compromised using 3-D pictures of faces. Depending on the importance of the individual, 3-D printers could be used to compromise facial recognition software. Retina scans can create a denial of service if an individual, for example, consumes alcohol the night before using it, distorting the retina results.

Today, state-of-the-art techniques for collecting biometric data include devices such as touchless fingerprint scanners and iris and face scanners that can collect data up to 5 feet away. Having to contact a surface to capture a fingerprint distorts the image. Contactless readers are opening up a whole new study in fingerprint analysis as the biometric data become 3-D. This allows both the pattern of the fingerprint and the depth of the pattern to be considered for matching. Soon, 10K cameras could be used to capture biometrics, such as fingerprints, passively from afar as people walk past them. These distances could exceed 5 feet.

Use of Biometric Data

There are very few true biometric authentication systems. Most systems are hybrid authentication systems, i.e., an individual provides a personal identifier, the system pulls the corresponding biometric template, and the biometric presented at the challenge point and the returned biometric template are compared. This comparison considers a number of unique identifiers for that particular biometric. This number can vary to ensure adequate speed through the challenge point or the capabilities of the reader. In the applications where someone is being identified within a picture or video, the number of unique identifiers must be increased as the number of candidates that match will increase. So, based on different applications, the accuracy of the biometric processing varies.
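The hybrid flow described above (identifier, template lookup, comparison on a set of unique identifiers) and the point that a larger candidate pool demands more agreeing identifiers, as an added Python example that is not part of the article. The templates, the live sample, the 10% per-identifier chance-match rate and the independence of identifiers are all constructed assumptions, not values from the page.

```python
import math

# Constructed templates: each is a set of identifier IDs (for a fingerprint,
# think minutiae points). Real readers hold far richer data than this model.
ENROLLED = {
    "alice": {1, 2, 3, 4, 5, 6, 7, 8},
    "bob":   {1, 2, 9, 10, 11, 12, 13, 14},
    "carol": {1, 3, 9, 15, 16, 17, 18, 19},
}
LIVE_SAMPLE = {1, 2, 3, 4, 5, 6, 20, 21}   # constructed: partial capture from alice

def verify_1_to_1(enrolled, user_id, sample, required):
    """Hybrid authentication: the claimed identity selects one template to compare."""
    template = enrolled.get(user_id)
    return template is not None and len(template & sample) >= required

def identify_1_to_n(enrolled, sample, required):
    """Identification: every enrolled template is a candidate."""
    return sorted(uid for uid, tpl in enrolled.items() if len(tpl & sample) >= required)

def chance_match_prob(k, n, q):
    """P(at least k of n identifiers agree with a stranger's template by chance),
    assuming each identifier agrees independently with probability q."""
    return sum(math.comb(n, i) * q**i * (1 - q)**(n - i) for i in range(k, n + 1))

def per_comparison_budget(target_false_match, candidates):
    """Per-comparison false-match probability allowed so that the chance of at
    least one false match across `candidates` comparisons stays <= target."""
    return 1.0 - (1.0 - target_false_match) ** (1.0 / candidates)

def required_identifiers(n, q, budget):
    """Smallest number of agreeing identifiers whose chance-match probability
    fits the budget; None if even all n identifiers do not."""
    for k in range(1, n + 1):
        if chance_match_prob(k, n, q) <= budget:
            return k
    return None

if __name__ == "__main__":
    print(verify_1_to_1(ENROLLED, "alice", LIVE_SAMPLE, required=5))  # True
    print(identify_1_to_n(ENROLLED, LIVE_SAMPLE, required=2))         # low threshold: 3 candidates
    # 12 identifiers per template, 10% chance each agrees with a stranger's:
    one_to_one = required_identifiers(12, 0.1, 1e-3)
    one_to_many = required_identifiers(12, 0.1, per_comparison_budget(1e-3, 1000))
    print(one_to_one, one_to_many)  # 6 vs 9: a 1,000-candidate pool needs more identifiers
```

The same threshold that is adequate for a one-to-one check at the door lets several candidates through once the sample is compared against a whole enrolment database, which is the article's point about video and image identification.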

There are concerns about legal precedent that could require that alternative identification be provided in addition to biometrics. It is crucial that an organization inform employees in writing that a biometric system is going to be implemented. Unionized workers present another level of cooperation that needs to be considered when implementing biometrics in the workplace. Informing your employees and resolving any potential issues should occur prior to buying biometric systems.

Biometrics is an interesting development, and technology and techniques are changing at an accelerated rate. Some tips to consider when using biometrics are:

  • Try not to rely on one biometric for access control. The more identification methods you use, the higher the probability you are identifying the correct person.
  • Understand what the industry standard is for identifying an individual based on the number of unique identifiers for the biometric that you are considering.
  • Understand the risk with the biometric reader or scanner being used. In some cases, add monitoring to ensure the challenge point is not being compromised.
  • Consider the correct biometric for the application. For example, using fingerprints in an environment where employees come in contact with caustic chemicals is probably not a good match.

Biometrics is a study in probability. Like other aspects of security, biometrics is about risk management. Know the risk associated with biometrics and the collection and matching of that biometric, and mitigate that risk.

Bruce R. Wilkins, CISA, CRISC, CISM, CGEIT, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins provides secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.


Solving Business Problems With COBIT 5


COBIT 5 is a useful framework for resolving business problems, and seeing how it can be implemented helps practitioners better leverage it. To help enterprises learn how to use COBIT 5 to address problems, ISACA is presenting the Solving Business Problems with COBIT 5 webinar. This webinar will take place on 26 January at 11 AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

Peter Tessin, CISA, CRISC, CGEIT, will lead this webinar. In it, he will present a business problem and then walk through how COBIT 5 can help isolate the problem and prevent it from happening in the future. Attendees will learn how to solve business problems by applying COBIT 5 concepts and tools.

To learn more about this webinar or to register for it, visit the Solving Business Problems with COBIT 5 page of the ISACA website.


Developing an Effective Privacy Program


With the proliferation of connected devices, people and enterprises are becoming more concerned about their privacy. But emerging technologies and legal requirements can make implementing a privacy management program challenging. By aligning privacy principles with commonly used privacy standards, frameworks and good practices, the Privacy Principles and Program Management Guide can be used to help enterprises overcome common privacy concerns.

The guide, which provides instruction on using COBIT 5 to implement a privacy program, emphasizes establishing and maintaining an enterprise privacy strategy. By understanding the relationship between laws and privacy principles, enterprises can better develop a privacy program. The guide also helps enterprises identify the best privacy protections for their needs.

Privacy Principles and Program Management Guide can be purchased from the ISACA bookstore. This book costs US $35 for members and US $70 for non-members.


Smashing the Information Security Policy for Fun and Profit


It is necessary for enterprises to have an information security policy, but an outdated policy can do significant harm to an organization. ISACA Journal volume 1 author David Eduardo Acosta R., CISA, CRISC, CISM, BS 25999 LA, CCNA Security, CEH, CHFI Trainer, CISSP Instructor, PCI QSA, OPST, discusses the ways in which work-to-rule can undermine an information security strategy in his article “Smashing the Information Security Policy for Fun and Profit.”

One of the chief components of an organization’s information security strategy is the security policy. This is a compulsory, high-level administrative document that sets out the strategic objectives and principles of information security that must be adhered to in any activity that may affect the organization’s environment and defines the responsibilities and roles of all the actors involved. By way of a rhetorical comparison, it could be said that an information security policy is to an organization what a constitution (or the Magna Carta) would be to a country.

However, just like an organization’s physical or logical assets, the documentary and administrative components of an organization have vulnerabilities and can be exploited to impact its security and operation. Sadly, these kinds of vulnerabilities are not taken into account in a “traditional” risk analysis, leaving the organization exposed to potential attacks, such as a “work-to-rule.”

Undermining a poorly written information security policy can be fairly easy. Taking into account that the vast majority of these documents are based on generic templates, are rarely reviewed, are not adapted to the actualities of the organization’s business or the current state of its information environment, and generally do not include procedures for managing exceptions, the reality of adhering strictly to these types of regulations can lead to delays in operation and/or consequences for the integrity, confidentiality or availability of information. With the addition of the obligation-to-comply factor on the part of those involved, such failures can be amplified by means of a work-to-rule, causing productivity losses to the business, with knock-on effects that are both financial and operational (i.e., affecting service level agreements [SLAs]).

Additionally, an information security policy is supported and complemented by auxiliary documents that focus more on specific areas/topics whose importance is classified according to the degree of obligation they entail. This is the situation for regulations, standards, procedures, technical instructions, guides, recommendations, etc. The implementation of a work-to-rule would be possible via any of these components of an organization’s regulatory framework.

Several illustrative examples of work-to-rule on an information security policy or a vulnerable auxiliary document include:

  • A company’s information security policy makes it obligatory for “all operating systems susceptible to malware to have an updated, working antivirus solution installed.” However, this organization has within its computer pool a series of stations with limited hardware used as point-of-sale (POS) terminals. A work-to-rule can be implemented through the obligatory installation of antivirus software on these stations, with the ensuing impact on their performance and availability adversely affecting customer response times and normal operation, as well as their response to daily transactions and sales.
  • The information security policy makes it obligatory to install security updates during the month following their release by the manufacturers. The work-to-rule could be applied to the unplanned-for updates to critical components by merely complying with the time frames indicated, which can affect the availability of the company’s services.
  • With regard to password management, the policy states that “changes to passwords that have been forgotten must be applied with physical validation of the user’s identity.” If the user is not in the city or the country, the administrator in charge of the change may apply the work-to-rule to the implementation of this check, thereby affecting the user’s access.

Additional examples can be found in the implementation of policies on change management and user management, where often the stages for request, approval and implementation tend to be very strict and the implicit red tape can be exploited in a process of work-to-rule, impacting the company’s normal operation.

Unfortunately, the organization affected by this problem cannot contradict itself by making its workers disobey the security policy’s controls, since this would invalidate the regulations; thus, the situation leaves the company at the mercy of the resulting procedural chaos.

Read David Eduardo Acosta R’s full ISACA Journal article, “Smashing the Information Security Policy for Fun and Profit.”