Debate Session (III) – Why risk management and vulnerability
assessment is important?
Dr Ted Dunstone, Chair Technical Panel Biometrics Institute,
CEO Biometix
Some Debate Questions
• What are the main vulnerability points of ABC systems and their known (and unknown) strengths and weaknesses?
• What are current known real world biometric attacks?
• What are the implications of these attacks? And how to mitigate them?
• How to ensure vulnerability is included in overall ABC risk management?
• How to assess the risks and what are the methods for penetration testing?
• What is a research direction for vulnerability detection for ABC systems?
• How to encourage border management agencies to address potential vulnerabilities?
• How to exchange and share the experiences on this topic?
Biometrics & Vulnerability Now
• Things are changing rapidly (at last!)
– BVEAG Meeting In London
– ISO standards still primarily address performance testing but 30107 addresses presentation attack (spoofing)
– Two NIST conferences on biometric performance – both had significant content relating to vulnerabilities
– LivDet – 2009, 2011, 2013 fingerprint liveness detection competition
– Tabula Rasa – Trusted Biometrics under Spoofing Attacks
– BEAT – Biometrics Evaluation and Testing
– Governments are including “spoof resistance” in procurement specs
Some Real Vulnerability Cases
Japan: Fingerprint Spoofing (Published 29 January 2010)
• Two South Korean women using special tapes on their fingers
Canada: Facial Spoofing (November 2010) - Air Canada
US: Fingerprints Removed
• Cancer drug Capecitabine removed fingerprints
• Brazilian Hospital
• (March 2013)
Vulnerability Web Results
• Biometric Spoofing: 8,140,000
• Fingerprint Biometric Spoofing: 547,000
• Face Biometric Spoofing: 276,000
• Iris Biometric Spoofing: 97,900
• Voice Biometric Spoofing: 3,200,000 (!)
• Speaker Verification Biometric Spoofing (1,750,000)
Aims
• Recognise that biometric vulnerability has become mainstream and share some of the activities that are underway
• Find ways to improve transparency so that all parties speak a common language and understand how systems can be/have been tested.
• Procurement specs, test results and statements about performance should be objective and unambiguous.
• Improve the spoof resistance of biometric systems, leading to wider deployment.
Vulnerability Checklist
• What are the common vulnerabilities for your technology (including biometrics)?
• Do you have a risk management plan, and does it include the potential for biometric vulnerability?
• Are you aware of the difference between a standard false accept rate and a biometric vulnerability?
• For your system, what vulnerability-related documentation exists?
• Are there any configuration options for the vulnerability detection?
• Will there be tradeoffs in performance using the vulnerability detection?
• How is a potential vulnerability notified?
• What types of conditions might create a false vulnerability alert?
• Do you have a plan in your enrolment or verification workflow that supports vulnerability?
• What mitigations can be established to protect against vulnerabilities?
• Would you use external resources to conduct an assessment?