Title: The Official (ISC)2 SSCP CBK Reference
Author: Mike Wills
Publisher: John Wiley & Sons Limited
Genre: Foreign computer literature
isbn: 9781119874874
Iris or Retina Scan Biometric measurements of the eye proceed similarly. The iris is the colorful part of the eye that surrounds the pupil, which is the dark circle in the middle. Gradations of color and patterns of light and dark are distinctive for any individual. These colors and these patterns persist throughout a lifetime, with little change due to age or illness, making the iris one of the most reliable forms of biometric measurement. Biometric scans using the retina are even more individualistic than those of the iris. The retina, a thin segment of light-sensitive tissue at the back of the eye, contains both arteries and veins. The structure of the inner retinal vasculature is unique to each human eye, differing even for identical twins. It can be recorded for biometric use by means of infrared light. To acquire a good picture of the back of the eye, it is necessary for the individual being measured to place their eye directly up against a viewpiece similar to that of a microscope; some people find this experience physically or psychologically uncomfortable. Another drawback of retinal scans is that the appearance of the retina can be affected by diseases of the eye such as glaucoma and cataracts or even the progression of diseases such as diabetes.
Facial Recognition Facial recognition uses measurements of the external geometry of the face, such as the positions, sizes, and relative orientations of the eye sockets, nose, mouth, chin, and ears, as its basis for comparison, typically using visible light measurements. It can also use infrared measurements to identify and map the subcutaneous (below the skin) blood vessels and structures. All of this data about the subject is first collected during identity provisioning and then measured again as part of authentication. Minor changes in facial hair, skin tone or tan, health, and even the changes due to aging can be accommodated by the measurement and comparison technologies now widely in use.
New Factor Type: Something You Do
Two broad applications of user security behavior analysis are part of the current security landscape, although one is much more well-developed than the other at the time of this writing. The first is the use of behavioral patterns, primarily ones associated with simple motions or actions, as additional authentication factors used with access control systems. Voice print identification, signature and handwriting dynamics, and keystroke dynamics are all available in the marketplace today. The second is the use of behavioral analytics to monitor ongoing user behavior to assess whether a legitimate subject is behaving in abnormal ways. Changes in behavior might be a precursor or indicator of a possible security incident. Employees can be under stress because of health or family concerns, which can lead to making mistakes or choosing wrong courses of action. In other instances, disgruntled employees might experience dissatisfaction and stress that builds to a tipping point and they react. Employees can also be vulnerable to coercion, extortion, or other threats. Some of these stresses (but not all) may show in biometric identification readings. Others may show in larger patterns of behavior, such as patterns of applications use, data accesses, or interactions in the workplace. Behavioral analytics as a form of predictive intelligence is a hot topic in security research and analytics research worldwide and could be a game-changing technology in the very near term.
Behavioral biometric methods are good examples of “something you do” rather than “something you are,” in that they all relate to measuring actions you take over time. The most frequently used forms of behavioral biometrics include the following:
Voice Print Voice print authentication systems typically work by capturing a digital recording of a subject speaking one of several prompted phrases and then comparing that to a recording of the subject speaking the same phrase during the identity provisioning process. Digital signal processing techniques are constantly improving the ability of these systems to deal with minor illness, slight changes in cadence or tone, or ambient conditions while still providing acceptable rates of false match or false reject errors.
Signature or Handwriting Dynamics Handwriting dynamics measures the speed and direction of the pen or stylus tip as a subject writes their signature or a standardized short phrase; in some instances, a pressure-sensitive pad and stylus can also gather useful data on how forcefully the subject presses the stylus into the pad. Without these measurements, digital signature or handwriting analysis reduces to more classical graphological analysis techniques, which can with good reliability distinguish authentic handwriting samples from clever forgeries or detect indications that the writer is under stress.
Keystroke Dynamics Keystroke dynamics can also be used for biometric purposes. In this application, the characteristics of key presses—dwell time, for example, and the pauses between and after certain key combinations—can be recorded and registered as belonging to the legitimate user, for later comparison. As with signature dynamics, keystroke analysis verges on a new dimension of biometric security. It represents, perhaps, “something you do” as opposed to “something you are.”
In some high-security settings, access control systems also provide a distress code, a way in which the employee can signal the security team to indicate either an overt emergency (such as urgent medical need, a fire, or even an active shooter) or a covert signal that they are under duress, such as an armed assailant is trying to force them to grant access to restricted areas or systems. Both types of distress codes can protect your employees from further harm, although even in military settings, the duress code option asks the employee to put themselves even further into harm's way. Your organization's security and safety requirements need to be carefully balanced if you're considering duress codes as an option.
Considerations When Using Biometric Methods
Regardless of the specific technology that is used, biometric techniques all involve the same stages of preparation as any other authentication method. First, the user must be enrolled, and the characteristics that will be used for authentication are captured and recorded as part of the registration process. This creates a reference profile to which comparisons can be made. Preparations must be made for the secure storage of reference profiles and their retrieval in a timely way. A method must be available to verify, promptly and within specified accuracy limits, whether a person claiming an identity should be authenticated. A final requirement is a secure method of updating the reference profile when the characteristics to be compared change (due to age or illness, for example) or revoking the reference profile when it is no longer needed, has expired, or can no longer be trusted to be accurate.
Let the specific information security and risk mitigation needs of each system and situation dictate how you specify, design, configure, and maintain your choice of biometric access authentication technologies. Situations that involve high levels of risk to life and limb, such as safety of aircraft flight or medical laboratory information systems in a major hospital, demand that you tolerate extremely low false acceptance rates, and as a result, you'll have to ensure that users and other team members appreciate the risks and the concomitant need for more extreme security measures.
If, on the other hand, you are responsible for adjusting the office badge reader at a newspaper office, you will want to consider trying to keep the false rejection rate reasonably low—if only to avoid reading flaming editorials complaining about how security has run amok in modern society.
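The enrollment, verification, profile-update and threshold-tuning stages described above, as an added example that is not from the book: it uses keystroke dwell times (the "something you do" factor covered earlier) with constructed sample timings, a per-key mean/spread reference profile, and a mean absolute z-score as the match distance. That scoring model is a deliberate simplification chosen for illustration, not any vendor's algorithm. Sweeping the accept threshold over constructed genuine and impostor attempts makes the false-acceptance/false-rejection trade-off visible; pick_threshold chooses the loosest threshold that keeps FAR within a risk-driven bound (tight for the aircraft or hospital case, relaxed for the newspaper badge reader), and re_enroll shows how a reference profile can be refreshed as a user's typing drifts.

```python
"""Added example: keystroke-dynamics enrollment, verification and FAR/FRR tuning.

A reference profile is built from several enrollment sessions of one passphrase,
later attempts are scored against it, and a threshold decides accept/reject.
All timings below are constructed for illustration, not a real dataset.
"""
from statistics import mean, pstdev

# Constructed dwell times (ms) for a four-key passphrase, one list per enrollment session.
ENROLLMENT_SESSIONS = [
    [104, 116, 94, 106],
    [96, 124, 94, 106],
    [104, 116, 86, 114],
    [96, 124, 86, 114],
]

# Constructed later attempts by the legitimate user; the last one is a slow, stressed session.
GENUINE_ATTEMPTS = [
    [102, 118, 92, 108],
    [108, 120, 90, 114],
    [100, 128, 90, 110],
    [112, 132, 90, 110],
]

# Constructed attempts by other typists entering the same passphrase.
IMPOSTOR_ATTEMPTS = [
    [140, 150, 130, 150],
    [105, 125, 95, 115],
    [80, 100, 70, 90],
    [100, 120, 97, 117],
]


def enroll(sessions):
    """Build the reference profile: per-key mean dwell time and spread.

    The spread is floored at 1 ms so a key typed with identical timing in every
    session cannot cause a division by zero when scoring.
    """
    keys = range(len(sessions[0]))
    means = [mean(s[k] for s in sessions) for k in keys]
    spreads = [max(pstdev([s[k] for s in sessions]), 1.0) for k in keys]
    return {"mean": means, "spread": spreads, "sessions": [list(s) for s in sessions]}


def distance(profile, attempt):
    """Mean absolute z-score of an attempt against the profile (0.0 means identical)."""
    if len(attempt) != len(profile["mean"]):
        raise ValueError("attempt length does not match the enrolled passphrase")
    return mean(abs(a - m) / s for a, m, s in zip(attempt, profile["mean"], profile["spread"]))


def verify(profile, attempt, threshold):
    """Accept the attempt when its distance is within the configured threshold."""
    return distance(profile, attempt) <= threshold


def error_rates(profile, genuine, impostors, threshold):
    """Return (FAR, FRR) for one threshold over labelled genuine and impostor attempts."""
    false_accepts = sum(verify(profile, a, threshold) for a in impostors)
    false_rejects = sum(not verify(profile, a, threshold) for a in genuine)
    return false_accepts / len(impostors), false_rejects / len(genuine)


def sweep(profile, genuine, impostors, thresholds):
    """Tabulate (threshold, FAR, FRR) so the trade-off can be inspected."""
    return [(t, *error_rates(profile, genuine, impostors, t)) for t in thresholds]


def pick_threshold(profile, genuine, impostors, thresholds, max_far):
    """Loosest threshold whose FAR stays within max_far, giving the lowest FRR that bound allows.

    Returns None when no candidate threshold meets the bound.
    """
    acceptable = [t for t, far, _ in sweep(profile, genuine, impostors, thresholds) if far <= max_far]
    return max(acceptable) if acceptable else None


def re_enroll(profile, accepted_attempt):
    """Refresh the reference profile with a freshly verified attempt (handles gradual drift)."""
    return enroll(profile["sessions"] + [list(accepted_attempt)])


if __name__ == "__main__":
    ref = enroll(ENROLLMENT_SESSIONS)
    candidates = [0.6, 1.0, 2.0]
    for t, far, frr in sweep(ref, GENUINE_ATTEMPTS, IMPOSTOR_ATTEMPTS, candidates):
        print(f"threshold={t:.1f}  FAR={far:.2f}  FRR={frr:.2f}")
    print("life-safety setting (FAR must be 0):",
          pick_threshold(ref, GENUINE_ATTEMPTS, IMPOSTOR_ATTEMPTS, candidates, 0.0))
    print("office badge setting (FAR up to 0.3):",
          pick_threshold(ref, GENUINE_ATTEMPTS, IMPOSTOR_ATTEMPTS, candidates, 0.3))
```

Note how the loosest threshold accepts every genuine attempt but also lets two impostor sessions through, while the strictest rejects half of the legitimate user's own sessions; the choice between them is the risk decision the text describes, not a property of the sensor.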
In selecting a set of biometric tools for authentication, it is certainly