Debate Session (III) – Why risk management and vulnerability assessment is important?

Dr Ted Dunstone, Chair Technical Panel Biometrics Institute, CEO Biometix.


Presentation Transcript


  1. Debate Session (III) – Why risk management and vulnerability assessment is important? Dr Ted Dunstone, Chair Technical Panel Biometrics Institute, CEO Biometix

  2. Some Debate Questions
     • What are the main vulnerability points of ABC systems and their known (and unknown) strengths and weaknesses?
     • What are current known real world biometric attacks?
     • What are the implications of these attacks? And how to mitigate them?
     • How to ensure vulnerability is included in overall ABC risk management?
     • How to assess the risks and what are the methods for penetration testing?
     • What is a research direction for vulnerability detection for ABC systems?
     • How to encourage border management agencies to address potential vulnerabilities?
     • How to exchange and share the experiences on this topic?

  3. Biometrics & Vulnerability Now
     • Things are changing rapidly (at last!)
     • BVEAG Meeting in London
     • ISO standards still primarily address performance testing but 30107 addresses presentation attack (spoofing)
     • Two NIST conferences on biometric performance – both had significant content relating to vulnerabilities
     • LivDet – 2009, 2011, 2013 fingerprint liveness detection competition
     • Tabula Rasa – Trusted Biometrics under Spoofing Attacks
     • BEAT – Biometrics Evaluation and Testing
     • Governments are including “spoof resistance” in procurement specs

  4. Some Real Vulnerability Cases
     Japan: Fingerprint Spoofing (Published 29 January 2010)
     • Two South Korean women using special tapes on their fingers
     Canada: Facial Spoofing (November 2010) - Air Canada
     US: Fingerprints Removed
     • Cancer drug Capecitabine removed fingerprints
     • Brazilian Hospital
     • (March 2013)

  5. Vulnerability Web Results
     • Biometric Spoofing: 8,140,000
     • Fingerprint Biometric Spoofing: 547,000
     • Face Biometric Spoofing: 276,000
     • Iris Biometric Spoofing: 97,900
     • Voice Biometric Spoofing: 3,200,000 (!)
     • Speaker Verification Biometric Spoofing: 1,750,000

  6. Aims
     • Recognise that biometric vulnerability has become mainstream and share some of the activities that are underway
     • Find ways to improve transparency so that all parties speak a common language and understand how systems can be/have been tested.
     • Procurement specs, test results and statements about performance should be objective and unambiguous.
     • Improve the spoof resistance of biometric systems, leading to wider deployment.

  7. Vulnerability Checklist
     • What are the common vulnerabilities for your technology (including biometrics)?
     • Do you have a risk management plan, and does it include the potential for biometric vulnerability?
     • Are you aware of the difference between a standard false accept rate and a biometric vulnerability?
     • For your system, what vulnerability related documentation exists?
     • Are there any configuration options for the vulnerability detection?
     • Will there be tradeoffs in performance using the vulnerability detection?
     • How is a potential vulnerability notified?
     • What types of conditions might create a false vulnerability alert?
     • Do you have a plan in your enrolment or verification workflow that supports vulnerability?
     • What mitigations can be established to protect against vulnerabilities?
     • Would you use external resources to conduct an assessment?
