IT Assessment
authentication process requires the user to speak the same phrase so that the technology can compare the current voiceprint against the stored value.
Effectiveness of Biometrics
Biometric technologies are evaluated on three basic criteria: the false reject rate, which is the percentage of authorized users who are denied access; the false accept rate, which is the percentage of unauthorized users who are granted access; and the crossover error rate, the level at which the number of false rejections equals the false acceptances.
The false reject rate describes the number of legitimate users who are denied access because of a failure in the biometric device. This failure is known as a Type I error. While a nuisance to authorized users who fail to authenticate, this error rate is probably of little concern to security professionals because rejection of an authorized user represents no threat to security. Therefore, the false reject rate is often ignored unless it reaches a level high enough to generate complaints from irritated users who were wrongly rejected. For example, most people have experienced the frustration of having a credit card or ATM card fail to perform because of problems with the magnetic strip. In the field of biometrics, similar problems can occur when a system fails to pick up properly the various information points it uses to authenticate a prospective user.
The false accept rate conversely describes the number of unauthorized users who somehow are granted access to a restricted system or area, usually because of a failure in the biometric device. This failure is known as a Type II error and is unacceptable to security professionals.
The crossover error rate (CER), the point at which false reject and false accept rates intersect, is possibly the most common and important overall measure of accuracy for a biometric system. Most biometric systems can be adjusted to compensate both for false positive and false negative errors. Adjustment to one extreme creates a system that requires perfect matches and results in a high rate of false rejects, but almost no false accepts. Adjustment to the other extreme produces a low rate of false rejects, but excessive false accepts. The trick is to find the balance between providing the requisite level of security and minimizing the frustrations of authentic users. Thus, the optimal setting is somewhere near the point at which the two error rates are equal—the CER. CERs are used to compare various biometrics and may vary by manufacturer. If a biometric device provides a CER of 1 percent, its failure rates for false rejections and false acceptance are both 1 percent. A device with a CER of 1 percent is considered superior to a device with a CER of 5 percent.
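As an added illustration that is not part of the textbook, the following Python sweeps a match-score threshold over a constructed set of genuine (authorized) and impostor (unauthorized) scores, reports the false reject rate and false accept rate at each setting, and locates the crossover point where the two are equal. The score values, the 0 to 1 score range, and all function names are assumptions made for this example.

```python
from typing import Iterable, List, Tuple

# Constructed sample match scores (assumed 0..1 range, higher = closer match to
# the enrolled template). Genuine = authorized users, impostor = unauthorized.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.74, 0.70, 0.65, 0.60]
IMPOSTOR_SCORES = [0.73, 0.71, 0.68, 0.66, 0.62, 0.58, 0.50, 0.45, 0.40, 0.35]


def false_reject_rate(genuine: Iterable[float], threshold: float) -> float:
    """Type I error: share of authorized users scoring below the threshold."""
    scores = list(genuine)
    return sum(1 for s in scores if s < threshold) / len(scores)


def false_accept_rate(impostor: Iterable[float], threshold: float) -> float:
    """Type II error: share of unauthorized users scoring at or above it."""
    scores = list(impostor)
    return sum(1 for s in scores if s >= threshold) / len(scores)


def error_curve(genuine, impostor, steps: int = 100) -> List[Tuple[float, float, float]]:
    """(threshold, FRR, FAR) for each threshold from 0.0 to 1.0 in 1/steps increments."""
    return [
        (i / steps,
         false_reject_rate(genuine, i / steps),
         false_accept_rate(impostor, i / steps))
        for i in range(steps + 1)
    ]


def crossover_error_rate(genuine, impostor, steps: int = 100) -> Tuple[float, float]:
    """Threshold where FRR and FAR are closest to equal, and the CER at that point."""
    t, frr, far = min(error_curve(genuine, impostor, steps),
                      key=lambda row: abs(row[1] - row[2]))
    return t, (frr + far) / 2


if __name__ == "__main__":
    # The strict and lenient extremes show the trade-off the text describes.
    for t in (0.95, 0.30):
        print(f"threshold {t:.2f}: FRR={false_reject_rate(GENUINE_SCORES, t):.2f} "
              f"FAR={false_accept_rate(IMPOSTOR_SCORES, t):.2f}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER ~ {cer:.2f} at threshold {t:.2f}")
```

With the constructed scores, a very strict threshold rejects every genuine user and accepts no impostor, a very lenient one does the reverse, and the curves cross at about 20 percent; a real deployment would tune the threshold near that point and then compare devices by their CER.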
Acceptability of Biometrics
As you’ve learned, a balance must be struck between a security system’s acceptability to users and how effective it is in maintaining security. Many biometric systems that are highly reliable and effective are considered intrusive by users. As a result, many information security professionals don’t implement these systems, in an effort to avoid confrontation and possible user boycott of the biometric controls. Table 6-1 shows how certain biometrics rank in terms of effectiveness and acceptance. Interestingly, the orders of effectiveness and acceptance are almost exactly opposite.
For more information on using biometrics for identification and authentication, read NIST SP 800-76-1 and SP 800-76-2 at http://csrc.nist.gov/publications/PubsSPs.html.
336 Chapter 6
Copyright 2018 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-300
Access Control Architecture Models
Key Terms
covert channels: Unauthorized or unintended methods of communications hidden inside a computer system.
reference monitor: Within the TCB, a conceptual piece of the system that manages access controls—in other words, it mediates all access to objects by subjects.
storage channels: TCSEC-defined covert channels that communicate by modifying a stored object, such as in steganography.
timing channels: TCSEC-defined covert channels that communicate by managing the relative timing of events.
trusted computing base (TCB): Under the Trusted Computer System Evaluation Criteria (TCSEC), the combination of all hardware, firmware, and software responsible for enforcing the security policy.
Security access control architecture models, which are often referred to simply as architecture models, illustrate access control implementations and can help organizations quickly make improvements through adaptation. Formal models do not usually find their way directly into usable implementations; instead, they form the theoretical foundation that an implementation uses. These formal models are discussed here so you can become familiar with them and see how they are used in various access control approaches. When a specific implementation is put into place, noting that it is based on a formal model may lend credibility, improve its reliability, and lead to improved results. Some models are implemented into computer hardware and software, some are implemented as policies and practices, and some are
Biometrics          Universality  Uniqueness  Permanence  Collectability  Performance  Acceptability  Circumvention
Face                H             L           M           H               L            H              L
Facial Thermogram   H             H           L           H               M            H              H
Fingerprint         M             H           H           M               H            M              H
Hand Geometry       M             M           M           H               M            M              M
Hand Vein           M             M           M           M               M            M              H
Eye: Iris           H             H           H           M               H            H              H
Eye: Retina         H             H           M           L               H            L              H
DNA                 H             H           H           L               H            L              L
Odor & Scent        H             H           H           L               L            M              L
Voice               M             L           L           M               L            H              L
Signature           L             L           L           H               L            H              L
Keystroke           L             L           L           M               L            M              M
Gait                M             L           L           H               L            H              M
Table 6-1 Ranking of Biometric Effectiveness and Acceptance
Note: In the table, H = High, M = Medium, and L = Low. From multiple sources.[3]
Access Control 337