Computer Security and Biometrics - Research Paper Example

8 February

This paper illustrates the importance of information security management within the organization. The basic idea is to protect information, whether it resides in the network, in a computer system or in a database. Likewise, to address system security, all possible risks, threats and vulnerabilities must be identified for mitigation. Moreover, for authentication purposes, biometric systems are considered to be the most effective control; they are also addressed in this paper.

Introduction

Due to recurrent technological developments, information and communication technology frequently moves in new directions. Research and development in information and communication technology is very effective. However, the new and advanced forms of technology have also allowed vulnerabilities and threats to become more intelligent. Organizations require advanced protection and security from these threats and vulnerabilities. In order to protect information assets, organizations emphasize implementing logical and physical controls that protect and secure organizational assets. Security issues can have many different consequences. For example, if a server containing customer data is breached, the organization will lose credibility and trust among its customers, which will result in business loss. Similarly, if a critical system is hacked by an internal or external source, the organization's financial data along with its goals and objectives can be revealed to competitors. To counter logical and physical threats, organizations implement firewalls that perform packet filtering, elimination of viruses and malicious code, intrusion detection systems that continuously sense the behavior of the network, biometric systems for physical authentication of employees, incident response teams that recover from losses immediately, and IP cameras that monitor their critical information assets on the network.
System Security

As per (Dhillon 451), there are three types of controls that address the three systems, i.e. formal, informal and technical. An example of each is:

Formal control: modifying the organizational structure
Informal control: security awareness
Technical control: restricting unauthorized access

Formal controls assist technical controls, as they govern and address issues of integrity in applications and data that may otherwise lead to high risk and cost. Likewise, in order to govern formal controls, the assignment of jobs and responsibilities is vital, as this allocation of duties and responsibilities aligns security with business objectives. Formal controls are associated with the management aspect and deploy strategic security management practices. Security management will select employees from all departments of the organization where necessary. Moreover, security management will address data protection legislation, security audits, regulatory compliance, legal and insurance issues, hiring criteria for employees, misconduct, risk assessment, incident management and response, etc.

Informal controls are associated with security awareness programs, which are considered a cost-effective tool for making employees aware of the 'do's and don'ts' of accessing data or information resources. As the risk environment is constantly changing, a comprehensive education and security awareness program is extremely important; it should conduct periodic awareness sessions for new employees, for new technology, or for any relevant risk that needs to be addressed. Therefore, the security awareness program should be considered a 'common belief system' (Dhillon 451).

Lastly, technical controls are not limited to authenticating a user and assigning proper rights on an application or operating system. In order to apply confidentiality to data, organizations adopt encryption, hashing and encoding methods.
Likewise, the smart card is the most popular one (Dhillon 451). Moreover, to ensure non-repudiation, digital signatures are deployed through a third-party certificate authority. However, the cost of technical controls must be justifiable and cannot exceed the cost of the asset. After implementing technical controls, the job is not finished yet. For instance, if a technical control is applied on a network segment for detecting electronic eavesdropping, it may still be possible for an employee to overhear a confidential conversation through the back door of his senior manager's office. There are no significant cases on record, but the risk element is always present. In order to address residual risk, standards must be created that are also considered the minimum acceptable security.

Technical Computer System Security

Before defining the security architecture or strategy, there is one question every organization must ask itself: why do I need information system security? After identifying the purpose, weaknesses or vulnerabilities must be identified along with their impact and types. Organizations have to consider the backdoors and weak points that may allow or trigger threats to disrupt business operations by compromising an asset or information system. Moreover, a holistic approach is required to address all risks and vulnerabilities, as every minor vulnerability can expand by cascading into other risks in the system. From a technical standpoint, what needs to be protected: hardware, applications or data? That is a question the organization must answer itself, and it can only be answered by identifying and categorizing threats. As per (Dhillon 451), threats are categorized as modification, destruction, disclosure, interception, interruption and fabrication, and apply to hardware security, data security and software security. Modification is associated with changes in data or alteration of data, with or without purpose.
This modification can be performed by an employee or by software as well. Effective change management and configuration management procedures, along with documentation, are the most effective controls for minimizing security vulnerabilities that may arise from incompatible modules or hardware modification of the system. Destruction is associated with physical damage to a hardware device, network device or software. Destruction of a hardware or network device includes spilling of water, inadequate configuration, voltage variations, etc., whereas software destruction can result from malicious code, a Trojan, or unintentional deletion of the kernel of an application, etc. Similarly, data can be deleted intentionally or unintentionally and can also be lost through a malfunctioning device. Disclosure of data relates to confidentiality, i.e. access on a need-to-know basis. Data is easy to steal because the original copy still appears intact in spite of the theft. Data can be classified into many types, again depending on organizational requirements. For instance, trade secrets, upcoming financial results or long-term strategic plans of the organization can be classified as top secret, whereas customer information can be classified as confidential. Organizations conducting business online collect customer information via websites. Data can also be intercepted by unauthorized access to computing and electronic resources. Moreover, unauthorized remote access can also result in information being accessed from a remote location. Interruption affects system availability and may result from malfunctioning hardware or a power outage. Moreover, interruption of services can also be caused by a broadcast storm or network congestion, which may cause denial of service. Lastly, fabrication refers to the insertion of forged transactions into a database. Fabrication is often conducted by unauthorized parties in a way that makes it difficult to distinguish the authentic transaction from the forged one.
One example of fabrication is 'phishing'. However, in order to implement technical system security, encryption is to date the best control for protecting the integrity of data. Encryption encapsulates the data by ciphering it into another form using public and private key encryption. Likewise, asymmetric and symmetric encryption techniques are chosen as per requirements. Moreover, non-repudiation can be ensured by third-party certificate authorities. The file system of a system can be protected by keeping system updates current, maintaining and updating antivirus software, and disabling unnecessary accounts and services. Likewise, access management of a system can be maintained by a strong password policy, deactivating the administrative account on critical systems, applying an account lockout policy, etc. Furthermore, network security can be implemented by deploying an efficient software- or hardware-based firewall, installing anti-spyware/adware, deactivating remote access, etc.

Formal Computer System Security

Management of information system security requires the development of an organizational structure and processes for ensuring adequate protection and integrity. Likewise, for maintaining adequate security, appropriate organizational relationships are required to maintain the integrity of roles and responsibilities. Moreover, a major strategy and policy is required to maintain and manage information system security. However, information system security will not be effective if the organization does not realize that information security must be considered a top-level management responsibility. As it is the responsibility of the board of directors, if a top-down approach is not followed there will be no effective security governance within the organization. Moreover, considering information security solely as a technical matter will result in the failure of an information security program.
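Returning to the access-management controls listed under Technical Computer System Security above (a strong password policy and an account lockout policy), the following is an added example of how such a technical control is enforced in code. It is not code from the paper or from any cited work; the policy thresholds, the small denylist of common passwords, the in-memory account store and the injectable clock are all constructed assumptions of the example.

```python
import hashlib
import hmac
import os
import re
import time

# Added example (not from the paper): password policy plus account lockout as a
# technical access-management control. All thresholds below are constructed choices.
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "admin"}  # constructed denylist


def password_meets_policy(password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = [re.search(p, password) is not None
               for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if any(word in password.lower() for word in COMMON_PASSWORDS):
        problems.append("contains a common password fragment")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the store keeps only salt and digest, never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccountStore:
    """In-memory account store enforcing the lockout policy; the clock is injectable for testing."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}

    def create(self, username, password):
        """Refuse to create an account whose password violates the policy."""
        problems = password_meets_policy(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt, digest = hash_password(password)
        self.accounts[username] = {"salt": salt, "digest": digest,
                                   "failed": 0, "locked_until": 0.0}

    def login(self, username, password):
        """Return 'ok', 'locked' or 'bad_credentials'."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            # Spend comparable effort for unknown users so timing does not reveal valid usernames.
            hash_password(password, b"\x00" * 16)
            return "bad_credentials"
        if now < acct["locked_until"]:
            return "locked"          # lockout applies even to the correct password
        _, digest = hash_password(password, acct["salt"])
        if hmac.compare_digest(digest, acct["digest"]):
            acct["failed"] = 0       # a successful login resets the failure counter
            return "ok"
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failed"] = 0
        return "bad_credentials"


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", "Correct-Horse-Battery-7")
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.login("alice", "wrong-guess"))
    print(store.login("alice", "Correct-Horse-Battery-7"))   # locked out despite correct password
```

The lockout check runs before the password is verified, so a locked account stays locked for the full window regardless of what is submitted; a real deployment would log the lockout event for the incident response team and would usually pair the counter with rate limiting per source address rather than per account alone.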
As technical controls can only prevent threats and vulnerabilities through a specific set of technical configurations, information security management is required to demonstrate performance and measurement through security metrics. Examples include dashboards, balanced scorecards, etc., which show the current and required information security state of the organization. However, implementing information security governance at the top level alone cannot resolve all issues, as it is a multi-dimensional discipline. Information security management is a complex issue that must be reviewed and maintained on a periodic basis. Moreover, effective risk management should be in place so that organization-wide risks are identified in order to establish an effective information security management plan. Organizations must maintain a minimum acceptable standard, which will be considered the recommended information security management practice. Corporate information security policy enforcement is also essential; the policy acts as a management control and defines purpose, scope, ownership, standards, configuration requirements, enforcement and revision history. Likewise, this policy will spell out comprehensive details and include all aspects of protecting the organization's information. Furthermore, in spite of information security governance, risk management, policy and policy enforcement, user awareness remains essential. As the risk environment is constantly changing, every employee must be aware of effective practices and procedures for information security. A comprehensive training and awareness program by NIST addresses three levels of users, i.e. beginners, intermediate and professionals (Whitman and Mattord 656). Each group is addressed by customized user awareness training sessions that also include a computer-based testing environment.
Informal Computer System Security

Informal system security naturally supports formal system security within the organization. Formal systems cannot work alone unless employees accept them. Likewise, the effectiveness of a control is directly linked with user acceptance. For instance, if a biometric attendance system is installed as a physical security control, user acceptance is necessary or else the control will not be effective. However, the severity of an improper informal system is not as high as that of formal and technical security. It is a fundamental observation that humans are resistant to change. A few examples of factors that may introduce issues for information security management are:

a department becoming computerized
deployment of an ERP system
changes in management
changes in reporting

In the above examples, it is likely that most employees will welcome the changes while some will not. However, addressing these issues is important, because if an employee resists change there is a possibility that he/she will handle information security procedures inadequately, introducing security risk for the organization. Training sessions targeting these groups of people must be conducted to minimize such issues. The three systems, i.e. formal, informal and technical, and their coordination demonstrate technical, management and human-interaction factors. Protecting data and information in an organization is a collaborative effort: technical systems act as the core, covering all technical aspects; formal systems act as the management aspect; and informal systems deal with the human element.

Biometric System Security

Biometric systems are considered a deficient mechanism for information security. Likewise, a system providing information security must adhere to the three fundamental pillars of information security, i.e. confidentiality, availability and integrity, as well as non-repudiation and authentication. Organizations deploying biometric systems often do not integrate them with the existing security controls that protect information assets. Examples of these controls include segregation of duties, approvals, risk assessment, etc. There is a requirement for integrating biometric systems with the overall information security program of an organization. However, it is a challenge, because humans are reluctant to change and issues arise with increased security and unstable political relations in different regions (Charndra and Calderor 101-106). Moreover, biometric systems store authentication samples from employees, and there are often issues due to a lack of properly defined standards (Charndra and Calderor 101-106). Likewise, there is a possibility that not every organization can equip itself with biometric systems; the reason is a weak business case. A proper, strong business case must address both financial and non-financial factors. Common challenges for a biometric system span six domains. Each domain presents its own challenges, as mentioned below (Charndra and Calderor 101-106):

Business: financial feasibility, interaction with traditional controls, applications not subject to rigor, incompatibility with business partners, transition to e-business
People: user confidence, privacy issues, user acceptance, user preferences and trust
Legal and Regulatory Requirements: lack of precedent, unclear processes
System: business process, design, control, enrollment challenges, system downtime, availability of the template database and consequences of malicious code
Technical: adaptation, hardware, evolving nature of technology, scalability and uniqueness of biometrics
Operational: continuous authentication and security

Latest Research

(Zheng 1206-1212) proposed a framework for multifactor authentication by incorporating a token and biometrics.
Likewise, the framework decouples the biometric-based authentication and cryptographically binds it to the latter. In this type of construction, different authentications are processed separately, while guarding against exploitation of any single authentication process by a hacker or intruder. Moreover, confidentiality has also been addressed by incorporating a database that stores the ciphertext of the biometric templates. The tokens that are utilized for decrypting the ciphertexts during the authentication process, and the cryptographic module that hides the authentication algorithm, are also addressed in this framework. Furthermore, the biometric authentication service providers are separated from the authenticator, which is considered a new innovation in the configuration of the framework (Zheng 1206-1212).

One more piece of research, by (HAMDY and TRAORE 12-12:30), was carried out to amplify human digital security. One of the prime objectives of this research was to demonstrate, quantify and establish human visual scan and detection as a biometric element, something previously studied thoroughly by medicine and psychology researchers. Results demonstrated unique and consistent patterns for each user when exposed to abnormal visual distortion. The second objective of this research addressed the behavioral biometric factor in static user authentication (HAMDY and TRAORE 12-12:30).

Moreover, a hybrid scheme is presented by (Chen and Chen 353-361) for protecting fingerprint templates stored in a database. The research illustrates a hybrid scheme that first applies a fuzzy vault, using linear equations and chaff points, to the fingerprint templates, and then applies a noninvertible transformation region by region. The database stores only this doubly transformed form.
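To make the token-plus-biometrics design described above concrete, here is an added example; it is not Zheng's construction and not code from the paper. It shows a template database that holds only ciphertext, a decryption key derived from the secret on the user's token, and matching performed by a separate authenticator, so that neither the database operator nor a stolen token alone yields a usable template. Everything in it is an assumption of the example: the SHA-256 counter-mode keystream with an HMAC tag stands in for a proper authenticated cipher (which the Python standard library lacks), and the 256-bit templates, the bit-flip sensor noise and the 24-bit match threshold are constructed.

```python
import hashlib
import hmac
import secrets

# Added example (not Zheng's framework): encrypted template storage bound to a token.
MATCH_THRESHOLD = 24   # max differing bits accepted between template and live sample (constructed)
KDF_ROUNDS = 100_000


def derive_template_key(token_secret, user_id):
    """Per-user template key derived from the token's secret; the database never sees it."""
    return hashlib.pbkdf2_hmac("sha256", token_secret, b"template:" + user_id.encode(), KDF_ROUNDS)


def _keystream_xor(key, nonce, data):
    """SHA-256 counter-mode keystream XOR; a stand-in for an AEAD cipher, see lead-in."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal_template(key, template):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ciphertext = _keystream_xor(key, nonce, template)
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def open_template(key, blob):
    """Return the plaintext template, or None if the tag fails (wrong token or tampered record)."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _keystream_xor(key, nonce, ciphertext)


def hamming_distance(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class TemplateDatabase:
    """Holds sealed templates only; it knows neither token secrets nor the matching algorithm."""

    def __init__(self):
        self.blobs = {}

    def store(self, user_id, blob):
        self.blobs[user_id] = blob

    def fetch(self, user_id):
        return self.blobs.get(user_id)


def enroll(db, user_id, token_secret, template):
    """Enrollment: seal the template under the token-derived key before it reaches the database."""
    db.store(user_id, seal_template(derive_template_key(token_secret, user_id), template))


def authenticate(db, user_id, token_secret, live_sample):
    """Authenticator: the token unseals the template, and the live sample must then match it."""
    blob = db.fetch(user_id)
    if blob is None:
        return False
    template = open_template(derive_template_key(token_secret, user_id), blob)
    if template is None:
        return False
    return hamming_distance(template, live_sample) <= MATCH_THRESHOLD


def flip_bits(data, positions):
    """Constructed noise: flip the given bit positions to simulate sensor variation."""
    out = bytearray(data)
    for pos in positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


if __name__ == "__main__":
    db = TemplateDatabase()
    template = bytes(range(32))                 # constructed 256-bit template
    enroll(db, "alice", b"token-secret-of-alice", template)
    print(authenticate(db, "alice", b"token-secret-of-alice", flip_bits(template, range(10))))
    print(authenticate(db, "alice", b"wrong-token", template))
```

The separation of roles is the point: the database can be breached without exposing templates, a stolen token without the matching finger yields nothing, and a tampered record fails the tag check before any matching takes place.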
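The fuzzy-vault half of the Chen and Chen scheme (the region-wise noninvertible transformation is not covered) can be illustrated with a small added example; this is not the paper's code. It locks a secret polynomial with the genuine feature values, buries those points among chaff points that lie off the polynomial, and recovers the secret from a noisy query set by interpolation, which is exactly the linear-equation view the paper mentions. The prime field size, the polynomial degree, the chaff count, the integer feature values and the hash-of-secret check are constructed assumptions of the example.

```python
import hashlib
import itertools
import random

# Added example (not Chen and Chen's scheme): a simplified fuzzy vault over a prime field.
P = 65537           # prime modulus; all polynomial arithmetic is done mod P (constructed choice)
DEGREE = 3          # secret polynomial degree; DEGREE + 1 genuine points are needed to recover it
CHAFF_COUNT = 40    # chaff points mixed into each vault (constructed; real deployments use far more)


def poly_eval(coeffs, x):
    """Horner evaluation of a polynomial (coefficients lowest degree first) at x, mod P."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def interpolate(points):
    """Lagrange interpolation mod P: coefficients (lowest degree first) of the unique
    polynomial of degree < len(points) passing through the given (x, y) points."""
    n = len(points)
    coeffs = [0] * n
    for i, (xi, yi) in enumerate(points):
        basis = [1]          # running product of (x - xj) over j != i
        denom = 1
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            shifted = [0] * (len(basis) + 1)
            for k, b in enumerate(basis):
                shifted[k] = (shifted[k] - xj * b) % P
                shifted[k + 1] = (shifted[k + 1] + b) % P
            basis = shifted
            denom = denom * (xi - xj) % P
        scale = yi * pow(denom, P - 2, P) % P   # Fermat inverse of the denominator
        for k, b in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * b) % P
    return coeffs


def secret_digest(coeffs):
    """Hash stored beside the vault so the decoder can recognise the right polynomial."""
    return hashlib.sha256(",".join(str(c % P) for c in coeffs).encode()).hexdigest()


def lock(features, secret_coeffs, seed=0):
    """Bind the secret polynomial to the genuine feature values and hide them among chaff."""
    rng = random.Random(seed)             # seeded only to keep the demonstration reproducible
    genuine = {x % P: poly_eval(secret_coeffs, x % P) for x in features}
    vault = list(genuine.items())
    used_x = set(genuine)
    while len(vault) < len(genuine) + CHAFF_COUNT:
        cx = rng.randrange(1, P)
        if cx in used_x:
            continue
        cy = rng.randrange(P)
        if cy == poly_eval(secret_coeffs, cx):   # a chaff point must lie off the polynomial
            continue
        vault.append((cx, cy))
        used_x.add(cx)
    rng.shuffle(vault)                    # genuine and chaff points are indistinguishable by position
    return vault, secret_digest(secret_coeffs)


def unlock(vault, query_features, digest):
    """Recover the secret from a noisy query set, or return None if too few genuine points match."""
    query = {x % P for x in query_features}
    candidates = [(x, y) for x, y in vault if x in query]
    k = DEGREE + 1
    if len(candidates) < k:
        return None
    # Brute-force decoding: try every k-subset; only the all-genuine one reproduces the digest.
    for combo in itertools.combinations(candidates, k):
        coeffs = interpolate(list(combo))
        if secret_digest(coeffs) == digest:
            return coeffs
    return None


if __name__ == "__main__":
    enrolled = [1234, 2345, 3456, 4567, 5678, 6789, 7890, 8901]   # constructed feature values
    vault, digest = lock(enrolled, [41, 7, 99, 3], seed=7)
    print(unlock(vault, [1234, 3456, 5678, 7890, 8901, 42, 77], digest))   # noisy but genuine
    print(unlock(vault, [111, 222, 333, 444, 555, 666], digest))            # impostor
```

A query that shares enough genuine values with the enrolled set selects mostly true points and the interpolation succeeds; an impostor's values pick up at most a few chaff points, so no subset reproduces the stored digest. The chaff count is what makes a search without the finger expensive: with eight genuine points among forty chaff there are only a few hundred thousand subsets to try, which is why real parameters use far more chaff and real minutiae rather than the constructed integers here.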
In this way, brute force attacks can be prevented and the template database is more difficult to compromise.

Conclusion

We have discussed the three concepts proposed by (Dhillon 451) covering the formal, informal and technical dimensions of threats affecting information systems. We have also discussed biometric security challenges representing five domains, each having its own challenges. Moreover, we have also discussed research and studies addressing fingerprint template databases. These studies show better ways of protecting the authentication process and the security of databases by incorporating different methods and techniques.

Works Cited

Charndra, Akhilesh, and Thomas Calderor. "Challenges and Constraints to the Diffusion of Biometrics in Information Systems." Communications of the ACM 48.12 (2005): 101-6.
Chen, Haiyong, and Hailiang Chen. "A Hybrid Scheme for Securing Fingerprint Templates." International Journal of Information Security 9.5 (2010): 353-61.
Dhillon, Gurpreet. Principles of Information Systems Security: Text and Cases. Hoboken, NJ: John Wiley & Sons, 2007.
Hamdy, Omar, and Issa Traore. "Homogeneous Physio-Behavioral Visual and Mouse-Based Biometric." ACM Transactions on Computer-Human Interaction (TOCHI) 18.3 (2011): 12, 12:30.
Schatten, Markus, Miroslav Baca, and Mirko Cubrilo. "Towards a General Definition of Biometric Systems." International Journal of Computer Science Issues (IJCSI) 7.4 (2010): 1-7.
Whitman, Michael E., and Herbert J. Mattord. Principles of Information Security. Course Technology.
Zheng, Jian De. "A Framework for Token and Biometrics Based Authentication in Computer Systems." Journal of Computers 6.6 (2011): 1206-12.
Retrieved from https://studentshare.org/information-technology/1394861-computer-security-and-biometrics