I have been in IT Security for a long time, probably at least 20+ years. I first got started in the Biometrics field. Of course, I had no idea what this was all about, so I had to teach myself a lot about what the technology is. From there, I started my first security gig, in which I was reselling Hand Geometry Scanners and Fingerprint Scanners from two leading vendors.
I had to define my market, and I decided to focus on Physical Access Entry applications. This simply meant that I would present these two devices as a means to replace the traditional lock and key. I thought that this would be a more or less easier sales cycle, because who wouldn’t want an automated way to open up their doors?
Well, I was proved wrong, and in a big way. Despite the craze that Biometrics got after the 9/11 attacks (especially that of Facial Recognition), people either simply did not understand it, or simply did not care about it. As a result, I found myself educating people about it more than selling it. Of course, I did not make much money in those years that I had the business, but this new path put me on a different trajectory.
I ended up closing down this first business, and opened up a new one 15 years ago. This focused on content generation about Biometrics, such as authoring articles and doing podcasts with top Biometrics vendors. I even wrote and published three books on this subject through a leading publisher, CRC Press. But now fast forward some 20 years later to the present time.
Where is Biometrics today? Honestly, I have been out of the field for too long to see where the trends are. One fact that I do know of is that it has gained strong acceptance as an authentication mechanism for an MFA solution. In this regard, both Fingerprint Recognition and Iris Recognition have received a lot of attention.
But despite the good that Biometrics can bring to an organization, it is one of those technologies that still receives more negative attention. And now, it may be at its worst. Just in November of 2023, the Department of Defense (DoD) released a detailed report about the specific weaknesses of Biometrics. This report can be downloaded at this link:
http://cyberresources.solutions/blogs/DOD_Biometrics.pdf
But to just summarize, here are some of the major weaknesses that were reviewed in the report:
* Data Theft: This was compared to stealing a password, and from there, access to just about anything can be gained.
* Spoofing/Impersonation: There were instances where something like a Fingerprint Recognition Template was hijacked and spoofed in order to gain access to a highly secure area.
* Data Privacy: Just like AI, Biometrics are often viewed as a “black box solution”. Meaning, you give it the input, and from there, you get the output, with no knowledge as to how the insides of the system work. This has led to huge concerns with respect to data protection and privacy.
* Integration: To the best of my knowledge, it appears that Biometrics is not being heavily used as a standalone solution. Rather, it is being used as an add-on, such as in MFA, as reviewed earlier. So, there are integration challenges here as well, especially if Biometrics is going to be used to further secure our Critical Infrastructure.
My Thoughts On This:
In fact, Biometric data is now viewed as “Personally Identifiable Information” (or “PII” for short). Because of this, it is now subject to data privacy laws such as the GDPR, CCPA, HIPAA, etc. More details on this can be seen at the link below:
https://www.darkreading.com/cyber-risk/thought-gdpr-compliance-was-hard-buckle-up
Now again, I am not sure about all of the technological advancements that have occurred recently with regard to Biometrics, but one thing I can tell you for sure is that when an image of a fingerprint is captured, it is usually converted into a mathematical file. In this case, it would be a binary one, which is represented as a series of 1’s and 0’s, like this: 1100010101000100111. So if you think about it, if a Cyberattacker were to steal this, what could they do with it?
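To make concrete what such a binary template is and how a system actually uses it, here is an added illustration; it is not code from the original post or from any biometric vendor. The templates are constructed bit strings (the enrolled one mirrors the post's example), not real fingerprint data, and the decision threshold is a hypothetical tuning value. The point it shows is that a matcher never tests for exact equality: a fresh capture of the same finger differs from the enrolled template in a few bits, so the system accepts anything within a distance threshold and rejects the rest.

```python
"""Added illustration, not from the original post: how a biometric matcher
compares the kind of binary template the post describes.  All templates are
constructed bit strings, not real fingerprint data, and MAX_DISTANCE is a
hypothetical tuning value chosen for the example."""

# Constructed enrolled template, mirroring the post's example bit string.
ENROLLED = "1100010101000100111"

# Constructed probes.  A new capture of the same finger never reproduces the
# enrolled bits exactly (sensor noise, pressure, rotation), so the genuine
# probe differs in 2 positions; the impostor probe is an unrelated pattern.
GENUINE_PROBE = "1100010101000110101"
IMPOSTOR_PROBE = "0011101010111001010"

# Hypothetical decision threshold: the largest number of differing bits the
# system still treats as the same person.  Raising it lowers false rejects
# of legitimate users but raises the chance of a false accept.
MAX_DISTANCE = 3


def hamming_distance(a: str, b: str) -> int:
    """Count the bit positions in which two equal-length bit strings differ."""
    if len(a) != len(b):
        raise ValueError("templates must have the same length")
    return sum(x != y for x, y in zip(a, b))


def is_match(enrolled: str, probe: str, max_distance: int = MAX_DISTANCE) -> bool:
    """Match/no-match decision: accept when the probe is within the threshold."""
    return hamming_distance(enrolled, probe) <= max_distance


def decision_report(enrolled: str, probes: dict, max_distance: int = MAX_DISTANCE) -> dict:
    """Return {label: (distance, accepted)} for each probe, as a matcher log would record it."""
    return {
        label: (hamming_distance(enrolled, probe), is_match(enrolled, probe, max_distance))
        for label, probe in probes.items()
    }


if __name__ == "__main__":
    report = decision_report(ENROLLED, {"genuine": GENUINE_PROBE, "impostor": IMPOSTOR_PROBE})
    for label, (distance, accepted) in report.items():
        print(f"{label}: distance={distance} accepted={accepted}")
```

Because the decision is a threshold on distance rather than an equality check, the threshold itself is a security setting: it is where the false-accept and false-reject rates are traded against each other, and it deserves the same review as any other access-control parameter when the system is deployed.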
IMHO, not much really. It’s not like stealing a credit card number. And for that matter, there should really be no issue at all with data privacy laws, unless the end user has some sort of extremely unique identifier that is associated with their particular Template. I can agree with the last point, but in terms of spoofing, I still find that a little hard to believe.
One of the only ways I can see this happening is if an image of a fingerprint has been left on the sensor and has not been completely wiped away. If you choose to use Biometrics as a means of defense, my best advice would be to deploy it with the same amount of caution as you would with other Cyber related devices, and use the same approaches to make sure that it will work well in your particular environment.