Information Security Management Handbook, Fifth Edition
AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401 E-mail: orders@crcpress.com
AUERBACH PUBLICATIONS
A CRC Press Company
Boca Raton London New York Washington, D.C.
Information Security Management Handbook, Fifth Edition
Edited by
Harold F. Tipton, CISSP
Micki Krause, CISSP
This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.
Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher.
All rights reserved. Authorization to photocopy items for internal or personal use, or the personal or internal use of specific clients, may be granted by CRC Press LLC, provided that $1.50 per page photocopied is paid directly to Copyright clearance Center, 222 Rosewood Drive, Danvers, MA 01923 USA. The fee code for users of the Transactional Reporting Service is ISBN 0-8493-1997-8 /03/$0.00+$1.50. The fee is subject to change without notice. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying.
Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation, without intent to infringe.
Visit the CRC Press Web site at www.crcpress.com
© 2004 by CRC Press LLC Auerbach is an imprint of CRC Press LLC
No claim to original U.S. Government works International Standard Book Number 0-8493-1997-8
Library of Congress Card Number 2003061151
Library of Congress Cataloging-in-Publication Data
Information security management handbook / Harold F. Tipton, Micki Krause, editors.—5th ed. p. cm.
Includes bibliographical references and index. ISBN 0-8493-1997-8 (alk. paper)
1. Computer security—Management—Handbooks, manuals, etc. 2. Data protection—Handbooks, manuals, etc. I. Tipton, Harold F. II. Krause, Micki.
QA76.9.A25I54165 2003
658′.0558—dc22 2003061151
“To purchase your own copy of this or any of Taylor & Francis or Routledge’s collection of thousands of eBooks please go to www.eBookstore.tandf.co.uk.”
nologies. All rights reserved.
Chapter 18, “Packet Sniffers and Network Monitors,” by James S. Tiller, CISA, CISSP, and Bryan D. Fish, CISSP, ©Lucent Technologies. All rights reserved.
Chapter 30, “ISO/OSI Layers and Characteristics,” by George G. McBride, CISSP, ©Lucent Technologies. All rights reserved.
Chapter 32, “IPSec Virtual Private Networks,” by James S. Tiller, CISA, CISSP, ©INS. All rights reserved.
Chapter 58, “Security Patch Management,” by Jeffrey Davis, CISSP, ©Lucent Technologies. All rights reserved.
Chapter 62, “Trust Governance in a Web Services World,” by Daniel D. Houser, CISSP, MBA, e-Biz+, © Nationwide Mutual Insurance Company. All rights reserved.
Chapter 68, “Security Assessment,” by Sudhanshu Kairab, ©Copyright 2003 INTEGRITY. All rights reserved.
Chapter 70, “A Progress Report on the CVE Initiative,” by Robert Martin, Steven Christey, and David Baker, ©Copyright 2003 MITRE Corp. All rights reserved.
Chapter 87, “How to Work with a Managed Security Service Provider,” by Laurie Hill McQuillan, ©2003. Laurie Hill McQuillan. All rights reserved.
Chapter 99, “Digital Signatures in Relational Database Applications,” by Mike R. Prevost, ©2002 Mike R. Prevost and Gradkell Systems, Inc. Used with permission.
Chapter 108, “Three New Models for the Application of Cryptography,” by Jay Heiser, CISSP, ©Lucent Technologies. All rights reserved.
Chapter 110, “Message Authentication,” by James S. Tiller, CISA, CISSP, ©INS. All rights reserved.
Chapter 128, “Why Today’s Security Technologies Are So Inadequate: History, Implications, and New Approaches,” by Steven Hofmeyr, Ph.D., ©2003 Sana Security. All rights reserved.
Chapter 131, “Improving Network-Level Security through Real-Time Monitoring and Intrusion Detection,” by Chris Hare, CISSP, CISA, ©International Network Services. All rights reserved.
Chapter 142, “Liability for Lax Computer Security in DDOS Attacks,” by Dorsey Morrow, JD, CISSP, ©2003. Dorsey Morrow. All rights reserved.
Chapter 152, “CIRT: Responding to Attack,” by Chris Hare, CISSP, CISA, ©International Network Services. All rights reserved.
Table of Contents
Contributors ... xxiii
Introduction ... xli
1 ACCESS CONTROL SYSTEMS AND METHODOLOGY ... 1
Section 1.1
Access Control Techniques
1 Enhancing Security through Biometric Technology... 5
Stephen D. Fried, CISSP
2 Biometrics: What’s New?... 21
Judith M. Myerson
3 Controlling FTP: Providing Secured Data Transfers ... 27
Chris Hare, CISSP, CISA
Section 1.2
Access Control Administration
4 Privacy in the Healthcare Industry... 45
Kate Borten, CISSP
5 The Case for Privacy... 55
Michael J. Corby, CISSP
Section 1.3
Identification and Authentication Techniques
6 Biometric Identification... 61
Donald R. Richards, CPP
7 Single Sign-On for the Enterprise ... 77
Ross A. Leo, CISSP
Section 1.4
Access Control Methodologies and Implementation
Christina M. Bird, Ph.D., CISSP
Section 1.5
Methods of Attack
10 Hacker Tools and Techniques ... 121
Ed Skoudis, CISSP
11 A New Breed of Hacker Tools and Defenses ... 135
Ed Skoudis, CISSP
12 Social Engineering: The Forgotten Risk ... 147
John Berti, CISSP and Marcus Rogers, Ph.D., CISSP
13 Breaking News: The Latest Hacker Attacks and Defenses ... 155
Ed Skoudis, CISSP
14 Counter-Economic Espionage... 165
Craig A. Schiller, CISSP
Section 1.6
Monitoring and Penetration Testing
15 Penetration Testing ... 179
Stephen D. Fried, CISSP
16 Penetration Testing ... 191
Chuck Bianco, FTTR, CISA, CISSP
2 TELECOMMUNICATIONS, NETWORK, AND INTERNET SECURITY ... 197
Section 2.1
Communications and Network Security
17 Understanding SSL ... 203
Chris Hare, CISSP, CISA
18 Packet Sniffers and Network Monitors... 217
James S. Tiller, CISA, CISSP and Bryan D. Fish, CISSP
19 Secured Connections to External Networks... 235
Steven F. Blanding
20 Security and Network Technologies... 249
Chris Hare, CISSP, CISA
Steven F. Blanding
23 What’s Not So Simple about SNMP? ... 287
Chris Hare, CISSP, CISA
24 Network and Telecommunications Media: Security from the
Ground Up... 297
Samuel Chun, CISSP
25 Security and the Physical Network Layer ... 311
Matthew J. Decker, CISSP, CISA, CBCP
26 Security of Wireless Local Area Networks ... 319
Franjo Majstor, CISSP
27 Securing Wireless Networks ... 329
Sandeep Dhameja, CISSP
28 Wireless Security Mayhem: Restraining the Insanity
of Convenience... 339
Mark T. Chapman, MSCS, CISSP, IAM
29 Wireless LAN Security Challenge ... 349
Frandinata Halim, CISSP, CCSP, CCDA, CCNA, MSCE and Gildas Deograt, CISSP
30 ISO/OSI Layers and Characteristics ... 363
George G. McBride, CISSP
Section 2.2
Internet/Intranet/Extranet
31 Enclaves: The Enterprise as an Extranet ... 373
Bryan T. Koch, CISSP
32 IPSec Virtual Private Networks ... 383
James S. Tiller, CISA, CISSP
33 Firewalls: An Effective Solution for Internet Security... 407
E. Eugene Schultz, Ph.D., CISSP
34 Internet Security: Securing the Perimeter... 413
Douglas G. Conorich
35 Extranet Access Control Issues... 423
Christopher King, CISSP
Keith Pasley, CISSP
38 Security of Communication Protocols and Services ... 457
William Hugh Murray, CISSP
39 An Introduction to IPSec ... 467
William Stackpole, CISSP
40 VPN Deployment and Evaluation Strategy... 475
Keith Pasley, CISSP
41 How to Perform a Security Review of a Checkpoint Firewall... 493
Ben Rothke, CISSP
42 Comparing Firewall Technologies ... 513
Per Thorsheim
43 The (In) Security of Virtual Private Networks ... 523
James S. Tiller, CISA, CISSP
44 Cookies and Web Bugs... 539
William T. Harding, Ph.D., Anita J. Reed, CPA, and Robert L. Gray, Ph.D.
45 Leveraging Virtual Private Networks ... 549
James S. Tiller, CISA, CISSP
46 Wireless LAN Security ... 561
Mandy Andress, CISSP, SSCP, CPA, CISA
47 Security for Broadband Internet Access Users... 567
James Trulove
48 New Perspectives on VPNs ... 575
Keith Pasley, CISSP
49 An Examination of Firewall Architectures ... 581
Paul A. Henry, CISSP, CNE
Section 2.3
E-mail Security
50 Instant Messaging Security Issues ... 601
William Hugh Murray, CISSP
Section 2.4
Secure Voice Communications
Valene Skerpac, CISSP
Section 2.5
Network Attacks and Countermeasures
53 Packet Sniffers: Use and Misuse... 639
Steve A. Rodgers, CISSP
54 ISPs and Denial-of-Service Attacks ... 649
K. Narayanaswamy, Ph.D.
3 INFORMATION SECURITY MANAGEMENT ... 667
Section 3.1
Security Management Concepts and Principles
55 The Human Side of Information Security... 663
Kevin Henry, CISA, CISSP
56 Security Management ... 677
Ken Buszta, CISSP
57 Measuring ROI on Security ... 685
Carl F. Endorf, CISSP, SSCP, GSEC
58 Security Patch Management... 689
Jeffrey Davis, CISSP
Section 3.2
Change Control Management
59 Configuration Management: Charting the Course for the
Organization ... 697
Mollie E. Krehnke, CISSP, IAM and David C. Krehnke, CISSP, CISM, IAM
Section 3.3
Data Classification
60 Information Classification: A Corporate Implementation
Guide... 715
Jim Appleyard
Section 3.4
Risk Management
Daniel D. Houser, CISSP, MBA, e-Biz+
63 Risk Management and Analysis ... 751
Kevin Henry, CISA, CISSP
64 New Trends in Information Risk Management... 759
Brett Regan Young, CISSP, CBCP
65 Information Security in the Enterprise ... 767
Duane E. Sharp
66 Managing Enterprise Security Information ... 779
Matunda Nyanchama, Ph.D., CISSP and Anna Wilson, CISSP, CISA
67 Risk Analysis and Assessment ... 795
Will Ozier
68 Security Assessment ... 821
Sudhanshu Kairab, CISSP, CISA
69 Cyber-Risk Management: Technical and Insurance Controls
for Enterprise-Level Security... 829
Carol A. Siegel, Ty R. Sagalow, and Paul Serritella
Section 3.5
Employment Policies and Practices
70 A Progress Report on the CVE Initiative ... 845
Robert Martin, Steven Christey, and David Baker
71 Roles and Responsibilities of the Information Systems
Security Officer ... 865
Carl Burney, CISSP
72 Information Protection: Organization, Roles, and Separation
of Duties ... 871
Rebecca Herold, CISSP, CISA, FLMI
73 Organizing for Success: Some Human Resources Issues
in Information Security ... 887
Jeffrey H. Fenton, CBCP, CISSP and James M. Wolfe, MSM
74 Ownership and Custody of Data ... 899
William Hugh Murray, CISSP
76 Information Security Policies from the Ground Up ... 917
Brian Shorten, CISSP, CISA
77 Policy Development... 925
Chris Hare, CISSP, CISA
78 Toward Enforcing Security Policy: Encouraging Personal
Accountability for Corporate Information Security Policy ... 945
John O. Wylder, CISSP
79 The Common Criteria for IT Security Evaluation ... 953
Debra S. Herrmann
80 A Look at the Common Criteria ... 969
Ben Rothke, CISSP
81 The Security Policy Life Cycle: Functions
and Responsibilities ... 979
Patrick D. Howard, CISSP
Section 3.7
Security Awareness Training
82 Maintaining Management’s Commitment... 989
William Tompkins, CISSP, CBCP
83 Making Security Awareness Happen ... 999
Susan D. Hansche, CISSP
84 Making Security Awareness Happen: Appendices... 1011
Susan D. Hansche, CISSP
Section 3.8
Security Management Planning
85 Maintaining Information Security during Downsizing... 1023
Thomas J. Bray, CISSP
86 The Business Case for Information Security: Selling Management on the Protection of Vital Secrets
and Products ... 1029
Sanford Sherizen, Ph.D., CISSP
Michael J. Corby, CISSP
89 Outsourcing Security ... 1061
James S. Tiller, CISA, CISSP
4 APPLICATION PROGRAM SECURITY ... 1073
Section 4.1
Application Issues
90 Security Models for Object-Oriented Databases... 1077
James Cannady
91 Web Application Security... 1083
Mandy Andress, CISSP, SSCP, CPA, CISA
92 Security for XML and Other Metadata Languages ... 1093
William Hugh Murray, CISSP
93 XML and Information Security ... 1101
Samuel C. McClintock
94 Application Security ... 1109
Walter S. Kobus, Jr., CISSP
95 Covert Channels... 1115
Anton Chuvakin, Ph.D., GCIA, GCIH
96 Security as a Value Enhancer in Application Systems
Development ... 1123
Lowell Bruce McCulley, CISSP
97 Open Source versus Closed Source... 1139
Ed Skoudis, CISSP
Section 4.2
Databases and Data Warehousing
98 Reflections on Database Integrity... 1157
William Hugh Murray, CISSP
99 Digital Signatures in Relational Database Applications... 1165
Mike R. Prevost
100 Security and Privacy for Data Warehouses:
101 Enterprise Security Architecture ... 1193
William Hugh Murray, CISSP
102 Certification and Accreditation Methodology ... 1205
Mollie E. Krehnke, CISSP, IAM and David C. Krehnke, CISSP, CISM, IAM
103 System Development Security Methodology... 1221
Ian Lim, CISSP and Ioana V. Carastan, CISSP
104 A Security-Oriented Extension of the Object Model for the
Development of an Information System... 1235
Sureerut Inmor, Vatcharaporn Esichaikul, and Dencho N. Batanov
Section 4.4
Malicious Code
105 A Look at Java Security ... 1251
Ben Rothke, CISSP
106 Malware and Computer Viruses ... 1257
Robert M. Slade, CISSP
Section 4.5
Methods of Attack
107 Methods of Auditing Applications ... 1287
David C. Rice, CISSP and Graham Bucholz
5 CRYPTOGRAPHY ... 295
Section 5.1
Use of Cryptography
108 Three New Models for the Application of Cryptography... 1299
Jay Heiser, CISSP
109 Auditing Cryptography: Assessing System Security ... 1309
Steve Stanek
Section 5.2
Cryptographic Concepts, Methodologies, and Practices
110 Message Authentication ... 1313
James S. Tiller, CISA, CISSP
Javek Ikbel, CISSP
113 Hash Algorithms: From Message Digests to Signatures ... 1349
Keith Pasley, CISSP
114 A Look at the Advanced Encryption Standard (AES) ... 1357
Ben Rothke, CISSP
Section 5.3
Private Key Algorithms
115 Principles and Applications of Cryptographic Key
Management ... 1365
William Hugh Murray, CISSP
Section 5.4
Public Key Infrastructure (PKI)
116 Preserving Public Key Hierarchy ... 1379
Geoffrey C. Grabow, CISSP
117 PKI Registration ... 1385
Alex Golod, CISSP
Section 5.5
System Architecture for Implementing Cryptographic
Functions
118 Implementing Kerberos in Distributed Systems ... 1397
Joe Kovara, CTP and Ray Kaplan, CISSP, CISA, CISM
Section 5.6
Methods of Attack
119 Methods of Attacking and Defending Cryptosystems ... 1447
Joost Houwen, CISSP
6 ENTERPRISE SECURITY ARCHITECTURE ... 146
Section 6.1
Principles of Computer and Network Organizations,
Architectures, and Designs
Architecture Primer ... 1475
Chris Hare, CISSP, CISA
122 The Reality of Virtual Computing... 1489
Chris Hare, CISSP, CISA
123 Overcoming Wireless LAN Security Vulnerabilities... 1507
Gilbert Held
Section 6.2
Principles of Security Models, Architectures and
Evaluation Criteria
124 Formulating an Enterprise Information Security Architecture ... 1513
Mollie Krehnke, CISSP, IAM and David Krehnke,CISSP, CISM, IAM
125 Security Architecture and Models ... 1531
Foster J. Henderson, CISSP, MCSE and Kellina M. Craig-Henderson, Ph.D.
Section 6.3
Common Flaws and Security Issues — System
Architecture and Design
126 Common System Design Flaws and Security Issues... 1547
William Hugh Murray, CISSP
7 OPERATIONS SECURITY ... 1555
Section 7.1
Concepts
127 Operations: The Center of Support and Control ... 1559
Kevin Henry, CISA, CISSP
128 Why Today’s Security Technologies Are So Inadequate: History,
Implications, and New Approaches... 1565
Steven Hofmeyr, Ph.D.
Section 7.2
Resource Protection Requirements
130 Auditing the Electronic Commerce Environment ... 1585
Chris Hare, CISSP, CISA
Section 7.4
Intrusion Detection
131 Improving Network-Level Security through Real-Time
Monitoring and Intrusion Detection ... 1601
Chris Hare, CISSP, CISA
132 Intelligent Intrusion Analysis: How Thinking Machines Can
Recognize Computer Intrusions ... 1619
Bryan D. Fish, CISSP
Section 7.5
Operations Controls
133 Directory Security ... 1633
Ken Buszta, CISSP
8 BUSINESS CONTINUITY PLANNING ... 1641
Section 8.1
Business Continuity Planning
134 Reengineering the Business Continuity Planning Process ... 1645
Carl B. Jackson, CISSP, CBCP
135 The Changing Face of Continuity Planning ... 1657
Carl B. Jackson, CISSP, CBCP
136 The Role of Continuity Planning in the Enterprise Risk
Management Structure ... 1667
Carl B. Jackson, CISSP, CBCP
Section 8.2
Disaster Recovery Planning
137 Restoration Component of Business Continuity Planning... 1679
John Dorf, ARM and Martin Johnson, CISSP
138 Business Resumption Planning and Disaster Recovery:
A Case History ... 1689
Kevin Henry, CISA, CISSP
140 The Business Impact Assessment Process ... 1709
Carl B. Jackson, CISSP, CBCP
9 LAW, INVESTIGATION, AND ETHICS ... 1725
Section 9.1
Information Law
141 Jurisdictional Issues in Global Transmissions ... 1729
Ralph Spencer Poore, CISSP, CISA, CFE
142 Liability for Lax Computer Security in DDoS Attacks ... 1737
Dorsey Morrow, JD, CISSP
143 The Final HIPAA Security Rule Is Here! Now What?... 1743
Todd Fitzgerald, CISSP, CISA
144 HIPAA 201: A Framework Approach to HIPAA Security Readiness... 1759
David MacLeod, Ph.D., CISSP, Brian Geffert, CISSP, CISA, and David Deckter, CISSP
Section 9.2
Investigations
145 Computer Crime Investigations: Managing a Process
without Any Golden Rules ... 1771
George Wade, CISSP
146 Computer Crime Investigation and Computer Forensics... 1785
Thomas Welch, CISSP, CPP
147 Operational Forensics ... 1813
Michael J. Corby, CISSP
148 What Happened ... 1819
Kelly J. Kuchta, CPP, CFE
Section 9.3
Major Categories of Computer Crime
149 The International Dimensions of Cybercrime... 1823
Ed Gabrys, CISSP
Section 9.4
Incident Handling
Chris Hare, CISSP, CISA
152 Incident Response Management ... 1861
Alan B. Sterneckert, CISA, CISSP, CFE, CCCI
153 Managing the Response to a Computer Security Incident ... 1871
Michael Vangelos, CISSP
154 Cyber Crime: Response, Investigation, and Prosecution ... 1881
Thomas Akin, CISSP
155 Incident Response Exercises... 1887
Ken M. Shaurette, CISSP, CISA, CISM, IAM and Thomas J. Schleppenbach
156 Software Forensics... 1897
Robert M. Slade, CISSP
Section 9.5
Ethics
157 Ethics and the Internet ... 1911
Micki Krause, CISSP
10 PHYSICAL SECURITY ... 1921
Section 10.1
Facility Requirements
158 Physical Security: A Foundation for Information Security ... 1925
Christopher Steinke, CISSP
159 Physical Security: Controlled Access and Layered Defense ... 1935
Bruce R. Mathews, CISSP
160 Computing Facility Physical Security ... 1947
Alan Brusewitz, CISSP, CBCP
162 Types of Information Security Controls ... 1965
Harold F. Tipton, CISSP
Section 10.3
Environment and Life Safety
163 Physical Security: The Threat after September 11th ... 1975
Jaymes Williams, CISSP
Contributors
Thomas Akin, CISSP, has worked in information security for almost a decade. He is the founding director of the Southeast Cybercrime Institute, where he also serves as chairman for the Institute's Board of Advisors. He is an active member of the Georgia Cybercrime Task Force where he heads up the Task Force's Education committee. Thomas also works with Atlanta's ISSA, InfraGard, and HTCIA professional organizations. He has published several articles on Information Security and is the author of Hardening Cisco Routers. He developed Kennesaw State University’s highly successful UNIX and Cisco training programs and, in addition to his security certifications, is also certified in Solaris, Linux, and AIX; is a Cisco Certified Academic Instructor (CCAI), and is a Certified Network Expert (CNX). He can be reached at takin@kennesaw.edu.
Mandy Andress, CISSP, SSCP, CPA, CISA, is Founder and President of ArcSec Technologies, a security consulting firm specializing in product/technology analysis. Before starting ArcSec Technologies, Mandy worked for Exxon, USA and several Big 5 accounting firms, including Deloitte & Touche and Ernst & Young. After leaving the Big 5, Mandy became Director of Security for Privada, Inc., a privacy start-up in San Jose. At Privada, Mandy helped develop security policies, secure network design, develop Firewall/VPN solutions, increase physical security, secure product design, and periodic network vulnerability testing. Mandy has written numerous security product and technology reviews for various computer trade publications. A member of the Network World Global Test Alliance, she is also a frequent presenter at conferences, including Networld+Interop, Black Hat, and TISC. Mandy holds a BBA in accounting and an MS in MIS from Texas A&M University. She is the author of Surviving Security, 2nd Edition (Auerbach Publications, 2003).
Jim Appleyard is a senior security consultant with the IBM Security and Privacy Services consulting practice. With 33 years of technical and management experience in information technology, he specializes in enterprise-wide information security policies and security architecture design. He has specific expertise in developing information security policies, procedures, and standards; conducting business impact analysis; performing enterprisewide security assessments; and designing data classification and security awareness programs.
David W. Baker is a member of the CVE Editorial Board. As a Lead INFOSEC Engineer in MITRE’s Security and Information Operations Division, he has experience in deployment and operation of large-scale intrusion detection systems, critical infrastructure protection efforts, and digital forensics research. A member of the American Academy of Forensic Sciences, Baker holds a bachelor’s degree from The State University of New York, and a Master of Forensic Science degree from George Washington University.
Dencho N. Batanov is with the school of Advanced Technologies at the Asian Institute of Technology in Pathumthani, Thailand.
various information security-related incidents for a large telecommunications company in Manitoba, relating to computer and toll fraud crimes.
Chuck Bianco, FTTR, CISA, CISSP, is an IT Examination Manager for the Office of Thrift Supervision in Dallas, Texas. He has represented his agency on the IT Subcommittee of the FFIEC. Bianco has experienced more than 600 IT examinations, participated in six IT symposia, written OTS’ original Disaster Recovery Bulletin, and led the Interagency Symposium resulting in SP–5. He was awarded the FFIEC Outstanding Examiner Award for significant contributions, and received two Department of the Treasury Awards for Outstanding Performance.
Christina M. Bird, Ph.D., CISSP, is a senior security analyst with Counterpane Internet Security in San Jose, California. She has implemented and managed a variety of wide-area-network security technologies, such as firewalls, VPN packages and authentication systems; built and supported Internet-based remote access systems; and developed, implemented, and enforced corporate IS security policies in a variety of environments. Tina is the moderator of the Virtual Private Networks mailing list, and the owner of "VPN Resources on the World Wide Web," a highly regarded vendor-neutral source of information about VPN technology. Tina has a BS in physics from Notre Dame and an MS and Ph.D. in astrophysics from the University of Minnesota.
Steven F. Blanding, CIA, CISA, CSP, CFE, CQA, was, when his contributions were written, the Regional Director of Technology for Arthur Andersen, based in Houston, Texas. Steve has 25 years of experience in the areas of financial auditing, systems auditing, quality assurance, information security, and business resumption planning for large corporations in the consulting services, financial services, manufacturing, retail electronics, and defense contract industries. Steve earned a BS in accounting from Virginia Tech and an MS in business information systems from Virginia Commonwealth University.
David Bonewell, CISSP, CISA, is a chief security architect with Teradata, Cincinnati, Ohio.
Kate Borten, CISSP, a nationally recognized expert in health information security and privacy, is president of The Marblehead Group. She has over 20 years of experience at Harvard University teaching hospitals, health centers, and physician practices, as information security head at Massachusetts General Hospital, and as Chief Information Security Officer at CareGroup in Boston. She is a frequent speaker at conferences sponsored by AHIMA, AMIA, CHIM, CHIME, CPRI, and HIMSS, and an advisor and contributor to “Briefings on HIPAA.”
Dan M. Bowers, CISSP, is a consulting engineer, author, and inventor in the field of security engineering.
Thomas J. Bray, CISSP, is a Principal Security Consultant with SecureImpact. He has more than 13 years of information security experience in banking, information technology, and consulting. Tom can be reached at tjbray@secureimpact.com. SecureImpact is a company dedicated to providing premier security consulting expertise and advice. SecureImpact has created its information and network service offerings to address the growing proliferation of security risks being experienced by small to mid-sized companies. Information about SecureImpact can be obtained by visiting www.secureimpact.com.
Allen Brusewitz, CISSP, CBCP, has more than 30 years of experience in computing in various capacities, including system development, EDP auditing, computer operations, and information security. He has continued his professional career leading consulting teams in cyber-security services with an emphasis on E-commerce security. He also participates in business continuity planning projects and is charged with developing that practice with his current company for delivery to commercial organizations.
Graham Bucholz is a computer security researcher for the U.S. government in Baltimore, Maryland.
ten years of IT experience and six years of InfoSec experience. He served in the U.S. Navy’s intelligence community before entering the consulting field in 1994. Should you have any questions or comments, he can be reached at Infosecguy@att.net.
James Cannady is a research scientist at Georgia Tech Research Institute. For the past seven years he has focused on developing and implementing innovative approaches to computer security in sensitive networks and systems in military, law enforcement, and commercial environments.
Ioana V. Carastan, CISSP, is a manager with Accenture’s global security consulting practice. She has written security policies, standards, and processes for clients in a range of industries, including financial services, high-tech, resources, and government.
Mark T. Chapman, CISSP, CISM, IAM, is the Director of Information Security Solutions for Omni Tech Corporation in Waukesha, Wisconsin. Mark holds an MS in computer science from the University of Wisconsin, Milwaukee, in the area of cryptography and information security. He has published several papers and has presented research at conferences in the United States, Asia, and Europe. He is the author of several security-related software suites, including the NICETEXT linguistic steganography package available at www.nicetext.com. Mark is a member of the executive planning committee for the Eastern Wisconsin Chapter of InfraGard. For questions or comments, contact Mark at mark.chapman@omnitechcorp.com.
Steven Christey is the editor of the CVE List and the chair of the CVE Editorial Board. His operational experience is in vulnerability scanning and incident response. His research interests include automated vulnerability analysis of source code, reverse-engineering of malicious executable code, and responsible vulnerability disclosure practices. He is a Principal INFOSEC Engineer in MITRE's Security and Information Operations Division. He holds a BS in computer science from Hobart College.
Samuel Chun, CISSP, is director for a technology consulting firm in the Washington, D.C., area.
Anton Chuvakin, Ph.D., GCIA, GCIH, is a senior security analyst with a major information security company. His areas of InfoSec expertise include intrusion detection, UNIX security, forensics, and honeypots. In his spare time, he maintains his security portal, www.infosecure.org.
Douglas G. Conorich is the Global Solutions Manager for IBM Global Services’ Managed Security Services. With over 30 years of experience in computer security in a variety of technical and management positions, he is responsible for developing new security offerings, ensuring that the current offerings are standardized globally, and overseeing training of new members of the MSS team worldwide. Mr. Conorich teaches people how to use the latest vulnerability testing tools to monitor Internet and intranet connections and develop vulnerability assessments suggesting security-related improvements. Mr. Conorich is also actively engaged in the research of bugs and vulnerabilities in computer operating systems and Internet protocols and is involved in the development of customized alerts notifying clients of new potential risks to security. He has presented papers at over 400 conferences, has published numerous articles on information security in various magazines and periodicals, and has held associate professor positions at several colleges and universities.
Washington, D.C. Craig-Henderson’s work has been supported by grants from the National Science Foundation and the Center for Human Resource Management at the University of Illinois.
Jeffrey Davis, CISSP, has been working in information security for the past ten years. He is currently a senior manager at Lucent Technologies, involved with intrusion detection, anti-virus, and threat assessment. He holds a bachelor’s degree in electrical engineering and a master’s degree in computer science from Stevens Institute of Technology.
Matthew J. Decker, CISSP, CISA, CBCP, has 17 years of professional experience in information security. He has advised private industry and local government on information security issues for the past six years with International Network Services, Lucent Technologies, and KPMG LLP. Prior to this, he devoted two years to the United States Special Operations Command (USSOCOM) as a contractor for Booz Allen Hamilton, and served nine years with the NSA. He earned a BSEE in 1985 from Florida Atlantic University and an MBA in 1998 from Nova Southeastern University. In 1992, the NSA’s Engineering and Physical Science Career Panel awarded him Certified Cryptologic Engineer (CCE) stature. A former president of the ISSA Tampa Bay chapter, he is a member of ISSA and ISACA.
David Deckter, CISSP, a manager with Deloitte & Touche Enterprise Risk Services, has extensive experience in information systems security disciplines, controlled penetration testing, secure operating system, application and internetworking architecture and design, risk and vulnerability assessments, and project management. Deckter has obtained ISC2 CISSP certification. He has performed numerous network security assessments for emerging technologies and electronic commerce initiatives in the banking, insurance, telecommunications, healthcare, and financial services industries, and has been actively engaged in projects requiring HIPAA security solutions.
Gildas Deograt, CISSP, is a CISSP Common Body of Knowledge (CBK) seminar instructor. He has been working in the IT field for more than ten years, with a focus over the past five years on information security. His experience includes network design and implementation, security policy development and implementation, developing a security awareness program, network security architecture, assessment and integration, and firewall deployment. At present, he is an Information System Security Officer for Total Exploration and Production. Before moving to France, he was the Chief Information Security Officer at TotalFinaElf E&P Indonesia and also a board member of the Information System Security Association (ISSA), Indonesia.
Sandeep Dhameja, CISSP, is responsible for the implementation and management of data, network, and information security at Morningstar. With more than ten years of IT experience, including five years in information security, Dhameja has held several executive and consulting positions. He is widely published with the IEEE, International Engineering Consortium (IEC), Society of Automotive Engineers (SAE), and at international conferences.
John Dorf, ARM, is a senior manager in the Actuarial Services Group of Ernst & Young. Specializing in insurance underwriting and risk management consulting, John earned his 19 years of experience as a risk manager at several Fortune 500 financial service and manufacturing firms. Before joining Ernst & Young, John was a senior risk manager at General Electric Capital Corporation. John has also held risk management positions at Witco Corporation, National Westminster Bank, and the American Bureau of Shipping. Prior to becoming a risk manager, John spent seven years as an underwriting manager and senior marine insurance underwriter at AIG and Atlantic Mutual. John holds an MBA with a concentration in risk management from the College of Insurance; a BA in Economics from Lehigh University; and an Associate in Risk Management (ARM) designation from the Insurance Institute of America.
computer security. Mark previously worked for KPMG Information Risk Management Group and IBM’s Privacy and Security Group, where he performed network security assessments, security system reviews, development of security recommendations, and ethical hacking. Other projects included helping companies develop secure and reliable network system architecture for their Web-enabled businesses. Mark was managing editor of the SANS Digest (Systems Administration and Network Security) and contributing editor to the SANS Step-by-Step Windows NT Security Guide. He is co-author of Windows NT: Performance, Monitoring and Tuning, and he developed the SANS Business Continuity/Disaster Recovery Plan Step-by-Step Guide.
Carl F. Endorf, CISSP, is a senior security analyst for one of the largest insurance and banking companies in the United States. He has practical experience in forensics, corporate investigations, and Internet security.
Vatcharaporn Esichaikul is with the school of Advanced Technologies at the Asian Institute of Technology in Pathumthani, Thailand.
Jeffrey H. Fenton, CBCP, CISSP, is the corporate IT crisis assurance/mitigation manager and technical lead for IT Risk Management and a senior staff computer system security analyst in the Corporate Information Security Office at Lockheed Martin Corporation. He joined Lockheed Missiles and Space Company in Sunnyvale, California, as a system engineer in 1982 and transferred into its telecommunications group in 1985. Fenton completed a succession of increasingly complex assignments, including project manager for the construction and activation of an earthquake-resistant network center on the Sunnyvale campus in 1992, and group leader for network design and operations from 1993 through 1996. Fenton holds a BA in economics from the University of California, San Diego, an MA in economics and an MS in operations research from Stanford University, and an MBA in telecommunications from Golden Gate University. Fenton is also a Certified Business Continuity Planner (CBCP) and a Certified Information Systems Security Professional (CISSP).
Bryan D. Fish, CISSP, is a security consultant for Lucent Technologies in Dallas, Texas. He holds a BS in Computer Engineering and a Master of Computer Science degree with a focus on internetworking and computer system security, both from Texas A&M University. Professional interests include security programs and policies, and applications of cryptography in network security.
Todd Fitzgerald, CISSP, CISA, is the Systems Security Officer for United Government Services, LLC, the nation’s largest processor of Medicare hospital claims on behalf of the Centers for Medicare and Medicaid Services (CMS). He has over 24 years of broad-based information technology experience, holding senior IT management positions with Fortune 500 and Global Fortune 250 companies. Todd is a board member of the ISSA–Milwaukee Chapter, co-chair on the HIPAA Collaborative of Wisconsin Security Task Force, participant in the CMS/Gartner Security Best Practices Group, and is a frequent speaker and writer on security issues.
Stephen D. Fried, CISSP, is the Director of Global Information Security at Lucent Technologies, leading the team responsible for protecting Lucent’s electronic and information infrastructure. Stephen began his professional career at AT&T in 1985 and has progressed through a wide range of technical and leadership positions in such areas as software development, database design, call center routing, computing research, and information security for AT&T, Avaya, and Lucent Technologies. In more recent history, Stephen has developed the information security program for two Fortune 500 companies, leading the development of security strategy, architecture, and deployment while dealing with such ever-changing topics as policy development, risk assessment, technology development and deployment, and security outsourcing. He is a Certified Information Systems Security Professional and is also an instructor with the SANS Institute. Stephen holds a BS in Telecommunications Management and an MS in Computer Science.
specializes in information systems controls and solutions. Geffert has worked on the development of HIPAA assessment tools and security services for healthcare industry clients to determine the level of security readiness with Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. In addition, he has implemented solutions to assist organizations addressing their HIPAA security readiness issues. Finally, Geffert is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Auditor (CISA).
Karen Gibbs is a senior data warehouse architect with Teradata, Dayton, Ohio.
Alex Golod, CISSP, is an infrastructure specialist for EDS in Troy, Michigan.
Robert Gray, Ph.D., is currently Chair of the Quantitative Methods and Computer Information Systems Department at Western New England College and has more than 20 years of academic and management experience in the IT field.
Frandinata Halim, CISSP, MCSE, a senior security consultant at ITPro Citra Indonesia, PT, has ample experience and qualifications in providing clients with managed security services, information system security consulting, secure network deployment, and other services. In addition, he is competent and knowledgeable in the use and hardening of the Windows environment, Cisco security devices, a number of IDSs, firewalls, and others, currently holding certifications such as CISSP from the (ISC)2, CCSP, CCDA, and CCNA from Cisco Systems, and MCSE from Microsoft. He obtained his bachelor’s degree in electronic engineering from Trisakti University, Jakarta, and his master’s degree in information system management from Bina Nusantara University, Jakarta.
Susan D. Hansche, CISSP, is a senior manager for information system security awareness and training at PEC Solutions, based in Fairfax, Virginia. She has designed numerous training courses on information technology and information systems security for both private-sector and government clients. Susan is co-author of the Official (ISC)2 Guide to the CISSP Exam. She can be reached via e-mail at susan.hansche@pec.com.
William T. Harding, Ph.D., is Dean of the College of Business Administration and an associate professor at Texas A & M University, in Corpus Christi.
Chris Hare, CISSP, CISA, is an Information Security and Control Consultant with Nortel Networks in Dallas, Texas. His experience encompasses over sixteen years in the computing industry, with key positions ranging from application design, quality assurance, system administration/engineering, and network analysis to security consulting, operations, and architecture. His management career, coupled with in-depth technical knowledge, provides the foundation to integrate the intricate risks of technology into the ongoing survival of major corporations. Chris periodically shares his knowledge in speaking engagements, published articles, books, and other publications. He has written a number of articles for Sys Admin magazine, ranging from system administration and tutorial articles to management and architecture. Chris is now writing for Auerbach’s Data Security Management, Information Security Management Handbook, and Data Communication Management, and is co-author of the Official (ISC)2 Guide to the CISSP Exam. Chris has taught information security at Algonquin College (Ottawa, Canada) and was one of the original members of the Advisory Council for this program. He frequently speaks at conferences on UNIX, specialized technology and applications, security, and audit.
in both Europe and America for his entertaining and thought-provoking presentations, Mr. Heiser has an MBA in International Management from the American Graduate School of International Management.
Gilbert Held is an award-winning author and lecturer. Gil is the author of over 40 books and 450 technical articles. Some of Gil’s recent book titles include Building a Wireless Office and The ABCs of IP Addressing, published by Auerbach Publications. Gil can be reached via e-mail at gil_held@yahoo.com.
Foster Henderson, CISSP, MCSE, CRP, CNA, is an information assurance analyst for Analytic Services, Inc. (ANSER). He is currently a member of the Network Operations and Security Branch within the federal government, covering a wide range of IA matters.
Kevin Henry, CISA, CISSP, Director–Program Development for (ISC)2 Institute, is a regular speaker at conferences and training seminars worldwide, with frequent requests to provide in-depth training, foundational and advanced information systems security and audit courses, and detailed presentations and workshops on the latest issues in the information systems security field. Kevin combines over twenty years’ experience in telecom and consulting engagements for major government and corporate clients with an interesting and comfortable learning style that enhances the understanding, relevance, and practical applications of the subject matter. Kevin graduated from Red River College as a computer programmer/analyst and has an Advanced Graduate Diploma in Management from Athabasca University, where he is currently enrolled in their MBA program with a focus on information technology. Kevin has also had several articles published in leading trade journals and in the Handbook of Information Security Management.
Paul A. Henry, MCP+I, MCSE, CCSA, CFSA, CFSO, CISSP, Vice President of CyberGuard Corporation and an information security expert who has worked in the security field for more than 20 years, has provided analysis and research support on numerous complex network security projects in Asia, the Middle East, and North America, including several multimillion dollar network security projects, such as Saudi Arabia’s National Banking System and the DoD Satellite Data Project USA. Henry has given keynote speeches at security seminars and conferences worldwide on topics including DDoS attack risk mitigation, firewall architectures, intrusion methodology, enterprise security, and security policy development. An accomplished author, Henry has also published numerous articles and white papers on firewall architectures, covert channel attacks, distributed denial-of-service (DDoS) attacks, and buffer overruns. Henry has also been interviewed by ZD Net, the San Francisco Chronicle, the Miami Herald, NBC Nightly News, CNBC Asia, and many other media outlets.
Rebecca Herold, CISSP, CISA, FLMI, is Vice President, Privacy Services and Chief Privacy Officer at DelCreo, Inc. Prior to this, she was chief privacy officer and senior security architect for QinetiQ Trusted Information Management, Inc. (Q-TIM). She has more than 13 years of information security experience. Herold was the editor and contributing author for The Privacy Papers, released in December 2001. Most recently she was the co-author of The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach, 2004). She has also written numerous magazine and newsletter articles on information security topics and has given many presentations at conferences and seminars. Herold can be reached at rebecca@delcreo.com.
Debra S. Herrmann is the ITT manager of security engineering for the FAA Telecommunications Infrastructure program. Her special expertise is in the specification, design, and assessment of secure mission-critical systems. She is the author of Using the Common Criteria for IT Security Evaluation and A Practical Guide to Security Engineering and Information Assurance, both from Auerbach Publications.
program committee for the ACM’s New Security Paradigms Workshop, and is currently on the program committee for the Artificial Immune Systems workshop at the IEEE World Congress on Computational Intelligence. He can be reached at steve.hofmeyr@sanasecurity.com.
Daniel D. Houser, CISSP, MBA, e-Biz+, is a senior security engineer with Nationwide Mutual Insurance Company.
Joost Houwen, CISSP, CISA, is the security manager for Network Computing Services at BC Hydro. He has a diverse range of IT and information security experience.
Patrick D. Howard, CISSP, a Senior Information Security Consultant for the Titan Corporation, has over 31 years’ experience in security management and law enforcement. He has been performing security certification and accreditation tasks for over 14 years as both a security manager and a consultant from both government and commercial industry perspectives. He has experience with implementing security C&A with the Department of the Army, Nuclear Regulatory Commission, Department of Agriculture, and Department of Transportation, and has been charged with developing C&A and risk management guidance for organizations such as Bureau of the Public Debt, U.S. Coast Guard, State of California, University of Texas Southwestern Medical School, University of Texas Medical Branch, and corporations including John Hancock, BankBoston, Sprint, eSylvan, and Schering–Plough. He has extensive practical experience in implementing programs and processes based on NIST guidance (FIPS Pub 102, SP 800-18, 800-26, 800-30, 800-37, etc.), OMB Circular A-130, Appendix III, and BS 7799/ISO 17799. He has direct working experience in security plan development for complex systems, sensitivity definition, use of minimum security baselines, risk analysis, vulnerability assessment, controls validation, risk mitigation, and documenting certification and accreditation decisions. Mr. Howard has also developed and presented training on all of these processes. He is the author of Building and Implementing a Security Certification and Accreditation Program (Auerbach Publications, 2004).
Javed Ikbal, CISSP, works at a major financial services company as Director, IT Security, where he is involved in security architecture, virus/cyber incident detection and response, policy development, and building custom tools to solve problems. A proponent of open-source security tools, he is a believer in the power of Perl.
Sureerut Inmor is with the school of Advanced Technologies at the Asian Institute of Technology in Pathumthani, Thailand. He can be reached at sureerut_earth@hotmail.com.
Carl B. Jackson, CISSP, is Vice President–Enterprise Continuity Planning for DelCreo, Inc., an enterprise risk management company. He is a Certified Information Systems Security Professional (CISSP) with more than 25 years of experience in the areas of continuity planning, information security, and information technology internal control and quality assurance reviews and audits. Prior to joining DelCreo, Inc., he served in the QinetiQ-TIM Corporation and as a Partner with Ernst & Young, where he was the firm’s BCP Service Line Leader. Carl has extensive consulting experience with numerous major organizations in multiple industries, including manufacturing, financial services, transportation, healthcare, technology, pharmaceuticals, retail, aerospace, insurance, and professional sports management. He also has extensive industry business continuity planning experience as an information security practitioner, manager in the field of information security and business continuity planning, and as a university-level instructor. He has written extensively and is a frequent public speaker on all aspects of continuity planning and information security. Carl can be reached at 1+ 936-328-3663 or by e-mail at carl@delcreo.com.
Domain 1
The Access Control Systems and Methodology domain addresses the collection of mechanisms that permits system managers to exercise a directing or restraining influence over the behavior, use, and content of a system. Access control permits management to specify what users can do, what resources they can access, and what operations they can perform on a system.
Given the realization that information is valuable and must be secured against misuse, disclosure, and destruction, organizations implement access controls to ensure the integrity and security of the information they use to make critical business decisions. Controlling access to computing resources and information can take on many forms. However, regardless of the method utilized, whether technical or administrative, access controls are fundamental to a well-developed and well-managed information security program.
This domain addresses user identification and authentication, access control techniques and the administration of those techniques, and the evolving and innovative methods of attack against implemented controls. Biometrics are used to identify and authenticate individuals and are rapidly becoming a popular approach for imposing control over access to information, because they provide the ability to positively identify someone by their personal attributes, typically a person’s voice, handprint, fingerprint, or retinal pattern. Although biometric devices have been around for years, innovations continue to emerge. Understanding the potential as well as the limitations of these important tools is necessary so that the technology can be applied appropriately and most effectively. We will lay the foundations here and follow up with more detail in Domain 10: Physical Security.
Nowhere is the use of access controls more apparently important than in protecting the privacy, confidentiality, and security of patient healthcare information. Outside North America, especially in European countries, privacy has been a visible priority for many years. More recently, American consumers have come to demand an assurance that their personal privacy is protected, a demand that demonstrates awareness that their medical information is becoming increasingly widespread and potentially subject to exposure. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 for medical information and the Gramm–Leach–Bliley Act of 1999 for financial information, just to name two regulations, are definitive evidence that the U.S. Government has heeded the mandate of American citizens.
Malicious hacking has been a successful means of undermining information controls and an increasing challenge to the security of information. Hackers tend to chip away at an organization’s defenses and have been successful on far too many occasions. In this domain, readers learn about the advancing, state-of-the-art attack tools that have led to highly publicized scenarios; for example, the recent defacement of the U.S. Department of Justice Web site and denial-of-service attacks on many commercial sites.
Contents
Section 1.1
Access Control Techniques
1 Enhancing Security through Biometric Technology... 5
Stephen D. Fried, CISSP
2 Biometrics: What’s New?... 21
Judith M. Myerson
3 Controlling FTP: Providing Secured Data Transfers ... 27
Chris Hare, CISSP, CISA
Section 1.2
Access Control Administration
4 Privacy in the Healthcare Industry... 45
Kate Borten, CISSP
5 The Case for Privacy... 55
Michael J. Corby, CISSP
Section 1.3
Identification and Authentication Techniques
6 Biometric Identification... 61
Donald R. Richards
7 Single Sign-On for the Enterprise ... 77
Ross A. Leo, CISSP
Section 1.4
Access Control Methodologies and Implementation
8 Centralized Authentication Services (RADIUS, TACACS, DIAMETER)... 97
Bill Stackpole, CISSP
9 An Introduction to Secure Remote Access ... 109
Christina M. Bird, Ph.D., CISSP
Section 1.5
Methods of Attack
10 Hacker Tools and Techniques ... 121
Ed Skoudis, CISSP
11 A New Breed of Hacker Tools and Defenses ... 135
Ed Skoudis, CISSP
12 Social Engineering: The Forgotten Risk ... 147
John Berti, CISSP and Marcus Rogers, Ph.D., CISSP
14 Counter-Economic Espionage... 165
Craig A. Schiller, CISSP
Section 1.6
Monitoring and Penetration Testing
15 Penetration Testing ... 179
Stephen D. Fried, CISSP
1 Enhancing Security through Biometric Technology
Stephen D. Fried, CISSP
Introduction
The U.S. Immigration and Naturalization Service has begun a program that will allow frequent travelers to the United States to bypass the personal interview and inspection process at selected major airports, by taking electronic readings of the visitor’s hand to positively identify the traveler. A similar system is in use at the U.S./Canada border that uses fingerprints and voice recognition to identify people crossing the border.
In 1991, Los Angeles County installed a system that uses fingerprint identification to reduce fraudulent and duplicate claims in the county’s welfare system. The county saved more than $5 million in the first six months of use.
Casinos from Las Vegas to Atlantic City use face recognition systems to spot gambling cheats, card counters, and criminals in an attempt to reduce losses and protect their licenses.
All these systems have one thing in common: they all use biometrics to provide for enhanced security of people, locations, or financial interests. Biometrics is becoming one of the fastest growing segments of the security field and has gained a great deal of popularity both in the popular press and within the security profession. The use of biometrics — how it works, how it is used, and how effective it can be — is the subject of this chapter.
Biometrics Basics
Security professionals already have a wide variety of identification and authentication options available to them, including ID badges, passwords, PINs, and smart cards. So why is biometrics different, and why is it considered by many to be the “best” method for accurate identification and authentication? The answer comes from the nature of identification and authentication. Both of these processes are based on the concept of uniqueness. They assume that there is some unique aspect to an individual that can be isolated and used to positively identify that individual. However, current forms of identification and authentication all suffer from the same fallacy: the “unique” property they measure is artificially attached to the individual. User IDs and passwords are assigned to users and must be remembered by the user. ID badges or tokens are given to users, who must then carry them in their possession. Certificate forms of authentication, such as driver’s licenses, passports, or X.509 public key certificates, are assigned to a person by some authority that attests to the matching between the name on the certificate and the picture or public key the certificate contains. None of these infallibly identifies or authenticates the named individual. They can all be fooled or “spoofed” in some form or another.
Biometrics approaches the uniqueness problem in a different way. Instead of artificially attaching some type of uniqueness to the subject, the uniqueness is determined through an intrinsic quality that the subject already possesses. Characteristics such as fingerprints, retina patterns, hand geometry, and DNA are something almost all people already possess and are all naturally unique. It is also something that is with the person at all times and thus available whenever needed. A user cannot forget his finger or leave his voice at home. Biometric traits also have an intrinsic strength in their uniqueness. A person cannot choose a weak biometric in the same way he can choose a weak password or PIN. For very high-security applications, or situations where an extremely high assurance level for identification or authentication is required, this built-in uniqueness gives biometrics the edge it needs over its traditional identification and authentication counterparts.
How Does Biometrics Work?
Although the physiology behind biometrics is quite complex, the process of using biometric measurements in an application is relatively simple. The first step is to determine the specific biometric characteristic that must be measured. This is more a function of practicality, personal preference, and user attitude than a strict technology question. The different factors that go into selecting an appropriate biometric measurement are discussed later in this chapter.
Once the specific characteristic to be measured has been determined, a reading of that biometric is taken through some mechanical or technical means. The specific means will be based on the biometric characteristic selected, but biometric readings are generally taken by either (1) photographing or scanning an image of the characteristic, or (2) measuring the characteristic’s life signs within the subject. Once the reading is taken, it needs to be modified into a form that makes further comparison easier. Storing the entire scanned or read image for thousands of people would take up large amounts of storage space, and using the whole image for comparison is inefficient. In reality, only a small portion of the entire image contains significant information that is needed for accurate comparison. These significant bits are called match points. By identifying and gathering only the match points, biometric measurements can be made accurately and data storage requirements can be significantly reduced.
The match points are collected into a standard format called a template. The template is used for further comparison with other templates stored in the system or collected from users. Templates are stored for later retrieval and comparison in whatever data storage system the biometric application is using. Later, when a user needs to be identified or authenticated, another biometric reading is taken of the subject. The template is extracted from this new scan and compared with one or more templates stored in the database. The existence or absence of a matching template will trigger an appropriate response by the system.
Biometric Traits
Randotypic traits are those traits that are formed early in the development of the embryo. Many of the body features that humans possess take on certain patterns during this stage of development, and those patterns are distributed randomly throughout the entire population. This makes duplication highly improbable and, in some cases, impossible. Examples of randotypic traits are fingerprints, iris patterns, and hand-vein patterns.
Behavioral traits are those aspects of a person that are developed through training or repeated learning. As humans develop, they learn certain modes of behavior that they carry throughout their lives. Interestingly, behavioral traits are the one type of biometric trait that can be altered by a person through re-training or behavior modification. Examples of behavioral traits include signature dynamics and keyboard typing patterns.
Common Uses for Biometrics
The science and application of biometrics has found a variety of uses for both security and non-security purposes. Authentication of individuals is one of the most popular uses. For example, hand scanners can be used to authenticate people who try to access a high-security building. The biometric reading taken of the subject is then compared against the single record belonging to that individual in the database. When used in this form, biometric authentication is often referred to as positive matching or one-to-one matching.
Very often, all that is needed is basic identification of a particular subject out of a large number of possible subjects. Police in the London borough of Newham use a system of 140 cameras mounted throughout the borough to scan the faces of people passing through the district. Those faces are compared against a database of known criminals to see if any of them are wandering around Newham’s streets. In this particular use, the biometric system is performing negative matching or one-to-many matching. Unlike the single-record lookup used in positive matching, each sample face scanned by the Newham cameras is compared against all the records in the police database looking for a possible match. In effect, the system is trying to show that a particular face is not in the database (and, presumably, not an identified criminal).
Fraud prevention is another common use for biometrics. When a user goes through biometric authentication to access a system, that user’s identity is then associated with every event, activity, and transaction that the user performs. If a fraudulent transaction is discovered or the system becomes the subject of an investigation or audit, an audit trail of that user’s actions can be produced, confirming or refuting their involvement in the illicit activity. If the personnel using the system are made aware of the ID tagging and audit trails, the use of biometrics can actually serve as a deterrent to prevent fraud and abuse.
Biometrics can also be used as a basic access control mechanism to restrict access to a high-security area by forcing the identification of individuals before they are allowed to pass. Biometrics are generally used for identification only in a physical security access control role. In other access control applications, biometrics is used as an authentication mechanism. For example, users might be required to biometrically authenticate themselves before they are allowed to view or modify classified or proprietary information. Normally, even in physical access control, it is not efficient to search the database for a match when the person can identify himself (by stating his name or presenting some physical credential) and have the system quickly perform positive matching.
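The pipeline described in “How Does Biometrics Work?” (reading, match points, template, stored comparison) and the positive versus negative matching distinction above, as an added toy model that is not the chapter’s or any vendor’s code. It assumes a match point can be represented as an (x, y, angle) minutia, and the tolerances, threshold, and sample scans are constructed for illustration.

```python
# Toy model of the pipeline in the text: capture -> extract match points
# -> template -> store -> compare. All data and parameters are constructed
# for illustration; real extractors and matchers are far more elaborate.
import math
from dataclasses import dataclass

# Assumed representation: a match point is a minutia (x, y, angle_in_degrees);
# a raw scan carries an extra per-point quality score.
POSITION_TOLERANCE = 3.0   # max distance for two points to correspond
ANGLE_TOLERANCE = 15.0     # max ridge-angle difference, in degrees
MATCH_THRESHOLD = 0.70     # fraction of enrolled points that must correspond


@dataclass(frozen=True)
class Template:
    subject_id: str
    points: tuple  # sorted tuple of (x, y, angle) match points


def extract_template(subject_id, raw_scan):
    """Keep only the significant match points (quality >= 0.5) of a raw scan.
    The image itself is discarded, which keeps storage small and matching cheap."""
    points = tuple(sorted((x, y, a) for (x, y, a, q) in raw_scan if q >= 0.5))
    return Template(subject_id, points)


def _angle_diff(a, b):
    d = abs(a - b) % 360
    return min(d, 360 - d)


def match_score(enrolled, probe):
    """Fraction of enrolled points that have a counterpart in the probe.
    Each probe point is consumed once paired, so duplicates cannot inflate it."""
    if not enrolled.points:
        return 0.0
    unused = list(probe.points)
    matched = 0
    for (x, y, a) in enrolled.points:
        for i, (px, py, pa) in enumerate(unused):
            if (math.hypot(x - px, y - py) <= POSITION_TOLERANCE
                    and _angle_diff(a, pa) <= ANGLE_TOLERANCE):
                matched += 1
                del unused[i]
                break
    return matched / len(enrolled.points)


class TemplateStore:
    """Holds enrolled templates; only templates, never raw scans, are kept."""

    def __init__(self):
        self._templates = {}

    def enroll(self, template):
        self._templates[template.subject_id] = template

    def verify(self, claimed_id, probe, threshold=MATCH_THRESHOLD):
        """Positive (one-to-one) matching: the subject states who he is and
        the probe is compared against that single enrolled record."""
        enrolled = self._templates.get(claimed_id)
        if enrolled is None:
            return False, 0.0
        score = match_score(enrolled, probe)
        return score >= threshold, score

    def identify(self, probe, threshold=MATCH_THRESHOLD):
        """Negative (one-to-many) matching: the probe is compared against every
        record; returns (best_id, score), or (None, best_score) if nobody clears
        the threshold. The threshold trades false accepts against false rejects."""
        best_id, best_score = None, 0.0
        for sid, enrolled in self._templates.items():
            score = match_score(enrolled, probe)
            if score > best_score:
                best_id, best_score = sid, score
        return (best_id if best_score >= threshold else None), best_score


# Constructed sample scans: (x, y, angle, quality).
ALICE_ENROLL_SCAN = [(10, 10, 30, 0.9), (20, 15, 90, 0.8), (30, 40, 180, 0.95),
                     (50, 25, 270, 0.7), (60, 60, 45, 0.85), (5, 50, 120, 0.2)]
# A later reading of the same finger: slight shift, one point missing, one spurious.
ALICE_PROBE_SCAN = [(11, 9, 35, 0.9), (21, 16, 85, 0.8), (31, 41, 175, 0.9),
                    (52, 27, 265, 0.7), (40, 40, 0, 0.9)]
BOB_ENROLL_SCAN = [(100, 100, 10, 0.9), (110, 120, 200, 0.9),
                   (130, 105, 300, 0.9), (140, 140, 60, 0.8)]
# An unenrolled finger that happens to share two points with Alice's template.
IMPOSTOR_SCAN = [(12, 12, 30, 0.9), (60, 60, 45, 0.9), (200, 200, 0, 0.9)]


def build_store():
    store = TemplateStore()
    store.enroll(extract_template("alice", ALICE_ENROLL_SCAN))
    store.enroll(extract_template("bob", BOB_ENROLL_SCAN))
    return store


if __name__ == "__main__":
    store = build_store()
    probe = extract_template("?", ALICE_PROBE_SCAN)
    print("verify alice:", store.verify("alice", probe))   # (True, 0.8)
    print("identify:", store.identify(probe))              # ('alice', 0.8)
    print("impostor:", store.verify("alice", extract_template("?", IMPOSTOR_SCAN)))  # (False, 0.4)
```

Lowering the threshold to 0.4 makes the impostor probe pass verification against Alice’s record, which is the false-accept side of the tradeoff the threshold controls.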
A less security-oriented use of biometrics is to improve an organization’s customer service. A supermarket can use facial recognition to identify customers at the checkout line. Once customers are identified, they can be given the appropriate “frequent-shopper” discounts, have their credit cards automatically charged, and have their shopping patterns analyzed to offer them more personally targeted sales and specials in the future — all without the customer needing to show a Shopper’s Club card or swipe a credit card. Setting aside the privacy aspect of this type of use (for now), this personalized customer service application can be very desirable for consumer-oriented companies in highly competitive markets.