Security_Management.zip 16.20MB 2013-07-11 21:54:51



Information Security Management Handbook, Fifth Edition


AUERBACH PUBLICATIONS

www.auerbach-publications.com

To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401 E-mail: orders@crcpress.com


AUERBACH PUBLICATIONS
A CRC Press Company
Boca Raton London New York Washington, D.C.

Information Security Management Handbook, Fifth Edition

Edited by
Harold F. Tipton, CISSP
Micki Krause, CISSP


This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher.

All rights reserved. Authorization to photocopy items for internal or personal use, or the personal or internal use of specific clients, may be granted by CRC Press LLC, provided that $1.50 per page photocopied is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923 USA. The fee code for users of the Transactional Reporting Service is ISBN 0-8493-1997-8/03/$0.00+$1.50. The fee is subject to change without notice. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying.

Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation, without intent to infringe.

Visit the CRC Press Web site at www.crcpress.com

© 2004 by CRC Press LLC. Auerbach is an imprint of CRC Press LLC.

No claim to original U.S. Government works.

International Standard Book Number 0-8493-1997-8

Library of Congress Card Number 2003061151

Library of Congress Cataloging-in-Publication Data

Information security management handbook / Harold F. Tipton, Micki Krause, editors.—5th ed. p. cm.

Includes bibliographical references and index. ISBN 0-8493-1997-8 (alk. paper)

1. Computer security—Management—Handbooks, manuals, etc. 2. Data protection—Handbooks, manuals, etc. I. Tipton, Harold F. II. Krause, Micki.

QA76.9.A25I54165 2003

658′.0558—dc22 2003061151

“To purchase your own copy of this or any of Taylor & Francis or Routledge’s collection of thousands of eBooks please go to www.eBookstore.tandf.co.uk.”

nologies. All rights reserved.

Chapter 18, “Packet Sniffers and Network Monitors,” by James S. Tiller, CISA, CISSP, and Bryan D. Fish, CISSP, ©Lucent Technologies. All rights reserved.

Chapter 30, “ISO/OSI Layers and Characteristics,” by George G. McBride, CISSP, ©Lucent Technologies. All rights reserved.

Chapter 32, “IPSec Virtual Private Networks,” by James S. Tiller, CISA, CISSP, ©INS. All rights reserved.

Chapter 58, “Security Patch Management,” by Jeffrey Davis, CISSP, ©Lucent Technologies. All rights reserved.

Chapter 62, “Trust Governance in a Web Services World,” by Daniel D. Houser, CISSP, MBA, e-Biz+, © Nation-wide Mutual Insurance Company. All rights reserved.

Chapter 68, “Security Assessment,” by Sudhanshu Kairab, ©Copyright 2003 INTEGRITY. All rights reserved.

Chapter 70, “A Progress Report on the CVE Initiative,” by Robert Martin, Steven Christey, and David Baker, ©Copyright 2003 MITRE Corp. All rights reserved.

Chapter 87, “How to Work with a Managed Security Service Provider,” by Laurie Hill McQuillan, ©2003. Laurie Hill McQuillan. All rights reserved.

Chapter 99, “Digital Signatures in Relational Database Applications,” by Mike R. Prevost, ©2002 Mike R. Prevost and Gradkell Systems, Inc. Used with permission.

Chapter 108, “Three New Models for the Application of Cryptography,” by Jay Heiser, CISSP, ©Lucent Technologies. All rights reserved.

Chapter 110, “Message Authentication,” by James S. Tiller, CISA, CISSP, ©INS. All rights reserved.

Chapter 128, “Why Today’s Security Technologies Are So Inadequate: History, Implications, and New Approaches,” by Steven Hofmeyr, Ph.D., ©2003 Sana Security. All rights reserved.

Chapter 131, “Improving Network-Level Security through Real-Time Monitoring and Intrusion Detection,” by Chris Hare, CISSP, CISA, ©International Network Services. All rights reserved.

Chapter 142, “Liability for Lax Computer Security in DDOS Attacks,” by Dorsey Morrow, JD, CISSP, ©2003. Dorsey Morrow. All rights reserved.

Chapter 152, “CIRT: Responding to Attack,” by Chris Hare, CISSP, CISA, ©International Network Services. All rights reserved.


Table of Contents

Contributors ... xxiii

Introduction ... xli

1 ACCESS CONTROL SYSTEMS AND METHODOLOGY ... 1

Section 1.1

Access Control Techniques

1 Enhancing Security through Biometric Technology... 5

Stephen D. Fried, CISSP

2 Biometrics: What’s New?... 21

Judith M. Myerson

3 Controlling FTP: Providing Secured Data Transfers ... 27

Chris Hare, CISSP, CISA

Section 1.2

Access Control Administration

4 Privacy in the Healthcare Industry... 45

Kate Borten, CISSP

5 The Case for Privacy... 55

Michael J. Corby, CISSP

Section 1.3

Identification and Authentication Techniques

6 Biometric Identification... 61

Donald R. Richards, CPP

7 Single Sign-On for the Enterprise ... 77

Ross A. Leo, CISSP

Section 1.4

Access Control Methodologies and Implementation


Christina M. Bird, Ph.D., CISSP

Section 1.5

Methods of Attack

10 Hacker Tools and Techniques ... 121

Ed Skoudis, CISSP

11 A New Breed of Hacker Tools and Defenses ... 135

Ed Skoudis, CISSP

12 Social Engineering: The Forgotten Risk ... 147

John Berti, CISSP and Marcus Rogers, Ph.D., CISSP

13 Breaking News: The Latest Hacker Attacks and Defenses ... 155

Ed Skoudis, CISSP

14 Counter-Economic Espionage... 165

Craig A. Schiller, CISSP

Section 1.6

Monitoring and Penetration Testing

15 Penetration Testing ... 179

Stephen D. Fried, CISSP

16 Penetration Testing ... 191

Chuck Bianco, FTTR, CISA, CISSP

2 TELECOMMUNICATIONS, NETWORK, AND INTERNET SECURITY ... 197

Section 2.1

Communications and Network Security

17 Understanding SSL ... 203

Chris Hare, CISSP, CISA

18 Packet Sniffers and Network Monitors... 217

James S. Tiller, CISA, CISSP and Bryan D. Fish, CISSP

19 Secured Connections to External Networks... 235

Steven F. Blanding

20 Security and Network Technologies... 249

Chris Hare, CISSP, CISA


Steven F. Blanding

23 What’s Not So Simple about SNMP? ... 287

Chris Hare, CISSP, CISA

24 Network and Telecommunications Media: Security from the Ground Up ... 297

Samuel Chun, CISSP

25 Security and the Physical Network Layer ... 311

Matthew J. Decker, CISSP, CISA, CBCP

26 Security of Wireless Local Area Networks ... 319

Franjo Majstor, CISSP

27 Securing Wireless Networks ... 329

Sandeep Dhameja, CISSP

28 Wireless Security Mayhem: Restraining the Insanity of Convenience ... 339

Mark T. Chapman, MSCS, CISSP, IAM

29 Wireless LAN Security Challenge ... 349

Frandinata Halim, CISSP, CCSP, CCDA, CCNA, MSCE and Gildas Deograt, CISSP

30 ISO/OSI Layers and Characteristics ... 363

George G. McBride, CISSP

Section 2.2

Internet/Intranet/Extranet

31 Enclaves: The Enterprise as an Extranet ... 373

Bryan T. Koch, CISSP

32 IPSec Virtual Private Networks ... 383

James S. Tiller, CISA, CISSP

33 Firewalls: An Effective Solution for Internet Security... 407

E. Eugene Schultz, Ph.D., CISSP

34 Internet Security: Securing the Perimeter... 413

Douglas G. Conorich

35 Extranet Access Control Issues... 423

Christopher King, CISSP


Keith Pasley, CISSP

38 Security of Communication Protocols and Services ... 457

William Hugh Murray, CISSP

39 An Introduction to IPSec ... 467

William Stackpole, CISSP

40 VPN Deployment and Evaluation Strategy... 475

Keith Pasley, CISSP

41 How to Perform a Security Review of a Checkpoint Firewall... 493

Ben Rothke, CISSP

42 Comparing Firewall Technologies ... 513

Per Thorsheim

43 The (In) Security of Virtual Private Networks ... 523

James S. Tiller, CISA, CISSP

44 Cookies and Web Bugs... 539

William T. Harding, Ph.D., Anita J. Reed, CPA, and Robert L. Gray, Ph.D.

45 Leveraging Virtual Private Networks ... 549

James S. Tiller, CISA, CISSP

46 Wireless LAN Security ... 561

Mandy Andress, CISSP, SSCP, CPA, CISA

47 Security for Broadband Internet Access Users... 567

James Trulove

48 New Perspectives on VPNs ... 575

Keith Pasley, CISSP

49 An Examination of Firewall Architectures ... 581

Paul A. Henry, CISSP, CNE

Section 2.3

E-mail Security

50 Instant Messaging Security Issues ... 601

William Hugh Murray, CISSP

Section 2.4 Secure Voice Communications


Valene Skerpac, CISSP

Section 2.5

Network Attacks and Countermeasures

53 Packet Sniffers: Use and Misuse... 639

Steve A. Rodgers, CISSP

54 ISPs and Denial-of-Service Attacks ... 649

K. Narayanaswamy, Ph.D.

3 INFORMATION SECURITY MANAGEMENT ... 667

Section 3.1

Security Management Concepts and Principles

55 The Human Side of Information Security... 663

Kevin Henry, CISA, CISSP

56 Security Management ... 677

Ken Buszta, CISSP

57 Measuring ROI on Security ... 685

Carl F. Endorf, CISSP, SSCP, GSEC

58 Security Patch Management... 689

Jeffrey Davis, CISSP

Section 3.2

Change Control Management

59 Configuration Management: Charting the Course for the Organization ... 697

Mollie E. Krehnke, CISSP, IAM and David C. Krehnke, CISSP, CISM, IAM

Section 3.3

Data Classification

60 Information Classification: A Corporate Implementation Guide ... 715

Jim Appleyard

Section 3.4

Risk Management


Daniel D. Houser, CISSP, MBA, e-Biz+

63 Risk Management and Analysis ... 751

Kevin Henry, CISA, CISSP

64 New Trends in Information Risk Management... 759

Brett Regan Young, CISSP, CBCP

65 Information Security in the Enterprise ... 767

Duane E. Sharp

66 Managing Enterprise Security Information ... 779

Matunda Nyanchama, Ph.D., CISSP and Anna Wilson, CISSP, CISA

67 Risk Analysis and Assessment ... 795

Will Ozier

68 Security Assessment ... 821

Sudhanshu Kairab, CISSP, CISA

69 Cyber-Risk Management: Technical and Insurance Controls for Enterprise-Level Security ... 829

Carol A. Siegel, Ty R. Sagalow, and Paul Serritella

Section 3.5

Employment Policies and Practices

70 A Progress Report on the CVE Initiative ... 845

Robert Martin, Steven Christey, and David Baker

71 Roles and Responsibilities of the Information Systems Security Officer ... 865

Carl Burney, CISSP

72 Information Protection: Organization, Roles, and Separation of Duties ... 871

Rebecca Herold, CISSP, CISA, FLMI

73 Organizing for Success: Some Human Resources Issues in Information Security ... 887

Jeffrey H. Fenton, CBCP, CISSP and James M. Wolfe, MSM

74 Ownership and Custody of Data ... 899

William Hugh Murray, CISSP

76 Information Security Policies from the Ground Up ... 917

Brian Shorten, CISSP, CISA

77 Policy Development... 925

Chris Hare, CISSP, CISA

78 Toward Enforcing Security Policy: Encouraging Personal Accountability for Corporate Information Security Policy ... 945

John O. Wylder, CISSP

79 The Common Criteria for IT Security Evaluation ... 953

Debra S. Herrmann

80 A Look at the Common Criteria ... 969

Ben Rothke, CISSP

81 The Security Policy Life Cycle: Functions and Responsibilities ... 979

Patrick D. Howard, CISSP

Section 3.7

Security Awareness Training

82 Maintaining Management’s Commitment... 989

William Tompkins, CISSP, CBCP

83 Making Security Awareness Happen ... 999

Susan D. Hansche, CISSP

84 Making Security Awareness Happen: Appendices... 1011

Susan D. Hansche, CISSP

Section 3.8

Security Management Planning

85 Maintaining Information Security during Downsizing... 1023

Thomas J. Bray, CISSP

86 The Business Case for Information Security: Selling Management on the Protection of Vital Secrets and Products ... 1029

Sanford Sherizen, Ph.D., CISSP


Michael J. Corby, CISSP

89 Outsourcing Security ... 1061

James S. Tiller, CISA, CISSP

4 APPLICATION PROGRAM SECURITY ... 1073

Section 4.1 APPLICATION ISSUES

90 Security Models for Object-Oriented Databases... 1077

James Cannady

91 Web Application Security... 1083

Mandy Andress, CISSP, SSCP, CPA, CISA

92 Security for XML and Other Metadata Languages ... 1093

William Hugh Murray, CISSP

93 XML and Information Security ... 1101

Samuel C. McClintock

94 Application Security ... 1109

Walter S. Kobus, Jr., CISSP

95 Covert Channels... 1115

Anton Chuvakin, Ph.D., GCIA, GCIH

96 Security as a Value Enhancer in Application Systems Development ... 1123

Lowell Bruce McCulley, CISSP

97 Open Source versus Closed Source... 1139

Ed Skoudis, CISSP

Section 4.2

Databases and Data Warehousing

98 Reflections on Database Integrity... 1157

William Hugh Murray, CISSP

99 Digital Signatures in Relational Database Applications... 1165

Mike R. Prevost

100 Security and Privacy for Data Warehouses:

101 Enterprise Security Architecture ... 1193

William Hugh Murray, CISSP

102 Certification and Accreditation Methodology ... 1205

Mollie E. Krehnke, CISSP, IAM and David C. Krehnke, CISSP, CISM, IAM

103 System Development Security Methodology... 1221

Ian Lim, CISSP and Ioana V. Carastan, CISSP

104 A Security-Oriented Extension of the Object Model for the Development of an Information System ... 1235

Sureerut Inmor, Vatcharaporn Esichaikul, and Dencho N. Batanov

Section 4.4

Malicious Code

105 A Look at Java Security ... 1251

Ben Rothke, CISSP

106 Malware and Computer Viruses ... 1257

Robert M. Slade, CISSP

Section 4.5

Methods of Attack

107 Methods of Auditing Applications ... 1287

David C. Rice, CISSP and Graham Bucholz

5 CRYPTOGRAPHY ... 295

Section 5.1

Use of Cryptography

108 Three New Models for the Application of Cryptography... 1299

Jay Heiser, CISSP

109 Auditing Cryptography: Assessing System Security ... 1309

Steve Stanek

Section 5.2 Cryptographic Concepts, Methodologies, and Practices

110 Message Authentication ... 1313

James S. Tiller, CISA, CISSP


Javek Ikbel, CISSP

113 Hash Algorithms: From Message Digests to Signatures ... 1349

Keith Pasley, CISSP

114 A Look at the Advanced Encryption Standard (AES) ... 1357

Ben Rothke, CISSP

Section 5.3

Private Key Algorithms

115 Principles and Applications of Cryptographic Key

Management ... 1365

William Hugh Murray, CISSP

Section 5.4

Public Key Infrastructure (PKI)

116 Preserving Public Key Hierarchy ... 1379

Geoffrey C. Grabow, CISSP

117 PKI Registration ... 1385

Alex Golod, CISSP

Section 5.5

System Architecture for Implementing Cryptographic Functions

118 Implementing Kerberos in Distributed Systems ... 1397

Joe Kovara, CTP and Ray Kaplan, CISSP, CISA, CISM

Section 5.6

Methods of Attack

119 Methods of Attacking and Defending Cryptosystems ... 1447

Joost Houwen, CISSP

6 ENTERPRISE SECURITY ARCHITECTURE ... 146

Section 6.1

Principles of Computer and Network Organizations, Architectures, and Designs

Architecture Primer ... 1475

Chris Hare, CISSP, CISA

122 The Reality of Virtual Computing... 1489

Chris Hare, CISSP, CISA

123 Overcoming Wireless LAN Security Vulnerabilities... 1507

Gilbert Held

Section 6.2

Principles of Security Models, Architectures and Evaluation Criteria

124 Formulating an Enterprise Information Security Architecture ... 1513

Mollie Krehnke, CISSP, IAM and David Krehnke,CISSP, CISM, IAM

125 Security Architecture and Models ... 1531

Foster J. Henderson, CISSP, MCSE and Kellina M. Craig-Henderson, Ph.D.

Section 6.3

Common Flaws and Security Issues — System Architecture and Design

126 Common System Design Flaws and Security Issues... 1547

William Hugh Murray, CISSP

7 OPERATIONS SECURITY ... 1555

Section 7.1

Concepts

127 Operations: The Center of Support and Control ... 1559

Kevin Henry, CISA, CISSP

128 Why Today’s Security Technologies Are So Inadequate: History, Implications, and New Approaches ... 1565

Steven Hofmeyr, Ph.D.

Section 7.2

Resource Protection Requirements


130 Auditing the Electronic Commerce Environment ... 1585

Chris Hare, CISSP, CISA

Section 7.4

Intrusion Detection

131 Improving Network-Level Security through Real-Time Monitoring and Intrusion Detection ... 1601

Chris Hare, CISSP, CISA

132 Intelligent Intrusion Analysis: How Thinking Machines Can Recognize Computer Intrusions ... 1619

Bryan D. Fish, CISSP

Section 7.5

Operations Controls

133 Directory Security ... 1633

Ken Buszta, CISSP

8 BUSINESS CONTINUITY PLANNING ... 1641

Section 8.1

Business Continuity Planning

134 Reengineering the Business Continuity Planning Process ... 1645

Carl B. Jackson, CISSP, CBCP

135 The Changing Face of Continuity Planning ... 1657

Carl B. Jackson, CISSP, CBCP

136 The Role of Continuity Planning in the Enterprise Risk Management Structure ... 1667

Carl B. Jackson, CISSP, CBCP

Section 8.2

Disaster Recovery Planning

137 Restoration Component of Business Continuity Planning... 1679

John Dorf, ARM and Martin Johnson, CISSP

138 Business Resumption Planning and Disaster Recovery: A Case History ... 1689

Kevin Henry, CISA, CISSP

140 The Business Impact Assessment Process ... 1709

Carl B. Jackson, CISSP, CBCP

9 LAW, INVESTIGATION, AND ETHICS ... 1725

Section 9.1

Information Law

141 Jurisdictional Issues in Global Transmissions ... 1729

Ralph Spencer Poore, CISSP, CISA, CFE

142 Liability for Lax Computer Security in DDoS Attacks ... 1737

Dorsey Morrow, JD, CISSP

143 The Final HIPAA Security Rule Is Here! Now What?... 1743

Todd Fitzgerald, CISSP, CISA

144 HIPAA 201: A Framework Approach to HIPAA Security Readiness... 1759

David MacLeod, Ph.D., CISSP, Brian Geffert, CISSP, CISA, and David Deckter, CISSP

Section 9.2

Investigations

145 Computer Crime Investigations: Managing a Process without Any Golden Rules ... 1771

George Wade, CISSP

146 Computer Crime Investigation and Computer Forensics... 1785

Thomas Welch, CISSP, CPP

147 Operational Forensics ... 1813

Michael J. Corby, CISSP

148 What Happened ... 1819

Kelly J. Kuchta, CPP, CFE

Section 9.3

Major Categories of Computer Crime

149 The International Dimensions of Cybercrime... 1823

Ed Gabrys, CISSP

Section 9.4

Incident Handling


Chris Hare, CISSP, CISA

152 Incident Response Management ... 1861

Alan B. Sterneckert, CISA, CISSP, CFE, CCCI

153 Managing the Response to a Computer Security Incident ... 1871

Michael Vangelos, CISSP

154 Cyber Crime: Response, Investigation, and Prosecution ... 1881

Thomas Akin, CISSP

155 Incident Response Exercises... 1887

Ken M. Shaurette, CISSP, CISA, CISM, IAM and Thomas J. Schleppenbach

156 Software Forensics... 1897

Robert M. Slade, CISSP

Section 9.5

Ethics

157 Ethics and the Internet ... 1911

Micki Krause, CISSP

10 PHYSICAL SECURITY ... 1921

Section 10.1

Facility Requirements

158 Physical Security: A Foundation for Information Security ... 1925

Christopher Steinke, CISSP

159 Physical Security: Controlled Access and Layered Defense ... 1935

Bruce R. Mathews, CISSP

160 Computing Facility Physical Security ... 1947

Alan Brusewitz, CISSP, CBCP

162 Types of Information Security Controls ... 1965

Harold F. Tipton, CISSP

Section 10.3

Environment and Life Safety

163 Physical Security: The Threat after September 11th ... 1975

Jaymes Williams, CISSP


Contributors

Thomas Akin, CISSP, has worked in information security for almost a decade. He is the founding director of the Southeast Cybercrime Institute, where he also serves as chairman for the Institute's Board of Advisors. He is an active member of the Georgia Cybercrime Task Force where he heads up the Task Force's Education committee. Thomas also works with Atlanta's ISSA, InfraGard, and HTCIA professional organizations. He has published several articles on Information Security and is the author of Hardening Cisco Routers. He developed Kennesaw State University’s highly successful UNIX and Cisco training programs and, in addition to his security certifications, is also certified in Solaris, Linux, and AIX; is a Cisco Certified Academic Instructor (CCAI), and is a Certified Network Expert (CNX). He can be reached at takin@kennesaw.edu.

Mandy Andress, CISSP, SSCP, CPA, CISA, is Founder and President of ArcSec Technologies, a security consulting firm specializing in product/technology analysis. Before starting ArcSec Technologies, Mandy worked for Exxon, USA and several Big 5 accounting firms, including Deloitte & Touche and Ernst & Young. After leaving the Big 5, Mandy became Director of Security for Privada, Inc., a privacy start-up in San Jose. At Privada, Mandy helped develop security policies, secure network design, develop Firewall/VPN solutions, increase physical security, secure product design, and perform periodic network vulnerability testing. Mandy has written numerous security product and technology reviews for various computer trade publications. A member of the Network World Global Test Alliance, she is also a frequent presenter at conferences, including Networld+Interop, Black Hat, and TISC. Mandy holds a BBA in accounting and an MS in MIS from Texas A&M University. She is the author of Surviving Security, 2nd Edition (Auerbach Publications, 2003).

Jim Appleyard is a senior security consultant with the IBM Security and Privacy Services consulting practice. With 33 years of technical and management experience in information technology, he specializes in enterprise-wide information security policies and security architecture design. He has specific expertise in developing information security policies, procedures, and standards; conducting business impact analysis; performing enterprisewide security assessments; and designing data classification and security awareness programs.

David W. Baker is a member of the CVE Editorial Board. As a Lead INFOSEC Engineer in MITRE’s Security and Information Operations Division, he has experience in deployment and operation of large-scale intrusion detection systems, critical infrastructure protection efforts, and digital forensics research. A member of the American Academy of Forensic Sciences, Baker holds a bachelor’s degree from The State University of New York, and a Master of Forensic Science degree from George Washington University.

Dencho N. Batanov is with the school of Advanced Technologies at the Asian Institute of Technology in Pathumthani, Thailand.


various information security-related incidents for a large telecommunications company in Manitoba, relating to computer and toll fraud crimes.

Chuck Bianco, FTTR, CISA, CISSP, is an IT Examination Manager for the Office of Thrift Supervision in Dallas, Texas. He has represented his agency on the IT Subcommittee of the FFIEC. Bianco has experienced more than 600 IT examinations, participated in six IT symposia, written OTS’ original Disaster Recovery Bulletin, and led the Interagency Symposium resulting in SP–5. He was awarded the FFIEC Outstanding Examiner Award for significant contributions, and received two Department of the Treasury Awards for Outstanding Performance.

Christina M. Bird, Ph.D., CISSP, is a senior security analyst with Counterpane Internet Security in San Jose, California. She has implemented and managed a variety of wide-area-network security technologies, such as firewalls, VPN packages and authentication systems; built and supported Internet-based remote access systems; and developed, implemented, and enforced corporate IS security policies in a variety of environments. Tina is the moderator of the Virtual Private Networks mailing list, and the owner of "VPN Resources on the World Wide Web," a highly regarded vendor neutral source of information about VPN technology. Tina has a BS in physics from Notre Dame and an MS and Ph.D. in astrophysics from the University of Minnesota.

Steven F. Blanding, CIA, CISA, CSP, CFE, CQA, was, when his contributions were written, the Regional Director of Technology for Arthur Andersen, based in Houston, Texas. Steve has 25 years of experience in the areas of financial auditing, systems auditing, quality assurance, information security, and business resumption planning for large corporations in the consulting services, financial services, manufacturing, retail electronics, and defense contract industries. Steve earned a BS in accounting from Virginia Tech and an MS in business information systems from Virginia Commonwealth University.

David Bonewell, CISSP, CISA, is a chief security architect with Teradata, Cincinnati, Ohio.

Kate Borten, CISSP, a nationally recognized expert in health information security and privacy, is president of The Marblehead Group. She has over 20 years of experience at Harvard University teaching hospitals, health centers, and physician practices, as information security head at Massachusetts General Hospital, and as Chief Information Security Officer at CareGroup in Boston. She is a frequent speaker at conferences sponsored by AHIMA, AMIA, CHIM, CHIME, CPRI, and HIMSS, and an advisor and contributor to “Briefings on HIPAA.”

Dan M. Bowers, CISSP, is a consulting engineer, author, and inventor in the field of security engineering.

Thomas J. Bray, CISSP, is a Principal Security Consultant with SecureImpact. He has more than 13 years of information security experience in banking, information technology, and consulting. Tom can be reached at tjbray@secureimpact.com. SecureImpact is a company dedicated to providing premier security consulting expertise and advice. SecureImpact has created its information and network service offerings to address the growing proliferation of security risks being experienced by small to mid-sized companies. Information about SecureImpact can be obtained by visiting www.secureimpact.com.

Allen Brusewitz, CISSP, CBCP, has more than 30 years of experience in computing in various capacities, including system development, EDP auditing, computer operations, and information security. He has continued his professional career leading consulting teams in cyber-security services with an emphasis on E-commerce security. He also participates in business continuity planning projects and is charged with developing that practice with his current company for delivery to commercial organizations.

Graham Bucholz is a computer security researcher for the U.S. government in Baltimore, Maryland.

ten years of IT experience and six years of InfoSec experience. He served in the U.S. Navy’s intelligence community before entering the consulting field in 1994. Should you have any questions or comments, he can be reached at Infosecguy@att.net.

James Cannady is a research scientist at Georgia Tech Research Institute. For the past seven years he has focused on developing and implementing innovative approaches to computer security in sensitive networks and systems in military, law enforcement, and commercial environments.

Ioana V. Carastan, CISSP, is a manager with Accenture’s global security consulting practice. She has written security policies, standards, and processes for clients in a range of industries, including financial services, high-tech, resources, and government.

Mark T. Chapman, CISSP, CISM, IAM, is the Director of Information Security Solutions for Omni Tech Corporation in Waukesha, Wisconsin. Mark holds an MS in computer science from the University of Wisconsin, Milwaukee, in the area of cryptography and information security. He has published several papers and has presented research at conferences in the United States, Asia, and Europe. He is the author of several security-related software suites, including the NICETEXT linguistic steganography package available at www.nicetext.com. Mark is a member of the executive planning committee for the Eastern Wisconsin Chapter of InfraGard. For questions or comments, contact Mark at mark.chapman@omnitechcorp.com.

Steven Christey is the editor of the CVE List and the chair of the CVE Editorial Board. His operational experience is in vulnerability scanning and incident response. His research interests include automated vulnerability analysis of source code, reverse-engineering of malicious executable code, and responsible vulnerability disclosure practices. He is a Principal INFOSEC Engineer in MITRE's Security and Information Operations Division. He holds a BS in computer science from Hobart College.

Samuel Chun, CISSP, is director for a technology consulting firm in the Washington, D.C., area.

Anton Chuvakin, Ph.D., GCIA, GCIH, is a senior security analyst with a major information security company. His areas of InfoSec expertise include intrusion detection, UNIX security, forensics, and honeypots. In his spare time, he maintains his security portal, www.infosecure.org.

Douglas G. Conorich, the Global Solutions Manager for IBM Global Service’s Managed Security Services, has over 30 years of experience in computer security, holding a variety of technical and management positions. He has responsibility for developing new security offerings, ensuring that the current offerings are standardized globally, and overseeing training of new members of the MSS team worldwide. Mr. Conorich teaches people how to use the latest vulnerability testing tools to monitor Internet and intranet connections and develop vulnerability assessments suggesting security-related improvements. Mr. Conorich is also actively engaged in the research of bugs and vulnerabilities in computer operating systems and Internet protocols and is involved in the development of customized alerts notifying clients of new potential risks to security. He has presented papers at over 400 conferences, has published numerous computer security-related articles on information security in various magazines and periodicals, and has held associate professor positions at several colleges and universities.

Washington, D.C. Craig-Henderson’s work has been supported by grants from the National Science Foundation and the Center for Human Resource Management at the University of Illinois.

Jeffrey Davis, CISSP, has been working in information security for the past ten years. He is currently a senior manager at Lucent Technologies, involved with intrusion detection, anti-virus, and threat assessment. He holds a bachelor’s degree in electrical engineering and a master’s degree in computer science from Stevens Institute of Technology.

Matthew J. Decker, CISSP, CISA, CBCP, has 17 years of professional experience in information security. He has advised private industry and local government on information security issues for the past six years with International Network Services, Lucent Technologies, and KPMG LLP. Prior to this, he devoted two years to the United States Special Operations Command (USSOCOM) as a contractor for Booz Allen Hamilton, and served nine years with the NSA. He earned a BSEE in 1985 from Florida Atlantic University and an MBA in 1998 from Nova Southeastern University. In 1992, the NSA’s Engineering and Physical Science Career Panel awarded him Certified Cryptologic Engineer (CCE) stature. A former president of the ISSA Tampa Bay chapter, he is a member of ISSA and ISACA.

David Deckter, CISSP, a manager with Deloitte & Touche Enterprise Risk Services, has extensive experience in information systems security disciplines, controlled penetration testing, secure operating system, application and internetworking architecture and design, risk and vulnerability assessments, and project management. Deckter has obtained ISC2 CISSP certification. He has performed numerous network security assessments for emerging technologies and electronic commerce initiatives in the banking, insurance, telecommunications, healthcare, and financial services industries, and has been actively engaged in projects requiring HIPAA security solutions.

Gildas Deograt, CISSP, is a CISSP Common Body of Knowledge (CBK) seminar instructor. He has been working in the IT field for more than ten years, with a focus over the past five years on information security. His experience includes network design and implementation, security policy development and implementation, developing security awareness programs, network security architecture, assessment and integration, and firewall deployment. At present, he is an Information System Security Officer for Total Exploration and Production. Before moving to France, he was the Chief Information Security Officer at TotalFinaElf E&P Indonesia and also a board member of the Information System Security Association (ISSA), Indonesia.

Sandeep Dhameja, CISSP, is responsible for implementation, management of data, network security, and information security at Morningstar. With more than ten years of IT experience, including five years in information security, Dhameja has held several executive and consulting positions. He is widely published with the IEEE, International Engineering Consortium (IEC), Society of Automotive Engineers (SAE), and at international conferences.

John Dorf, ARM, is a senior manager in the Actuarial Services Group of Ernst & Young. Specializing in insurance underwriting and risk management consulting, John earned his 19 years of experience as a risk manager at several Fortune 500 financial service and manufacturing firms. Before joining Ernst & Young, John was a senior risk manager at General Electric Capital Corporation. John has also held risk management positions at Witco Corporation, National Westminster Bank, and the American Bureau of Shipping. Prior to becoming a risk manager, John spent seven years as an underwriting manager and senior marine insurance underwriter at AIG and Atlantic Mutual. John holds an MBA with a concentration in risk management from the College of Insurance; a BA in Economics from Lehigh University; and an Associate in Risk Management (ARM) designation from the Insurance Institute of America.


computer security. Mark previously worked for KPMG Information Risk Management Group and IBM’s Privacy and Security Group, where he performed network security assessments, security system reviews, development of security recommendations, and ethical hacking. Other projects included helping companies develop secure and reliable network system architecture for their Web-enabled businesses. Mark was managing editor of the SANS Digest (Systems Administration and Network Security) and contributing editor to the SANS Step-by-Step Windows NT Security Guide. He is co-author of Windows NT: Performance, Monitoring and Tuning, and he developed the SANS Business Continuity/Disaster Recovery Plan Step-by-Step Guide.

Carl F. Endorf, CISSP, is a senior security analyst for one of the largest insurance and banking companies in the United States. He has practical experience in forensics, corporate investigations, and Internet security.

Vatcharaporn Esichaikul is with the School of Advanced Technologies at the Asian Institute of Technology in Pathumthani, Thailand.

Jeffrey H. Fenton, CBCP, CISSP, is the corporate IT crisis assurance/mitigation manager and technical lead for IT Risk Management and a senior staff computer system security analyst in the Corporate Information Security Office at Lockheed Martin Corporation. He joined Lockheed Missiles and Space Company in Sunnyvale, California, as a system engineer in 1982 and transferred into its telecommunications group in 1985. Fenton completed a succession of increasingly complex assignments, including project manager for the construction and activation of an earthquake-resistant network center on the Sunnyvale campus in 1992, and group leader for network design and operations from 1993 through 1996. Fenton holds a BA in economics from the University of California, San Diego, an MA in economics and an MS in operations research from Stanford University, and an MBA in telecommunications from Golden Gate University. Fenton is also a Certified Business Continuity Planner (CBCP) and a Certified Information Systems Security Professional (CISSP).

Bryan D. Fish, CISSP, is a security consultant for Lucent Technologies in Dallas, Texas. He holds a BS in Computer Engineering and a Master of Computer Science degree with a focus on internetworking and computer system security, both from Texas A&M University. Professional interests include security programs and policies, and applications of cryptography in network security.

Todd Fitzgerald, CISSP, CISA, is the Systems Security Officer for United Government Services, LLC, the nation’s largest processor of Medicare hospital claims on behalf of the Centers for Medicare and Medicaid Services (CMS). He has over 24 years of broad-based information technology experience, holding senior IT management positions with Fortune 500 and Global Fortune 250 companies. Todd is a board member of the ISSA–Milwaukee Chapter, co-chair on the HIPAA Collaborative of Wisconsin Security Task Force, participant in the CMS/Gartner Security Best Practices Group, and is a frequent speaker and writer on security issues.

Stephen D. Fried, CISSP, is the Director of Global Information Security at Lucent Technologies, leading the team responsible for protecting Lucent’s electronic and information infrastructure. Stephen began his professional career at AT&T in 1985 and has progressed through a wide range of technical and leadership positions in such areas as software development, database design, call center routing, computing research, and information security for AT&T, Avaya, and Lucent Technologies. In more recent history, Stephen has developed the information security program for two Fortune 500 companies, leading the development of security strategy, architecture, and deployment while dealing with such ever-changing topics as policy development, risk assessment, technology development and deployment, and security outsourcing. He is a Certified Information Systems Security Professional and is also an instructor with the SANS Institute. Stephen holds a BS in Telecommunications Management and an MS in Computer Science.



specializes in information systems controls and solutions. Geffert has worked on the development of HIPAA assessment tools and security services for healthcare industry clients to determine the level of security readiness with Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. In addition, he has implemented solutions to assist organizations addressing their HIPAA security readiness issues. Finally, Geffert is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Auditor (CISA).

Karen Gibbs is a senior data warehouse architect with Teradata, Dayton, Ohio.

Alex Golod, CISSP, is an infrastructure specialist for EDS in Troy, Michigan.

Robert Gray, Ph.D., is currently Chair of the Quantitative Methods and Computer Information Systems Department at Western New England College and has more than 20 years of academic and management experience in the IT field.

Frandinata Halim, CISSP, MCSE, a senior security consultant at ITPro Citra Indonesia, PT, has ample experience and qualifications in providing clients with managed security services, information system security consulting, secure network deployment, and other services. In addition, he is competent and knowledgeable in the use and hardening of the Windows environment, Cisco security devices, a number of IDSs, firewalls, and others, currently holding certifications such as CISSP from the (ISC)2, CCSP, CCDA, and CCNA from Cisco Systems, and MCSE from Microsoft. He obtained his bachelor’s degree in electronic engineering from Trisakti University, Jakarta, and his master’s degree in information system management from Bina Nusantara University, Jakarta.

Susan D. Hansche, CISSP, is a senior manager for information system security awareness and training at PEC Solutions, based in Fairfax, Virginia. She has designed numerous training courses on information technology and information systems security for both private-sector and government clients. Susan is co-author of the Official (ISC)2 Guide to the CISSP Exam. She can be reached via e-mail at susan.hansche@pec.com.

William T. Harding, Ph.D., is Dean of the College of Business Administration and an associate professor at Texas A&M University, in Corpus Christi.

Chris Hare, CISSP, CISA, is an Information Security and Control Consultant with Nortel Networks in Dallas, Texas. His experience encompasses over sixteen years in the computing industry with key positions ranging from application design, quality assurance, system administration/engineering, network analysis, and security consulting, operations and architecture. His management career, coupled with in-depth technical knowledge, provides the foundation to integrate the intricate risks of technology to the ongoing survival of major corporations. Chris periodically shares his knowledge in speaking engagements, published articles, books, and other publications. He has written a number of articles for Sys Admin magazine, ranging from system administration and tutorial articles to management and architecture. Chris is now writing for Auerbach’s Data Security Management, Information Security Management Handbook, and Data Communication Management, and is co-author of the Official (ISC)2 Guide to the CISSP Exam. Chris has taught information security at Algonquin College (Ottawa, Canada) and was one of the original members of the Advisory Council for this program. He frequently speaks at conferences on UNIX, specialized technology and applications, security, and audit.


in both Europe and America for his entertaining and thought-provoking presentations, Mr. Heiser has an MBA in International Management from the American Graduate School of International Management.

Gilbert Held is an award-winning author and lecturer. Gil is the author of over 40 books and 450 technical articles. Some of Gil’s recent book titles include Building a Wireless Office and The ABCs of IP Addressing, published by Auerbach Publications. Gil can be reached via e-mail at gil_held@yahoo.com.

Foster Henderson, CISSP, MCSE, CRP, CNA, is an information assurance analyst for Analytic Services, Inc. (ANSER). He is currently a member of the Network Operations and Security Branch within the federal government, covering a wide range of IA matters.

Kevin Henry, CISA, CISSP, Director–Program Development for (ISC)2 Institute, is a regular speaker at conferences and training seminars worldwide, with frequent requests to provide in-depth training, foundational and advanced information systems security and audit courses, and detailed presentations and workshops on key issues surrounding the latest issues in the information systems security field. Kevin combines over twenty years’ experience in telecom and consulting engagements for major government and corporate clients with an interesting and comfortable learning style that enhances the understanding, relevance, and practical applications of the subject matter. Kevin graduated from Red River College as a computer programmer/analyst and has an Advanced Graduate Diploma in Management from Athabasca University, where he is currently enrolled in their MBA program with a focus on information technology. Kevin has also had several articles published in leading trade journals and in the Handbook of Information Security Management.

Paul A. Henry, MCP+I, MCSE, CCSA, CFSA, CFSO, CISSP, Vice President of CyberGuard Corporation and an information security expert who has worked in the security field for more than 20 years, has provided analysis and research support on numerous complex network security projects in Asia, the Middle East, and North America, including several multimillion dollar network security projects, such as Saudi Arabia’s National Banking System and the DoD Satellite Data Project USA. Henry has given keynote speeches at security seminars and conferences worldwide on topics including DDoS attack risk mitigation, firewall architectures, intrusion methodology, enterprise security, and security policy development. An accomplished author, Henry has also published numerous articles and white papers on firewall architectures, covert channel attacks, distributed denial-of-service (DDoS) attacks, and buffer overruns. Henry has also been interviewed by ZD Net, the San Francisco Chronicle, the Miami Herald, NBC Nightly News, CNBC Asia, and many other media outlets.

Rebecca Herold, CISSP, CISA, FLMI, is Vice President, Privacy Services and Chief Privacy Officer at DelCreo, Inc. Prior to this, she was chief privacy officer and senior security architect for QinetiQ Trusted Information Management, Inc. (Q-TIM). She has more than 13 years of information security experience. Herold was the editor and contributing author for The Privacy Papers, released in December 2001. Most recently she was the co-author of The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach, 2004). She has also written numerous magazine and newsletter articles on information security topics and has given many presentations at conferences and seminars. Herold can be reached at rebecca@delcreo.com.

Debra S. Herrmann is the ITT manager of security engineering for the FAA Telecommunications Infrastructure program. Her special expertise is in the specification, design, and assessment of secure mission-critical systems. She is the author of Using the Common Criteria for IT Security Evaluation and A Practical Guide to Security Engineering and Information Assurance, both from Auerbach Publications.


peer-

program committee for the ACM’s New Security Paradigms Workshop, and is currently on the program committee for the Artificial Immune Systems workshop at the IEEE World Congress on Computational Intelligence. He can be reached at steve.hofmeyr@sanasecurity.com.

Daniel D. Houser, CISSP, MBA, e-Biz+, is a senior security engineer with Nationwide Mutual Insurance Company.

Joost Houwen, CISSP, CISA, is the security manager for Network Computing Services at BC Hydro. He has a diverse range of IT and information security experience.

Patrick D. Howard, CISSP, a Senior Information Security Consultant for the Titan Corporation, has over 31 years’ experience in security management and law enforcement. He has been performing security certification and accreditation tasks for over 14 years as both a security manager and a consultant from both government and commercial industry perspectives. He has experience with implementing security C&A with the Department of the Army, Nuclear Regulatory Commission, Department of Agriculture, and Department of Transportation, and has been charged with developing C&A and risk management guidance for organizations such as Bureau of the Public Debt, U.S. Coast Guard, State of California, University of Texas Southwestern Medical School, University of Texas Medical Branch, and corporations including John Hancock, BankBoston, Sprint, eSylvan, and Schering–Plough. He has extensive practical experience in implementing programs and processes based on NIST guidance (FIPS Pub 102, SP 800-18, 800-26, 800-30, 800-37, etc.), OMB Circular A-130, Appendix III, and BS 7799/ISO 17799. He has direct working experience in security plan development for complex systems, sensitivity definition, use of minimum security baselines, risk analysis, vulnerability assessment, controls validation, risk mitigation, and documenting certification and accreditation decisions. Mr. Howard has also developed and presented training on all of these processes. He is the author of Building and Implementing a Security Certification and Accreditation Program (Auerbach Publications, 2004).

Javed Ikbal, CISSP, works at a major financial services company as Director, IT Security, where he is involved in security architecture, virus/cyber incident detection and response, policy development, and building custom tools to solve problems. A proponent of open-source security tools, he is a believer in the power of Perl.

Sureerut Inmor is with the school of Advanced Technologies at the Asian Institute of Technology in Pathumthani, Thailand. He can be reached at sureerut_earth@hotmail.com.

Carl B. Jackson, CISSP, is Vice President–Enterprise Continuity Planning for DelCreo, Inc., an enterprise risk management company. He is a Certified Information Systems Security Professional (CISSP) with more than 25 years of experience in the areas of continuity planning, information security, and information technology internal control and quality assurance reviews and audits. Prior to joining DelCreo, Inc., he served in the QinetiQ-TIM Corporation and as a Partner with Ernst & Young, where he was the firm’s BCP Service Line Leader. Carl has extensive consulting experience with numerous major organizations in multiple industries, including manufacturing, financial services, transportation, healthcare, technology, pharmaceuticals, retail, aerospace, insurance, and professional sports management. He also has extensive industry business continuity planning experience as an information security practitioner, manager in the field of information security and business continuity planning, and as a university-level instructor. He has written extensively and is a frequent public speaker on all aspects of continuity planning and information security. Carl can be reached at 1+ 936-328-3663 or by e-mail at carl@delcreo.com.



Domain 1


The Access Control Systems and Methodology domain addresses the collection of mechanisms that permits system managers to exercise a directing or restraining influence over the behavior, use, and content of a system. Access control permits management to specify what users can do, what resources they can access, and what operations they can perform on a system.

Given the realization that information is valuable and must be secured against misuse, disclosure, and destruction, organizations implement access controls to ensure the integrity and security of the information they use to make critical business decisions. Controlling access to computing resources and information can take on many forms. However, regardless of the method utilized, whether technical or administrative, access controls are fundamental to a well-developed and well-managed information security program.

This domain addresses user identification and authentication, access control techniques and the administration of those techniques, and the evolving and innovative methods of attack against implemented controls. Biometrics are used to identify and authenticate individuals and are rapidly becoming a popular approach for imposing control over access to information, because they provide the ability to positively identify someone by their personal attributes, typically a person’s voice, handprint, fingerprint, or retinal pattern. Although biometric devices have been around for years, innovations continue to emerge. Understanding the potential as well as the limitations of these important tools is necessary so that the technology can be applied appropriately and most effectively. We will lay the foundations here and follow up with more detail in Domain 10: Physical Security.

Nowhere is the use of access controls more apparently important than in protecting the privacy, confidentiality, and security of patient healthcare information. Outside North America, especially in European countries, privacy has been a visible priority for many years. More recently, American consumers have come to demand an assurance that their personal privacy is protected, a demand that demonstrates awareness that their medical information is becoming increasingly widespread and potentially subject to exposure. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 for medical information and the Gramm–Leach–Bliley Act of 1999 for financial information, just to name two regulations, are definitive evidence that the U.S. Government has heeded the mandate of American citizens.

Malicious hacking has been a successful means of undermining information controls and an increasing challenge to the security of information. Hackers tend to chip away at an organization’s defenses and have been successful on far too many occasions. In this domain, readers learn about the advancing, state-of-the-art attack tools that have led to highly publicized scenarios; for example, the recent defacement of the U.S. Department of Justice Web site and denial-of-service attacks on many commercial sites.


Contents

Section 1.1

Access Control Techniques

1 Enhancing Security through Biometric Technology... 5

Stephen D. Fried, CISSP

2 Biometrics: What’s New?... 21

Judith M. Myerson

3 Controlling FTP: Providing Secured Data Transfers ... 27

Chris Hare, CISSP, CISA

Section 1.2

Access Control Administration

4 Privacy in the Healthcare Industry... 45

Kate Borten, CISSP

5 The Case for Privacy... 55

Michael J. Corby, CISSP

Section 1.3

Identification and Authentication Techniques

6 Biometric Identification... 61

Donald R. Richards

7 Single Sign-On for the Enterprise ... 77

Ross A. Leo, CISSP

Section 1.4

Access Control Methodologies and Implementation

8 Centralized Authentication Services (RADIUS, TACACS, DIAMETER)... 97

Bill Stackpole, CISSP

9 An Introduction to Secure Remote Access ... 109

Christina M. Bird, Ph.D., CISSP

Section 1.5

Methods of Attack

10 Hacker Tools and Techniques ... 121

Ed Skoudis, CISSP

11 A New Breed of Hacker Tools and Defenses ... 135

Ed Skoudis, CISSP

12 Social Engineering: The Forgotten Risk ... 147

John Berti, CISSP and Marcus Rogers, Ph.D., CISSP


14 Counter-Economic Espionage... 165

Craig A. Schiller, CISSP

Section 1.6

Monitoring and Penetration Testing

15 Penetration Testing ... 179

Stephen D. Fried, CISSP



1 Enhancing Security through Biometric Technology

Stephen D. Fried, CISSP

Introduction

The U.S. Immigration and Naturalization Service has begun a program that will allow frequent travelers to the United States to bypass the personal interview and inspection process at selected major airports, by taking electronic readings of the visitor’s hand to positively identify the traveler. A similar system is in use at the U.S./Canada border that uses fingerprints and voice recognition to identify people crossing the border.

In 1991, Los Angeles County installed a system that uses fingerprint identification to reduce fraud-ulent and duplicate claims in the county’s welfare system. The county saved more than $5 million in the first six months of use.

Casinos from Las Vegas to Atlantic City use face recognition systems to spot gambling cheats, card counters, and criminals in an attempt to reduce losses and protect their licenses.

All these systems have one thing in common: they all use biometrics to provide for enhanced security of people, locations, or financial interests. Biometrics is becoming one of the fastest growing segments of the security field and has gained a great deal of popularity both in the popular press and within the security profession. The use of biometrics — how it works, how it is used, and how effective it can be — is the subject of this chapter.

Biometrics Basics


Security professionals already have a wide variety of identification and authentication options available to them, including ID badges, passwords, PINs, and smart cards. So why is biometrics different, and why is it considered by many to be the “best” method for accurate identification and authentication? The answer comes from the nature of identification and authentication. Both these processes are based on the concept of uniqueness. They assume that there is some unique aspect to an individual that can be isolated and used to positively identify that individual. However, current forms of identification and authentication all suffer from the same fallacy: the “unique” property they measure is artificially attached to the individual. User IDs and passwords are assigned to users and must be remembered by the user. ID badges or tokens are given to users who must then carry them in their possession. Certificate forms of authentication, such as driver’s licenses, passports, or X.509 public key certificates are assigned to a person by some authority that attests to the matching between the name on the certificate and the picture or public key the certificate contains. None of these infallibly identify or authenticate the named individual. They can all be fooled or “spoofed” in some form or another.

Biometrics approaches the uniqueness problem in a different way. Instead of artificially attaching some type of uniqueness to the subject, the uniqueness is determined through an intrinsic quality that the subject already possesses. Characteristics such as fingerprints, retina patterns, hand geometry, and DNA are something almost all people already possess and are all naturally unique. It is also something that is with the person at all times and thus available whenever needed. A user cannot forget his finger or leave his voice at home. Biometric traits also have an intrinsic strength in their uniqueness. A person cannot choose a weak biometric in the same way he can choose a weak password or PIN. For very high-security applications, or situations where an extremely high assurance level for identification or authentication is required, this built-in uniqueness gives biometrics the edge it needs over its traditional identification and authentication counterparts.

How Does Biometrics Work?

Although the physiology behind biometrics is quite complex, the process of using biometric measurements in an application is relatively simple. The first step is to determine the specific biometric characteristic that must be measured. This is more a function of practicality, personal preference, and user attitude than a strict technology question. The different factors that go into selecting an appropriate biometric measurement are discussed later in this chapter.

Once the specific characteristic to be measured has been determined, a reading of that biometric is taken through some mechanical or technical means. The specific means will be based on the biometric characteristic selected, but biometric readings are generally taken by either (1) photographing or scanning an image of the characteristic, or (2) measuring the characteristic’s life signs within the subject. Once the reading is taken, it needs to be modified into a form that makes further comparison easier. Storing the entire scanned or read image for thousands of people would take up large amounts of storage space, and using the whole image for comparison is inefficient. In reality, only a small portion of the entire image contains significant information that is needed for accurate comparison. These significant bits are called match points. By identifying and gathering only the match points, biometric measurements can be made accurately and data storage requirements can be significantly reduced.

The match points are collected into a standard format called a template. The template is used for further comparison with other templates stored in the system or collected from users. Templates are stored for later retrieval and comparison in whatever data storage system the biometric application is using. Later, when a user needs to be identified or authenticated, another biometric reading is taken of the subject. The template is extracted from this new scan and compared with one or more templates stored in the database. The existence or absence of a matching template will trigger an appropriate response by the system.

Biometric Traits


Randotypic traits are those traits that are formed early in the development of the embryo. Many of the body features that humans possess take on certain patterns during this stage of development, and those patterns are distributed randomly throughout the entire population. This makes duplication highly improbable and, in some cases, impossible. Examples of randotypic traits are fingerprints, iris patterns, and hand-vein patterns.

Behavioral traits are those aspects of a person that are developed through training or repeated learning. As humans develop, they learn certain modes of behavior that they carry throughout their lives. Interestingly, behavioral traits are the one type of biometric trait that can be altered by a person through re-training or behavior modification. Examples of behavioral traits include signature dynamics and keyboard typing patterns.

Common Uses for Biometrics

The science and application of biometrics has found a variety of uses for both security and non-security purposes. Authentication of individuals is one of the most popular uses. For example, hand scanners can be used to authenticate people who try to access a high-security building. The biometric reading taken of the subject is then compared against the single record belonging to that individual in the database. When used in this form, biometric authentication is often referred to as positive matching or one-to-one matching.

Very often, all that is needed is basic identification of a particular subject out of a large number of possible subjects. Police in the London borough of Newham use a system of 140 cameras mounted throughout the borough to scan the faces of people passing through the district. Those faces are compared against a database of known criminals to see if any of them are wandering around Newham’s streets. In this particular use, the biometric system is performing negative matching or one-to-many matching. Unlike the single-record lookup used in positive matching, each sample face scanned by the Newham cameras is compared against all the records in the police database looking for a possible match. In effect, the system is trying to show that a particular face is not in the database (and, presumably, not an identified criminal).

Fraud prevention is another common use for biometrics. When a user goes through biometric authentication to access a system, that user’s identity is then associated with every event, activity, and transaction that the user performs. If a fraudulent transaction is discovered or the system becomes the subject of an investigation or audit, an audit trail of that user’s actions can be produced, confirming or refuting their involvement in the illicit activity. If the personnel using the system are made aware of the ID tagging and audit trails, the use of biometrics can actually serve as a deterrent to prevent fraud and abuse.

Biometrics can also be used as a basic access control mechanism to restrict access to a high-security area by forcing the identification of individuals before they are allowed to pass. Biometrics are generally used for identification only in a physical security access control role. In other access control applications, biometrics is used as an authentication mechanism. For example, users might be required to biometrically authenticate themselves before they are allowed to view or modify classified or proprietary information. Normally, even in physical access control, it is not efficient to search the database for a match when the person can identify himself (by stating his name or presenting some physical credential) and have the system quickly perform positive matching.
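The template pipeline described under "How Does Biometrics Work?" (reading, match points, template, comparison) together with the positive one-to-one matching, negative one-to-many matching, and audit-trail uses discussed above, as an added Python illustration that is not part of the handbook chapter. Match points are modelled as constructed (x, y, angle, quality) tuples standing in for fingerprint minutiae; the readings for "alice", "bob" and a stranger, the tolerances, and the 0.7 decision threshold are all assumed sample values.

```python
# Toy biometric template pipeline: enrollment, positive (1:1) and negative (1:N)
# matching, and an audit trail. Added illustration; every value here is constructed.
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class MatchPoint:
    """Stand-in for one fingerprint minutia: position plus ridge angle (degrees)."""
    x: float
    y: float
    angle: float

@dataclass
class Template:
    subject_id: str
    points: tuple  # of MatchPoint; far smaller than the raw image it came from

def extract_template(subject_id, raw_reading, max_points=12):
    """Keep only the most significant match points of a raw reading given as
    (x, y, angle, quality) tuples. Constructed stand-in for a real extractor."""
    best = sorted(raw_reading, key=lambda p: p[3], reverse=True)[:max_points]
    return Template(subject_id, tuple(MatchPoint(x, y, a) for x, y, a, _ in best))

def match_score(probe, stored, dist_tol=4.0, angle_tol=15.0):
    """Fraction of probe points with a counterpart in the stored template within
    tolerance. Two scans of one finger never agree exactly, so a match is a
    score compared against a threshold, not an equality test."""
    if not probe.points:
        return 0.0
    used, hits = set(), 0
    for p in probe.points:
        for i, q in enumerate(stored.points):
            if i in used:
                continue
            dist = math.hypot(p.x - q.x, p.y - q.y)
            dangle = abs((p.angle - q.angle + 180) % 360 - 180)
            if dist <= dist_tol and dangle <= angle_tol:
                used.add(i)
                hits += 1
                break
    return hits / len(probe.points)

class BiometricStore:
    def __init__(self, threshold=0.7):  # assumed decision threshold
        self.threshold = threshold
        self.templates = {}  # subject_id -> Template
        self.audit_log = []  # every decision is tied to an identity

    def enroll(self, template):
        self.templates[template.subject_id] = template

    def verify(self, claimed_id, probe):
        """Positive (one-to-one) matching: the probe is compared only against
        the single record belonging to the claimed identity."""
        stored = self.templates.get(claimed_id)
        score = match_score(probe, stored) if stored else 0.0
        ok = score >= self.threshold
        self.audit_log.append(("verify", claimed_id, round(score, 2), ok))
        return ok

    def identify(self, probe):
        """Negative (one-to-many) matching: every record is searched; returns
        the best candidate above threshold, or None if nobody matches."""
        best_id, best_score = None, 0.0
        for sid, tmpl in self.templates.items():
            score = match_score(probe, tmpl)
            if score > best_score:
                best_id, best_score = sid, score
        hit = best_id if best_score >= self.threshold else None
        self.audit_log.append(("identify", hit, round(best_score, 2), hit is not None))
        return hit

# Constructed sample readings: (x, y, angle, quality) per candidate match point.
ALICE = [(10, 20, 30, 0.9), (15, 40, 60, 0.8), (30, 35, 120, 0.95), (42, 12, 200, 0.7),
         (55, 50, 90, 0.85), (60, 22, 300, 0.6), (25, 60, 45, 0.75), (48, 70, 10, 0.5)]
BOB = [(12, 18, 100, 0.9), (35, 45, 240, 0.8), (50, 15, 15, 0.95), (20, 55, 330, 0.7),
       (63, 63, 180, 0.85), (44, 30, 75, 0.6), (8, 48, 150, 0.75), (58, 40, 260, 0.5)]
STRANGER = [(5, 5, 0, 0.9), (70, 70, 45, 0.9), (5, 70, 90, 0.9), (70, 5, 135, 0.9),
            (37, 37, 180, 0.9), (20, 65, 225, 0.9), (65, 20, 270, 0.9), (37, 10, 315, 0.9)]

def reading(points, jitter=0.0):
    """Simulate sensor noise: a rescan of the same finger comes out slightly shifted."""
    return [(x + jitter, y - jitter, a + 2 * jitter, q) for x, y, a, q in points]

def demo():
    store = BiometricStore(threshold=0.7)
    store.enroll(extract_template("alice", reading(ALICE)))
    store.enroll(extract_template("bob", reading(BOB)))
    alice_again = extract_template("?", reading(ALICE, jitter=1.5))  # noisy rescan
    stranger = extract_template("?", reading(STRANGER))
    return {
        "alice_verify": store.verify("alice", alice_again),  # True: within tolerance
        "bob_spoof": store.verify("bob", alice_again),  # False: wrong record
        "alice_identify": store.identify(alice_again),  # "alice"
        "stranger_identify": store.identify(stranger),  # None: not enrolled
        "audit_entries": len(store.audit_log),  # 4 decisions recorded
    }
```

Note that identify() must score the probe against every enrolled template while verify() touches one record, which is why the chapter observes that positive matching is the efficient choice whenever the subject can first state who they are.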

A less security-oriented use of biometrics is to improve an organization’s customer service. A supermarket can use facial recognition to identify customers at the checkout line. Once customers are identified, they can be given the appropriate “frequent-shopper” discounts, have their credit cards automatically charged, and have their shopping patterns analyzed to offer them more personally targeted sales and specials in the future — all without the customer needing to show a Shopper’s Club card or swipe a credit card. Setting aside the privacy aspect of this type of use (for now), this personalized customer service application can be very desirable for consumer-oriented companies in highly competitive markets.
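The positive (one-to-one) and negative (one-to-many) matching modes described above, as an added illustration that is not code from the handbook: the templates, the Euclidean-distance comparison and the match threshold are constructed assumptions, and the last function models why a one-to-many search against a large database is costlier in false matches than a single-record lookup (assuming independent comparisons).

```python
"""Positive (1:1) vs. negative (1:N) biometric matching on constructed
feature vectors. Illustration only; real matchers use far richer templates."""
import math

# Constructed enrollment templates: identity -> feature vector (hypothetical values)
TEMPLATES = {
    "alice": (0.10, 0.80, 0.30, 0.55),
    "bob":   (0.90, 0.20, 0.60, 0.15),
    "carol": (0.45, 0.45, 0.85, 0.70),
}
THRESHOLD = 0.15  # assumed maximum distance for a sample to count as a match


def distance(a, b):
    """Euclidean distance between two feature vectors (assumed similarity metric)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def verify(claimed_id, sample, templates=TEMPLATES, threshold=THRESHOLD):
    """Positive matching: one lookup against the claimed identity's template."""
    template = templates.get(claimed_id)
    if template is None:
        return False  # unknown claimant: nothing to compare against
    return distance(sample, template) <= threshold


def identify(sample, templates=TEMPLATES, threshold=THRESHOLD):
    """Negative (one-to-many) matching: compare the sample against every
    enrolled template; return the closest identity under the threshold,
    or None when the sample appears not to be in the database."""
    best_id, best_dist = None, None
    for ident, template in templates.items():
        d = distance(sample, template)
        if d <= threshold and (best_dist is None or d < best_dist):
            best_id, best_dist = ident, d
    return best_id


def system_false_match_rate(per_comparison_fmr, db_size):
    """Probability that at least one of db_size comparisons falsely matches.
    Treats comparisons as independent (a modelling assumption): a 1:N search
    compounds the per-comparison false match rate, a 1:1 lookup does not."""
    return 1 - (1 - per_comparison_fmr) ** db_size
```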

Biometric Measurement Factors

Figure: Before forwarding a packet, the firewall compares the IP header and TCP header against a user-defined table (the rule base) containing the rules that dictate whether the firewall should deny or permit packets to pass.

