Overview of the Last Article

One of the most critical assets that a business or a corporation can own is its data. Whether it is in the form of large or small datasets, or even Big Data, this is probably the most valuable Intellectual Property at stake. After all, it is from this data that the management team can not only learn about customer buying habits but also keep their market advantage in the face of their competitors.

However, the usage and storage of data is just as critical from a Security standpoint. For instance, as was alluded to in the last article, to keep up with the proverbial “Cat and Mouse” game, it is very important for the IT staff to analyze the trends which can be gleaned from this data in real time.

By doing so, any breaches or Cyberattacks which could be occurring can potentially be thwarted immediately. Also, by further examining the Security data, the attack signatures and profiles of Cyber attackers can be cataloged very easily, and be used to predict any future anomalies.

It is important to keep in mind that the repository used to store and query all of this information, namely the database, must be heavily fortified and protected as well. This holds true even for the Biometrics Database, because after all, it houses both the Enrollment and Verification Templates which are used to confirm the identity of an individual. These transactions are also conducted at this same level.

There is much more to securing a Biometrics Database than just simply adding layers of protocols. This also includes considering the structure and the requirements of it before it is created. Creating the needed documentation for all of this comes into play in the Biometrics Project Management plan.

Whether a Biometric System deployment is simple or complex, if it involves the use of a customized database, it must be planned for well ahead of time. The last article reviewed these key points with regards to mapping out the Biometrics Database in the Project Plan:

  1. Subsystem Deployment Considerations:

    This aspect provides the overview of what the Biometrics Database will look like, its requirements, how the Biometrics Templates will be stored in it, and more importantly, how the entire repository will be managed. A key consideration here is the implications of storing the raw images from which the Biometrics Templates are created.

  2. The Database Management System (also known as the “DBMS”):

    These are the tools (the software packages) which are used to create the Biometrics Database. It can be created from either Closed Source or Open Source tools, and the advantages/disadvantages of using both approaches were critically examined.

  3. Determining the Security Threshold:

    As has been discussed previously, the Verification and/or Identification transactions occur at the level of the Biometrics Database. There is no such thing as two identical Templates; therefore, the closeness between the Verification and the Enrollment Templates is examined. The degree of closeness which is deemed to be acceptable is determined by the threshold which is established.

  4. Penetration Testing the Biometrics Database:

    Various Penetration Testing scenarios were examined, as well as specific tools. Also, an actual Penetration Test was depicted on a Biometrics Database developed on a SQL Server platform.

This article continues with the theme of the Biometrics Project Management Plan, with a focus now on Biometric Systems testing and maintenance, and other related issues.

Introduction to Testing and Maintenance

In all of these articles, we have provided the details that are needed for the C-Level Executive to properly plan the procurement and deployment of a Biometric System. We now approach the last major phase, which is that of testing and maintenance. This is now where it will all be tested in a live environment, to see if the Biometric System will deliver on the Security requirements and goals as outlined in the Project Management Plan.

Specific areas which need to be examined in this last phase include the following:

  1. Subsystem Implementation and Testing
  2. System Deployment and Integration
  3. Middleware
  4. The Biometric Interface
  5. System Maintenance
  6. Fine Tuning/Future Upgrades

Subsystem Implementation and Testing


The testing of a Biometric System can be broken down into three distinct phases:

  1. Biometric Subsystem Level Testing:

    This is when the Biometric modalities which comprise the entire system are tested individually and in a standalone mode.

  2. Biometric System Integration Level Testing:

    This occurs when the individual modalities are all joined into their respective subgroups, and tested together to make sure that they work seamlessly.

  3. Biometric System Wide Level Testing:

    This is when the Biometric System is tested in its complete entirety, or as one cohesive Security unit, to fully ensure and guarantee 100% that everything is working perfectly.

Throughout these three phases, a key aspect of prime importance is that of the Quality Control (QC) checks that have to take place. The QA lifecycle ensures that all of the bugs and errors found during the system testing have been fully corrected and that the entire Biometric System functions fully at the level it was designed and intended to do.

The QA lifecycle includes the following:

  1. Verification:

    This is the process which assures that the newly implemented Biometric System is totally free of errors in both the hardware and the software.

  2. Validation:

    This is the QA check that helps to ensure that the results of the newly implemented Biometric System match the intentions of the original Project Management plan.

Another type of QA test is that of the Biometric System Prototype testing. This is when a smaller version of the entire Biometric System, or a snapshot of it, is implemented at the business or corporation, in a simulated environment. The ultimate goal of this kind of test is to see how a representative sample of the entire Biometric System will work in a live environment.

In this type of QA test, it is important to fully understand what the benefits and the risks will be before deploying a full-fledged Biometric System. In other words, the IT staff can take calculated risks to see if the proposed Biometric technology to be implemented will meet the Security requirements which have been established in the Biometric Project Management plan.

Finally, one of the last tests to be conducted is that of the Biometric System Acceptance Testing. This is one of the most important phases of the Biometric Project Management Lifecycle, as this proves that the deployed system is fully operational and functional. Under this type of testing environment, a representative sample of the end user group is also asked to participate. If all goes well, the final sign off occurs, and the Biometric System is now deemed to be 100% live and operational at the business or corporation.

System Deployment and Integration


Another key aspect in the Biometrics Project Management Lifecycle is that of the final integration of the Biometrics System with an existing Security system at the business or corporation. One of the key questions that need to be answered here is if the Biometric System will be the primary layer of Security.

Critical questions which need to be answered at this phase include the following:

  1. Just exactly at which points will the new Biometric System interface with the legacy Security system?
  2. Will the newly implemented Biometric System take second priority over the existing Security infrastructure?

In this situation, the new Biometric System will then become what is known as a “Technical Interface” with the existing Security system. This model can occur in one of three ways:

  1. The Biometric System can exist as a tightly woven interface with the existing Security infrastructure;
  2. The Biometric System can exist as a loosely woven interface with the existing Security Infrastructure;
  3. The Biometric System can act as a Middleware interface with the existing Security infrastructure.

A loosely woven interface is merely a simple matchup of the outputs of the existing Security system with the inputs of the Biometric System. This type of communication is very often used to implement a specific networking protocol between the two systems.

In terms of a tightly woven interface, the C-Level Executives and the IT staff will need to decide how the new Biometrics System will fit into and work seamlessly with the existing Security infrastructure. The result is a Multimodal Security Solution that operates as one, cohesive unit.

Finally, with regards to the Middleware Interface, this is a Biometrics Management System that is sandwiched between the layers of the existing Security system. In other words, Middleware can be considered to be a watered-down version of a full-fledged Biometric device, and it possesses its functionalities as well.

Middleware


Biometrics Middleware can also be considered a cost alternative to a full blown Biometrics System. Middleware serves the following functions:

  1. It acts as an integrating device between various legacy systems;
  2. It has a free flow of communications with other, various Biometric Systems;
  3. It helps to manage the Biometrics Database(s);
  4. It works as a liaison with the networking protocols in the existing Security Infrastructure;
  5. It works in an Open Source hardware and software environment.

It should be noted that Biometrics based Middleware is either Client side or Server side. For example, with the former, the Middleware can support an entire host of Biometric Sensors from all types of Vendors.

However, with the latter, the Middleware assumes all of the backend management of the entire Security system, which involves both Verification and/or Identification transaction processing. If a Biometrics System is deemed to be very large in nature, then the Middleware is considered to be what is known as an “Enterprise Solutions Middleware.”

This too can be either Client side or Server side, or even both at the same time. This type of Middleware solution is designed to handle much more complex tasks and functions, such as those of large scale Identification based applications.

The Biometric Interface


The interface to the new Biometric System and the existing Security system can be prone to threats and vulnerabilities from both outside and inside the business or corporation, and therefore, the appropriate internal controls need to be applied to mitigate these risks from happening.

The interface can either be a standard out of the box solution, or it can be designed entirely from scratch to meet the exact requirements. If the Biometrics deployment is large enough, many customized subcomponents will be required such as:

  1. A programming language translator (this is to ensure that the flow of communication between the new Biometrics deployment and the existing Security Infrastructure uses the same networking protocols).
  2. Highly specialized Security protocols (note that these will be different than the networking protocols just described).
  3. High-level Cryptography for the scrambling and descrambling of the Biometric information and data.

An often forgotten obstacle in implementing an interface is that of logistics, which needs to be included in the Biometrics Project Management plan as well. For instance, dedicated facilities may be required to properly house the Biometric System (depending of course on the specific nature of the application for which it is being used).

System Maintenance


One of the very last steps in the Biometric Project Management Lifecycle is that of the system maintenance. In simple terms, these are the steps that are required to keep the Biometric System running in peak and optimal conditions. Important to this is the data which is recorded by the Biometric System. This can also be used to keep it running in an optimal fashion.

Examples of this type of data include those of the Biometric System logs and the Transactions reports. This includes the following:

  1. The statistics related to the total number of users that have been accepted and rejected, the total number of the FERs, and also the total number of attempts required by the end user before they are ultimately accepted or rejected by the Biometric System.
  2. The actual number of FNMRs recorded by each Biometric device.
  3. The actual FMRs recorded as well by each modality.

A big component of Biometric System maintenance is that of fine tuning. This includes the following duties:

  1. Manually adjusting the Security Threshold levels.
  2. Implementing additional end user training as and when needed.
  3. Calibrating the Biometric hardware devices in the entire system.
  4. Changing or reconfiguring the software that drives the applications of the entire Biometric System.
  5. Tweaking the network performance and bandwidth between the Biometric devices and the central server.
  6. Keeping the mathematical algorithms (especially that of the mathematical algorithms) totally optimized with the latest upgrades and developments as provided by the Vendor.
  7. Keeping the Security Threshold level just at the right point so that the Security needs of the business or corporation will be perfectly met.
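
As an added illustration (not code from the original article), the sketch below computes the FMR and FNMR for each Biometric device from a transaction log and picks a Security Threshold against a target FMR. The log layout, device names and scores are constructed, and it assumes labelled test transactions (for example from Acceptance Testing) where it is known whether each attempt was genuine.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log (not real data): one row per verification attempt.
# genuine=1 means the claimant really was the enrolled user, 0 an impostor.
# score is a similarity score in [0, 1]; higher means a closer match.
SAMPLE_LOG = """
device,genuine,score
door-1,1,0.91
door-1,1,0.84
door-1,1,0.62
door-1,1,0.88
door-1,0,0.35
door-1,0,0.71
door-1,0,0.40
door-1,0,0.22
door-2,1,0.79
door-2,1,0.55
door-2,1,0.93
door-2,1,0.68
door-2,0,0.30
door-2,0,0.48
door-2,0,0.66
door-2,0,0.15
"""

def load(log_text):
    """Parse the CSV log into (device, is_genuine, score) tuples."""
    rows = csv.DictReader(io.StringIO(log_text.strip()))
    return [(r["device"], r["genuine"] == "1", float(r["score"])) for r in rows]

def error_rates(attempts, threshold):
    """Return {device: (FMR, FNMR)}; an attempt is accepted if score >= threshold."""
    # per device: [impostor attempts, false matches, genuine attempts, false non-matches]
    counts = defaultdict(lambda: [0, 0, 0, 0])
    for device, genuine, score in attempts:
        c = counts[device]
        accepted = score >= threshold
        if genuine:
            c[2] += 1
            c[3] += not accepted
        else:
            c[0] += 1
            c[1] += accepted
    return {d: (c[1] / c[0] if c[0] else 0.0, c[3] / c[2] if c[2] else 0.0)
            for d, c in counts.items()}

def pick_threshold(attempts, max_fmr, candidates):
    """Lowest candidate whose system-wide FMR is within max_fmr (None if none is)."""
    impostor_scores = [s for _, genuine, s in attempts if not genuine]
    if not impostor_scores:
        return None  # no impostor attempts recorded, FMR cannot be measured
    for t in sorted(candidates):
        fmr = sum(s >= t for s in impostor_scores) / len(impostor_scores)
        if fmr <= max_fmr:
            return t  # lowest such threshold rejects the fewest genuine users
    return None

if __name__ == "__main__":
    attempts = load(SAMPLE_LOG)
    for t in (0.60, 0.70):
        print(t, error_rates(attempts, t))
    print("threshold for FMR <= 12.5%:", pick_threshold(attempts, 0.125, [0.5, 0.6, 0.7, 0.8]))
```

Raising the threshold from 0.60 to 0.70 on this sample removes the false match on door-2 but doubles its FNMR, which is the trade-off behind the threshold adjustments listed above.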

Fine Tuning/Future Upgrades


Just like software applications, Biometric Technology has its fair share of upgrades, releases, and versions. These new upgrades can come out for an entire Biometric System or for just the individual devices that comprise it.

An important consideration to take into account when upgrading to a newer Biometric System version is that of Template Aging. This refers to the user’s actual physiological or biological traits which have changed over time. This could also include the behavioral mannerisms as well.

This could be caused by the aging process that we all experience or any weight changes or even any injuries. A perfect example of this is that of Facial Recognition. Over time, a person can go through massive weight loss or massive weight gain, thus rendering the initial Enrollment Templates useless.

As a result, the Facial Recognition system will not recognize that particular individual, thus causing him or her to go through the entire Enrollment Process once again. It should be noted that not all physical and behavioral Biometric Templates are prone to Template Aging.

Another good example of this is that of Iris and Retinal Recognition. As reviewed previously in other articles, the biological and physiological structures of the iris and the retina hardly ever change over the lifetime of an individual.

However, if the modality is advanced enough where it is using Neural Network technology, the Biometric System can then replicate the original Enrollment Template using other modeling techniques.

This will prevent the end user from having to re-enroll their Biometric Templates again. This specialized technique is known as “Template/Model Adaptation.” In the Biometric System, it could also be the case that the Templates are set to expire at a certain date, thus requiring re-enrollment by the end user population.

Typically, Biometric Templates are not set to expire, but for some reason or another, the system administrator may establish this particular requirement.

The method of expiring Biometric Templates involves deleting the Enrollment Templates altogether from the Biometrics database and having the end users (such as the employees) go through the Enrollment process over again.

Conclusions

In this series of articles, we have closely examined what it takes to procure and deploy a complete Biometric System, whether it is a small scale or a large-scale deployment. Typically, not a lot of planning is required for the former, as this would only involve implementing a few Biometric devices, and they would primarily operate in a standalone mode.

However, in the case of the latter (a large-scale deployment), appropriate and exhaustive planning is needed, which is where the Biometric Project Management plan comes into play. It is often questioned whether this amount of detail is needed, and yes, it should absolutely be a requirement.

Remember, such an implementation is not only a capital expense to the business or the corporation, but there is also another huge factor which comes into play as well: the human and social impacts upon the employees. There are huge ramifications to this, which must be carefully explored and analyzed. This situation is unlike any other Security system installation.

It is also important to keep in mind that a Biometric Project Management plan is an ongoing and dynamic process. It does not just stop after the system has been procured and deployed. As changes and upgrades occur (which were discussed in the last section), the plan needs to be kept updated as well, so that there is a record of what has been happening to the Security Infrastructure of the business or corporation, especially if it is faced with an audit from the Federal Government.

A Biometrics Project Management plan is also needed if the deployment is going to be a Client-Server based one. The networking and communication amongst the Biometric modalities will be much more complex, and in fact, there are other network topologies which should be considered as well. This will be the focal point of our next article.
