This article focuses on malicious software, malware, on a server that contains biometrics sensitive information. This scenario happens hundreds or thousands of times each day around the world. The impact of malware on a biometric server can be devastating. It is therefore critical to plan for this scenario. Planning for this scenario must consider at least the followings:
- Clear definition of what is a malware.
- Clear guidelines on the use of biometric systems.
- Clear action plan to follow in an emergency situation.
The problem in this scenario is what you don’t know: Suppose you discover that a program with some sort of ill intent has been installed on a system containing your biometric database and you don’t know for sure what that program code may have done or had access to. In the worst-case scenario, it granted hackers direct access to that server (and possibly the rest of your network) and the hackers downloaded all the information to see what they could do with it. All the information on that system may be in the hands of someone that intends to do you harm. The biometric data on the database could have been compromised. The action plan to follow will depend on what action the malware performed on the database. If the biometric information was not compromised, all you need to do is eliminate the malware. On the other hand, if the biometric data was compromised, a strict action plan is required to ensure that the impact to the system and users is minimal.
Any action on the biometric database must address the followings:
- What are the security requirements for the installation?
- What is the legal, regulatory and public relations environment for the organization?
- If the malware is well known to the antivirus/antispyware community, do you also know what it really does?
The other biometric scenarios to plan for are (i) high security hosting which focuses on a high volume of people requiring access to a highly secure facility and access is granted if you are on a master list of authorized individuals. (ii) Other Entry Access which focuses securing all the entry accesses to the facility including side entrances. (iii) Port of entry which focuses a high volume of people requiring access to a highly secure facility without the advantages of a master list for authorised individuals. (iv) And biometrics limitation scenarios which focuses on situations where the chosen biometrics technology may not be suitable.
Researchers at Biometric Research Laboratory (BRL) within Namibia Biometric Systems (NBS) will continue to further highlight the most common use scenarios and some possible pitfall scenarios for biometrics in the next few articles.
More information on the implementation of biometrics based solutions can be requested from firstname.lastname@example.org