Smart Nation:
People are empowered by technology to lead meaningful and fulfilled lives. Through
harnessing the power of networks, data and info‐comm technologies, we seek to improve
living, create economic opportunity and build a closer community. Cyber Security is key!
Biometrics
Many different types: Handwriting, face recognition (2D and 3D), vein, fingerprints, hand
geometry, retinal scans, iris scans, etc.
Problems
False positive: incorrectly identifies someone as a match (e.g. as a terrorist, as an authorized user, etc.)
False negative: incorrectly fails to identify someone who is a match
Retina Scan
Retina scan works off the blood vessels on the back of the eye. The pattern is different even for
twins. The eye is situated within 0.5 inch of the capture device and the user looks at a rotating
green light. > 400 points are taken (a fingerprint is 30‐40 points). Very accurate. Low False Accept
rate: 0.0001%. It’s not popular, as it is costly (overtaken by iris).
Lecture 3
Iris Recognition:
Iris recognition is one of the top biometric ID technologies in a study conducted by the
National Physical Laboratory, UK. It achieved a 1.8% false rejection rate, compared to 10~25%
for others. Among the fastest in user transaction speed. The only ID technology to achieve close to
a 0% false acceptance rate.
Challenges of Biometrics:
The database should store only the template; the actual image must not be reproducible from it.
System accuracy, speed, scalability.
Security attacks (fake iris, fake fingers, backend storage etc.)
The result is a fuzzy match score: how to make sense of it and be sure about the results. Biometrics is a science of
providing estimates, but this is not well understood.
Does it tell more than what we thought? Is it sexist? Racist? (gene monitoring)
More Fears
Privacy – work site monitoring.
In some countries, the privacy commission has specific regulations. What are these and am
I in compliance? Big debate.
Discriminatory? A bad story for the handicapped.
User Fears – damage to eyes, cultural rejection
Biometrics Glossary
FAR (False Acceptance Rate): Probability of cases for which a biometric system fallaciously
authorizes an unauthorized person. It happens when a biometric system, solution or
application inaccurately matches a biometric input with a stored template, fallaciously returning
a match and granting access to an unauthorized person. It is one of the commonly used metrics
in biometric recognition systems for assessing the performance of the system. False acceptance
is an undesirable result from a biometric system. It is expressed as the percentage of instances
where the system will authorize an unauthorized person. For example, if FAR = 0.1% that means
that in 1 out of 1000 cases, a biometric system, solution or application has the probability to grant
access to an unauthorized individual. In systems where the level of security is high, the
existence of false positives is a serious problem; for these systems FAR = 0 will be the desirable
scenario, i.e. there should be no false positives.
FRR (False Rejection Rate): Probability of cases for which a biometric system fallaciously denies
access to an authorized person. This would be a false negative!
EER (Equal Error Rate): Performance measure used to predetermine the threshold values for
the False Match Rate (FMR) and the False Non‐Match Rate (FNMR). Plotting both against the
threshold gives a point where the two curves generated by FMR and FNMR intersect; that point is
the EER. EER is the point where false match and false non‐match rates are minimal and optimal.
A lower EER value is considered good for a biometric system. The EER value indicates that the
proportion of false acceptances is equal to the proportion of false rejections. The lower the equal
error rate value, the higher the accuracy of the biometric system.
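As an added example (not part of the lecture notes), the script below computes FAR and FRR at a given threshold from constructed match scores, sweeps the threshold to locate the EER operating point, and shows the FRR price paid for the FAR = 0 setting the notes recommend for high‐security systems. The matcher, its score range and the sample scores are hypothetical.

```python
# Added example (not from the lecture notes): computing FAR, FRR and the EER
# from constructed match scores of a hypothetical biometric matcher.
# Scores are similarity values in [0, 1]; a probe is accepted when score >= threshold.

# Constructed sample data: similarity scores from genuine attempts (same person)
# and impostor attempts (different person). Not measurements from any real system.
GENUINE = [0.95, 0.92, 0.90, 0.88, 0.85, 0.81, 0.78, 0.72, 0.65, 0.55]
IMPOSTOR = [0.10, 0.15, 0.22, 0.30, 0.35, 0.42, 0.50, 0.58, 0.70, 0.80]


def far(impostor, threshold):
    """False Acceptance Rate: fraction of impostor attempts wrongly accepted."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine, threshold):
    """False Rejection Rate: fraction of genuine attempts wrongly rejected."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def equal_error_rate(genuine, impostor, steps=1000):
    """Sweep the threshold and return (threshold, eer) at the point where the
    FAR and FRR curves are closest; the EER is the mean of the two rates there."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        a, r = far(impostor, t), frr(genuine, t)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    return best[1], best[2]


def threshold_for_far(genuine, impostor, max_far, steps=1000):
    """Lowest threshold whose FAR does not exceed max_far, and the FRR paid for it.
    With max_far = 0 this is the high-security setting from the notes: no false
    acceptances, at the cost of rejecting more legitimate users."""
    for i in range(steps + 1):
        t = i / steps
        if far(impostor, t) <= max_far:
            return t, frr(genuine, t)
    return 1.0, frr(genuine, 1.0)


if __name__ == "__main__":
    t, eer = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER {eer:.2f} at threshold {t:.3f}")
    t0, r0 = threshold_for_far(GENUINE, IMPOSTOR, 0.0)
    print(f"FAR = 0 needs threshold {t0:.3f}, giving FRR {r0:.2f}")
```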
Why is it easy to bring down SCADA systems? They were designed long ago, at a time when there was no
awareness of security. They run non‐stop, so there’s no opportunity to upgrade them, repair
weaknesses or patch the systems. In some cases, no one knows enough about what needs to
be done, what is installed where, or what happens when something is turned off.
* Supervisory control and data acquisition (SCADA) is a system of software and hardware
elements that allows industrial organizations to control industrial processes locally or at
remote locations, and to monitor, gather and process real-time data.
Stuxnet
Stuxnet is a computer virus that targets Siemens control systems for Supervisory Control And
Data Acquisition (SCADA). It plants a rootkit on SCADA systems, used 4 zero‐day attack vectors, and has the
capability to reprogram the PLCs and hide its changes. The most sophisticated weapon ever seen so
far. Very selective. By writing code to the PLC, Stuxnet can potentially control or alter how the
system operates. It did damage the Iranian nuclear centrifuges.
Duqu
Precursor to the malware Stuxnet (there are others: Flame, Gauss …).
Evidence shows that it may have originated from the same parents. One instance of a Duqu
attack on Iranian companies. Duqu’s main aim was to gather data on the activities of a series of
Iranian companies and government agencies.
Highlighted during the Google attacks in late 2009; later, many other US companies said
that they too were victims (WikiLeaks has a mention):
http://www.wired.com/threatlevel/2010/02/apt‐hacks/
2009 APEC attack when hosted by Singapore:
https://www.todayonline.com/singapore/mindef-internet-system-hacked-personal-data-850-personnel-stolen
Attacks are so good that traditional firewalls, anti‐virus and intrusion detection systems will be
bypassed.
Arms Race! Each country tries to outdo the other via better cyber weapons, because:
- Cyber weapons are cheap to build and yet extremely potent.
- Attribution (who attacked you) is typically impossible.
- Harmonising global legislation is very difficult.
A soda can bomb was used to take down a Russian airliner over Egypt in late Oct 2015, killing more than
200 people. Extremist groups have leveraged the power of the Internet to gain support for
years, but ISIS stands in a league of its own. The terrorist organization has seemingly mastered
online propaganda and recruitment, using modern technology to promote a medieval ideology
involving mass killings, torture, rape, and enslavement. Anonymous declared "war" on ISIL in
its largest operation to date, and by the second day, it had taken down 3,824 pro‐ISIL Twitter
accounts and doxxed multiple recruiters. Rumoured that the planning of this terrorist attack
exploited Xbox communications, hence evading intelligence monitoring (may not be true).
Economics of Security
Security is complex, because all systems are trending to be highly complex. Software
manufacturers don’t pay for their bugs; you do. A perfect firewall would be bought as your first
and last device. Testing of security products is immature, so you can’t tell if the things bought are
any good. Mostly they fail, but can’t be returned. No one wants to pay for something that benefits
someone else, e.g. the cost of security evaluation. Cyber insurance is not readily available and is un‐organised.
How would you know if software is trustworthy? Knowing is very expensive and may often be
impossible. (AppStore ok?)
Speed is vital to keep ahead of the curve; but if security is not handled, the rollout will fail.
Security must be factored in right at the start. Impact: Big Data and new business intelligence
systems, startups, cloud systems, driverless cars, AI systems replacing humans.
https://www.youtube.com/watch?v=P2HPcj8lRJE#t=303.737
https://www.youtube.com/watch?v=vXMpKYRhpmI (Intuitive understanding, 6 min)
Deep Mind AlphaGo Zero – AI that learns without data from humans
AI (Deep Learning)
Why is it important to security?
Security Automation
Detect attacks from logs via abnormality correlation
Superior biometrics
Superior image analysis
Faster response than humans
Automated learning