Sec2_Task - Computer Science
Overview
In this module, you learned about some of the common attacks affecting businesses and organizations and the defenses they must put in place to reduce the risk to their systems and to any private information that should not be publicly accessed. Security controls take many forms and can be categorized into three main groups: administrative, technical, and physical controls. As you also learned, you can have a control in each group protecting the same asset, meaning you have layered your defenses.
In this activity, you will read about how First American Financial Corporation (FAF) exposed over 85 million records on its public website in 2019. Not only were these records exposed, but the company was not aware of the breach until it was notified by renowned security expert Brian Krebs.
For this week’s activity:
· Read the case study and the articles provided in the Supporting Materials section.
· Consider ways in which First American Financial Corporation could have proactively defended against the record breach.
· Respond to the provided case study questions.
Prompt
Case Study: In 2019, one of the largest data breaches in history occurred when First American Financial Corporation, a real estate title insurance company, exposed over 885 million records on its public website. Included in these records was information such as Social Security numbers, bank account information, images of driver’s licenses, mortgage statements, tax documents, and wire transfer records dating all the way back to 2003. The company was not aware of the problem until it was notified by security expert Brian Krebs, an outside source.
A real estate developer outside of FAF first noticed this concern when they found that anyone who knew the URL for a valid document could then access any other document simply by changing a number in the URL. The company’s website, firstam.com, was leaking hundreds of millions of private documents not intended to be viewed by just any user. This means that any individual who had previously been emailed a link from FAF could possibly gain access to a plethora of sensitive and private documents. No authentication was required in order to access these documents, nor were they protected in any other way. This left a lot of personal and private information exposed for those with malicious intent to use in nefarious ways, for example, identity theft.
When FAF was notified of the breach, it shut down its website and immediately conducted an internal review. The initial findings noted that there was a “design defect in an application that made possible unauthorized access to customer data” (Newman, 2019). The identified defect could be referred to as a business logic flaw, which is “a category of vulnerabilities specific to an application and business domain . . . [It] allows an attacker to misuse the application by circumventing the business rules of the application” (Conikee, 2019). Only a user with an appropriate link would be able to access these documents. However, a user would not be asked to verify their identity. Therefore, access was easy and unauthenticated.
References
Conikee, C. (2019, July 26). 3 takeaways from the First American Financial breach. DarkReading. https://www.darkreading.com/breaches/3-takeaways-from-the-first-american-financial-breach/a/d-id/1335278
Newman, L. H. (2019, May 24). Hack brief: 885 million sensitive financial records exposed online. Wired. https://www.wired.com/story/first-american-data-exposed/
Supporting Materials
These articles will provide you with greater insight into the scenario provided and help you prepare for your response to the case study questions:
·
Hack Brief: 885 Million Sensitive Financial Records Exposed Online
·
3 Takeaways from the First American Financial Breach
·
Understanding the First American Financial Data Leak: How Did It Happen and What Does It Mean?
Guidelines for Submission
Security professionals should take the time to reflect on past incidents in order to prevent similar problems from occurring. Respond to the case study questions below related to the Module Two case study. Your submission should be 1 to 2 pages, double-spaced, and submitted as a Word document (.docx). Resources must be appropriately cited using APA style. You are allowed, although not required, to use resources outside of those provided within Module One, Module Two, and the Supporting Materials section.
Your responses should be in complete paragraphs and should contain the following:
· Answer all of the case study questions thoroughly and completely. Write out the questions in your submission.
· Make direct connections between the issues identified in the case study and the concepts covered in the provided resources in Modules One and Two, as well as the Supporting Materials.
· Support your answers with appropriate examples and facts drawn from the case study.
· Use correct grammar, sentence structure, and spelling, and demonstrate an understanding of audience and purpose.
Case Study Questions
· How did this breach occur? Briefly summarize the incident.
· Which pillars of the CIA triad were explicitly violated, given the scenario?
· What kinds of security controls could First American Financial Corporation have put in place to defend against this kind of data breach? Why?
2
I D E N T I F I C A T I O N A N D
A U T H E N T I C A T I O N
When you’re developing security measures,
whether they’re specific mechanisms or
entire infrastructures, identification and
authentication are key concepts. In short, iden-
tification makes a claim about what someone or some
thing is, and authentication establishes whether this
claim is true. You can see such processes taking place
daily in a wide variety of ways.
One common example of an identification and authentication
transaction is the use of payment cards that require a personal identifi
cation number (PIN). When you swipe the magnetic strip on the card,
you’re asserting that you’re the person indicated on the card. At this
point, you’ve given your identification, but nothing more. When you’re
prompted to enter the PIN associated with the card, you’re completing
the authentication portion of the transaction, proving you’re the legiti
mate cardholder.
Andress, Jason. Foundations of Information Security : A Straightforward Introduction, No Starch Press, Incorporated, 2019. ProQuest Ebook Central,
http://ebookcentral.proquest.com/lib/snhu-ebooks/detail.action?docID=5965309.
Created from snhu-ebooks on 2021-08-24 01:30:06.
C
o
p
yr
ig
h
t
©
2
0
1
9
.
N
o
S
ta
rc
h
P
re
ss
,
In
co
rp
o
ra
te
d
.
A
ll
ri
g
h
ts
r
e
se
rv
e
d
.
24 Chapter 2
Some of the identification and authentication methods that we use
daily are particularly fragile, meaning they depend largely on the honesty
and diligence of those involved in the transaction. If you show your ID card
to buy alcohol, for example, you’re asking people to trust that your ID is
genuine and accurate; they can’t authenticate it unless they have access to
the system that maintains the ID in question. We also depend on the com
petence of the person or system performing the authentication; they must
be capable not only of performing the act of authentication but also of
detecting false or fraudulent activity.
You can use several methods for identification and authentication, from
requiring simple usernames and passwords to implementing purposebuilt
hardware tokens that serve to establish your identity in multiple ways. In
this chapter, I’ll discuss several of these methods and explore their uses.
Identification
Identification, as you just learned, is simply an assertion of who we are. This
may include who we claim to be as people, who a system claims to be over
the network, or who the originating party of an email claims to be. You’ll
see some methods for determining identity and examine how trustworthy
those methods are.
Who We Claim to Be
Who we claim to be is a tenuous concept at best. We can identify ourselves
by our full names, shortened versions of our names, nicknames, account
numbers, usernames, ID cards, fingerprints, or DNA samples. Unfortunately,
with a few exceptions, such methods of identification are not unique, and
even some of the supposedly unique methods of identification, such as finger
prints, can be duplicated.
Who we claim to be can, in many cases, be subject to change. For
instance, women often change their last names upon getting married. In
addition, we can generally change logical forms of identification—such as
account numbers or usernames—easily. Even physical identifiers, such as
height, weight, skin color, and eye color, can change. One of the most crucial
factors to realize is that a claim of identity alone is not enough.
Identity Verification
Identity verification is a step beyond identification, but it’s still a step short of
authentication, which I’ll discuss in the next section. When you’re asked to
show a driver’s license, Social Security card, birth certificate, or other similar
form of identification, this is generally for identity verification, not authen
tication. It’s the rough equivalent of someone claiming the identity John
Smith; you asking if the person is indeed John Smith and being satisfied with
an answer of “Sure, I am” from the person (plus a little paperwork).
Andress, Jason. Foundations of Information Security : A Straightforward Introduction, No Starch Press, Incorporated, 2019. ProQuest Ebook Central,
http://ebookcentral.proquest.com/lib/snhu-ebooks/detail.action?docID=5965309.
Created from snhu-ebooks on 2021-08-24 01:30:06.
C
o
p
yr
ig
h
t
©
2
0
1
9
.
N
o
S
ta
rc
h
P
re
ss
,
In
co
rp
o
ra
te
d
.
A
ll
ri
g
h
ts
r
e
se
rv
e
d
.
Identification and Authentication 25
We can take the example a bit further and validate the form of identi
fication (say, a passport) against a database holding an additional copy of
the information that it contains, matching the photograph and physical
specifications with the person standing in front of us. This may get us a bit
closer to ensuring we’ve correctly identified the person, but it still doesn’t
qualify as authentication; we may have validated the status of the ID itself,
and we know that the person meets the general specifications of the person
it was originally issued to, but we’ve taken no steps to prove that the person
is really the right one. The more than we trend toward verification and away
from authentication, the weaker our controls are.
Computer systems use identity verification, too. When you send an
email, the identity you provide is taken to be true; the system rarely takes
any additional steps to authenticate you. Such gaps in security contribute
to the enormous amount of spam traffic, which Cisco’s Talos Intelligence
Group estimated to have accounted for approximately 85 percent of all
emails sent from mid2017 to mid2018.1
Falsifying Identification
As I’ve discussed, methods of identification are subject to change. As such,
they are also subject to falsification. Minors often use fake IDs to get into
bars or nightclubs, while criminals and terrorists might use them for a vari
ety of more nefarious tasks. You could use some methods of identification,
such as birth certificates, to gain additional forms of identification, such as
Social Security cards or driver’s licenses, thus strengthening a false identity.
Identity theft based on falsified information is a major concern today;
identity thieves stole an estimated $16.8 billion from US consumers in
2017.2 This type of attack is unfortunately common and easy to execute.
Given a minimal amount of information—usually a name, address, and
Social Security number are sufficient—it’s possible to impersonate some
one just enough to be able to conduct a variety of transactions in their
name, such as opening a line of credit. Such crimes occur because many
activities lack authentication requirements. Although most people think
identity verification is sufficient, verification is easy to circumvent by using
falsified forms of identification.
Many of the same difficulties exist in computer systems and environ
ments. For example, it’s entirely possible to send an email from a falsified
email address. Spammers use this tactic on a regular basis. I’ll address such
issues at greater length in Chapter 9.
Authentication
In information security, authentication is the set of methods used to estab
lish whether a claim of identity is true. Note that authentication does not
decide what the party being authenticated is permitted to do; this is a sepa
rate task, known as authorization. I’ll discuss authorization in Chapter 3.
Andress, Jason. Foundations of Information Security : A Straightforward Introduction, No Starch Press, Incorporated, 2019. ProQuest Ebook Central,
http://ebookcentral.proquest.com/lib/snhu-ebooks/detail.action?docID=5965309.
Created from snhu-ebooks on 2021-08-24 01:30:06.
C
o
p
yr
ig
h
t
©
2
0
1
9
.
N
o
S
ta
rc
h
P
re
ss
,
In
co
rp
o
ra
te
d
.
A
ll
ri
g
h
ts
r
e
se
rv
e
d
.
26 Chapter 2
Factors
There are several approaches to authentication: something you know, some
thing you are, something you have, something you do, and where you are.
These approaches are known as factors. When you’re attempting to authen
ticate a claim of identity, you’ll want to use as many factors as possible. The
more factors you use, the more positive your results will be.
Something you know, a common authentication factor, includes passwords
or PINs. However, this factor is somewhat weak, because if the information
the factor depends on is exposed, your authentication method may no longer
be unique.
Something you are is a factor based on the relatively unique physical attri
butes of an individual, often referred to as biometrics. Although biometrics can
include simple attributes such as height, weight, hair color, or eye color, these
aren’t usually distinctive enough to make very secure identifiers. Complex
identifiers such as fingerprints, iris or retina patterns, or facial characteristics
are more common. These are a bit stronger than, say, a password, because
forging or stealing a copy of a physical identifier is somewhat more difficult,
although not impossible. There is some question as to whether biometrics
truly count as an authentication factor or whether they only constitute verifi
cation. I’ll discuss this again later in this chapter, when I cover biometrics in
greater depth.
Something you have is a factor generally
based on a physical possession, although
it can extend into some logical concepts.
Common examples are automatic teller
machine (ATM) cards, state or federally
issued identity cards, or softwarebased
security tokens, as shown in Figure 21.3
Some institutions, such as banks, have
begun to use access to logical devices,
such as cell phones or email accounts, as
methods of authentication, as well.
This factor can vary in strength
depending on the implementation. If
you wanted to use a security token sent
to a device that doesn’t belong to you,
you’d need to steal the device to falsify
the authentication method. On the other
hand, if the security token was sent to an
email address, it would be much easier to
intercept, and you’d have a measure of
considerably less strength.
Something you do, sometimes considered a variation of something you
are, is a factor based on the actions or behaviors of an individual. This may
include an analysis of the individual’s gait or handwriting or of the time
delay between keystrokes as he or she types a passphrase. These factors
Figure 2-1: Sending a security
token to a mobile phone is a
common authentication method.
Andress, Jason. Foundations of Information Security : A Straightforward Introduction, No Starch Press, Incorporated, 2019. ProQuest Ebook Central,
http://ebookcentral.proquest.com/lib/snhu-ebooks/detail.action?docID=5965309.
Created from snhu-ebooks on 2021-08-24 01:30:06.
C
o
p
yr
ig
h
t
©
2
0
1
9
.
N
o
S
ta
rc
h
P
re
ss
,
In
co
rp
o
ra
te
d
.
A
ll
ri
g
h
ts
r
e
se
rv
e
d
.
Identification and Authentication 27
present a strong method of authentication and are difficult to falsify. They
do, however, have the potential to incorrectly reject legitimate users at a
higher rate than some of the other factors.
Where you are is a geographically based authentication factor. This factor
operates differently than the other factors, as it requires a person to be
present in a specific location. For example, when changing an ATM PIN,
most banks will require you to go into a branch, at which point you will
also be required to present your identification and account number. If the
bank allowed the PIN to be reset online, an attacker could change your PIN
remotely and proceed to clean out your account. Although potentially less
useful than some of the other factors, this factor is difficult to counter with
out entirely subverting the system performing the authentication.
Multifactor Authentication
Multifactor authentication uses one or more of the factors discussed in the
preceding section. When you’re using only two factors, this practice is also
sometimes called two-factor authentication.
Let’s return to the ATM example because it illustrates multifactor
authentication well. In this case, you use something you know (your PIN)
and something you have (your ATM card). Your ATM card serves as both
a factor for authentication and a form of identification. Another example
of multifactor authentication is writing checks. In this case, you’re using
something you have (the checks themselves) and something you do (signing
them). Here, the two factors involved in writing a check are rather weak, so
you sometimes see a third factor—a fingerprint—used with them.
Depending on the factors selected, you can assemble stronger or weaker
multifactor authentication schemes particular to each situation. In some
cases, although certain methods may be more difficult to defeat, they’re
not practical to implement. For example, DNA makes for a strong method
of authentication but isn’t practical in most situations. In Chapter 1, I said
that your security should be proportional to what you’re protecting. You
certainly could install iris scanners on every credit card terminal, but this
would be expensive, impractical, and potentially upsetting to customers.
Mutual Authentication
Mutual authentication is an authentication mechanism in which both par
ties in a transaction authenticate each other. These parties are typically
softwarebased. In the standard, oneway authentication process, the client
authenticates to the server. In mutual authentication, not only does the
client authenticate to the server, but the server authenticates to the client.
Mutual authentication often relies on digital certificates, which I’ll discuss
in Chapter 5. Briefly, both the client and the server would have a certificate
to authenticate the other.
In cases where you don’t perform mutual authentication, you leave
yourself open to impersonation attacks, often referred to as man-in-the-
middle attacks. In a maninthemiddle attack, the attacker inserts himself
between the client and the server. The attacker then impersonates the
Andress, Jason. Foundations of Information Security : A Straightforward Introduction, No Starch Press, Incorporated, 2019. ProQuest Ebook Central,
http://ebookcentral.proquest.com/lib/snhu-ebooks/detail.action?docID=5965309.
Created from snhu-ebooks on 2021-08-24 01:30:06.
C
o
p
yr
ig
h
t
©
2
0
1
9
.
N
o
S
ta
rc
h
P
re
ss
,
In
co
rp
o
ra
te
d
.
A
ll
ri
g
h
ts
r
e
se
rv
e
d
.
28 Chapter 2
server to the client and the client to the server, as shown in Figure 22, by
circumventing the normal pattern of traffic and then intercepting and for
warding the traffic that would normally flow directly between the client and
the server.
Client Server
Original
connection
Attacker
Attacker’s
connection
Attacker’s
connection
Figure 2-2: A man-in-the-middle attack
This is typically possible because the attacker needs to subvert or
falsify authentication only from the client to the server. If you implement
mutual authentication, this becomes a considerably more difficult attack
because the attacker would have to falsify two different authentications.
You can also combine mutual authentication with multifactor authen
tication, although the latter generally takes place only on the client side.
Multifactor authentication from the server back to the client would be not
only technically challenging but also impractical in most environments
because it would involve some technical heavylifting on the client side,
potentially on the part of the user. You’d likely lose a significant amount
of productivity.
Common Identification and Authentication Methods
I’ll conclude this discussion by exploring three common identification and
authentication methods in detail: passwords, biometrics, and hardware
tokens.
Passwords
Passwords are familiar to most us who use computers regularly. When
combined with a username, a password will generally allow you access to
a computer system, an application, a phone, or a similar device. Although
they’re only a single factor of authentication, passwords can represent
a relatively high level of security when constructed and implemented
properly.
People often describe certain passwords as being strong, but a better
descriptive term might be complex. If you construct a password that uses
lowercase letters only and is eight characters long, you can use a password
cracking utility to crack it quickly, as discussed in Chapter 1. Adding char
acter sets to the password makes it increasingly harder to figure out. If you
Andress, Jason. Foundations of Information Security : A Straightforward Introduction, No Starch Press, Incorporated, 2019. ProQuest Ebook Central,
http://ebookcentral.proquest.com/lib/snhu-ebooks/detail.action?docID=5965309.
Created from snhu-ebooks on 2021-08-24 01:30:06.
C
o
p
yr
ig
h
t
©
2
0
1
9
.
N
o
S
ta
rc
h
P
re
ss
,
In
co
rp
o
ra
te
d
.
A
ll
ri
g
h
ts
r
e
se
rv
e
d
.
Identification and Authentication 29
use uppercase letters, lowercase letters, numbers, and symbols, you’ll end
up with a password that is potentially more difficult to remember, such as
$sU&qw!3, but much harder to crack.
In addition to constructing strong passwords, you also need to practice
good password hygiene. Don’t write your password down and post it under
your keyboard or on your monitor; doing so completely defeats the purpose
of having a password in the first place. Applications called password managers
exist to help us manage all the logins and passwords we have for different
accounts, some as locally installed software and others as web or mobile
device applications. There are many arguments for and against such tools;
some people think keeping all of your passwords in one place is a bad idea,
but when used carefully, they can help you maintain good password hygiene.
Another common problem is the manual synchronization of passwords—
in short, using the same password everywhere. If you use the same password
for your email, for your login at work, and for your online knitting discus
sion forum, you’re putting the security of all the accounts in the hands of
those system owners. If any one of them is compromised, all of your accounts
become vulnerable; all an attacker needs to do to access the others is look
up your account name on the internet to find your other accounts and log
in using your default password. By the time the attacker gets into your email
account, the game is over because an attacker can generally use it reset
account credentials for any other accounts you have.
Biometrics
Although some biometric identifiers may be more difficult to falsify than
others, this is only because of the limitations of today’s technology. At some
point in the future, we’ll need to develop more robust biometric characteris
tics to measure or else stop using biometrics as an authentication mechanism.
Using Biometrics
Biometricsequipped devices are becoming increasingly common and inex
pensive. You can find a wide selection of them for less than $20. It pays to
research such devices carefully before you depend on them for security, as
some of the cheaper versions are easy to bypass.
You can use biometric systems in two ways. You can use them to verify
the identity claim someone has put forth, as discussed earlier, or you can
reverse the process and use biometrics as a method of identification. This
process is commonly used by law enforcement agencies to identify the
owner of fingerprints left on various objects. It can be a timeconsuming
effort, considering the sheer size of the fingerprint libraries held by such
organizations. To use a biometric system in either manner, you need to
put the user through some sort of enrollment process. Enrollment involves
recording the user’s chosen biometric characteristic—for instance, making
a copy of a fingerprint—and saving it in a system. Processing the character
istic may also include noting elements that appear at certain parts of the
image, known as minutiae (Figure 23).
Andress, Jason. Foundations of Information Security : A Straightforward Introduction, No Starch Press, Incorporated, 2019. ProQuest Ebook Central,
http://ebookcentral.proquest.com/lib/snhu-ebooks/detail.action?docID=5965309.
Created from snhu-ebooks on 2021-08-24 01:30:06.
C
o
p
yr
ig
h
t
©
2
0
1
9
.
N
o
S
ta
rc
h
P
re
ss
,
In
co
rp
o
ra
te
d
.
A
ll
ri
g
h
ts
r
e
se
rv
e
d
.
30 Chapter 2
Figure 2-3: Biometric minutiae
You can use the minutiae later to match the characteristic to the user.
Characteristics of Biometric Factors
Biometric factors are defined by seven characteristics: universality,
uniqueness, permanence, collectability, performance, acceptability,
and circumvention.4
Universality means you should be able to find your chosen biometric
characteristic in the majority of people you expect to enroll in the system.
For instance, although you might be able to use a scar as an identifier, you
can’t guarantee that everyone will have a scar. Even if you choose a common
characteristic, such as a fingerprint, you should take into account the fact
that some people may not have an index finger on their right hand and be
prepared to compensate for this.
Uniqueness is a measure of how unique a characteristic is among indi
viduals. For example, if you choose to use height or weight as a biometric
identifier, you’d stand a good chance of finding several people in any given
group who have the same height or weight. You should try to select char
acteristics with a high degree of uniqueness, such as DNA or iris patterns,
but even these could be duplicated, whether intentionally or otherwise. For
example, identical twins have the same DNA, and an attacker could repli
cate a fingerprint.
Permanence tests how well a characteristic resists change over time and
with advancing age. If you choose a factor that can easily vary, such as height,
weight, or hand geometry, you’ll eventually find yourself unable to authenti
cate a legitimate user. It’s better to use factors such as fingerprints, which are
unlikely to change without deliberate action.
Collectability measures how easy it is to acquire a characteristic. Most com
monly used biometrics, such as fingerprints, are relatively easy to acquire,
which is one reason they are common. On the other hand, a DNA sample is
more difficult to acquire because the user must provide a genetic sample to
enroll and to authenticate again later.
Andress, Jason. Foundations of Information Security : A Straightforward Introduction, No Starch Press, Incorporated, 2019. ProQuest Ebook Central,
http://ebookcentral.proquest.com/lib/snhu-ebooks/detail.action?docID=5965309.
Created from snhu-ebooks on 2021-08-24 01:30:06.
C
o
p
yr
ig
h
t
©
2
0
1
9
.
N
o
S
ta
rc
h
P
re
ss
,
In
co
rp
o
ra
te
d
.
A
ll
ri
g
h
ts
r
e
se
rv
e
d
.
Identification and Authentication 31
Performance measures how well a given system functions based on factors
such as speed, accuracy, and error rate. I’ll discuss the performance of bio
metric systems at greater length later in this section.
Acceptability is a measure of how acceptable the characteristic is to the
users of the system. In general, systems that are slow, difficult to use, or
awkward to use are less likely to be acceptable to the user.5 Systems that
require users to remove their clothes, touch devices that have been repeat
edly used by others, or provide tissue or bodily fluids are unlikely to have
a high degree of acceptability.
Circumvention describes how easy it is to trick a system by using a falsified
biometric identifier. The classic example of a circumvention attack against
the fingerprint as a biometric identifier is the “gummy finger.” In this type
of attack, a fingerprint is lifted from a surface and used to create a mold
with which the attacker can cast a positive image of the fingerprint in gelatin.
Some biometric systems have secondary features specifically designed to
defeat such attacks by measuring skin temperature, pulse, or pupillary
response.
Measuring Performance
There are many ways to measure the performance of a biometric system,
but a few primary metrics are particularly important. The false acceptance
rate (FAR) and false rejection rate (FRR) are two of these.6 FAR measures how
often you accept a user who should be rejected. This is also called a false
positive. FRR measures how often we reject a legitimate user and is some
times called a false negative.
You want to avoid both of these situations in excess. You should aim for a
balance between the two error types, referred to as an equal error rate (EER).
If you plot both the FAR and the FRR on a graph, as I’ve done in Figure 24,
the EER marks the point where the two lines intersect. We sometimes use
EER as a measure of the accuracy of biometric systems.
Threshold
Pe
rc
en
t o
f F
A
R
an
d
FR
R
FAR FRR
ERR
Figure 2-4: The equal error rate is the intersection
of the false acceptance rate and false rejection rate.
Andress, Jason. Foundations of Information Security : A Straightforward Introduction, No Starch Press, Incorporated, 2019. ProQuest Ebook Central,
http://ebookcentral.proquest.com/lib/snhu-ebooks/detail.action?docID=5965309.
Created from snhu-ebooks on 2021-08-24 01:30:06.
C
o
p
yr
ig
h
t
©
2
0
1
9
.
N
o
S
ta
rc
h
P
re
ss
,
In
co
rp
o
ra
te
d
.
A
ll
ri
g
h
ts
r
e
se
rv
e
d
.
32 Chapter 2
Flaws in Biometric Systems
Biometric systems are prone to several common issues. As I mentioned
when discussing circumvention, it’s easy to forge some biometric identifiers.
Moreover, once they’re forged, it’s hard to reenroll a user in the system. For
example, if you enroll a user with both index fingers and those fingerprints
get compromised, you could remove these from the system and enroll two
of their other fingers. However, if you’ve already enrolled all of their fingers
in the system, you’d have no means of reenrolling them using fingers at all.
Depending on the system in question, you may be able to select a different set
of minutiae for the same identifier, but this avoids the point of the discussion,
which is that biometric identifiers are finite. This issue became tangible in
2015, when an attacker hacked the US Office of Personnel Management and
stole the fingerprint records of 5.6 million federal employees holding security
clearances.7
You also face possible privacy issues in the use of biometrics. When
you’re enrolled in a biometric system, you’re essentially giving away a copy of
the identifier, whether it’s a fingerprint, iris pattern, or DNA sample. Once
such an item has been entered into a computer system, you have little, if any,
control over what happens to it. We can hope that once you’re no longer
associated with the institution in question, the institution would destroy such
materials, but you have no way to guarantee this. Particularly in the case of
DNA sampling, the repercussions of surrendering genetic material could
affect you for the rest of your life.
Hardware Tokens
A standard hardware token (Figure 25) is a small device, typically in the
general form factor (size and shape) of a credit card or keychain fob.8 The
simplest hardware tokens look identical to universal serial bus (USB) flash
drives and contain a certificate or unique identifier. They’re often called
dongles. More complex hardware tokens incorporate liquidcrystal displays
(LCDs), keypads for entering passwords, biometric readers, wireless devices,
and additional features to enhance security.
Figure 2-5: A hardware token
Andress, Jason. Foundations of Information Security : A Straightforward Introduction, No Starch Press, Incorporated, 2019. ProQuest Ebook Central,
http://ebookcentral.proquest.com/lib/snhu-ebooks/detail.action?docID=5965309.
Created from snhu-ebooks on 2021-08-24 01:30:06.
C
o
p
yr
ig
h
t
©
2
0
1
9
.
N
o
S
ta
rc
h
P
re
ss
,
In
co
rp
o
ra
te
d
.
A
ll
ri
g
h
ts
r
e
se
rv
e
d
.
Identification and Authentication 33
Many hardware tokens contain an internal clock that generates a code
based on the device’s unique identifier, an input PIN or password, and
other potential factors. Usually, the code is output to a display on the token
and changes on a regular basis, often every 30 seconds. The infrastructure
used to keep track of these tokens can predict what the proper output will
be at any given time in order to authenticate the user.
The simplest kind of hardware token represents only the something you
have factor and is thus susceptible to theft and potential use by a knowledge
able criminal. Although these devices represent an increased level of security
for the user’s …
CATEGORIES
Economics
Nursing
Applied Sciences
Psychology
Science
Management
Computer Science
Human Resource Management
Accounting
Information Systems
English
Anatomy
Operations Management
Sociology
Literature
Education
Business & Finance
Marketing
Engineering
Statistics
Biology
Political Science
Reading
History
Financial markets
Philosophy
Mathematics
Law
Criminal
Architecture and Design
Government
Social Science
World history
Chemistry
Humanities
Business Finance
Writing
Programming
Telecommunications Engineering
Geography
Physics
Spanish
ach
e. Embedded Entrepreneurship
f. Three Social Entrepreneurship Models
g. Social-Founder Identity
h. Micros-enterprise Development
Outcomes
Subset 2. Indigenous Entrepreneurship Approaches (Outside of Canada)
a. Indigenous Australian Entrepreneurs Exami
Calculus
(people influence of
others) processes that you perceived occurs in this specific Institution Select one of the forms of stratification highlighted (focus on inter the intersectionalities
of these three) to reflect and analyze the potential ways these (
American history
Pharmacology
Ancient history
. Also
Numerical analysis
Environmental science
Electrical Engineering
Precalculus
Physiology
Civil Engineering
Electronic Engineering
ness Horizons
Algebra
Geology
Physical chemistry
nt
When considering both O
lassrooms
Civil
Probability
ions
Identify a specific consumer product that you or your family have used for quite some time. This might be a branded smartphone (if you have used several versions over the years)
or the court to consider in its deliberations. Locard’s exchange principle argues that during the commission of a crime
Chemical Engineering
Ecology
aragraphs (meaning 25 sentences or more). Your assignment may be more than 5 paragraphs but not less.
INSTRUCTIONS:
To access the FNU Online Library for journals and articles you can go the FNU library link here:
https://www.fnu.edu/library/
In order to
n that draws upon the theoretical reading to explain and contextualize the design choices. Be sure to directly quote or paraphrase the reading
ce to the vaccine. Your campaign must educate and inform the audience on the benefits but also create for safe and open dialogue. A key metric of your campaign will be the direct increase in numbers.
Key outcomes: The approach that you take must be clear
Mechanical Engineering
Organic chemistry
Geometry
nment
Topic
You will need to pick one topic for your project (5 pts)
Literature search
You will need to perform a literature search for your topic
Geophysics
you been involved with a company doing a redesign of business processes
Communication on Customer Relations. Discuss how two-way communication on social media channels impacts businesses both positively and negatively. Provide any personal examples from your experience
od pressure and hypertension via a community-wide intervention that targets the problem across the lifespan (i.e. includes all ages).
Develop a community-wide intervention to reduce elevated blood pressure and hypertension in the State of Alabama that in
in body of the report
Conclusions
References (8 References Minimum)
*** Words count = 2000 words.
*** In-Text Citations and References using Harvard style.
*** In Task section I’ve chose (Economic issues in overseas contracting)"
Electromagnetism
w or quality improvement; it was just all part of good nursing care. The goal for quality improvement is to monitor patient outcomes using statistics for comparison to standards of care for different diseases
e a 1 to 2 slide Microsoft PowerPoint presentation on the different models of case management. Include speaker notes... .....Describe three different models of case management.
visual representations of information. They can include numbers
SSAY
ame workbook for all 3 milestones. You do not need to download a new copy for Milestones 2 or 3. When you submit Milestone 3
pages):
Provide a description of an existing intervention in Canada
making the appropriate buying decisions in an ethical and professional manner.
Topic: Purchasing and Technology
You read about blockchain ledger technology. Now do some additional research out on the Internet and share your URL with the rest of the class
be aware of which features their competitors are opting to include so the product development teams can design similar or enhanced features to attract more of the market. The more unique
low (The Top Health Industry Trends to Watch in 2015) to assist you with this discussion.
https://youtu.be/fRym_jyuBc0
Next year the $2.8 trillion U.S. healthcare industry will finally begin to look and feel more like the rest of the business wo
evidence-based primary care curriculum. Throughout your nurse practitioner program
Vignette
Understanding Gender Fluidity
Providing Inclusive Quality Care
Affirming Clinical Encounters
Conclusion
References
Nurse Practitioner Knowledge
Mechanics
and word limit is unit as a guide only.
The assessment may be re-attempted on two further occasions (maximum three attempts in total). All assessments must be resubmitted 3 days within receiving your unsatisfactory grade. You must clearly indicate “Re-su
Trigonometry
Article writing
Other
5. June 29
After the components sending to the manufacturing house
1. In 1972 the Furman v. Georgia case resulted in a decision that would put action into motion. Furman was originally sentenced to death because of a murder he committed in Georgia but the court debated whether or not this was a violation of his 8th amend
One of the first conflicts that would need to be investigated would be whether the human service professional followed the responsibility to client ethical standard. While developing a relationship with client it is important to clarify that if danger or
Ethical behavior is a critical topic in the workplace because the impact of it can make or break a business
No matter which type of health care organization
With a direct sale
During the pandemic
Computers are being used to monitor the spread of outbreaks in different areas of the world and with this record
3. Furman v. Georgia is a U.S Supreme Court case that resolves around the Eighth Amendments ban on cruel and unsual punishment in death penalty cases. The Furman v. Georgia case was based on Furman being convicted of murder in Georgia. Furman was caught i
One major ethical conflict that may arise in my investigation is the Responsibility to Client in both Standard 3 and Standard 4 of the Ethical Standards for Human Service Professionals (2015). Making sure we do not disclose information without consent ev
4. Identify two examples of real world problems that you have observed in your personal
Summary & Evaluation: Reference & 188. Academic Search Ultimate
Ethics
We can mention at least one example of how the violation of ethical standards can be prevented. Many organizations promote ethical self-regulation by creating moral codes to help direct their business activities
*DDB is used for the first three years
For example
The inbound logistics for William Instrument refer to purchase components from various electronic firms. During the purchase process William need to consider the quality and price of the components. In this case
4. A U.S. Supreme Court case known as Furman v. Georgia (1972) is a landmark case that involved Eighth Amendment’s ban of unusual and cruel punishment in death penalty cases (Furman v. Georgia (1972)
With covid coming into place
In my opinion
with
Not necessarily all home buyers are the same! When you choose to work with we buy ugly houses Baltimore & nationwide USA
The ability to view ourselves from an unbiased perspective allows us to critically assess our personal strengths and weaknesses. This is an important step in the process of finding the right resources for our personal learning style. Ego and pride can be
· By Day 1 of this week
While you must form your answers to the questions below from our assigned reading material
CliftonLarsonAllen LLP (2013)
5 The family dynamic is awkward at first since the most outgoing and straight forward person in the family in Linda
Urien
The most important benefit of my statistical analysis would be the accuracy with which I interpret the data. The greatest obstacle
From a similar but larger point of view
4 In order to get the entire family to come back for another session I would suggest coming in on a day the restaurant is not open
When seeking to identify a patient’s health condition
After viewing the you tube videos on prayer
Your paper must be at least two pages in length (not counting the title and reference pages)
The word assimilate is negative to me. I believe everyone should learn about a country that they are going to live in. It doesnt mean that they have to believe that everything in America is better than where they came from. It means that they care enough
Data collection
Single Subject Chris is a social worker in a geriatric case management program located in a midsize Northeastern town. She has an MSW and is part of a team of case managers that likes to continuously improve on its practice. The team is currently using an
I would start off with Linda on repeating her options for the child and going over what she is feeling with each option. I would want to find out what she is afraid of. I would avoid asking her any “why” questions because I want her to be in the here an
Summarize the advantages and disadvantages of using an Internet site as means of collecting data for psychological research (Comp 2.1) 25.0\% Summarization of the advantages and disadvantages of using an Internet site as means of collecting data for psych
Identify the type of research used in a chosen study
Compose a 1
Optics
effect relationship becomes more difficult—as the researcher cannot enact total control of another person even in an experimental environment. Social workers serve clients in highly complex real-world environments. Clients often implement recommended inte
I think knowing more about you will allow you to be able to choose the right resources
Be 4 pages in length
soft MB-920 dumps review and documentation and high-quality listing pdf MB-920 braindumps also recommended and approved by Microsoft experts. The practical test
g
One thing you will need to do in college is learn how to find and use references. References support your ideas. College-level work must be supported by research. You are expected to do that for this paper. You will research
Elaborate on any potential confounds or ethical concerns while participating in the psychological study 20.0\% Elaboration on any potential confounds or ethical concerns while participating in the psychological study is missing. Elaboration on any potenti
3 The first thing I would do in the family’s first session is develop a genogram of the family to get an idea of all the individuals who play a major role in Linda’s life. After establishing where each member is in relation to the family
A Health in All Policies approach
Note: The requirements outlined below correspond to the grading criteria in the scoring guide. At a minimum
Chen
Read Connecting Communities and Complexity: A Case Study in Creating the Conditions for Transformational Change
Read Reflections on Cultural Humility
Read A Basic Guide to ABCD Community Organizing
Use the bolded black section and sub-section titles below to organize your paper. For each section
Losinski forwarded the article on a priority basis to Mary Scott
Losinksi wanted details on use of the ED at CGH. He asked the administrative resident