- Ethical Hacking:
a. Ethical hacking and ethical hacker are terms used to describe hacking performed by a company or individual to help identify potential threats on a computer or network.
b. An ethical hacker attempts to bypass system security and search for any weak points that could be exploited by malicious hackers.
c. This information is then used by the organization to improve the system security in an effort to minimize or eliminate any potential attacks.
d. For hacking to be deemed ethical, the hacker must obey the following rules:
i. You have express (often written) permission to probe the network and attempt to identify potential security risks.
ii. You respect the individual's or company's privacy.
iii. You close out your work, not leaving anything open for you or someone else to exploit at a later time.
iv. You let the software developer or hardware manufacturer know of any security vulnerabilities you locate in their software or hardware, if not already known by the company.
e. Ethical hackers use the same methods and techniques to test and bypass a system's defences as their less-principled counterparts, but rather than taking advantage of any vulnerability found, they document them and provide actionable advice on how to fix them so the organization can improve its overall security.
f. The purpose of ethical hacking is to evaluate the security of a network or system's infrastructure.
g. It entails finding and attempting to exploit any vulnerability to determine whether unauthorized access or other malicious activities are possible.
h. Vulnerabilities tend to be found in poor or improper system configuration, known and unknown hardware or software flaws, and operational weaknesses in process or technical countermeasures.
i. One of the first examples of ethical hacking occurred in the 1970s, when the United States government used groups of experts called "red teams" to hack its own computer systems.
j. It has become a sizable sub-industry within the information security market and has expanded to also cover the physical and human elements of an organization's defences.
k. A successful test doesn't necessarily mean a network or system is 100% secure, but it should be able to withstand automated attacks and unskilled hackers.
l. Any organization that has a network connected to the internet or provides an online service should consider subjecting it to a penetration test.
m. Various standards such as the Payment Card Industry Data Security Standard require companies to conduct penetration testing from both an internal and external perspective on an annual basis and after any significant change in the infrastructure or applications.
n. Many large companies such as IBM maintain employee teams of ethical hackers, while there are plenty of firms that offer ethical hacking as a service.
o. Trustwave Holdings Inc. has an Ethical Hacking Lab for attempting to exploit vulnerabilities that may be present in ATMs, point-of-sale devices and surveillance systems.
- Biometric Authentication:
a. Biometric authentication is one of the most exciting technical improvements of recent history and looks set to change the way in which the majority of individuals live.
b. The use of biometric systems for personal authentication is a response to the rising issue of authentication and security. The most widely used method of biometric authentication is fingerprint recognition.
c. Biometric authentication is the verification of an individual's identity using biometric characteristics.
d. Biometric characteristics can be separated into two main categories:
i. Physiological characteristics: These are related to the shape of the body. The trait that has been in use the longest, for over one hundred years, is the fingerprint. Other examples are face recognition, hand geometry and iris recognition.
ii. Behavioural characteristics: These are related to the behaviour of a person. The first characteristic to be used, and one still widely used today, is the signature.
e. A simple biometric system consists of four basic components:
i. Sensor module, which acquires the biometric data.
ii. Feature extraction module, where the acquired data is processed to extract feature vectors.
iii. Matching module, where feature vectors are compared against those in the stored template.
iv. Decision-making module, in which the user's identity is established or a claimed identity is accepted or rejected.
f. Any human physiological trait can serve as a biometric characteristic as long as it satisfies the following requirements:
i. Universality: everyone should have it.
ii. Distinctiveness: no two people should have the same one.
iii. Permanence: it should be invariant over a given period of time.
In real-life applications, three additional factors should also be considered: performance (accuracy, speed and resource requirements), acceptability (it must be harmless to users) and circumvention (it should be robust against fraudulent methods).
g. Functional model of a biometric authentication system:
i. Biometric samples are collected using an appropriate sensor.
ii. Segmentation/identification is performed to extract/recognize the desired attributes from the biometric samples.
iii. Measurements performed on these attributes give features, depending upon the representation method.
iv. The features so obtained are used to form a biometric template. The biometric template is stored in one of many encrypted forms so as to avoid spoofing.
v. Once the database is ready, a query template needs to be authenticated using a matcher so as to determine its similarity with the templates in the database.
vi. The output of the matcher is a matching score, which gives the degree of similarity of the query template with the various templates. This is used to arrive at a decision using a classifier.
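The functional model above (sensor sample, feature extraction, template database, matcher, matching score, threshold decision) as an added toy example; this is not code from the notes. The bit-vector features, the Hamming-similarity matcher, the 0.80 threshold and the sample bytes are all constructed assumptions, and encryption of the stored templates is not shown.

```python
import random

CODE_BITS = 64
THRESHOLD = 0.80  # decision rule: accept when the matching score is at least this

def extract_features(sample: bytes) -> list[int]:
    """Feature extraction module: unpack a raw sensor sample into a bit vector."""
    bits = [(byte >> i) & 1 for byte in sample for i in range(8)]
    return bits[:CODE_BITS]

def match_score(query: list[int], template: list[int]) -> float:
    """Matching module: similarity = 1 - normalised Hamming distance (1.0 = identical)."""
    if len(query) != len(template):
        raise ValueError("feature vectors must have equal length")
    disagreements = sum(q != t for q, t in zip(query, template))
    return 1.0 - disagreements / len(template)

def verify(claimed_id: str, query: list[int], db: dict) -> tuple:
    """Decision module, verification mode: does the query match the claimed identity?"""
    template = db.get(claimed_id)
    if template is None:  # unknown identity: reject without scoring
        return False, 0.0
    score = match_score(query, template)
    return score >= THRESHOLD, score

def identify(query: list[int], db: dict) -> tuple:
    """Decision module, identification mode: closest enrolled template above threshold."""
    best_id, best_score = None, 0.0
    for user_id, template in db.items():
        score = match_score(query, template)
        if score > best_score:
            best_id, best_score = user_id, score
    return (best_id if best_score >= THRESHOLD else None), best_score

def noisy_copy(sample: bytes, flips: int, seed: int) -> bytes:
    """Constructed re-capture of the same trait: flip a few bits to mimic sensor noise."""
    rng = random.Random(seed)
    noisy = bytearray(sample)
    for _ in range(flips):
        pos = rng.randrange(len(noisy) * 8)
        noisy[pos // 8] ^= 1 << (pos % 8)
    return bytes(noisy)

# Enrolment: constructed 8-byte "sensor samples" for two users (not real biometric data).
ALICE_SAMPLE = bytes.fromhex("a5c3f00f3c5aff01")
BOB_SAMPLE = bytes.fromhex("1234567890abcdef")
DB = {"alice": extract_features(ALICE_SAMPLE), "bob": extract_features(BOB_SAMPLE)}
```

A genuine re-capture with a few flipped bits still scores above the threshold, while Bob's sample scores 23/64 against Alice's template and is rejected; lowering the threshold trades fewer false rejections for more false acceptances.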