Biometrics are supposed to provide a more secure and easier way of protecting sensitive data. Using your fingerprint, your face, or your voice to sign into an account or retrieve personal information is considered a better and safer option than trying to juggle an array of passwords. Biometry-based authentication is being used to access government and commercial offices, industrial automation systems, corporate computers, personal laptops, and mobile phones.
But what about the computers that collect, process, and store biometric data? Are they secure, and if not, how do you better protect those systems? A study released Wednesday by Kaspersky describes how malware has affected servers and workstations with biometric data and offers advice on how to safeguard those computers.
SEE: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic)
Looking at the first nine months of 2019, Kaspersky ICS CERT experts investigated cybertheats which targeted computers used to gather, process, and store biometric data. Specifically, the computers analyzed were ones that ran Kaspersky security products so the company could fully examine them.
Just for the third quarter, some 37% of the computers included in the study were hit by at least one malware infection, all of which were blocked by Kaspersky software. Specifically, 5.4% of the threats detected and blocked were modern remote-access Trojans, 5.1% were malware used in phishing attacks, 1.9% were ransomware, and 1.5% were Trojan bankers (Figure A).
The internet popped up as the top source for the malware attacks, accounting for 14.4% of the infections analyzed and blocked by Kaspersky. These types of attacks included threats found on malicious and phishing websites as well as web-based email services.
Next, removable media was the culprit in 8% of the attacks discovered, most often used to distribute worms. After hitting a computer, worms can download spyware, remote access Trojans, and ransomware.
Email threats ranked third, accounting for 6.1% of the attacks in this scenario. In most instances, these were the usual phishing emails with phony messages about the delivery of goods and services or the payment of invoices. The messages contained links to malicious websites or attached Microsoft Office documents with malicious code.
“Our research shows that the existing situation with biometric data security is critical and needs to be brought to the attention of industry and government regulators, the community of information security experts, and the general public,” Kirill Kruglov, senior security expert at Kaspersky ICS CERT, said in a press release. “Though we believe our customers are cautious, we need to emphasize that infection caused by the malware we detected and prevented could have negatively affected the integrity and confidentiality of biometric processing systems. This is particularly the case for databases where biometric data is stored, if those systems were not protected.”
To help organizations better secure the computers that handle biometric data, Kaspersky offers the following recommendations:
1) Minimize the exposure of biometric systems to the internet and internet-related threats. Ideally, such systems should be part of an air-gapped infrastructure, which means no connection (wired or wireless) to the internet and no connection to any other systems that connect to the internet. Cybersecurity should be of the highest priority when new systems like this are designed and implemented.
2) Ensure that the highest-level of cybersecurity requirements are applied to the biometric systems. This recommendation includes the following measures:
- Extensively train the operating personnel on how to resist potential cyberattacks.
- Make sure that all necessary cybersecurity controls are in place.
- Enlist a dedicated team of highly-skilled security experts to keep track of infrastructure security.
- Regularly conduct security audits to identify and eliminate possible vulnerabilities.
- Ensure that current strategic and tactical threat intelligence is constantly provided to the cybersecurity team.