
Security plan

Contents
Overview
Purpose
Critical Risks in Voice as Password
Approach Used to Protect Voice Recognition

Overview
Biometric technologies have been adopted over the past decade. These technologies include
fingerprint scanners on laptops, cameras with face recognition capabilities at airport
terminals, and voice recognition for smartphones and bank access. Voice recognition is one of the
biometric authentication technologies that is growing very fast due to the unparalleled
convenience it offers.
The human voice is easily captured over very long distances without the need for any special
readers, just through standard phones. Voice recognition scores higher than the other biometric
recognition technologies because it gives the user the freedom they need when accessing signals.
There are two forms of voice recognition:
1. Text dependent
2. Text independent
In text-independent voice recognition, the text that is spoken does not matter, while in
text-dependent recognition the spoken words themselves are matched to the user. Due to the vast
development of mobile computing, voice recognition is more often preferred when choosing
biometric authentication. In one commercial speaker verification system, this is arranged so as
to avoid playback effects: the user is supposed to recite a phrase that is used as his or her
passcode, and when the user's speech matches the passcode, the user is granted access to the
next, text-independent step.

Purpose
The purpose of this security plan is to give detailed information on the most critical risks as
well as methods to address them with a structured approach. In addition, this document gives a
list of all controls that are required and mentioned in the security plan to protect the system
from threats or failure.
Critical Risks in Voice as Password
Life is becoming effortless for most smartphone users in the United States of America due to
the adoption of voice recognition technology, which has enabled a great number of users to
command cars and run phone searches without holding the device or typing any text. The commands
are given just through words. Some of the voice recognition technologies used are Google Now and
Apple's Siri. Banks in the United Kingdom as well as some parts of the United States have also
opted in to voice recognition by giving up PIN numbers and adopting passphrases to allow
access to accounts.
Institutions such as banks that have put it into place claim that the voice cannot be
distorted by noise because the voice is matched to over 100 unique voice identifiers linked to a
particular person, thereby preventing anyone from mimicking another person.
Though users are enjoying the effortless hands-free way of operating most of their devices,
the fate of voice recognition is yet to be decided. Some of the issues causing security concern
are discussed below.
In a normal attack on a voice recognition system, fraudulent voice samples are used to evade
any typical security controls in place for that system. Voice recognition technology is
vulnerable to attacks using voice samples or audio found on the internet, e.g. YouTube, as well as
industry. This was shown by researchers at the University of Alabama at Birmingham. They
also found that videos stored in private accounts in the cloud could be used as voice samples.
Other sources of these voice samples are captured recordings as well as phone calls.
Voice recognition technology is the easiest to hack because it is very simple to capture voice
samples compared to other biometric authentication methods such as fingerprints. In
addition, an organization can be breached using an individual employee's smartphone or even
company-owned smartphones.
Below is one of the security scenarios that make voice recognition technology vulnerable.
Take for instance a game created by the AVG Company that instructs users to
recite the voice commands of Google Now. People outside the company can then use these
commands to send other commands to the smartphone. Later, when the smartphone is
used to access the network of an organization, the malware downloaded can breach the whole
system.

Approach Used to Protect Voice Recognition


To avoid any security vulnerability, every organization that aims to protect its data is
supposed to employ a multi-layered approach to protect its data as well as its systems. To
make security controls stronger, the employees of the organization should be coached and made
to realize that there are many ways their voice could be cloned, as well as how they can avoid
attacks on their smartphones. By using the recognized detect-and-respond type of
defense, it is very easy for an organization to protect itself from some known threats
no matter where they come from.
The future of voice recognition is great, but as technology advances, there is a need to take user
privacy into consideration as a security measure to avoid privacy breaches. There are
several security measures researchers have come up with that can be used to protect against
unauthorized access to the user's voice recognition devices. Based on the research, the best
weapon of defense is the creation of a voice authentication technology that will be resistant to
all voice imitation attacks.
Such a technology would be a significant contribution to the field of speech recognition.
Moreover, researchers who have tested the vulnerabilities of Siri advise the developers of voice
recognition applications to add better shielding to the earphone cord. A powerful
electromagnetic sensor could also contribute to preventing a voice impersonation attack. Users
of voice recognition software like Siri or Google Now can significantly improve their security
by regularly removing the headphones from their devices as well as creating their own customized
words to be used for launching their software.
Firewalls are important security tools that prevent intruders from entering the software.
They are normally offered with antivirus products. They are good at preventing hackers. If
firewalls are used together with a voice password, the software would be much more secure in
its operations.

Security control
L/M/H shows the risk level for the system. Three risk levels are used:
L LOW
M MIDDLE
H HIGH

| L/M/H | Security Control | Purpose |
|-------|------------------|---------|
| L | Review all accounts and check whether they are active or not. | Attackers frequently discover and exploit legitimate but inactive accounts to attack legitimate users. |
| L | All accounts have basic voice data recorded with their users. | Ensure accounts are reviewed regularly and their voice data is renewed. |
| L | Monitor all accounts regularly and log off users automatically after a period of inactivity. | Regularly force users to re-authenticate against their voice database. |
| L | According to the standard risk criteria, all accounts are categorized for management. | A sensitive voice should be recognized by different authentication factors. |
| L | Few people have administrative privileges, so that the system will not be changed. | Prevent unauthorized software from being installed on the voice database and abuse of administrator privileges. |
| L | Minimize the use of administrative privileges and monitor for administrator and anomalous behaviour. | Prevent malicious activity from attacking the system. |
| L | Use account lockouts. After some failed login attempts, the account is locked for a period. | Account lockouts prevent attacks on the system. |
| M | Use the network to monitor the authorized system. | The network can prevent unauthorized risk to the system. |
| L | Require that users change their voice password database in a standard period. | Reduce the chance that people record a user's voice to attack accounts. |
| M | Automatically report locked-out accounts. | Check the situation of locked-out accounts and prevent attacks. |
| H | Establish the use of secure configuration for the system: remove unnecessary services; close open and unused network ports in the system; implement intrusion detection systems and host-based firewalls. | Standard secure configurations for the system reduce risks, vulnerabilities and attack vectors. |
| M | Use secure routing protocols. | Avoids the disclosure of information on internal routing. |
| M | Deny use of source routing. | Prevents denial-of-service attacks. |
| M | Ensure proper certificate and key management. The encryption key is easy to change if the cryptography fails. | Cryptographic protection is important for the voice. |
| M | Need a trusted third party to perform network security penetration testing. | Ensure that system communications are secure. |
| M | Protect data in transit. | Ensure data in transit is preserved correctly. |
| M | Ensure that the system cannot auto-run content from removable media, such as USB, CD/DVD and attachment devices. | Removable media can be a hardware vector. |
| H | Application firewalls that inspect all traffic flowing to the web application for common web application attacks, such as structured query language injection. | Firewalls are an effective security control for reducing information security risks. |
| M | Manage network devices using two-factor authentication to log in to the voice system and encrypted sessions. | Encrypted sessions protect data. |
| M | Use proven encryption techniques. | Keeps the system secure. |
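
The account controls in the table above (lockout after failed attempts, automatic reporting of locked-out accounts, review of inactive accounts, periodic voice renewal) can be checked together over a log of voice verification attempts. The following is an added example, not part of the original plan; the thresholds, the event format and the function name audit are assumptions, since the plan sets no values.

```python
from datetime import datetime, timedelta

# Assumed policy values: the plan names these controls but sets no numbers.
MAX_FAILED = 3                        # consecutive voice mismatches before lockout
LOCKOUT = timedelta(minutes=15)       # how long a locked account stays locked
INACTIVE_AFTER = timedelta(days=90)   # no successful login -> review the account
REENROLL_AFTER = timedelta(days=180)  # voiceprint age that forces renewal

def audit(accounts, events, now):
    """accounts: {user: voiceprint enrollment time}; events: time-ordered
    (time, user, matched) voice attempts. Returns {user: set of findings}."""
    findings = {user: set() for user in accounts}
    failed = {user: 0 for user in accounts}
    locked_until, last_success = {}, {}
    for when, user, matched in events:
        if user not in accounts:
            continue  # attempt for an account that does not exist
        if when < locked_until.get(user, datetime.min):
            # Even a matching sample is refused while locked: it may be a replay.
            findings[user].add("attempt_during_lockout")
            continue
        if matched:
            failed[user] = 0
            last_success[user] = when
        else:
            failed[user] += 1
            if failed[user] >= MAX_FAILED:
                locked_until[user] = when + LOCKOUT
                failed[user] = 0
                findings[user].add("locked_out")
    for user, enrolled in accounts.items():
        if now - last_success.get(user, enrolled) > INACTIVE_AFTER:
            findings[user].add("inactive")
        if now - enrolled > REENROLL_AFTER:
            findings[user].add("voiceprint_expired")
    return {user: f for user, f in findings.items() if f}

# Constructed sample data, not taken from any real system.
NOW = datetime(2024, 6, 1, 12, 0)
T0 = datetime(2024, 6, 1, 9, 0)
ACCOUNTS = {"alice": datetime(2024, 5, 1), "bob": datetime(2023, 9, 1),
            "carol": datetime(2024, 4, 1)}
EVENTS = [
    (datetime(2024, 5, 30, 8, 0), "alice", True),
    (T0, "carol", False),
    (T0 + timedelta(minutes=1), "carol", False),
    (T0 + timedelta(minutes=2), "carol", False),
    (T0 + timedelta(minutes=5), "carol", True),   # arrives during the lockout
]
```

Calling audit(ACCOUNTS, EVENTS, NOW) yields the per-account findings that would feed the automatic lockout report and the periodic account review.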
