Multiparty Encryption Allows Companies to Solve Security-Data Conundrum

An interdisciplinary research team constructs a way for companies to share breach data without revealing specific details that could expose businesses to legal risk.

A system that allows companies to submit breach data anonymously and then benefit from the aggregate statistics for their industries could give executives and policymakers a more accurate understanding of how breaches impact businesses and give companies the timely threat intelligence they need to prepare for attacks.

The Secure Cyber Risk Aggregation and Measurement (SCRAM) system — created by an interdisciplinary team of policy, financial, and computer-science researchers at the Massachusetts Institute of Technology (MIT) — uses a special type of encryption to allow various calculations to be performed on protected data in the context of a multiparty computation (MPC) system. An initial proof-of-concept trial not only delivered aggregate breach data for a group of six companies, but it also collected information about the adoption rate of security controls and the controls blamed for the greatest loss.

The researchers plan to next conduct a larger trial of the technology with 60 to 70 companies in several industries to gather sector-specific data, says Taylor Reynolds, technology policy director of MIT's Internet Policy Research Initiative.

"We have shown that firms are willing to share this really sensitive data as long as they know it is going to be protected," he says. "And what that does is it opens up a whole new set of data and statistics for us that will allow us to better defend our networks."

The research could solve one of the most enduring problems of cybersecurity: the lack of good data on breaches and information on what controls are working. While several industries — most notably healthcare — are required to disclose information on cybersecurity incidents, the practice remains relatively uncommon and minor cybersecurity events have always been underreported. 

A privacy-preserving system could solve the major hurdle preventing such sharing of data, says Darren Van Booven, lead principal consultant at security-services firm Trustwave.

"One of the things that I've always noticed over the course of my career is the difficulty in being able to get quality information on what works and what doesn't, what have other organizations found to be more effective in the way of controls, and what exactly are the losses that have occurred," he says. "This impacts the job of every CISO because they are trying to report to their executive leadership on what exactly the real risk to their company is right now."

The idea for the system came out of interviews with executives in critical-infrastructure industries, such as the financial, oil and gas, and electric industries. Each industry wanted data, but no executive wanted to put their business at risk by acknowledging breaches, says MIT's Reynolds.

"One of the messages that kept coming out was they needed a better way to share data and share information because the current methods are not working," he says. "We put our minds together and knew we had the pieces ... let's get together and devise a way that firms can share data securely without having to reveal it or disclose it to anyone else."

The group of researchers created an MPC system that preserves privacy. The system is enabled by a special type of encryption that allows some types of math to be performed on the encrypted values. Known as threshold homomorphic encryption, the technique is a special way of protecting data by allowing each party to encrypt the information and then decrypt the results of any aggregate calculation. 

The technique solves two problems with other methods of aggregation. Take, for example, a gathering of people who want to share information on salaries. They could give all the information to a trusted third party, which could then do the calculations and provide an average income for the group. The third party, however, could be compromised or, in the end, found untrustworthy, resulting in a leak of information on a specific person's salary — a violation of privacy. Alternatively, the group could put all the information into a hat and then aggregate the data, but participants could potentially be identified from just knowing the details of any single incident.

However, if each participant added a large random number to their salary, then passed along the total to the next person, no individual salary would be compromised. In a second round of calculation, each person could subtract the large random amount they had previously added, resulting in the exact sum of their incomes.
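The two-round salary-circle sum described above, as an added Python example that is not part of the article or of MIT's SCRAM system; it applies the same masking idea to constructed per-control breach-loss figures (the firm names, control names and dollar amounts are all made up), and records what each party gets to see so the privacy claim can be checked.

```python
import secrets
# Added example (not MIT's SCRAM code): the salary-circle secure sum from the
# article, applied to breach-loss figures. Arithmetic is modulo a large prime so
# each running total a party sees is hidden by a uniformly random mask.
MODULUS = (1 << 127) - 1

class Party:
    """One firm holding a private figure and its own large random mask."""
    def __init__(self, name, value):
        self.name = name
        self._value = value % MODULUS
        self._mask = secrets.randbelow(MODULUS)  # the "large random number"
        self.seen = []  # every running total this party is shown
    def add_masked(self, running_total):  # round 1: add value + mask
        self.seen.append(running_total)
        return (running_total + self._value + self._mask) % MODULUS
    def remove_mask(self, running_total):  # round 2: subtract the mask
        self.seen.append(running_total)
        return (running_total - self._mask) % MODULUS

def secure_sum(parties):
    """Two passes around the ring; the final subtraction yields the exact sum.
    Caveat: two neighbours colluding across both rounds can difference the
    totals they saw and recover the party between them, so the ring assumes
    non-colluding participants (threshold decryption needs a quorum instead)."""
    total = 0
    for p in parties:
        total = p.add_masked(total)
    for p in parties:
        total = p.remove_mask(total)
    return total

def exposed_values(parties):
    """(viewer, owner) pairs where a running total equalled another party's raw
    figure, the leak the masks exist to prevent; expected to be empty."""
    raw = {p.name: p._value for p in parties}
    return [(v.name, o) for v in parties for t in v.seen
            for o, x in raw.items() if o != v.name and x and t == x]

def aggregate_losses(reports):
    """reports: {firm: {control: loss}}; one secure sum per failed control."""
    controls = sorted({c for r in reports.values() for c in r})
    return {c: secure_sum([Party(f, r.get(c, 0)) for f, r in reports.items()])
            for c in controls}

# Constructed sample: four firms, losses attributed to the control that failed.
SAMPLE_REPORTS = {
    "firm_a": {"centralized_logging": 900_000, "patching": 150_000},
    "firm_b": {"centralized_logging": 1_200_000, "access_control": 400_000},
    "firm_c": {"patching": 50_000}, "firm_d": {"centralized_logging": 700_000},
}
```

Calling aggregate_losses(SAMPLE_REPORTS) returns the per-control totals without any firm's own figure ever appearing in a running total; the collusion caveat in the docstring is the trust assumption that threshold homomorphic encryption is designed to relax.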

"Nowhere along that path did anyone have to reveal their own salary in order for us to run that computation," Reynolds says. "It is that type of mathematical modeling that allows us to run those computations on the platform."

The SCRAM system uses a similar approach with homomorphic encryption, a type of privacy-preserving cryptography that allows calculations on encrypted data. 

The pilot project collected data on more than 49 security incidents from the six large private-sector firms and the specific security-control failures that the companies blamed for each incident. Centralized log management was the top control failure linked to breaches, associated with almost $6 million in aggregate losses over the 49 security incidents.

Future trials will attempt to structure the questions and answers to reveal stronger links between controls and breach damages, says Reynolds.

"The Holy Grail here is trying to understand return on investment of security controls," he says. "If I spend the money on X, what will be the return on investment that I get on that when I do risk modeling?"

With the privacy-preserving system, such data may no longer be out of reach.
