Grant-funded partnership between Dartmouth and an innovative IT security company identifies the greatest risk factors for data breaches; urges change
Hanover, NH - March 13, 2015 - Researchers at Dartmouth College's Institute for Security, Technology, and Society (ISTS) are exploring the weak links, vulnerabilities and economies of scale that have led to the data breach epidemic, and they are urging organizations to stop authenticating employees and customers with vulnerable legacy identity schemes based on username and password combinations, replacing them with stronger identity technologies that are opaque to attackers.
The year-long research project, funded in part by the New Hampshire Innovation Research Center (NHIRC), is a partnership between ISTS@Dartmouth and Manchester-based WWPass, an information technology company that has developed new and innovative ways to manage and protect an organization’s private and confidential information. The NHIRC Granite State Technology Innovation Grant focuses specifically on data breach prevention for the healthcare industry, but the findings are applicable across all industries.
“When it comes to organizations trying to keep their data private, attackers always seem to win, no matter if the target is a security company like RSA or an entertainment giant like Sony, a regulated health provider like Anthem, a mass retailer like Target or Home Depot, or a leader in technology R&D like Google,” said Dr. Sergey Bratus, Dartmouth’s lead researcher on the project. “There's even worse news: breaches have become merely a matter of scale; it appears that if attackers can scale up their effort they win, no matter how unsophisticated they are.”
Organizations have long relied on usernames and passwords to authenticate employees and customers, but those methods have failed over and over again. Even adding second-factor authentication methods to thwart attackers does not seem to have turned the tide. Usernames are problematic because they are guessable and allow attackers to scour the victim's social media accounts and public records; e.g., knowing an employee's email address will likely lead an attacker to his or her Facebook account and a wealth of other private data. Not surprisingly, according to Verizon's 2014 report, 76 percent of data breaches occur due to attackers gaining access through stolen user credentials.
A February 15, 2015 report by Dartmouth’s Bratus and WWPass Founder and CEO Gene Shablygin outlines the importance of eliminating usernames and second-factor authentication methods in favor of non-guessable authentication methods such as token authenticators or secure mobile apps. Cyber criminals are more sophisticated than the technologies used by most organizations, and it’s time for that to change.
The elimination of traditional username and password combinations has also received support from notable public figures, including New York’s top banking regulator. Benjamin M. Lawsky, New York’s superintendent of Financial Services, said in February 2015 in a speech at Columbia Law School: “The password system should have been dead and buried many years ago. And it is time that we bury it now.”
Further complicating data security is the issue of economies of scale. Organizations guard against account compromise by checking the strength of their employee and customer passwords, or by requiring several modes of authentication on the accounts they control. However, accounts are all too often compromised outside of an organization's control, when hackers gain access through other accounts belonging to the same person or used on the same computer. Once hackers obtain one person's account information, they can use "side hops" or lateral movements to reach other information. It takes only one compromised username and password from one employee to wreak havoc on a major company.
“Scaling and meshing of everyone's network activities and authentications has shifted the advantage to the attacker. The web of weak accounts makes it too easy for attackers to navigate from victim to victim,” said Shablygin, the WWPass CEO. “We must make it harder for attackers to select and leverage the next round of targets. The only way to beat the scaling effects and end the epidemic of account breaches is to reduce this plethora of weak links by eliminating the use of usernames and passwords.”
The joint research project is expected to wrap up June 30, 2015. It is funded with a $33,000 grant from NHIRC and a company match from WWPass of $33,000. Additional findings and recommendations will be released as research continues.
About the Institute for Security, Technology, and Society at Dartmouth College
The Institute for Security, Technology, and Society (ISTS) at Dartmouth College is dedicated to pursuing research and education to advance information security and privacy throughout society.
ISTS engages in interdisciplinary research, education and outreach programs that focus on information technology (IT) and its role in society, particularly the impact of IT in security and privacy broadly conceived. ISTS nurtures leaders and scholars, educates students and the community, and collaborates with its partners to develop and deploy IT, and to better understand how IT relates to socio-economic forces, cultural values and political influences. ISTS research improves our ability to:
- Design and deploy secure, usable computer systems and protect them from tampering, disruption and attack
- Enable people and organizations to communicate and exchange information securely and privately across networked computing devices
- Address social, economic and policy issues that arise in the development, deployment and regulation of such information technology
Goals of ISTS
- RESEARCH, to extend knowledge and provide insight and innovation in the area of information security
- EDUCATION, to increase the number of students and faculty involved in technology research, and to increase community awareness of privacy and security challenges and solutions related to IT
- OUTREACH, through collaborations that deploy technology and encourage knowledge transfer for both public and private benefit
About New Hampshire Innovation Research Center
The NHIRC was created in 1991 by the New Hampshire Legislature to support innovation through industry and university collaborations, thereby increasing the number of quality jobs in the state. Since its inception, the NHIRC has awarded more than $6 million in state funds to support research projects and has been responsible for the creation or retention of 650 jobs. Awardees have received more than $32 million in federal SBIR grants and over $900 million in investment/acquisition capital.
WWPass Corporation is an information technology company based in Manchester, NH. The mission of WWPass is to deliver innovative technology to manage (access, store, process, exchange) private and confidential information. WWPass provides a convenient but secure authentication and document repository solution for enterprises and individuals. WWPass was incorporated in 2008 and spent its first four years developing its technology, which is covered by four granted and several pending U.S. patents.