[BreachExchange] Blockchain and Cyber Security: the Demise of Hackers?
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Sep 26 19:12:37 EDT 2017
https://themarketmogul.com/blockchain-cyber-security/?hvid=2WV9QN
In sheer scale, the Equifax breach is small, impacting 143m people, when
compared to other data breaches of the past year such as Yahoo’s 1bn-account
compromise. However, Avivah Litan, a fraud analyst at Gartner, notes that
the Equifax hack is far more dangerous in terms of risk to the consumer.
What makes this breach especially damaging is the type of data that was
taken: its sensitivity renders the breach incomparably harmful, and in
total the credit card numbers of 209,000 consumers were stolen.
Blockchain as a Solution?
Blockchain’s composition lends itself well to cybersecurity. The way
blockchain applications work makes them hard to hack and harder to corrupt;
they are tamper-evident by design. For starters, the distributed nature of
blockchain ledgers means that no single user owns the data (in a community
project, for example) and that the data is replicated across several nodes
(where one company possesses all the data, across several nodes within that
company). For public projects, encrypting data under keys the user controls
before storing it on a cloud service means the data can be kept on your
device and that whatever is stored on the cloud cannot be read by that
platform. This removes the need for blind trust in third parties and makes
it easier to keep your data safe. Moreover, blockchain transactions can be
validated by the network as they happen, without the need for later
processing by human or software intermediaries.
As for attacks, hackers typically breach networks long before any actual
damage takes place. Often they need to locate data, decrypt it, exfiltrate
it or damage systems, and these activities take time to set up and execute
effectively. Additionally, hackers need to cover their tracks and remove
evidence of intrusion, which again lengthens the time it takes to execute
an attack.
With blockchain, however, the distributed ledger makes this type of attack
far harder. Any change on a node that alters the data or the signature over
the data can be identified, and that node isolated from the network. If one
node is changed, the other nodes detect the disagreement and exclude it
from the ledger network, alerting network administrators and cybersecurity
personnel to an attempted hack. Further, the existence of many identical
copies complicates altering information.
Harder to Hack
Not only could blockchain be highly effective in detecting attempted
attacks, altering the data is also nearly impossible. The ledgers are
practically incorruptible, and even if one node is altered, it will not
match or agree with the other nodes in the network. This is further
complicated when the network consists of many nodes, all validating
transactions in real time. Furthermore, this provides a boost to anomaly
detection: when data is transmitted, the transaction can be logged,
recording sender, recipient, size, file type and so on. Any alteration or
minuscule variation can then be detected, because it will not match the
established parameters.
Compromising data becomes a gargantuan task when financial information is
stored across a network of computers. Breaching one server is not enough;
attempts to commit fraud, falsify information or change entries require a
majority of the network to be altered. Moreover, each node updates in real
time, so the attacker must change the majority of nodes simultaneously. The
combination of the peer-to-peer design, the number of nodes, the network
infrastructure, evolving cybersecurity protocols and distributed, 24/7
operation makes the platform operationally resilient.
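The detection mechanism sketched in the two sections above, as an added example that is not part of the original article or of any real blockchain's code: a toy hash-chained ledger in Python, replicated across five constructed nodes. Two attackers each tamper with one node's copy. The naive one edits a record and leaves the hashes alone, so the node's own chain check catches it; the careful one recomputes every later hash, so the copy is internally consistent and is only caught because its chain tip disagrees with the majority of nodes. That is the practical content of the "majority of the network" claim. Node names, account identifiers, amounts and the simple tip vote are all invented for the illustration; real networks use consensus protocols and signed transactions rather than this vote.

```python
import hashlib
import json
from collections import Counter

# Constructed toy: a hash-chained ledger replicated on several nodes.
# Illustrative only; not any real blockchain's code or data format.

GENESIS_PREV = "0" * 64


def block_hash(index, prev_hash, record):
    """Hash a block's contents. Canonical JSON (sorted keys, no spaces) so
    every node hashes the same bytes; changing any field changes the hash."""
    payload = json.dumps({"index": index, "prev": prev_hash, "record": record},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def build_ledger(records):
    """Chain records so that each block commits to its predecessor's hash."""
    ledger, prev = [], GENESIS_PREV
    for i, rec in enumerate(records):
        h = block_hash(i, prev, rec)
        ledger.append({"index": i, "prev": prev, "record": rec, "hash": h})
        prev = h
    return ledger


def verify_ledger(ledger):
    """Return the index of the first inconsistent block, or None if intact."""
    prev = GENESIS_PREV
    for b in ledger:
        if b["prev"] != prev or block_hash(b["index"], prev, b["record"]) != b["hash"]:
            return b["index"]
        prev = b["hash"]
    return None


def rehash_from(ledger, start):
    """Recompute hashes from `start` onward, as a careful attacker would after
    editing a record, so that the tampered copy passes local verification."""
    prev = ledger[start - 1]["hash"] if start > 0 else GENESIS_PREV
    for b in ledger[start:]:
        b["prev"] = prev
        b["hash"] = block_hash(b["index"], prev, b["record"])
        prev = b["hash"]


def isolate_disagreeing_nodes(nodes):
    """Majority vote on the chain tip; flag nodes whose copy disagrees with
    the majority or fails its own hash-chain check. `nodes` maps a node
    name to that node's ledger copy."""
    tips = {name: (led[-1]["hash"] if led else GENESIS_PREV)
            for name, led in nodes.items()}
    majority_tip, count = Counter(tips.values()).most_common(1)[0]
    if count * 2 <= len(nodes):
        raise RuntimeError("no majority agreement on the ledger tip")
    return sorted(name for name, led in nodes.items()
                  if tips[name] != majority_tip or verify_ledger(led) is not None)


def demo():
    # Constructed sample records (invented accounts and amounts).
    records = [
        {"from": "acct-1001", "to": "acct-2002", "amount": 150.0},
        {"from": "acct-2002", "to": "acct-3003", "amount": 25.5},
        {"from": "acct-3003", "to": "acct-1001", "amount": 80.0},
    ]
    honest = build_ledger(records)
    # Five nodes hold identical copies (deep copies, so tampering stays local).
    nodes = {f"node-{i}": json.loads(json.dumps(honest)) for i in range(5)}
    # Naive attacker on node-3: edits one amount, leaves the hashes alone.
    nodes["node-3"][1]["record"]["amount"] = 25500.5
    # Careful attacker on node-4: edits the amount and recomputes every
    # subsequent hash, so the copy is internally consistent.
    nodes["node-4"][1]["record"]["amount"] = 25500.5
    rehash_from(nodes["node-4"], 1)
    return {
        "honest_ok": verify_ledger(honest) is None,
        "naive_tamper_detected_at": verify_ledger(nodes["node-3"]),
        "careful_tamper_detected_at": verify_ledger(nodes["node-4"]),
        "isolated": isolate_disagreeing_nodes(nodes),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports that the honest chain verifies, node-3 fails verification at block 1, node-4 verifies cleanly on its own, and both nodes are isolated by the cross-node comparison. The point a defender should take from the second case is that local integrity checks are not enough once an attacker controls a whole node: detection comes from the other copies, which is why the number of independent nodes, and the cost of corrupting a majority of them at once, is what the argument above actually rests on.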
Limitations
Despite blockchain’s seemingly perfect fit for protecting sensitive data,
there are still limitations to the platform. Whilst hackers might not be
able to compromise the blockchain itself, damage can still be done to the
underlying systems. A DDoS attack can still interrupt processes,
essentially rendering the network inoperable for the duration of the
attack. Whilst the existing data will be safe, the network cannot continue
to operate, meaning further changes to the ledger cannot be committed while
the attack lasts. Nor does the ledger’s integrity guarantee extend to the
confidentiality of data held off-chain or to the safekeeping of the signing
keys on users’ devices. Moreover, the attacks are not limited to the
blockchain portion of the infrastructure: should the company operate AI or
use IoT technology, DDoS attacks could disrupt those systems, for example
by interrupting manufacturing processes run by AI bots on a factory floor.
As a result, the blockchain system would still be vulnerable to the
inoperability of the technology it underpins.
Harder Punishments
A key tool in combating cyber attacks is ensuring that a company’s cyber
infrastructure is secure. Thus it is necessary to regulate the minimum
commitment firms must make to securing their networks, to protect
themselves, other entities and their clients. Fundamentally, therefore, the
law presents a powerful opportunity to set high standards and diminish the
scope of power available to attackers. Certainly the law will have to keep
pace with technological advancements in the future but, by having a
standard of cyber security that firms must adhere to, one can
significantly reduce the risk of successful hacks.
Wharton professor Gad Allon argues that the technology in itself is not
enough: governments must set tougher cybersecurity standards and encourage
companies to adopt better practices through regulation built on cyber
security principles. “The
penalty for firms has to be heavier. We should also have specific
regulations about who has the liability in these cases and how quickly
firms should admit [they have been hacked],” Allon said, adding “We see
more and more situations where firms only acknowledge these things months
after they happen.… This is why people have to go to jail for these things.”
According to Suchitra Nair, Director at Deloitte U.K.’s Risk Advisory
practice, “Operational resilience of the blockchain will be a key focus
area for regulators and will need to be rigorously tested and evidenced by
the firm to gain regulatory assurance.” The requirement to comply with
cyber standards will be a key power of the law, hopefully making security a
key topic for consideration by CEOs and boards. One such legislative tool is
the EU General Data Protection Regulation (GDPR).
The EU GDPR aims to reflect the exponential growth of personal data
processing as internet services continue to develop. Further, the
regulation aims to put individuals in control of their data, imposing
strict conditions on consent for data to be captured and stored. This
creates new obligations in areas such as data anonymisation, compulsory
breach notification and the appointment of Data Protection Officers,
requiring organisations handling EU citizens’ data to make major changes in
the way they operate. Moreover, companies wanting to conduct business in
Europe, either directly or indirectly through a European subsidiary, will
have to comply with these standards. Thus the regulation has the potential
to reach beyond the member states.
On the penalty issue, the regulation includes the appointment of dedicated
Data Protection Officers within companies and the requirement to notify the
relevant supervisory authority of a breach within 72 hours of becoming aware
of it. Furthermore, non-compliance could cost up to 4% of a company’s
annual global turnover or €20m, whichever is higher. That figure is both
eye-watering and attention-grabbing and is certain not to go unnoticed
among executive-level decision makers.
Final Thoughts
The high level of dependency on technology, data and soon AI mandates that
companies adapt and adopt security protocols to protect themselves and
their business partners, consumers and stakeholders. New business models
and revenue streams have been facilitated by greater internet connectivity,
but with this “comes new gaps and opportunities for cyber attackers to
exploit.” Ed Powers, Deloitte’s U.S. Cyber Risk Lead, states that “while
still nascent, there is promising innovation in blockchain towards helping
enterprises tackle immutable cyber risk challenges such as digital
identities and maintaining data integrity.”
Certainly no cybersecurity defence is 100% impregnable, but blockchain may
present today’s companies with a better option.