[BreachExchange] Is there a weak link in blockchain security?

Destry Winant destry at riskbasedsecurity.com
Mon Jun 10 09:53:55 EDT 2019


https://www.helpnetsecurity.com/2019/06/10/weak-link-blockchain-security/

Recent research revealed that blockchain is set to become ubiquitous
by 2025, entering mainstream business and underpinning supply chains
worldwide.

This technology is set to provide greater transparency, traceability
and immutability, allowing people and organizations to share data
without having to be concerned about security. However, blockchain is
only as strong as its weakest link. Despite the acclaim surrounding
blockchain’s immutable security, there are still risks surrounding it
that organizations must be aware of – and mitigate – prior to
implementation.

It is important to understand that there are two types of blockchain –
permissionless and permissioned. The most prominent example of
permissionless blockchain is Bitcoin – a public blockchain network
that anyone can participate in. Cryptocurrencies like bitcoin favor
this type of blockchain technology because it enables all users to
track, verify and confirm transactions, regardless of whether users
choose to be anonymous or not.

The other blockchain model is permissioned (also known as private
blockchain) – and is mainly used for business applications. These
networks are only accessible to known entities such as partners,
suppliers or customers. With permissioned blockchain, a company
establishes protocols to achieve consensus, and verify and assemble
blocks. This setup can deliver thousands of transactions per second
and provide granular management and control over who sees and accesses
the transactions.

In both cases, the main benefit is the trust and transparency that
blockchain brings – all parties involved in the network have total
visibility into the transactions recorded in the blockchain ledger and
each block is tied to the block before it.

This transparency makes blockchain extremely difficult to manipulate
at scale. While the blockchain platform itself may be secure, there is
still some work to be done to ensure organizations are equipped to
make their networks secure end to end. For true security,
organizations must focus on the last mile connection between a
physical event and the digitized record of this event.
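As an added illustration of the "last mile" point above (example code written for this post, not part of the article), a minimal hash-chained ledger in Python: altering a block that is already on the chain breaks verification, but a record that was falsified before it was entered verifies without complaint. The block layout and the shipment events are constructed for the demonstration.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # previous-hash value used for the first block

def block_hash(block):
    """Hash the block's fields in a canonical (sorted, compact) JSON encoding."""
    payload = {k: block[k] for k in ("index", "prev_hash", "record")}
    encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()

def append_block(chain, record):
    """Append a block that ties `record` to the current chain head."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    block = {"index": len(chain), "prev_hash": prev_hash, "record": record}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block

def verify_chain(chain):
    """Return (ok, index_of_first_bad_block); checks each hash and each link."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1]["hash"] if i > 0 else GENESIS_PREV
        if block["prev_hash"] != expected_prev or block["hash"] != block_hash(block):
            return False, i
    return True, None

def demo():
    """Contrast ledger tampering (detected) with a falsified entry (not detected)."""
    # Constructed shipment events; the "last mile" is whoever produces them.
    chain = []
    append_block(chain, {"event": "shipped", "lot": "A1", "qty": 100})
    append_block(chain, {"event": "received", "lot": "A1", "qty": 100})
    ok_before, _ = verify_chain(chain)

    # Case 1: alter a record already on the chain. Its hash no longer matches.
    tampered = copy.deepcopy(chain)
    tampered[0]["record"]["qty"] = 500
    ok_tampered, bad_index = verify_chain(tampered)

    # Case 2: the scanner really read 100, but 500 is entered before the
    # block is built. The chain is intact and faithfully records the lie.
    falsified = []
    append_block(falsified, {"event": "shipped", "lot": "A1", "qty": 500})
    append_block(falsified, {"event": "received", "lot": "A1", "qty": 500})
    ok_falsified, _ = verify_chain(falsified)
    return ok_before, ok_tampered, bad_index, ok_falsified
```

The chain only proves that stored blocks have not changed since entry; the integrity of the entry itself has to be secured by the controls the article goes on to list.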

If these points of entry to the platform are tampered with, the
blockchain is rendered worthless. It is therefore imperative that
organizations secure all points of entry, and assess the risks, before
they consider deploying blockchain on a broad scale. They will need to
consider security at all layers, most importantly:

Infrastructure

This starts with ensuring data and transactions entered in the
blockchain ecosystem are adequately protected from manipulation. The
infrastructure these networks reside on must also have the necessary
protections in place. With blockchain, you are only as strong as your
weakest link.

If integration points are compromised, the entire blockchain ecosystem
could be at risk, meaning that blockchain credentials and data could
be exposed to unauthorized users.

Identity and access management

To prevent unauthorized parties from accessing blockchain data, a
combination of encryption and identity management tools are needed.
Stolen credentials could potentially allow a cybercriminal to access
the blockchain platform, regardless of how secure it is. Organizations
must deploy identity and access management controls. Encryption should
also be deployed to ensure that data is not stolen, manipulated or
leaked in transit.

End users

The insider threat should be a focal concern when it comes to
blockchain too. Organizations must consider that employees, partners
and suppliers – be it unintentionally or maliciously – can cause
security incidents that impact the blockchain.

To mitigate this, organizations should deploy security awareness
training for employees and outline clear security parameters and
responsibilities with partners. This will stop employees from making
careless mistakes and may also ward off malicious insiders. In line
with these requirements, blockchain can provide advanced security
controls – for example, leveraging the public key infrastructure (PKI)
to authenticate and authorize parties, and encrypt their
communications.

Data governance

Blockchain-based networks are built on shared business interests,
creating a system of trust. However, as the network grows,
participating entities may leave the network and new ones may join,
leading to ambiguity about operational questions of data sharing and
data ownership. For organizations that are data owners, this can
result in serious regulatory and reputational repercussions if they
are unable to secure customer data.

Interoperability

Organizations are multi-faceted and have multiple revenue streams,
often linked to each other. One of the major challenges to blockchain
adoption has been a lack of interoperability across different
blockchain networks. There have been recent developments, with major
players embarking on developing interoperable networks, which could
boost blockchain interest to a different level, at the same time
introducing additional levels of vulnerability.

Smart contracts

A key component of blockchain networks is smart contracts, which are
developed in languages specific to the platform in use, such as
Solidity on Ethereum. These languages allow developers to change the
behaviour of the underlying blockchain network, which can introduce
vulnerabilities. From an enterprise blockchain perspective, however, a
solid governance mechanism on a permissioned chain can put a secure
system in place that restricts these privileges to the governing body.

To achieve the most value from blockchain, both now and in the future,
organizations must take responsibility for their safety and security
at all levels – application, infrastructure, data and partners.

By conducting a blockchain risk assessment and addressing key risks,
organizations can make sure they are well positioned to leverage the
efficiencies, transparency and cost-effectiveness provided by
blockchain without opening themselves up to unexpected risks. The most
pragmatic approach for organizations interested in blockchain is to
test the concept through pilot programs. Pilots should focus on the
areas where organizations have the most control, and companies should
take these weak links into consideration.

Ultimately, blockchain has the ability to solve business issues
relating to traceability, responsiveness, and trust. By taking a
carefully planned approach to implementation, and understanding
blockchain’s weak links, organizations can unlock the true value of
blockchain, creating new opportunities and reducing inefficiencies.
