Is blockchain as secure as it seems?


Thursday May 24 2018

Blockchain is being heralded as one of the most important inventions of the 21st century because it offers the potential to change the way the world shares and stores information. This digital, public ledger records transactions that the blockchain users verify to be true and accurate. The information is stored on all computers participating in the blockchain network, making it decentralized, immune to outages and harder to hack because there is no single point of failure. In addition, the blockchain information is difficult to alter because a change can cause the chain to break, making the alteration fairly obvious.

This combination of elements offers a high level of cybersecurity because the technology almost guarantees that information is accurate and safe. Blockchain entrepreneur Omri Barzilay points out in a Forbes article that Bitcoin’s blockchain has successfully thwarted cyberattacks for at least 8 years — that’s a better track record than the computer systems of several major companies.

Performance and features like this are attracting the interest of a variety of organizations, including the U.S. government and military. In fact, the results of a U.S. government-commissioned study about blockchain cybersecurity are due to Congress in just a few weeks. In December, President Donald Trump signed a $700 billion military spending bill into law, requiring the Department of Defense to investigate “potential offensive and defensive cyber applications” of blockchain technology, CoinDesk reports.

In the private sector, defense company Lockheed Martin contracted enterprise blockchain company Guardtime Federal to integrate a blockchain, among other cyber-related elements, into its systems engineering processes, supply chain risk management and software development efforts. IBM partnered with Walmart and food companies Dole, Driscoll’s, Golden State Foods, Kroger, McCormick & Company, McLane Company, Nestlé, Tyson Foods and Unilever to test how blockchain can add more transparency and traceability to the food supply chain.

International Data Corporation reports that $945 million was spent on blockchain in 2017 and predicts that this amount will more than double this year. Furthermore, the Framingham, Mass.-based market intelligence firm expects that blockchain spending will grow to $9.7 billion by 2021.

In spite of all of this hype, blockchain is not a cure-all for data security woes. As is the case for other cybersecurity technologies, hackers will soon find ways into these networks and use the information for their malicious purposes. Even right now, if cybersecurity experts are not careful, their blockchains could have some weak links that let in the wrong users or allow information corruption.

 

Deloitte’s report “Blockchain and Cyber Security. Let’s Discuss” points out the following cybersecurity holes in blockchains:

  • Not-so-restrictive access: Blockchains were designed to be public ledgers, so they do not inherently have protocols for limiting information access to specific parties. Private companies need to apply their own security controls at the application level to limit access to their own employees and partners.
     
  • Identity theft: One way to limit access is to allow only users with recognized private keys to decrypt the encrypted information on the blockchain. However, there is a high risk of theft of these private keys, especially if they are used from multiple devices and locations. Artur D’Assumpção, head of cyber risk and cyber security at Deloitte Portugal, recommends using special-purpose key vaults that implement technologies such as hardware security modules to create a tamper-proof environment.
     
  • Incorrect or damaged sources: Blockchains only ensure the accuracy and quality of information that is already in the system. If a trusted source or oracle submits inaccurate information — whether by mistake or intentionally — the integrity of the blockchain information is compromised. “A corrupted oracle could potentially cause a domino effect across the entire network,” explains Prakash Santhana, advisory managing director at Deloitte U.S. He adds that oracles can be directly attacked or indirectly attacked via third parties connected to the oracle. Deloitte recommends using multiple oracles to increase the integrity of the data entering the blockchain.
     
  • Majority rules: Blockchains operate on the principle of majority rule, which means that 51 percent of users need to agree that a transaction is valid before it is added to the blockchain. This opens up blockchains to what’s known as a 51% attack. In this case, an entity gains control of 51 percent of the blockchain’s computing power, which, in turn, gives this majority the ability to disrupt the network by preventing or reversing transactions. Deloitte notes that organizations should monitor their users — also known as nodes — for any significant increases in their processing power or number of transactions. This can help limit damage in the event of a 51% attack. 
     
  • Distributed Denial of Service: Like other technology services, blockchains are vulnerable to DDoS attacks. However, DDoS attacks on these distributed platforms are more difficult and more costly for hackers than other types of DDoS attacks as the cybercriminals have to work to overpower the network with large volumes of small transactions. Although DDoS attacks on blockchains are uncommon, they’ve already happened. The Bitcoin network withstood a DDoS attack in 2014. But this is not the end of the threat. Peter Gooch, partner at Deloitte UK’s risk advisory practice, predicts that DDoS attacks will continue and will probably increase in size and scale, making them more effective.
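The node monitoring recommended under "Majority rules" can be approximated by tracking each node's share of recently produced blocks, a common proxy for its share of processing power. This is an added example, not from the article or from Deloitte's report; the thresholds, window size, node IDs and function names are assumptions.

```python
from collections import Counter

# Assumed alerting thresholds (not taken from the article).
SHARE_ALERT = 0.40   # flag a node producing 40% or more of recent blocks
GROWTH_ALERT = 0.15  # flag a rise of 15 percentage points over the baseline


def shares(producers):
    """Fraction of blocks in the window produced by each node."""
    total = len(producers)
    if total == 0:
        return {}
    return {node: n / total for node, n in Counter(producers).items()}


def concentration_alerts(baseline, recent):
    """Compare a recent window of block producers against a baseline window."""
    base, now = shares(baseline), shares(recent)
    alerts = []
    for node, share in sorted(now.items()):
        # A node absent from the baseline counts as growing from zero.
        growth = share - base.get(node, 0.0)
        reasons = []
        if share >= SHARE_ALERT:
            reasons.append("share")
        if growth >= GROWTH_ALERT:
            reasons.append("growth")
        if reasons:
            alerts.append((node, round(share, 2), round(growth, 2), reasons))
    return alerts


# Constructed sample: IDs of the nodes that produced each block in two
# 20-block windows.
BASELINE = ["n1", "n2", "n3", "n4"] * 5
RECENT = ["n1"] * 9 + ["n2"] * 4 + ["n3"] * 4 + ["n4"] * 3

if __name__ == "__main__":
    for alert in concentration_alerts(BASELINE, RECENT):
        print(alert)
```

Alerting well below 51 percent and on the rate of change gives operators time to respond before a single entity reaches a majority.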

 

As blockchain use continues, hackers will discover even more blockchain vulnerabilities and craft creative ways to hack blockchains. To protect against new and evolving threats, Deloitte recommends that cybersecurity professionals employ this three-step approach:

1. Be secure. Have risk-prioritized controls to defend the blockchain.

2. Be vigilant. Know the warning signs of and be on the lookout for harmful behavior.

3. Be resilient. Have a plan for minimizing the impact of and recovering from cyberattacks.

 
 
