Flavijus Piliponis â stock.ado
An unprecedented surge in societal interest and institutional investment in blockchain occurred in 2021. The technology born of the Bitcoin cryptocurrency has evolved significantly since its inception over a decade ago. Current blockchain applications span sectors far beyond currency. The distributed ledgers and decentralized economics enabled by cryptocurrencies are an architectural paradigm for the next generation of the web.
Blockchain technology has also ushered in a host of security issues, however. More blockchain security incidents were reported in 2021 than any year prior, resulting in losses exceeding $9 billion. These exploits include traditional attacks, such as phishing or network attacks, as well as novel threats unique to blockchain infrastructure, including cryptojacking, rug pulls, 51% attacks and more.
Although blockchain technologies offer several security benefits, every technology represents new opportunities for malicious attackers -- not to mention user errors.
In a world of distributed record-keeping and decentralized applications, individuals must assume greater responsibility for their online security, and businesses must mitigate threats far beyond their own walls and proprietary assets. For both, this begins with a security mindset.
Consumer, employee, executive: Cybersecurity hygiene applies to all
A security mindset means supporting security education, resources and participation as part of an organization's culture and values. It's an orientation for decision-making, such as in email, identity management, security updates, product and network design decisions, partnerships, insurance and beyond.
Although core blockchain technologies are typically abstracted from end-user view, the interfaces used to interact with applications, crypto assets or related identity management systems are just as much targets for bad actors. Phishing, for example, is used by threat actors to steal private keys or enter an enterprise network -- an upstream tactic that still threatens blockchain-powered assets or interactions.
Thus, certain best practices apply to everyone, including the following:
- implementing two-factor authentication
- allowlisting trusted senders and recipients
- using strong private key management
- installing security updates and patching
- understanding custodial services
- using cold (hardware) wallet storage
- using VPNs
Blockchain-specific mitigations and security best practices
Security leaders must balance an agnostic technology approach to security strategy, while also engaging deeply with the risks new tools or architectures enable. For example, governance of security decisions, orchestration and response should span technologies, while simultaneously accounting for the particulars of specific architectures. This helps maintain clarity and accountability, as well as organizational alignment, regardless of what technologies are brought on board.
To prepare for the particulars of distributed processing, organizations should incorporate the following blockchain-specific mitigations:
- Governance specific to blockchain. Determine how new users or organizations join or leave the network and enable mechanisms to remove bad actors, manage errors, protect data and address conflicts between parties. This should also include frameworks to guide design decisions and incorporate compliance regimes.
- Data security on-chain vs. off-chain. Although data minimization is a general best practice for determining what data is stored on-chain, additional security measures should be applied to sidechains, hash data, data in transit, cloud storage and so forth.
- Blockchain network security. The multiparty nature of blockchain means network connections from multiple parties beyond a single corporate network must interact. This includes IT and networking infrastructure, databases, servers and more, all of which introduce potential for security flaws or exploits. Part of governance, therefore, must include reviews of users' and vendors' security postures, safeguards and protocols in the event of an incident.
- Blockchain application security. Applications are how data and many use cases are accessed on the blockchain. They're a point of vulnerability and should be secured with strong user authentication and endpoint protections. In permissioned blockchains, where access and use are only open to vetted or known participants, this may include variable levels of access that could change over time.
- Smart contracts security. Smart contracts, also called chaincode, are sets of code within a blockchain, which trigger transactions based on programmed conditions. They create another point of vulnerability because their integrity determines the reliability of the operation and trustworthiness of the results.
- Interoperability. How data, identities and interactions occur across networks, applications and smart contracts at scale is another lens to evaluate in a distributed security landscape. Threats increase as interfaces and systems complexity expand; security flaws and errors at any point in the ecosystem can lead to insufficient user authentication, unauthorized transactions, misconfigurations, data manipulation and other unpredictable results.
- Embracing of privacy-enhancing tech. Several adjacent techniques are emerging to maintain privacy, anonymity, compliance and security without forgoing potential business value of data or blockchains. Panther Protocol, for example, bridges decentralized financial technologies and traditional financial institutions' needs. It uses selective disclosure of private information and zero-knowledge proofs designed around Know Your Customer compliance, enabling users to switch between blockchains, while proving compliance with selected parties without sharing underlying data. Other examples of new techniques that improve security through data minimization include differential privacy, self-sovereign identity protocols and use of synthetic data for modeling.
- Use of trusted auditors and third parties. Security assessments, penetration tests, and audits of smart contracts, source code and blockchain infrastructure should only be conducted by trusted parties. Use these to mitigate emerging threats, such as hacks on cryptographic algorithms, and prepare for novel attack types or automated agents.
Mitigating blockchain-related attacks doesn't require a vastly different approach than other threats. Blockchains may represent a bundle of novel design configurations and stakeholder considerations, but similar to other technologies, they are subject to nefarious use and human error. It's essential, therefore, to incorporate blockchain-specific designs and implications into an existing threat mitigation strategy.