Flavijus Piliponis â stock.ado
The world has witnessed a surge of societal interest and institutional investment in blockchain in recent years. The technology born of the Bitcoin cryptocurrency has evolved significantly since its inception more than a decade ago. Current blockchain applications span sectors far beyond currency. The distributed ledgers and decentralized economics enabled by cryptocurrencies are an architectural paradigm for the next generation of the web.
Blockchain technology has also ushered in a host of security issues, however. More blockchain security incidents were reported in 2022 than any year prior, resulting in losses exceeding $4 billion. These exploits include traditional attacks, such as phishing or network attacks, as well as novel threats unique to blockchain infrastructure, including cryptojacking, rug pulls, 51% attacks and more.
Although blockchain technologies offer several security benefits, every technology represents new opportunities for malicious attackers -- not to mention user errors.
In a world of distributed record-keeping and decentralized applications, individuals must assume greater responsibility for their online security, and businesses must mitigate threats far beyond their own walls and proprietary assets. To secure blockchain, both individuals and organizations must begin with a security mindset.
Consumer, employee, executive: Cybersecurity hygiene applies to all
A security mindset means supporting security education, resources and participation as part of an organization's culture and values. It's an orientation for decision-making when it comes to email, identity management, security updates, product and network design, partnerships, insurance and beyond.
Although core blockchain technologies are typically abstracted from end-user view, the interfaces for interacting with applications, crypto assets or related identity management systems are just as much targets for bad actors. Phishing, for example, can enable threat actors to steal private keys or enter an enterprise network -- an upstream tactic that still threatens blockchain-powered assets or interactions.
Thus, certain best practices apply to everyone, including the following:
- Implement two-factor authentication.
- Allowlist trusted senders and recipients.
- Use strong private key access management.
- Install security updates and patches.
- Understand custodial services.
- Use cold -- i.e., hardware -- wallet storage.
- Practice strong network security via zero-trust architecture, VPNs, firewalls, etc.
Blockchain-specific mitigations and security best practices
Security leaders must balance an agnostic technology approach to security strategy, while also engaging deeply with the risks new tools or architectures enable. For example, governance of security decisions, orchestration and response should span technologies, while simultaneously accounting for the particulars of specific architectures. This helps maintain clarity and accountability, as well as organizational alignment, regardless of what technologies are brought on board.
To secure blockchain, organizations should prepare for the particulars of distributed processing with the following mitigations:
- Governance specific to blockchain. Determine how new users or organizations join or leave the network, and enable mechanisms to remove bad actors, manage errors, protect data and address conflicts between parties. This should also include frameworks to guide design decisions and incorporate compliance regimes.
- Data security on-chain vs. off-chain. Although data minimization is a general best practice for determining what data is stored on-chain, IT leaders should apply additional security measures to sidechains, hash data, data in transit, cloud storage and so forth.
- Consensus mechanisms. Decentralization is a key feature of blockchain technology, with distributed computing nodes processing and recording data in consensus, as a group. If a single node submits a fraudulent or faulty record a majority of its peers do not recognize, for example, the network will reject the data as illegitimate. This model provides a level of built-in security as -- to successfully manipulate network data -- an attacker would need to seize control of 51% of computing nodes. If, however, threat actors did manage to take over the majority of a network in a successful 51% attack, the results could be disastrous.
Consensus mechanisms help safeguard against such attacks by requiring participants to invest time and money in the process and incentivizing them to act in good faith. They include the following:
- Proof of work (PoW). In PoW, also known as mining, networked computing programs compete to solve complex mathematical puzzles as a means of validating new transaction blocks. When miners successfully verify transactions, they update the blockchain and win rewards.
- Proof of stake (PoS). In the PoS model, a network of validators invests its own resources into a pool in the hope of winning a chance to validate a block of transactions. Once a given number of validators has confirmed a block's accuracy, it's added to the blockchain. Validators receive compensation for their work, but if they incorrectly validate bad data, they pay penalties.
- Delegated PoS. Delegated PoS works similarly to PoS, except third parties are able to invest in validators' staking pools, sharing the financial risks and rewards.
- Private key security strategies. Insecure private key management practices put an organization's assets on the blockchain at serious risk. Security leaders must craft thoughtful strategies for protecting private keys, perhaps through hardware or multisignature wallets, and educate users accordingly. Security awareness training is key -- phishing attacks and human error continue to pose top risks when it comes to both legacy and new technology.
- Smart contract security. Smart contracts, also called chaincode, are sets of code within a blockchain, which trigger transactions based on programmed conditions. They create another point of vulnerability because their integrity determines the reliability of the operation and trustworthiness of the results. Follow smart contract security best practices, such as practicing secure software development, testing smart contracts before deployment, vetting source code for security issues and commissioning smart contract audits.
- Blockchain network security. Corporate blockchain use requires strong enterprise network security. The multiparty nature of blockchain, however, means other organizations' IT and networking environments can introduce potential for security flaws or exploits. Part of governance, therefore, must include reviews of users' and vendors' security postures, safeguards and protocols in the event of an incident.
- Blockchain application security. Applications are how data and many use cases are accessed on the blockchain. They're a point of vulnerability and should be secured with strong user authentication and endpoint protections. In permissioned blockchains, where access and use are only open to vetted or known participants, this may include variable levels of access that could change over time.
- Interoperability. How data, identities and interactions occur across networks, applications and smart contracts at scale is another lens for evaluating a distributed security landscape. Threats increase as interface and system complexity expands. Security flaws and errors at any point in the ecosystem can lead to insufficient user authentication, unauthorized transactions, misconfigurations, data manipulation and other unpredictable results.
- Embracing of privacy-enhancing tech. Several adjacent techniques are emerging to maintain privacy, anonymity, compliance and security without forgoing potential business value of data or blockchains. Panther Protocol, for example, bridges decentralized financial technologies and traditional financial institutions' needs. It uses selective disclosure of private information and zero-knowledge proofs designed around Know Your Customer compliance, enabling users to switch between blockchains, while proving compliance with selected parties without sharing underlying data. Other examples of new techniques that improve security through data minimization include differential privacy, self-sovereign identity protocols and use of synthetic data for modeling.
- Use of trusted auditors and third parties. Security assessments, penetration tests, and audits of smart contracts, source code and blockchain infrastructure should only be conducted by trusted parties. Use these to mitigate emerging threats, such as hacks on cryptographic algorithms, and prepare for novel attack types or automated agents.
To secure blockchain and mitigate related attacks, organizations don't need to adopt a vastly different approach than they use to address other threats. Blockchains may represent a bundle of novel design configurations and stakeholder considerations, but similar to other technologies, they are subject to nefarious use and human error. That said, it's essential to incorporate some blockchain-specific designs and implications into an existing threat mitigation strategy.