We often talk about the benefits and innovation of new technologies, but just as often we overlook a highly relevant aspect: the security of those technologies. Recently, fortunately, more and more attention has been paid to cybersecurity in the fields of IoT and Artificial Intelligence, but what about Blockchain?
While we wait to share a case study of our own on this issue, we are pleased to share these thoughts from ICT Security Magazine.
Let’s start talking about the vulnerabilities.
One of the most likely vulnerabilities of a blockchain lies outside the blockchain itself.
Endpoints, just as you might expect, are the spaces where humans and blockchain meet. For the most part, endpoints are the computers that individuals and companies use to access Blockchain services.
Regardless of whether the providers of those services are financial institutions, companies, or cryptocurrencies, the use of a Blockchain begins with the information entered into a computer and ends with the information returned by a computer. It is during the process of accessing the Blockchain that the data on the chain is most vulnerable.
In particular, the credentials required to access the Blockchain can be the element exposed to attackers at the endpoints. This is a limitation on the user side, and it reminds us that in cybersecurity human behavior is the vulnerability attackers exploit most.
Public and private key security
Accessing a Blockchain requires both a public and a private key. Since it is impossible to access the data within a Blockchain without the right combination of public and private keys, this represents the strength and weakness of Blockchain technology. Without the right keys, no hacker will ever be able to access the data. In the Blockchain world, key ownership and content ownership are absolutely synonymous.
Since hackers don’t usually waste time guessing keys, their best chance of obtaining them is to attack the weakest point in the entire system: the personal computer or mobile device.
Whenever Blockchain keys are entered, displayed or stored unencrypted on such devices, hackers can acquire them. Unfortunately, most people do not adequately protect their devices.
Therefore, you can’t assume that the Blockchain is secure on its own; it only becomes secure if you implement the right forms of protection, such as protecting your laptop or device.
Provider risks – third-party applications
The Blockchain by itself has no value; it acquires value when information can be transferred into and out of it. Therefore, a Blockchain has no value if no applications run on it. As adoption of Blockchain grows and the applications that use it multiply, you can expect third parties to develop within the Blockchain ecosystem, in particular in these six main areas:
- Blockchain integration platforms
- Payment Processors
- Blockchain payment platforms
- Smart contracts
Organizations looking to deploy third-party Blockchain applications and platforms should be aware that their security depends on their vendor’s security.
No standards and regulations
Governments and financial institutions are pushing for Blockchain to be subjected to regulations.
We are therefore faced with a dilemma: many current users will leave the platforms when more regulations arrive, yet those regulations are needed in most of the areas where Blockchain is the biggest innovation.
The lack of standard protocols means that Blockchain developers cannot easily benefit from the mistakes of others. With each company, each consortium, and each product operating under a different set of rules, the risks that come with non-standard technology of any kind are real.
Also, at some point, chains may need to be integrated. Lack of standardization can mean new security risks from merging different technologies.
The solution to the question of standards and regulations is more complex than that of most technical questions.
Blockchain and its applications rely on the Internet, on software, and on operating systems, and the same is true of critical infrastructure. Vulnerabilities can depend on thousands of factors and can only be tested in production.
For critical infrastructure, not all security controls can be applied, because applying them in production would be too risky. For example, penetration testing in production is not feasible because it risks crashing a SCADA system. Testing in advance is also not feasible for Blockchain, since building a replicated environment would be difficult and very expensive.
How can risk be reduced? By protecting the endpoint and by making sure the vendor is secure, which means, when looking for vendors that provide applications and ledgers, checking that they have a PSIRT (Product Security Incident Response Team) and whether they share information. Finally, by encouraging regulation or self-regulation.
Source: ICT Security Magazine https://www.ictsecuritymagazine.com/articoli/cybersecurity-per-la-blockchain-e-la-blockchain-per-la-cybersecurity-1-3/