Beyond Bitcoin: Understanding Blockchain Security Implications
Chief technology officer (CTO) at NetSPI, a leader in penetration testing and attack surface management.
The blockchain market is expected to grow 68.4% over the next four years, with 86% of senior executives believing blockchain will become a mainstream-adopted technology. While the majority of the world has been fixated on various cryptocurrencies—including bitcoin, ethereum and the emerging non-fungible token (NFT) market—organizations have adopted blockchain technology behind the scenes. Doing this well requires the right education and implementation strategies: without an implementation approach that factors in architectural nuances, organizations open their business up to security risks.
There are a handful of blockchain deployment models: private (or internal), permissioned/consortium and public. While they all possess some common traits, each has its own nuances when it comes to its use and associated security risks.
Private (Or Internal) Deployment
Blockchains on a private network are generally isolated but are intended to solve internal operational efficiency problems. They offer an alternative data plane to traditional database architectures, with smart contracts serving as stored procedures.
Private networks are quicker than other deployment models, largely because all of the infrastructure is within the four walls of the organization, but most importantly because the consensus model doesn’t require the trustless verification that public chains do. When deployed internally, processes become more efficient, so the steps to protect business assets are more controlled. We see this specifically with an organization’s internal supply chain, where the blockchain enables a faster and more cost-efficient delivery of services.
The organization that controls the blockchains can set permission requirements and implement its own security precautions. By controlling which users can view, add or change data within the blockchain, private information is protected from third parties.
On the other hand, private blockchains are potentially more vulnerable to fraud, so organizations must understand the inner workings of the network in order to patch a vulnerability effectively. If a malicious insider or cyberattack presents itself, the steps to mitigate are essentially the same as with any other cyberthreat: conduct risk assessments, have penetration testing in place to identify security gaps and build a threat detection and response plan. Organizations that have neglected to address blockchain acumen gaps in their IT and cyber resources may find their response playbooks aren’t completely meeting their needs.
Consortium, Or Permissioned, Deployment
Consortium blockchains—or permissioned/federated blockchains—are controlled by multiple entities, which comes with its advantages and disadvantages from a security standpoint. As with private chains, permissioned networks operate at a higher velocity through the selection of a consensus model that supports trusted relationships.
Consortium blockchains are relatively more secure, given their limited exposure to external actors. Organizations must account for data changes within the network and their implications for internal operations. They must also pay attention to the consensus algorithm and ensure privacy protections are in place at the onset of adoption. This ensures only those you want to see the chain can access it. When transaction privacy is required, an organization must ensure the selected technology supports that requirement. These types of precautions are important where there are individual privacy implications, such as when providers are using blockchain technology to share and store personally identifiable information (PII). Privacy teams should be engaged to understand and address the implications of permanent data retention and global privacy legislation.
Understanding how data can be modified in a harmful way is important in every blockchain—especially in a consortium network where multiple access points exist. Threat modeling is one way security leaders can evaluate security concerns within blockchain deployments, as it identifies potential architectural and implementation weaknesses, defining what actions can mitigate the threats in the system. Proactive security testing is just as important as traditional infrastructure and application testing. Organizations need to assess, identify and mitigate vulnerabilities in the solutions they deploy.
Public Deployment
Public blockchains are exactly as they sound: public. Anyone with the algorithm (think of it like a key) can join and access the blockchain’s data. They are typically completely decentralized and more transparent. Public blockchains such as bitcoin and ethereum underpin a vibrant ecosystem that is increasingly garnering attention. Their independence from any nation-state or organization creates a mechanism for economic and social innovation. These public distributed ledgers allow people to engage in a global ecosystem in a trusted way, leveraging technology that is inherently trustless.
However, the public network comes with significant security risks that businesses must look out for. We’ve already seen these risks play out with the recent Sky Mavis breach, where hackers stole 173,600 in ethereum cryptocurrency and $25.5 million from the Ronin Network’s Axie Infinity game. We’re going to continue to see these breaches happen in different forms, such as the 51% attack rule, vulnerable smart contracts and network congestion.
In addition to traditional infrastructure and application risks, these are just a few of the risks that organizations must consider when interacting with public blockchain networks and monitoring for breaches. As with other deployment models, leaders should ensure their teams have sufficient education and acumen in blockchain technology to assess their risk through tactics such as threat modeling and security testing.
Blockchain is an inevitable part of the technology landscape. It’s one of the biggest technological advancements of the last decade, with even the White House committing to exploring its benefits at a national level. The risks associated with implementing blockchains vary based on the use case and associated deployment model, but the benefits of blockchain outweigh its security risks when managed correctly.
While many aspects of building on top of this technology mirror traditional solutions development, the nuances of using a trustless and distributed data plane require thoughtful consideration. Technology and cybersecurity teams need to understand these architectural nuances as they look to support and defend them. Outside of the technology frame of reference, some models also have privacy and regulatory implications. Once leaders and their teams digest and understand the risks they need to solve, they’ll be empowered to advance their strategies within the ecosystem and unlock the full potential of blockchains.