What is Blockchain?

I’ve been working with a number of customers in recent weeks where Blockchain has been a central component of a broader ‘de-risking’ project. To better understand how to minimise risk, we first need to understand what blockchain is and its potential weaknesses.

Often described as distributed ledgers, blockchains are, in short, very clever open spreadsheets. Think of a Google Sheet where the editor has given access to you and everyone/anyone else. More than that, it’s not just one blockchain, but many, where each digital asset has its own blockchain. Now for the clever bit - the code that makes the spreadsheet actually work is encrypted (did you know that the ‘crypto' in cryptocurrency comes from this?). Now, anyone can look at a blockchain spreadsheet, but in order to make changes or edit it (for a transaction) you need to have the exact code or key, and you must be entering a change that makes sense in the context of what's gone before. So even though anyone can view blockchains, they are almost impossible to hack - although in recent times we’re hearing more about blockchain or crypto hacks (lots of them in fact, and most of the hacks involve gaining access to key codes, which are stored off the blockchain. More on that later).

Blockchain is a distributed, append-only record-keeping technology that secures all records and verifies transactions across a network. It relies on cryptographic techniques to ensure data integrity and transparency, making it tamper proof (more likely, tamper resistant). Each transaction is linked to the transaction that came before it, forming a chain of blocks and creating a transparent and trusted system without a central authority. In other words, cryptography is at the core of blockchain security. It ensures that data transmitted and stored on the blockchain remains confidential, authentic, and tamper proof (or resistant – whatever). There are lots of cryptographic techniques used in blockchain systems, and some of the most popular are:

  • Hashing Functions
  • Digital Signatures
  • Merkle Trees
  • Elliptic Curve Cryptography (ECC)
  • Consensus Mechanisms (such as Proof of Work, Proof of Stake and more) *

All of these are considered resistant to tampering. What does that mean though? For blockchain technology, tamper resistant means that once data is recorded, it becomes practically impossible to change or delete without detection, ensuring the integrity and security of the information stored on the distributed ledger.
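As an added illustration (not code from the original article), the following Python builds a toy chain in which each block's header commits to its transactions through a Merkle root and to the previous block through that block's hash, and shows why editing one recorded transaction is detected: the verifier reports the first block whose link, Merkle root or header hash no longer matches, and re-hashing the edited block only moves the break to the next link. All function names, the genesis placeholder and the sample transactions are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import List

GENESIS_PREV = "0" * 64  # constructed placeholder: the first block has no predecessor

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def merkle_root(transactions: List[str]) -> str:
    """Merkle root of a transaction list; an odd level duplicates its last leaf."""
    level = [sha256_hex(tx.encode()) for tx in transactions] or [sha256_hex(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256_hex((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]

@dataclass
class Block:
    index: int
    prev_hash: str           # hash of the previous block's header: the "chain" link
    transactions: List[str]
    merkle: str = ""         # commits to every transaction in this block
    hash: str = ""           # hash of this block's own header

    def header_hash(self) -> str:
        # All header fields are hashed together, so changing any of them changes the hash
        return sha256_hex(f"{self.index}|{self.prev_hash}|{self.merkle}".encode())

def build_chain(batches: List[List[str]]) -> List[Block]:
    """Seal each batch of transactions into a block linked to the one before it."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = Block(i, prev, list(txs), merkle_root(txs))
        block.hash = block.header_hash()
        chain.append(block)
        prev = block.hash
    return chain

def first_broken_block(chain: List[Block]) -> int:
    """Index of the first block whose link, Merkle root or header hash fails, else -1."""
    prev = GENESIS_PREV
    for block in chain:
        if (block.prev_hash != prev or merkle_root(block.transactions) != block.merkle
                or block.header_hash() != block.hash):
            return block.index
        prev = block.hash
    return -1
```

In a real network the same check runs on every node, which is why a tampered copy held by one party is rejected by the rest.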

Where has blockchain been adopted? The fact that blockchains make markets more transparent is a significant benefit for the technology, as everyone gets the same information at the same time. Many industry NEDs are saying that the most immediate areas for growth for blockchain are in functions that are linked to trading and cash markets. Connecting transactions recorded on a blockchain to those recorded off it has been the hiccup though. However, some clever people have been developing software that connects blockchains with external data and can transfer value from one blockchain to another, allowing these open but siloed networks to communicate with one another.

As is often the way though, innovation drives Threat Actors – they see it as a challenge. While blockchain offers promising advantages, it also presents a unique set of cybersecurity challenges. As a distributed ‘record book’ technology, blockchain has introduced a dramatic shift in how data is stored, verified, and transmitted. At its core are decentralisation, consensus mechanisms, and immutability. This makes it an attractive choice for various applications such as supply chain management, healthcare, finance, and more. Despite these numerous advantages, blockchain is not immune to cybersecurity risks. Why? The list of common cryptography techniques (as above*) used in blockchain is linked to some serious challenges:

51% attacks – when an attacker gains control of more than half of the network's computing power.

Smart contract vulnerabilities – these are self-executing pieces of code. Vulnerabilities in their design can lead to severe breaches. Look at what happened back in 2016 with the DAO Hack.

Private Key Management – Blockchain users must manage their private keys! Human error. Enough said on that one!

Sybil attacks – Multiple fake identities being created to gain control of a network.

Insider Threats - Individuals with authorised access abuse their privileges to compromise the blockchain system. This could happen within the development team if they were unhappy, or via a Trojan horse employee. Sounds almost impossible because people developing blockchain technologies are trusted, right? You’d hope so, but would you bet your mortgage on it? It happens.

DDoS attacks – Decentralised applications and blockchain nodes are susceptible to DDoS attacks.

Consensus protocol threats - Blockchains use consensus protocols to reach agreement among participants when adding a new block.

Breach of privacy and confidentiality - Sensitive and private data exposure.

Other vulnerabilities - Server security misconfigurations, broken access control, insufficient logging and monitoring, cross-site scripting, and outdated components and software.

What can we do to ensure that blockchain and its use remain secure?

  • To improve your blockchain security you need to provide education and training (that’s true of any new technology).
  • Public or Private or hybrid blockchain? One for your organisation to decide on.
  • Plan how to recover if things go wrong – blockchain depends on networks, yours and others, and on client software. All have long histories of compromises, security events and human error, so it’s a must to review these layers and plan how to recover when things go ‘oops!’.
  • You could ensure that you implement sensible ongoing cybersecurity assessments to mitigate risks, and provide continuous monitoring of new threats and incidents.
  • What’s secure today may not be tomorrow! Plan for critical events and evaluate your preparedness and incident response capabilities.
  • Better yet, talk to us!

NCC Group has the experience, and some of the industry’s best people, all at your service. Whether it be Blockchain Implementation Analysis, Access Control, Distributed Ledger Consensus, Node to Node communications, Transaction Processing, Cryptographic best practices, Analysis of the implementation of cryptographic primitives or, more broadly, External Attack Surface Management, Online Exposure Management, MXDR or DFIR, we have the people, the knowledge and the tools to help you.

To ensure you can operate 24/7 securely you first need to understand your own unique threat landscape. Risk touches everyone in your organisation. Office to office, network to network, from the basement to the Boardroom. Knowing when, where, and how vulnerabilities become risks can help you stay secure. Our Global Threat Intelligence team can help you decide how to invest and prepare in such a way that your cybersecurity needs are aligned to your organisation's risk profile.

  • Threats constantly evolve – we’ll help you cut through the noise to determine possible, probable and definite risks to your business.
  • Data you can do something with – respond appropriately to existing or emerging threats with actionable, expert guidance.
  • DON’T BE THE NEXT BIG HEADLINE – We take data from some of the worst cyber emergencies happening around the world, identify the indicators of concern and compromise (IoCs) involved and analyse the strategies Threat Actors are using – so you can avoid the same fate. The right responses to incidents as they unfold can mitigate their impact and position your organisation to actively change the attack course. It’s not just your organisation's name at risk. Half measures, or wrong moves during active threats, put everything and everyone on the line. You might lose assets and data; worse yet, you could find that Threat Actors have doxed your customers, team members and leaders. Ouch.

NCC Group – people powered, tech enabled cybersecurity.

Get in touch with me and I'd be happy to set up a meeting to discuss how we can help you.

Thanks for reading.
