//////////////////////////////////////////////////////////////////////////
Historical records, pictures, complex indexes
and other large datasets are not good for
blockchain technology. This is one of the
problems everyone needs to understand.
Think of a blockchain implementation like
old school peer-to-peer network technology
from Napster, LimeWire, or BearShare. Each
node contains a database of all records
and any new entries need to propagate to
all other nodes for validity. While a peer-to-
peer network queries its peers for entries,
blockchain actually contains a duplicate of
all entries compared to its peers. This means
tampering with one node does not invalidate
the entire blockchain; it means that an entry
has to be properly validated (via work in the
case of bitcoins) to be accepted as a ledger
entry and propagated to other nodes. This is
where security comes into play.
Entries into the blockchain ledger needed
to be validated for fraudulent activity and
more importantly, the hosts containing
blockchain implementations secured against
vulnerabilities and privileged attacks that
could compromise or tamper with blockchain
insertions. Blockchain implementations
can have nodes that are explicitly trusted
(commercial implementations) or out in
the wild (like bitcoin) where the ledger
could by anywhere at any time. To that
end, there is no concept of blockchain
ledger modifications (entry deletion or
modification). This is key to protecting
the integrity of the data. Once an entry
is accepted, it is permanent. Therefore, if
you can attack the server, application and
ledger processes, you can tamper with the
blockchain. This is how some of the recent
cryptocurrency attacks have been occurring.
The server and application have been the
target, not the blockchain directly.
Blockchain implementations are only as
secure as the applications that use them.
Poor security controls for inserting data in
the ledger will lead to tampering. In the
case of bitcoins, beyond a 51% ownership
of all bitcoin servers, the servers themselves
validate mining via work. These are
mathematical computations that prove an
insertion needs to be made and also proves
who owns the bitcoin (mining).
The actual allocation of bitcoins is a
more complex topic out of scope for this
discussion. In either case, since they are
distributed and verified by other servers,
www.intelligentcio.com
FEATURE: BLOCKCHAIN
• New entries into the blockchain should be
secured with dynamic privileges and only
valid for one time usage. This can be done
with privileged password access solutions
and keys or passwords using an API. An
insecure insertion path into the blockchain
can lead to devastating results.
• Reads from the blockchain should be
secured in a similar fashion to ensure the
retrieval is not tampered with (like a man
in the middle attack) before processing by
the application.
Morey Haber, Vice President of Technology,
Office of the CTO, BeyondTrust
tampering is very difficult, if not near
impossible, before an entry is made.
Other cryptocurrency and blockchain
implementations are currently nowhere
near as secure for many reasons.
Securing blockchain
So how do we secure blockchain
implementations? We begin with cybersecurity
basic hygiene since the ledger operates on a
computer just like any other application:
• Privileged access management to
ensure all privileged access to the host is
monitored and properly delegated.
• Vulnerability management to secure the
host and applications from tampering
that could lead to inappropriate read or
write blockchain ledger entries.
• Patch management for prompt
remediation, mitigation, or hardening to
minimise risks.
Once the basics are covered, we need to
consider the unique characteristics of a
blockchain and protect them:
Since modifications and deletions of
blockchain records are not permitted, all
entries must be 100% valid or the entire
model (ledger) could be compromised. Think
of blockchains as just another application
for data storage. It has limited data storage
capabilities, is not very fast, but is designed
to be highly distributed and 100% reliable.
If your application or host can be tampered
with, so can your blockchain. The goal;
securing both during their design and
implementation so this can never occur.
Sample blockchain implementation
To begin securing a blockchain, architects and
security professionals must assume that the
logic of the application approved an entry
into the blockchain. This is dependent on the
application using the blockchain and could be
anything from bitcoins to a manufacturing
or shipping application. Remember, once an
entry is made, it cannot be deleted, modified,
or suppressed; just linked with a new entry.
This makes blockchains suitable only for ‘new’
information and not for any historical or
complex data sets. Thus, all entries must be
100% valid by the business logic and be ‘short
and sweet’ – think very small data records.
The question then turns to ways of securing
that entry so that no malicious activity can
HOPEFULLY YOU HAVE NOT REALISED
TOO LATE THAT THEY ACTUALLY HAVE
A LIMITED PLACE IN BUSINESS AND
NEED TO BE SECURED JUST LIKE ANY
OTHER APPLICATION
INTELLIGENTCIO
61