By Ted Harrington
As leaders around the globe investigate how to leverage the benefits of blockchain technologies, security is often a primary concern. They may be aware of the many security benefits inherent in a blockchain, such as cryptography, immutability and decentralization. But questions remain, such as: what is the best approach to blockchain as a technical problem? How are attackers compromising blockchain technologies? Given its inherent security qualities, how would an attacker even compromise a blockchain?
Leaders today must challenge conventional wisdom and think differently, in order to achieve the highest possible security in the context of blockchain. Here are three key considerations, each with a series of insights based on security research and other data, to empower leaders to act on these challenges.
1. Security is not just a technical problem, it is a leadership problem
Most organizations today do not recognize cybersecurity as the core leadership discipline that it is. Take, for example, the informal investigation by security journalist Brian Krebs. His study, researching the leadership webpages of the 100 largest companies in the world by market value, found that only 5% listed any sort of cybersecurity leader. This vividly demonstrates that most companies do not consider cybersecurity to be a key component of the overall business leadership team.
It also echoes one of the key findings of a two-year study recently published on healthcare security, where one of the major structural flaws was that “decision-makers at healthcare facilities have little insight or control over the security practices”. These examples demonstrate a powerful measure of what many of us in the security industry already know to be true: too many leaders consider security to be a technical issue rather than a leadership issue.
However, the markets have spoken, and industries around the world are starting to consider security as the core leadership issue that it is. In the fallout of the infamous Target breach, both the Chief Executive and the Chief Information Officer were fired. The Director of the US Government Office of Personnel Management (OPM) was forced to resign when her agency suffered a catastrophic breach, as was the Co-chairman of Sony Pictures Entertainment after their infamous breach.
What all of these have in common is that these leaders – in both the public and private sectors – probably would not have considered cybersecurity to be core to their job responsibilities prior to the breaches. But the consensus across their respective organizations was that cybersecurity is the responsibility of the top levels of leadership; they were held accountable for failures in security.
What can leaders do about this?
⦁ Establish a security leadership position in your organization and ensure that they are empowered to take action where necessary. This leader needs to be able to effectively advocate for the security needs of the organization, particularly when security needs come into conflict with the functional needs of the organization.
⦁ Educate yourself on core secure design principles in order to be better informed when interacting with your designated security leader. This makes you more effective in stewarding this domain, for which you are ultimately responsible.
2. Exploitation is not just a result of attacker capabilities, but also of developer errors
With the advent of blockchain technologies, attackers have shown the ability to deploy new and exotic attack techniques that are only relevant in this context, such as a “51% attack” – the technique whereby an attacker gains control of more than half of the blockchain, and thus can achieve various malicious outcomes.
Headline news would have you believe that the major breaches we read about nearly every day are the result of extremely skilled attackers leveraging exotic, previously unknown vulnerabilities to pursue their devious ends. This may be true to a degree, but it is only a small part of the overall challenge.
Instead, leaders should recognize that the most common exploits result from failure to understand and sufficiently implement security measures that are known to be effective.
For example, the OWASP Top 10, a collection of vulnerabilities that “represents a broad consensus about the most critical security risks to web applications”, includes commonly occurring issues like injection attacks, broken authentication, security misconfiguration and more.
These are well-understood, well-documented issues that defenders have known about for many years; and yet they continue to plague organizations all over the world and make up the majority of the security vulnerabilities that leaders today should be aware of and concerned about.
What can leaders do about this?
⦁ Train your developers on security. They don’t need to become the next celebrity at the annual security conclave DEF CON; they just need to understand the core principles of security – particularly cryptography, given its core application to blockchain – and how to implement these principles in the solutions they are building.
⦁ Recognize that the security essentials matter just as much as – if not more than – the exotic novelties. This calls for an important leadership mindset shift because, unlike worrying about the unknown, you have a tremendous amount of control over assessing your own technology for the ways in which attackers of all skills might try to exploit common developer mistakes.
3. While attackers do compromise a blockchain itself, they more commonly exploit the configuration of the technology leveraging a blockchain
While attackers may try to – and in many cases, succeed in their efforts to – compromise a blockchain itself, attackers far more commonly try to compromise the deployment of the blockchain.
As previously noted, attackers know that human error can often result in exploitable vulnerabilities being unwittingly injected into the design and implementation of the overall system. Furthermore, attackers make cost-benefit analyses just like any other leader: they consider the effort required to attack something and the potential outcome that might result; then they go after those types of activities that will deliver the highest potential yield for the lowest effort investment.
Given the combination of these factors, attackers tend to focus more commonly on breaking the implementation, due to the high likelihood that a developer has inadvertently made errors in deployment.
Consider this analogous story: recently, a friend of mine suffered a break-in of his storage unit. He had it secured with a big, expensive padlock. That was a good decision because, just like it matters how well-built a blockchain is, it matters how well-built a padlock is.
However, the thieves actually didn’t bother with the lock, and weren’t deterred by how well-built the lock was. Instead, they simply broke the weakly installed latch hardware from the door itself. My friend had selected a robust lock, had it properly installed, but his security was violated because of how the system around it was built. This is why configuration of your blockchain deployment matters.
What can leaders do about this?
⦁ Build out your threat model to understand who your potential adversaries are; why they are interested in exploiting your system; what types of skill they have; and what types of resources they have.
⦁ Ensure your organization has the requisite security talent. You need the right specialists to help you pursue your security mission.
⦁ Partner with an independent, third-party security expert. Whether instead of, or in addition to, your own in-house talent, you need experts on your side who have an independent perspective, free from any political bias that may exist in the organization, and who spend all of their time studying how to defend against the adversary.
Where to start
Effective security leadership may be difficult, but it is achievable. As a leader, if you can break down the security challenge into its core components, you can then build out an action plan to address the root issues. Blockchain technologies are revolutionary in many ways, but the simple fact that blockchain is different need not require a wholly new security paradigm.
Instead, if you can understand the small subset of what is different, and remain vigilant about continuing to effectively address the core fundamentals, you can lead your organization to a bright future: one where you can take advantage of the many benefits that these technologies enable, without unnecessarily exposing your organization to undue risk.
This article has been written by Ted Harrington, Executive Partner, Independent Security Evaluators.