Over the last decade, blockchain security and how it affects cybersecurity has become a hot topic among the information technology and financial circuits. But as with all technology, one must ask how safe it is to use. The most common form of blockchain implementation is known as Bitcoin. Bitcoin has since become one of many cryptocurrencies to utilize blockchain as a method to securely exchange funds. This post will explore what blockchain is, why blockchain is secure, blockchain risks and security issues, and the importance of auditing for bitcoin and other cryptocurrency platforms.
What is Blockchain?
Blockchain is a permanent system of record that is constantly growing as transactions take place. As these transactions occur, they are maintained in a way that is secure, systematic, and unalterable.
So what exactly does that mean? This means that each transaction utilizing blockchain, such as a Bitcoin transaction, goes onto a running ledger or list. This list is maintained in such a way that is secured through encryption, systematically (which means the transactions are stored chronologically), and finally in a manner that cannot be manipulated so that the information captured through blockchain is reliable.
Currently, the most well-known implementation of blockchain is cryptocurrency, specifically Bitcoin. Bitcoin currently holds about 50% of the market cap. The next closest currency is Ethereum and a number of additional cryptocurrencies follow. While other types of blockchain implementations exist, Bitcoin and Ethereum by far are the most well-known forms.
How Secure is Blockchain? Is it Safe?
The simple answer is yes — blockchain is a secure method of creating a database of transactions such as the distribution of funds. The three main reasons are detailed below.
- Cryptography – The implementation of blockchain utilizes a type of encryption known as Elliptic Curve Digital Signature Algorithm (ECDSA). This type of cryptographic algorithm uses encryption to confirm that the transactions being processed are validated. For example, if the transaction is the distribution of funds, ECDSA creates a unique number, known as a private key, that must be verified by the corresponding public key. In ECDSA, the public key can be derived from the private key but not vice versa, making it extremely hard to hack. Private keys are meant to be secret so that transactions can be validated. Below is a diagram showing the ECDSA process. For a more technical explanation of ECDSA, readers can find more information on the NIST website.
Photo credit: https://www.1kosmos.com/blog/the-elliptic-curve-digital-signature-algorithm - Blockchain is decentralized – A set number of transactions make up a block within the chain. Transactions are spread among different blocks to enhance security.
- Consensus Model – A consensus model is a process where multiple participants work together to achieve the reliability of a network. To achieve a reliable network, at least 51% of the participants represented by an untrusted node (aka computer) must be honest to maintain a reliable network. Bitcoin follows a consensus model known as the Nakamoto Consensus. This consensus model differentiates itself from other models by implementing the use of what they call block selection. Block selection is the incentive to mine blocks as a successfully mined block rewards the miners with a set number of Bitcoin. This incentivizes users of the network to be reliable.
What are Blockchain Risks & Security Issues?
As noted above, blockchain is a secure method of creating a database of transactions, but that does not mean it does not come with risks.
The No. 1 risk and/or security issue to blockchain security is that the access to an individual’s private key is compromised. If someone’s private key is accessed by an untrusted individual, their transactions are no longer considered reliable as the encryption can be broken. To prevent this, controls should be in place to safeguard the private key used to protect an individual’s transaction. It’s important to remember that like most security measures, they are only as successful as their consistency and implementation. See the auditing section below for more information.
Risk No. 2 is knowing with 100% certainty that the transaction between two individuals who are represented by a private and public key are in fact who they represent as, and are not a fraudulent individual. Because of how blockchain is set up, through total anonymity, it is hard to say that the risk does not exist that the “person” on the other end may not be who you expect it to be. This can be particularly high risk as major funds or real-estate are being transferred using cryptocurrency
Finally, one other main blockchain security risk is the inherent risk that the proof of concept (i.e. Bitcoin) being supported by blockchain itself fails. As mentioned above, blockchain relies on a consensus model to operate. If for some reason the majority of participants were no longer invested in the success of the network, it would no longer be considered reliable. As a result, the integrity of transactions would be lost.
Auditing Blockchain & Bitcoin
There are a number of applications or platforms that provide some type of service related to bitcoin or other cryptocurrencies but, for example, if you are considering using a platform to launch an Initial Coin Offering (ICO), it may be a good idea to search for a company that has engaged a third party to perform a security audit, such as a SOC report. This will provide some assurance that controls are in place to protect their client’s private keys and/or wallets.
As mentioned above, the processes in place are only as secure as the controls that are in place to confirm that outsiders cannot access private keys.
When it comes to security, the key to success is that controls consistently function as intended. For example, if an organization uses an application that hosts your private key and they are supposed to protect their servers through patching every quarter, but for some reason do not, and a known vulnerability is exploited. In this situation, there is a risk that the platform can be accessed by an unauthorized individual and as a result, can hack sensitive information such as the private keys required for valid blockchain transactions.
Security reports for these companies will look at a number of other controls such as continuous monitoring for security vulnerabilities, workstation controls such as patching and antivirus, physical access controls, and the list goes on.
Finally, security reports should look to determine whether the controls identified operated over a defined period of time. This allows its readers to gain a level of assurance that the information being housed is secure.
Summary
Understanding the blockchain security, risks, and how auditing can assist in determining whether platforms that host blockchain implementations are secure, and can assist those individuals or companies who are interested in either investing or utilizing these services.
When it comes to blockchain security, it is important to realize that while it is a secure process, security relies heavily on those controls used to restrict access to the private keys which are the responsibility of the user.
Additionally, blockchain security can be assessed by a third party auditor. This can give those who are looking to use applications and platforms assurance that controls are in place without the need to do as much due diligence on their own.
For more information about auditing blockchain for security, please contact us, and also read our article, What is Cryptojacking and How to Protect Yourself.
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.