Connect with us

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website. .

Top Stories

Blockchain Security—Moving Beyond the Hype

Blockchain Private Bank BitUN and Well-Known Exchange Bitrabbit Reached Strategic Cooperation

By Morey Haber, Chief Technology Officer, BeyondTrust

I am simply amazed at all the buzz around Bitcoin, Blockchain, and cryptocurrency. However, the truth is that blockchain has a limited place in business and needs to be secured just like any other application; with some twists.

The Why

Blockchains are not a database replacement, nor will future applications that utilize them.

They are a multi-node distributed ledger system that secures entries based on volume and verification. Natively, blockchain can only process a limited number of transactions per second and cannot store complex records or blobs—only ledger-style information that has a finite start date, like shipping information.

As such, historical records, pictures, complex indexes, and other large datasets are just not good for blockchain technology. This is one of the problems security teams need to understand. Think of a blockchain implementation like an old school peer to peer network technology from Napster or bearshare. Each node contains a database of all records and any new entries need to propagate to all other nodes for validity. While a peer-to-peer network queries its peers for entries, blockchain actually contains a duplicate of all entries compared to its peers. This means tampering with one node does not invalidate the entire blockchain. As a consequence, every entry has to be properly validated to be accepted as a ledger entry and propagated to other nodes.

Morey Haber, CTO, BeyondTrust

Morey Haber, CTO, BeyondTrust

This is where security is so critical. Entries into the blockchain ledger need to be validated for fraudulent activity, and more importantly, the hosts containing blockchain implementations need to be secured against vulnerabilities and privileged attacks that could compromise or tamper with blockchain insertions. There is no concept of blockchain ledger modifications—this is key to protect the integrity of the data. Once an entry is accepted, it is permanent. Therefore, if you can attack the server, application, and ledger processes, you can tamper with the blockchain. This is how some of the recent cryptocurrency attacks have been occurring.

To cite a recent example, on Monday, May 28th 2018, The Hacker News reported on a wicked vulnerability within the EOS Blockchain Platform. While the vulnerability is considered critical, and the method of exploitation fairly basic (a maliciously crafted file), the ramifications are truly astounding. After the vulnerable parser reads the file, it forces an exploit on the node which could then be leveraged against the supernode on the EOS platform. The supernode is responsible for collecting transaction information and packing it into blocks. Once the threat actor owns the supernode, he/she can modify or create malicious blocks that would control the entire EOS network. This includes everything the EOS Blockchain Platform has been implemented to perform—from cryptocurrency, supply chain management, to identity storage. Let this sink in—the uncrackable Blockchain (as it is advertised) can be owned by the fundamental technology designed to protect it; WASM files (smart contracts) and a simple file upload.

The How

So how do we secure blockchain implementations? We first start with cyber security basic hygiene:

  • Asset Inventory – Identifying and managing the lifecycle of all software, code, applications, nodes, and operating system used in the Blockchain.
  • Change Control – Ensuring changes to the operating system, application, and resources are documented and go through a formal change control process.
  • Configuration Management – The hardening and removal of default settings that are a liability for the operating system, application, or network.
  • Vulnerability Management – Ensuring that the operating system, application, web application, and source code are reviewed for vulnerabilities and risks are prioritized accordingly.
  • Log Management – Centrally managing and parsing log files from all resources in the environment including transaction logs.
  • Patch Management – Using a systematic and predictable methodology for deploying maintenance and security patches to all systems in the environment—from firmware to web applications and everything in between.
  • Identity and Access Management – The predicable workflow management of identities, roles, and entitlements for all users that have access to resources of the system.
  • Privileged Access Management – The management of all privileged access into the Blockchain environment—from operating system to web applications including password management, least privilege access, session management, keystroke logging, and application to application key and password management.

And now the twist:

  • New entries into the blockchain should be secured with dynamic privileges and only valid for one-time usage. This can be done with privileged password access solutions and keys or passwords using an API. An insecure insertion path into the blockchain can lead to devastating results.
  • Reads from the blockchain should be secured in a similar fashion to ensure the retrieval is not tampered with (like a man in the middle attack) before processing by the application.

Since modifications and deletions of blockchain records are not permitted, all entries must be 100% valid or the entire model (ledger) could be compromised. Think of blockchains as just another application for data storage. It has limited data storage capabilities, is not very fast, but is designed to be highly distributed and 100% reliable. If your application or host can be tampered with, so can you blockchain. The goal—securing both during their design and implementation so this can never occur.

 

Global Banking & Finance Review

 

Why waste money on news and opinions when you can access them for free?

Take advantage of our newsletter subscription and stay informed on the go!

By submitting this form, you are consenting to receive marketing emails from: Global Banking & Finance Review │ Banking │ Finance │ Technology. You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact

Recent Post