Blockchain Assessments

While blockchain is very efficient for transactions, there are concerns about the security of transactions that rely on blockchain distributed ledger technology. Vulnerabilities also exist in smart contracts built on blockchain-based technologies. Blockchain-based distributed ledger technologies can be hacked like any other IT platform or protocol. If someone chooses to save their private keys on an Internet-connected device, those keys can be stolen. Once private keys are stolen, it does not matter to hackers how secure the blockchain architecture and encryption features are. Incidents like this have occurred in the past, for example the Ethereum attack in June 2016, in which US $150 million was lost.

Nodes of a blockchain can be infected by malware like any other IT system. This has been proven through POC software demonstrated by Interpol at Black Hat Asia in March 2015. This POC software was morphed into malware that circumvented the blockchain node and introduced data unrelated to transactions into the blockchain. Researchers have also demonstrated that botnets have the ability to send messages utilizing the nodes in the network. Fujacks Trojan, a botnet backdoor, has successfully proven that it can remotely control infected computers that are nodes in a blockchain, collect information, and install other malware or tools into the nodes of a blockchain.

Securing keys. Banks have concerns about transactions’ confidentiality, securing private keys and the strength of cryptographic algorithms used in blockchain-based transactions.

A blockchain-based smart contract is visible to all users of that blockchain. However, this leads to a situation where bugs, including security holes, are visible to all yet may not be quickly fixed. Issues in Ethereum smart contracts, in particular, include ambiguities and easy-but-insecure constructs in its contract language Solidity, compiler bugs, Ethereum Virtual Machine bugs, attacks on the blockchain network, the immutability of bugs, and the fact that there is no central source documenting known vulnerabilities, attacks and problematic constructs.

Need

As blockchain technology continues to both positively and negatively disrupt global industries, we must be diligent about the security implications. As we’ve seen, cybercriminals will find creative ways to reach their goals. Although the blockchain has been well researched and answers many questions regarding decentralized trust, it does not address the security of users or the applications that connect to its network. Attackers have used old techniques in new ways with success, such as dictionary attacks against private keys. Even traditional phishing attacks can work to gain access to wallets or computer resources. To provide assurance for blockchain distributed ledger implementations, we need cybersecurity assessments.

Bottom line:

As industries research and implement their own blockchain distributed ledgers, we can expect cybercriminals to deploy a combination of known and as yet unknown techniques to compromise them. Without a clear understanding of where the risks are, you may place undue trust in your blockchain implementations. As we’ve seen, mistakes are easy to make. Users are even harder to control and can negatively contribute to the risk. We need to learn from recent events to make better decisions for securing our technologies for tomorrow. It is therefore important for us to have an appropriate governance model for implementing and monitoring the blockchain deployment.

Given the high-profile nature of cyber-attacks on blockchain deployments, both the demand for information related to cybersecurity—and the need to facilitate robust conversations on these topics—have grown exponentially across major stakeholder groups. Board members: Boards of directors need information about the entity’s cybersecurity program and the cyber threats facing the entity to help the boards fulfill their oversight responsibilities. They also want information that will help them evaluate the entity’s effectiveness in managing cybersecurity risks.

Why Accedere for Blockchain Risks

Accedere’s focus is on cybersecurity-related services. Our team includes members certified as CPA, CISSP, CISA, CISM, CRISC, CGEIT, ISO27001LA, etc., who have several years of relevant experience to manage such projects.

We conduct our assurance engagements against established standards used by auditors to assess the internal controls of a blockchain distributed ledger deployment. The control objectives and criteria vary based on the scope of the engagement and client operations. The relationship between the organization deploying the blockchain and the purpose it serves must be viewed to help determine the controls that should be included in the engagement. Hence our engagements are usually risk-based. In addition, the impact of the blockchain distributed ledger technology adopted in financial areas on the organization's financial statements will also be the determining factor as to whether the required controls are covered in the scope of the engagement.