1 D. Loesche, “The Biggest Crypto Heists”, Statista, 29 January 2018, https://www.statista.com/chart/12707/largest-known-crypto-currency-thefts/

Blockchain has arrived with a fanfare and hype rarely seen in the realm of information technology, most notably in the form of cryptocurrency applications such as Bitcoin. Often described in terms of absolute trust, anonymity and security, it is touted as a game-changer for businesses, governments and criminals alike. But as organisations rush to deploy applications based on blockchain technology, do the potential benefits outweigh the information risks?

BUSINESS TRANSACTIONSConducting business involves transacting with other parties, such as customers or suppliers. For centuries, each party to a transaction maintained a record in a book called a ledger. But a problem with this approach is that any disputes over the contents of the ledger can come down to one party’s word against the other. As a consequence, many transactions rely on intermediaries such as banks, who can help with disputes, but also add to the costs of transacting.

The centuries-old methods of performing transactions and recording them in ledgers have now become computerised using databases. In so doing, any issues from the manual systems have been replicated – and exacerbated – in the digital world. Intermediaries remain and there are more ledgers than ever.

The complex transactions that computers enable have their own issues. For example, criminals may hide fraud and evade justice by employing currency transfers between multiple participants and across international borders.

ENTER BLOCKCHAINBlockchain replaces the recording of transactions in multiple ledgers, by different parties, with a single distributed ‘blockchain’ ledger. Participants reach consensus that the contents of the ledger are valid and trustworthy: creating a single version of the truth.

Once a transaction appears in the blockchain ledger it forms an indelible record of a transacted asset’s ownership and is agreed by parties as a ‘done deal’. This enables blockchain to operate without the need for an intermediary.

BLOCKCHAIN BENEFITSBy removing intermediaries, blockchain can reduce transaction complexity and cost. It also claims to reduce the risk of tampering, cyber attack and centralised IT failures.

The potential benefits of blockchain are promised in areas such as supply chain, logistics, inventory and asset management. But the hype makes it difficult to weigh up blockchain’s advantages against its disadvantages, and assess whether there is sufficient net gain over existing and more mature technologies such as databases.

SECURITY ISSUES AND MITIGATIONWhile the more familiar manifestations of blockchain – such as cryptocurrencies – are based on public (permissionless) blockchains, private (permissioned) or federated blockchains are increasingly of interest to ISF Member organisations.

Understanding the potential security issues, and how they can be addressed, is vital for any organisation planning to use applications based on blockchain technology, especially considering the well-known breaches of blockchain related financial services1 – examples are illustrated in Figure 1.

Figure 1: Well-known blockchain breaches

Mt.Gox$480mlost

Coincheck$500mlost

20172014 2018

Parity Wallet$155mlost

This report helps those involved in blockchain deployment to: ‒ understand the main components of a blockchain network: participants, devices, applications and ledgers

‒ identify security issues associated with developing or using blockchain applications

‒ address security issues in a structured manner by determining security requirements, applying a secure systems development lifecycle (SDLC) and supporting live blockchain applications.

BLOCKCHAIN AND SECURITYSAFETY IN NUMBERS

Information Security Forum8 Blockchain and Security: Safety in numbers

PERFORMING A BLOCKCHAIN TRANSACTIONTransactions are key to blockchain and understanding them will help Members gain an overall picture of a blockchain network, its benefits and disadvantages. An example of the main stages of a blockchain transaction using cryptocurrency (e.g. Bitcoin) is presented in Figure 5. The same principles are applicable to transactions involving other assets.

Figure 5: Example of a blockchain application

Bob uses his blockchain app (wallet) to spend 500 in cryptocurrency for a purchase from Alice. His blockchain application creates a transaction request signed with his private key.

1

Bob’s transaction is broadcast to the blockchain network. The network validates his transaction to ensure he owns the 500. The transaction is packaged with other transactions into a block.

2

The nodes on the blockchain network compete to generate (mine) a digital fingerprint of the block, which is a complex mathematical calculation called a cryptographic hash. The validated block is then appended to the ledger. Each block contains the previous block’s hash, cryptographically chaining the blocks together.

3

The validated block is broadcast amongst participant nodes who confirm its validity and append it to their copy of the blockchain ledger.

4

The blockchain ledger now shows the transaction. Alice is now confirmed the owner of the 500.

5

500

500

Information Security Forum 19Blockchain and Security: Safety in numbers

5 ConclusionBlockchain, an approach to creating a distributed ledger, is potentially revolutionary. Much of the mainstream media attention around blockchain is centred on public (permissionless) implementations, particularly via cryptocurrencies, such as Bitcoin. However, many of the new commercial applications are likely to be private (permissioned) blockchain deployments, which may be limited in benefit as they do not take full advantage of the blockchain philosophy.

Blockchain introduces a relatively new concept based on trust in a distributed network of participants, some of whom may not be known. There is a fog of hype that surrounds this relatively immature technology, which can obscure both the value of blockchain applications and the associated risks.

Blockchain risks are particularly acute considering that its security is built on assumptions that the:

‒ content of the blockchain ledger is both immutable and irrefutable

‒ underlying cryptography is secure enough to last the life of a blockchain application

‒ consensus algorithms are robust.

As blockchain is put to different uses, it is vital to cut through the hype to understand its merits and disadvantages. After all, it may not always be the best solution to a problem; directories, databases and other types of data store still have value.

While there may be a commercial advantage from being at the forefront of adopting blockchain, prudent organisations should be aware that blockchain is immature and unforeseen security issues may emerge. Consequently, ISF Members should place a particularly strong emphasis on evaluating the risks of developing or using blockchain applications before trusting this innovative approach.

WHERE NEXT?The ISF encourages collaboration on its research and tools. ISF Members are invited to join the Technology community on ISF Live to share experiences and discuss practical and innovative approaches for developing and using secure blockchain applications.

REFERENCE: ISF 18 11 01 ©2018 Information Security Forum Limited. All rights reserved.

This is an excerpt from the ISF briefing paper Blockchain and Security: Safety in numbers. To purchase the full paper contact:Steve Durbin, Managing Director US: +1 (347) 767 6772UK: +44 (0)20 3289 5884UK Mobile: +44 (0)7785 953 800 steve.durbin@securityforum.org securityforum.org

Blockchain and Security: Safety in numbersNovember 2018

ABOUT THE ISFFounded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.

WARNINGThis document is confidential and is intended for the attention of and use by either organisations that are Members of the Information Security Forum (ISF) or by persons who have purchased it from the ISF direct. If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on info@securityforum.org. Any storage or use of this document by organisations which are not Members of the ISF or who have not validly acquired the report directly from the ISF is not permitted and strictly prohibited. This document has been produced with care and to the best of our ability. However, both the Information Security Forum and the Information Security Forum Limited accept no responsibility for any problems or incidents arising from its use.

CLASSIFICATIONRestricted to ISF Members, ISF Service Providers and non-Members who have acquired the report from the ISF.