Securing the Chain, a new report from KPMG, looks at the issues raised by two recent incidents involving blockchain and the need for businesses to implement a robust security and risk framework - and a critical line of questioning – when using the technology.
It’s no secret that blockchain is a potential game changer in financial services and other industries. This is evident by the US$1bn investment in the technology last year alone and the increasingly diverse applications of it, from managing foreign exchange to the pork supply chain.
To date most organisations have focused squarely on “how” they can use blockchain for business. But as more blockchain solutions are implemented and cyber threats rapidly grow in number and sophistication, security and risk management can no longer take a backseat. In addition to “how”, the question then becomes: “Is blockchain secure for my business?”
There is a common misconception that blockchain is inherently secure because its principles are founded on cryptography and immutability (i.e. information can be permanently stored on a public ledger without being tampered with). But despite its strengths and promise, blockchain is not inherently secure, and even a small oversight can have a significant impact.
This has been illustrated in two recent high profile incidents where attackers have exploited security weaknesses within individual organizations while simultaneously using the fundamental strengths of blockchain technology.
The first involves The Decentralized Autonomous Organisation (DAO) where in June 2016, approximately US$50 million in assets was drained from a newly-formed digital venture capital fund due to an unintentional flaw in the codes. Ethereum, the blockchain technology that The DAO was built upon, was not compromised in any way. The vulnerability published showed that while the split function worked correctly, it allowed participants to call another split before the first split was finished. The attacker simply took advantage of the design and the knowledge that the blockchain technology itself actually works.
The second incident took place in August 2016 when the Hong Kong-based Bitfinex crypto currencies exchange suffered a breach in which almost 120,000 bitcoins were removed from customer accounts. Similar to the DAO example, the attack exploited security weaknesses within individual organizations and service providers, and while Bitfinex has not yet confirmed the cause, it is believed to relate to the multi-signature key management system the business had put in place to protect unauthorised transactions.
In both these examples it should be noted that the underlying foundation and architecture of the blockchain functioned as expected – it was vulnerability that was unintentionally built in to the processes around it that was exploited.
So how could these incidents have been avoided? Both underscore the need for a comprehensive view of risk. In each instance, many of the vulnerabilities and design flaws could have been addressed earlier, if there was discipline applied to identify, assess and mitigate risks during design or testing. There are lessons to be learned from these and other incidents, but also just as importantly are lessons learned from decades of security and risk management experience with other traditional and emerging technologies.
Potential issues include:
• Cryptographic key theft — an attacker with access to a private key can make fraudulent transactions, including fraudulent withdrawals.
• Consensus mechanism override — a group of attackers can achieve consensus on a transaction that is beneficial only to themselves.
• Anonymity — members of a public blockchain can hide their identity, making it difficult to find attackers, as in the case of the DAO hack.
• Poor implementation — inadequate testing creates vulnerabilities in the software code.
• Unauthorized access — inappropriate access to private keys or blockchain related software could be used to steal funds or information.
• Identity management — personally identifiable information may be stolen or a node impersonated to obtain access to a blockchain.
As a result of its work in this area and analysis of the case studies above, KPMG has constructed a security and risk management framework which helps provide an end-to-end approach to identify and respond to security threats and technology risks for a blockchain implementation. This framework was developed through the identification of leading practices across ten key dimensions that are applicable across a typical blockchain implementation lifecycle — from strategy and business case to operate and maintain.
While some dimensions within this framework such as data management and segregation are typically part of existing capabilities for Security and Risk departments, others such as consensus mechanism, chain permissions management, and cryptography, key management and tokenization, may be entirely new and will need to be considered for inclusion within existing frameworks and standards.
The power of blockchain to significantly disrupt and transform business models in financial services, healthcare and beyond is anticipated by many. Yet the excitement over this innovative technology and its promising potential should not be allowed to obscure the examination of possible threats and risks. As blockchain continues to build significant momentum and reality sets in, it is now time to apply a risk management lens.
For more information on KPMG’s report Securing the Chain go to kpmg.com/blockchain360 or contact KPMG Isle of Man at 01624681000
© 2019 KPMG LLC, an Isle of Man Limited Liability Company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.