{"id":35713,"date":"2020-06-01T05:28:08","date_gmt":"2020-06-01T09:28:08","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?post_type=emagazine&#038;p=35713"},"modified":"2022-10-13T09:57:48","modified_gmt":"2022-10-13T13:57:48","slug":"blockchain-business-vulnerabilities","status":"publish","type":"emagazine","link":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/blockchain-business-vulnerabilities\/35713\/","title":{"rendered":"Blockchain security isn&#8217;t bullet-proof. Here&#8217;s how to not get hacked."},"content":{"rendered":"<p>According to a <a href=\"https:\/\/www.pwc.com\/gx\/en\/issues\/blockchain\/blockchain-in-business.html\" target=\"_blank\" rel=\"noopener nofollow\">PwC survey<\/a> of 600 business executives in 15 countries, 84 percent of respondents are actively involved with <a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/category\/blockchain\/\" target=\"_blank\" rel=\"noopener nofollow\">blockchain<\/a>. Blockchain is just one example of a <a href=\"https:\/\/www.bbva.com\/en\/difference-dlt-blockchain\/\" target=\"_blank\" rel=\"noopener nofollow\">distributed ledger technology (DLT)<\/a>, a digital system for recording transactions of assets (money or data) without a central data store or a central administrator.<\/p>\n<p>More companies are turning to DLTs like blockchain to streamline their business, improve data transparency and reduce operational costs. From <a href=\"https:\/\/searchcompliance.techtarget.com\/definition\/smart-contract\" target=\"_blank\" rel=\"noopener nofollow\">smart contracts<\/a> that automate payments to managing customer interactions, <a href=\"https:\/\/medium.com\/@AxelUnlimited\/5-ways-blockchain-technology-can-improve-your-business-e4b2e08ddba2\" target=\"_blank\" rel=\"noopener nofollow\">blockchain can improve how we do business<\/a>.<\/p>\n<p>But, as with any emerging technology, it brings new risks and vulnerabilities that can cause damage. 
We\u2019ll get into those, but first, an important distinction.<\/p>\n<h2>Public vs. private distributed ledgers<\/h2>\n<p>A public ledger is an open network that anyone can join and contribute to. Public ledgers work best for <a href=\"https:\/\/www.investopedia.com\/terms\/c\/cryptocurrency.asp\" target=\"_blank\" rel=\"noopener nofollow\">cryptocurrencies<\/a>, where pseudonymity and borderless transactions are the point. Then there are private, or enterprise, DLTs. These identify and authorize users and assign them roles. Data is encrypted, and only authorized users can operate on it. Read more about both <a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/blockchain-or-not-blockchain\/31625\/\" target=\"_blank\" rel=\"noopener nofollow\">here<\/a>.<\/p>\n<p>Let\u2019s explore private DLTs, which more companies are adopting for benefits ranging from faster workflows to authenticated data.<\/p>\n<blockquote><p>DLTs usher in a new security paradigm. But for business process automation, there are risks to quash.<\/p>\n<\/blockquote>\n<h2>Joint ventures on blockchain<\/h2>\n<p>DLTs suit joint ventures well, notably because they act as both a registry and a financial database for payments and transactions between partners, each logged and approved by all participants on the blockchain. It\u2019s a trusted, transparent system \u2013 everyone authorized has access to the data and knows how it\u2019s logged. Essential features are decentralization (for data transparency and trust), scalability (which allows new participants to join the network) and the use of smart contracts.<br>\n<img decoding=\"async\" class=\"aligncenter size-large wp-image-35715\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/06\/01052154\/blockchain_business_vulnerabilities_inline-1024x768.jpg\" alt=\"blockchain business vulnerabilities\" width=\"1024\" height=\"768\"><br>\nBut centralization can create a security risk. 
Blockchain data is trusted because it\u2019s distributed: the more independent nodes (those with access to the blockchain system, whether computer programs or authorized users) that must approve a transaction, the more you can trust the data. That\u2019s why deploying a blockchain within a single company or organization to secure data makes little sense: the \u201cconsensus\u201d comes from a sole authority, which is no consensus at all.<\/p>\n<h2>Why one of the most successful enterprise blockchain platforms isn\u2019t as secure as you think<\/h2>\n<p>One of the best-known enterprise-grade platforms, <a href=\"https:\/\/www.hyperledger.org\/projects\/fabric\" target=\"_blank\" rel=\"noopener nofollow\">Hyperledger Fabric<\/a>, reaches consensus through a permissioned voting scheme: a transaction must be endorsed by the members its endorsement policy names before it is committed. But how secure is it?<\/p>\n<p>Once the required majority of nodes has validated a transaction, the network reaches consensus and finality (a new block is appended to the ledger). Hyperledger Fabric also provides channels \u2013 isolated \u201csubnets\u201d for data exchange between specific network members. This is useful in industrial and manufacturing scenarios where a blockchain may include potential competitors: a channel keeps its data from being accessible to participants outside it.<\/p>\n<p>But the consensus mechanism can be misconfigured. This tends to happen at the design and deployment stages and is often discovered too late to fix easily, because for users everything appears to work. The effect is that the network no longer validates a transaction across the full set of participants it involves: even a transaction spanning many participants on several channels ends up endorsed only by the validators of a single channel, and that narrow set is what confirms its addition to the ledger.<\/p>\n<h2>Beware of blockchain after a cyberattack<\/h2>\n<p>Beware hacked user accounts. During a cyberattack, data can be tampered with before it is submitted to the blockchain. 
For example, suppose a user\u2019s account is compromised while they are approving commercial purchase agreements in a joint venture, agreements that a smart contract then executes. With access to the agreement, the attacker can alter the supplier\u2019s bank account number and the amount before it is approved. The \u201ccorrect\u201d agreement, as the ledger sees it, then triggers the smart contract, and some or all of the money goes to the attacker.<\/p>\n<p>Because of blockchain\u2019s inherent immutability (records can\u2019t be changed once committed), fixing the incorrect data is very difficult and expensive. Worse, if the bad data feeds into smart contracts, the problem snowballs. In the purchase-agreement example, correcting the transaction means reconciling the payment, and that isn\u2019t simple.<\/p>\n<p>The participants can try to stop and reverse the bank transfer, but the blockchain can\u2019t undo its immutable record. It will go on showing that a certain company (a blockchain participant) has paid while the supplier has not received the funds. It\u2019s a double loss: the companies spent a fortune on the blockchain solution, then had their money stolen.<\/p>\n<h2>Blockchain risks for large enterprises and corporate groups<\/h2>\n<p>Similar blockchain technologies are used for transactions between banks or groups of banks. As the technologies are the same, so are the vulnerabilities. 
This opens up wide opportunities for an attacker: having attacked one bank successfully, they are likely to repeat the same attack faster and more reliably against another member of the group.<\/p>\n<p>If a single vulnerability in a single participant is exploited on the blockchain, every other participant on the same system is at risk, up to a mass leak of sensitive financial or personal data across the whole group.<\/p>\n<h2>Blockchain can cause a bottleneck<\/h2>\n<p>Blockchain is designed for transactions, so it works well for trading and integrates with financial systems to support the supply of goods, automated pricing and the execution of financial transactions through smart contracts.<\/p>\n<p>That runs smoothly in good times. But blockchain can also become a bottleneck. Many transactions are processed at once, which a good platform should handle rapidly. If the system can\u2019t handle the load, it can fail.<\/p>\n<h2>Getting blockchain right for your business<\/h2>\n<p>There\u2019s no \u201cone size fits all\u201d with blockchain. Right now, given how immature DLTs still are, it\u2019s difficult to know how well any individual solution will perform. It\u2019s unlikely we\u2019ll soon see a solution that works perfectly straight out of the box. You\u2019ll need to invest in customization to create the right process for your business needs.<\/p>\n<p>These steps can help you plan a best-fit blockchain strategy.<\/p>\n<h2>The right tools for the job<\/h2>\n<p>Consider the process you want blockchain to automate. It should be recurring, involve many parties, and it shouldn\u2019t include data that needs to be modified or deleted. If it doesn\u2019t fit these criteria, blockchain and DLT aren\u2019t the right tech.<\/p>\n<h2>Start the journey with small steps<\/h2>\n<p>So you decide to launch on blockchain. Like any other big IT project, plan the rollout in stages so you can test and fine-tune. 
Keep in mind that DLT is most powerful when handling large-scale processes. You may not see immediate cost savings from a solution for one department, even if it works smoothly, but you can start small to test how it works. Then take the next step \u2013 scale to the counterparties that work with that department. Then grow further by adding external suppliers.<\/p>\n<h2>Even with blockchain, you still need to pay attention to cybersecurity<\/h2>\n<p>Blockchain is more secure than many other enterprise data solutions, but it\u2019s not bullet-proof against cyberattacks. You\u2019ll need an endpoint security solution on every corporate device that accesses the blockchain, and the deployment should be assessed by a third-party cybersecurity provider.<\/p>\n<p><a href=\"https:\/\/media.kaspersky.com\/en\/business-security\/case-studies\/tael-blockchain-smart-contract-audit-case-study.pdf\" target=\"_blank\" rel=\"noopener nofollow\">Audit your smart contracts<\/a>. A vulnerable or inconsistent contract can lead to an expensive problem down the line.<\/p>\n<p>By deploying blockchain, you\u2019re establishing new IT infrastructure in your organization. A vulnerability in it could lead to an attack on, and penetration of, your corporate network. So the new software and servers need protecting. Always use firewalls and install server security tools to run scans, encrypt data and keep licenses renewed. Finally, run a penetration test to reveal weak spots.<\/p>\n<p>All parties in your blockchain must apply the same level of security. Agree on common security policies with the participants; it may be tricky given their differing security practices, but without it your data and systems are at risk.<\/p>\n<p>There\u2019s no doubt blockchain will change how companies collaborate for the better. But as with most new technologies, pay attention to how best to protect your data.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Blockchain offers a safer, more transparent way to handle your business data. 
But what security challenges do you need to overcome?<\/p>\n","protected":false},"author":2601,"featured_media":35714,"template":"","coauthors":[3821],"class_list":{"0":"post-35713","1":"emagazine","2":"type-emagazine","3":"status-publish","4":"has-post-thumbnail","6":"emagazine-category-blockchain","7":"emagazine-category-internet-of-things","8":"emagazine-tag-blockchain","9":"emagazine-tag-cyber-threats","10":"emagazine-tag-dlt"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/blockchain-business-vulnerabilities\/35713\/"}],"acf":[],"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine\/35713","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/emagazine"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2601"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/35714"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=35713"}],"wp:term":[{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/coauthors?post=35713"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
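The two failure modes the article describes (a compromised approver pushing a tampered purchase agreement, and a consensus configuration so weak that a single channel's validator suffices), together with its point that a bad record can only be compensated and never edited, can be demonstrated with a toy permissioned ledger. The Python below is an added example written for this edit; it is not code from the article or from Hyperledger Fabric. The N-of-M endorsement policy, the HMAC-based stand-in for endorser signatures, the endorser names and the account identifiers are all assumptions for illustration.

```python
import hashlib
import hmac
import json

# Constructed endorser secrets (assumption for this example). A real permissioned
# ledger verifies per-organization certificates and signatures; HMAC stands in
# for a signature here so the block runs offline.
ENDORSER_KEYS = {
    "buyer": b"buyer-org-secret",
    "supplier": b"supplier-org-secret",
    "auditor": b"auditor-org-secret",
}
GENESIS = "0" * 64


def canonical(tx: dict) -> bytes:
    """Deterministic encoding so every endorser signs the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def endorse(tx: dict, endorser: str) -> str:
    """An endorser 'signs' the canonical transaction with its own key."""
    return hmac.new(ENDORSER_KEYS[endorser], canonical(tx), hashlib.sha256).hexdigest()


def valid_endorsers(tx: dict, endorsements: dict) -> set:
    """Return the set of endorsers whose signature actually verifies for tx."""
    return {
        name for name, sig in endorsements.items()
        if name in ENDORSER_KEYS and hmac.compare_digest(sig, endorse(tx, name))
    }


class PolicyError(Exception):
    pass


class Ledger:
    """Append-only hash chain guarded by an N-of-M endorsement policy."""

    def __init__(self, required: int):
        self.required = required  # distinct valid endorsers needed per commit
        self.blocks = []

    def commit(self, tx: dict, endorsements: dict) -> str:
        ok = valid_endorsers(tx, endorsements)
        if len(ok) < self.required:
            raise PolicyError(f"only {sorted(ok)} endorsed; need {self.required}")
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        digest = hashlib.sha256(prev.encode() + canonical(tx)).hexdigest()
        self.blocks.append({"tx": dict(tx), "prev": prev, "hash": digest})
        return digest

    def verify_chain(self) -> bool:
        """Recompute every link; an edited block breaks the chain from there on."""
        prev = GENESIS
        for b in self.blocks:
            expect = hashlib.sha256(prev.encode() + canonical(b["tx"])).hexdigest()
            if b["prev"] != prev or b["hash"] != expect:
                return False
            prev = b["hash"]
        return True

    def net_received(self, iban: str) -> int:
        """Sum of committed payments to an account (reversals are negative)."""
        return sum(b["tx"]["amount"] for b in self.blocks if b["tx"]["to_iban"] == iban)


def run_scenario() -> dict:
    agreed = {"type": "payment", "to_iban": "SUPPLIER-IBAN", "amount": 100_000}
    # Attacker controls the buyer's account and rewrites the payee; the supplier
    # key is not compromised, so that endorsement has to be forged.
    tampered = {"type": "payment", "to_iban": "ATTACKER-IBAN", "amount": 100_000}
    forged = {"buyer": endorse(tampered, "buyer"), "supplier": "00" * 32}

    strict = Ledger(required=2)  # the buyer alone cannot commit
    strict.commit(agreed, {n: endorse(agreed, n) for n in ENDORSER_KEYS})
    try:
        strict.commit(tampered, forged)
        strict_rejected = False
    except PolicyError:
        strict_rejected = True

    weak = Ledger(required=1)  # misconfigured: one channel's lone validator suffices
    weak.commit(tampered, forged)
    weak_accepted = weak.blocks[0]["tx"] == tampered

    # Fixing the record in place is exactly what the chain forbids.
    snapshot = json.loads(json.dumps(weak.blocks))
    weak.blocks[0]["tx"]["to_iban"] = "SUPPLIER-IBAN"
    edit_detected = not weak.verify_chain()
    weak.blocks = snapshot

    # The only sound correction is a compensating entry, properly endorsed.
    reversal = {"type": "reversal", "to_iban": "ATTACKER-IBAN", "amount": -100_000}
    weak.commit(reversal, {n: endorse(reversal, n) for n in ENDORSER_KEYS})

    return {
        "strict_rejected": strict_rejected,
        "weak_accepted": weak_accepted,
        "edit_in_place_detected": edit_detected,
        "chain_valid_after_compensation": weak.verify_chain(),
        "attacker_net": weak.net_received("ATTACKER-IBAN"),
        "blocks_on_weak_ledger": len(weak.blocks),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Under the strict policy the tampered agreement never reaches the ledger, because one stolen approver key cannot produce two independent endorsements. Under the single-endorser policy it is committed, and the only way to undo it that keeps the chain verifiable is a second, properly endorsed reversal: the original record stays, which is the reconciliation problem the article describes.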