Blockchain Security Vs. Standard Cybersecurity

Blockchain Security vs Standard Cyber Security

 

Both traditional computing environments and the blockchain have security considerations associated with them.  In many cases, the same attack is possible against both paradigms but the details of how to implement it vary. Here, we discuss how a few different attacks can be launched against traditional computing environments and the blockchain. If you are interested in learning more about Blockchain Security you can check out our Live Blockchain Security Class or  On-demand Blockchain Security Training

 

A Denial of Service attack is when an attacker makes it impossible for a system to serve its users as designed.  This can be accomplished by exploiting a flaw in the system but more commonly is accomplished by performing legitimate actions but at a rate higher than the target can handle.  To be effective, Denial of Service attacks typically focus on a system’s weakest link or bottleneck. In traditional environments, Denial of Service attacks target a company's webserver to prevent customers from accessing the company's services.  This can be accomplished by making more connection requests than the server is capable of supporting. In blockchain, a Denial of Service attack involves submitting more transactions to the blockchain than it can handle. Since many blockchains have fixed size blocks created at a fixed rate and are stored in a distributed fashion, they have a maximum capacity that a determined attacker can exceed, rendering the blockchain unusable.

Traditional infrastructure and blockchain environments also differ with regard to endpoint security.  In traditional cyber, endpoints are under the control of the enterprise and have some level of heterogeneity.  In blockchain, endpoints are the nodes and may be completely homogeneous. Heterogeneity can be dangerous because an attacker has more options for finding a vulnerability to exploit while homogeneity means that a flaw in one system in a flaw in all of the systems.

Both traditional and blockchain environments are vulnerable to attacks based on intentional misuse of the system.  In traditional cyber, insider attacks or intentional misuse of the system by clients are possible. In fact, a Denial of Service attack is a specific type of intentional misuse.  In blockchain, systems using Proof of Work incentivize miners to do something a lot but not too much. The main weakness of Proof of Work is that a blockchain becomes insecure if over half of the mining network's processing power is controlled by a single group.  Proof of Work incentivizes miners to control as much processing power as possible to win rewards but doesn't want them to become too successful.

Another way that traditional cyber and blockchain differ is in the level of trust in the code used in a company's applications.  In traditional cyber, the company writes most of the code and vulnerabilities can arise only from code that the company controls.  In blockchain, anyone can write a smart contract and a flaw in the smart contract or underlying platform code can have wide-reaching consequences.  The only hack to date against the Bitcoin network was enabled by an integer overflow vulnerability in the Bitcoin protocol. When exploited, an attacker was able to assign themself more Bitcoin than was ever intended to be created.  If the Bitcoin network didn't “break the rules” by modifying the historical ledger through a hard fork, Bitcoin would have become worthless. Anyone who wants to use Bitcoin has to accept the risks of hacks like this, they can't modify the code before including it in their application.

Finally, traditional infrastructure and the blockchain differ in their goals regarding data protection.  In traditional cyber, data is siloed and access is strictly controlled by the owners, placing responsibility for confidentiality, integrity, and availability in their hands.  In blockchain, data is distributed and the blockchain is relied upon to provide integrity and availability.


Leave a comment

Please note, comments must be approved before they are published