Blockchain technology is being touted as the Next Big Thing, seemingly capable of great feats of strength and perhaps even curing the common cold. But what exactly is it and how could it contribute to a security program? This session will describe how blockchain works, define its value proposition, and identify specific use cases where blockchain makes sense and some where it doesn't. Along the way, we will discuss similar capabilities and technologies that accomplish the objectives.
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
IDC - Blockchain Threat Model
1. Ins & Outs of Blockchain Security
Pete Lindstrom, VP Security Strategies
2. ▪ Blockchain technology is being touted as the
Next Big Thing, seemingly capable of great feats
of strength and perhaps even curing the
common cold. But what exactly is it and how
could it contribute to a security program? This
session will describe how blockchain works,
define its value proposition, and identify specific
use cases where blockchain makes sense and
some where it doesn't. Along the way, we will
discuss similar capabilities and technologies that
accomplish the objectives.
Ins and Outs of Blockchain Security
2
3. • Over 25 years in InfoSec, IT, Finance
• Tech Risk Pro performing reading, writing, ‘rithmetic on
risk and security matters
• Former Marine (Gulf War veteran), ‘Big Six’ IT Auditor
(PwC), Internal Auditor (GMAC Mortgage), Security
Architect & Director (Wyeth)
• BBA Finance, University of Notre Dame; reformed
CISA and CISSP
Pete Lindstrom
Vice President, Security Strategies
IT Executive Program, IDC
3
4. A blockchain is a collection
of event records that are
hashed and signed to link
them together.
What is a blockchain
4
20. • Nodes: listen, validate, work, offer blocks to
blockchain
• Aided by wallet/app and data store
• Protected by public/private keys
• Transactions: core records of assets to transfer
• Blocks: groups of transactions
• Blockchain: distributed ledger maintained by the
nodes
Key Blockchain Terms
20
21. 1. Event/transaction occurrence (incl. physical)
2. Event write to data store (data record)
3. Event report to blockchain nodes (tx creation)
4. Event broadcast to nodes
5. Block creation on nodes (tx aggregation)
6. Consensus protocol agreement (block validation)
7. Block propagation to blockchain nodes (block
distribution)
8. Event trigger (smart contracts)
9. Script execution and outcome
Blockchain Process
21
22. • Decentralized processing (sometimes
democratic)
• Transparency (at least within the environment)
• Immutability (can’t be changed – integrity)
• Resilience (hard to disrupt)
Common Blockchain Benefits
22
24. ▪ Soft forks are
changes that are
forward compatible so
old software (nodes)
can validate new
transactions.
▪ Hard forks are
changes that are not
forward compatible so
old software (nodes)
can not validate new
transactions.
Enter Soft and Hard Forks
OLD NEW
NEW OLD
https://bitcoin.stackexchange.com/questions/30817/what-is-a-soft-fork
24
26. • Proof of work - CPU
• Proof of stake - assets
• Proof of activity - transactions
• Proof of burn - sacrifice
• Proof of capacity – resource allocation
• Proof of elapsed time – traffic cop
• https://www.coindesk.com/short-guide-
blockchain-consensus-protocols/
Consensus Protocols
26
27. ▪ Public blockchains,
such as bitcoin and
many other crypto-
currencies, are
accessible by anyone
with the appropriate
technical resources.
• Private permissioned
blockchains have
access restrictions that
must be addressed
prior to gaining access
to the blockchain /
network.
Public vs. Private (Permissioned)
27
28. • Public / private key pair
• Wallet / data store / client-side program
• Nodes
• Transactions
• Blocks
• Hashes
• Distributed ledger (blockchain)
• Scripts [Executable code]
Blockchain APP Components
28
29. Blockchain is like a check register;
you still need to reconcile the bank
account.
Blockchain is like a system log; you
still need a registry / file system.
Key Analogies
29
30. Blockchain is an enabling
component of a distributed
application architecture
Key Takeaway
30
31. • 51% Attack – the Byzantine General’s Problem
• Double Spend Attack
• Finney Attack
• Sybil Attack
• Ponzi Attacks
• Known attacks
• Mt. Gox
• The DAO – Ethereum
• …and so on
Attacks against blockchain
31
36. ▪ Can an attacker interrogate a component of the Blockchain app and collect
data or content? (confidentiality)
▪ Can an attacker intercept the traffic between or among components of the
blockchain app? (confidentiality)
▪ Can an attacker modify the data or binary files of a component? (integrity)
▪ Can an attacker modify communications between or among two
components? (integrity)
▪ Can an attacker insert or inject inappropriate packets into a transmission
either directly or by impersonating the transmitting component of the
architecture? (integrity)
▪ Can an attacker corrupt a component or one of its key parts to render it
unusable? (availability, productivity)
▪ Can an attacker disrupt communications to render the system unusable?
(productivity)
▪ Can the components of the system be abused for other purposes?
(propriety)
Key Threat Model
36
37. ▪ Ensure control objectives for the components:
• Public / private key pair
• Wallet / data store / client-side program
• Nodes
• Transactions
• Blocks
• Hashes
• Distributed ledger (blockchain)
• Scripts [Executable code]
Reviewing the Components
37
38. 1. Event/transaction occurrence (incl. physical)
2. Event write to data store (data record)
3. Event report to blockchain nodes (tx creation)
4. Event broadcast to nodes
5. Block creation on nodes (tx aggregation)
6. Consensus protocol agreement (block validation)
7. Block propagation to blockchain nodes (block
distribution)
8. Event trigger (smart contracts)
9. Script execution and outcome
Review the Process
38
39. • How will you identify, validate, manage individual
nodes? (node lifecycle, incl. wallet apps, certs)
• How will you assess/update the current protection
level of individual nodes? (node security posture)
• Patch (ugh)
• App Control / Whitelisting
• Encryption (hash, sig, comm)
• How will you manage node roles/permissions
relative to the blockchain application? (node access
mgt)
• Creating transactions / types
• Validating other transactions
Key Control Questions
39
40. • Integrity of the data that ultimately ends up in
the blockchain
• Resilience of the blockchain (multiple nodes
with consensus creation and reconciliation
process)
• No single point of failure for the chain itself
• We get a lot of the “I” integrity, a bit of the “A”
availability and the “C” is likely to be moot in the
chain but crucial elsewhere
Blockchain Really DOES Help
40
41. • Verify the entire system
• Many traditional attacks and vulns still exist
• Validate the link between the asset and its
digital identity
• Build in an exception management process
• It’s a messy, complex, human world…
• This stuff is new…
• Blockchains are (sort of) immutable… mostly…
probably
Recommendations
41
42. • gathering the pertinent parties (“herding the cats”)
is challenging (e.g. due to geography, time, etc.)
• consensus is generally straightforward (disputes
are rare)
• there is consistent, simple logic
• The digital representation (hash) can be directly
tied to asset (preferably digital assets)
• The transactions are low frequency, high value
• The transactions are discrete - difficult to split or
join
Most likely to succeed, when…
42
44. 44
IDC is the premier global provider of market intelligence, advisory services, and events
for the information technology, telecommunications, and consumer technology
markets. IDC helps IT professionals, business executives, and the investment
community make fact-based decisions on technology purchases and business
strategy. More than 1,100 IDC analysts provide global, regional, and local expertise on
technology and industry opportunities and trends in over 110 countries worldwide. For
more than 50 years, IDC has provided strategic insights to help our clients achieve
their key business objectives. IDC is a subsidiary of IDG, the world's leading
technology media, research, and events company.
Terms of Use: Except as otherwise noted, the information enclosed is the intellectual
property of IDC, copyright 2016. Reproduction is forbidden unless authorized; contact
permissions@idc.com for information. All rights reserved.
