It’s clear from the Axie Infinity Ronin Network breach of 2020, the hack of the DeFi protocol Poly Network in August 2021, and, further back, the KuCoin attack of 2020 and the Binance security breach in 2019, that blockchain isn’t inherently secure.
This blog post shows how the blockchain and distributed ledger technology at large is not immune to two of the most basic areas of cybersecurity as well as how enterprises using blockchain technology should address them.
The hacks show us that simply moving the world to blockchain will not remove the risks associated with two areas of cybersecurity: first, end user behavior; and second, cybersecurity hygiene. As a 20-year practitioner, it’s frustrating to me that we continue to make the same mistakes as 20 years ago, just in a different programming language.
Blockchain Risk Area 1: End Users
First, systems are only as strong as their users. No matter how good the system is, any loss of information, compromise, virus, misunderstanding, or exploit of an end user or of their ‘key’ to your system WILL result in a compromise of their account.
Sometimes a backend risk system will catch a transaction that is unexpected and out of character for the user, but often entities simply rely on ‘insurance’ to pay back the user rather than interrupt their experience. Most financial institutions still will not accuse their users of being stupid or offer help to make an end-user computer system better. It’s better PR to just make them whole if they make a mistake or have a transaction go through that resulted from theft of their password. Good on Binance … they just made the users whole.
From a prevention standpoint, though, until there are more measures aimed directly at proving the intent and identity of the user, backed by backend detection, AI, behavioral analysis, signal detection, and instrumentation, incidents will continue to happen within blockchain infrastructures just as in any traditional system.
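To make the "backend risk system" idea concrete, here is an added example (written for this post, not Binance's or any exchange's actual code) of the kind of behavioral signals such a system scores a withdrawal against before letting it leave the platform: a destination address the user has never paid, an amount far outside the user's own baseline, and a burst of withdrawals in a short window. The user names, addresses, timestamps and amounts are constructed for the demo; the thresholds (three withdrawals per ten minutes, three standard deviations) are illustrative assumptions, not a recommendation.

```python
"""Toy backend risk scoring for withdrawal requests (added illustration, not any exchange's system)."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Withdrawal:
    user: str
    ts: int        # unix seconds
    amount: float  # in one asset unit
    dest: str      # destination address (constructed placeholder strings below)


@dataclass
class Profile:
    """Per-user baseline, learned only from withdrawals that were not held."""
    amounts: list = field(default_factory=list)
    dests: set = field(default_factory=set)
    recent_ts: list = field(default_factory=list)


class RiskEngine:
    def __init__(self, min_history=3, sigma=3.0, window=600, velocity_limit=3):
        self.min_history = min_history        # withdrawals needed before the amount baseline is trusted
        self.sigma = sigma                    # how far above the mean counts as anomalous
        self.window = window                  # seconds covered by the velocity check
        self.velocity_limit = velocity_limit  # max withdrawals tolerated inside the window
        self.profiles = defaultdict(Profile)

    def evaluate(self, w: Withdrawal):
        """Return (decision, reasons); decision is 'allow', 'review' or 'hold'."""
        p = self.profiles[w.user]
        reasons = []
        # Signal 1: funds leaving to an address this user has never used before.
        if w.dest not in p.dests:
            reasons.append("new_destination")
        # Signal 2: amount far above the user's own baseline. The 10% floor on the spread
        # stops a perfectly regular user (stddev 0) from tripping on every withdrawal.
        if len(p.amounts) >= self.min_history:
            mu, sd = mean(p.amounts), pstdev(p.amounts)
            if w.amount > mu + self.sigma * max(sd, 0.1 * mu):
                reasons.append("amount_anomaly")
        # Signal 3: burst of withdrawals inside the window (an account-draining pattern).
        recent = [t for t in p.recent_ts if w.ts - t <= self.window]
        if len(recent) + 1 > self.velocity_limit:
            reasons.append("velocity")
        if len(reasons) >= 2:
            return "hold", reasons    # stop it until the user re-proves identity and intent
        if reasons:
            return "review", reasons  # let it through but surface it to the risk team
        return "allow", reasons

    def commit(self, w: Withdrawal):
        """Fold a withdrawal into the baseline; only for withdrawals that went through."""
        p = self.profiles[w.user]
        p.amounts.append(w.amount)
        p.dests.add(w.dest)
        p.recent_ts = [t for t in p.recent_ts if w.ts - t <= self.window] + [w.ts]

    def process(self, w: Withdrawal):
        decision, reasons = self.evaluate(w)
        if decision != "hold":
            self.commit(w)  # held withdrawals never poison the baseline
        return decision, reasons


def run_demo():
    """Constructed sequence: a user's normal pattern, then a large payment to a new address, then a burst."""
    engine = RiskEngine()
    events = [
        Withdrawal("alice", 1_000, 0.50, "addrA"),    # first ever withdrawal: destination unknown
        Withdrawal("alice", 90_000, 0.40, "addrA"),
        Withdrawal("alice", 180_000, 0.55, "addrA"),
        Withdrawal("alice", 270_000, 0.45, "addrA"),
        Withdrawal("alice", 360_000, 40.0, "addrX"),  # ~80x baseline, to a never-seen address
        Withdrawal("alice", 360_100, 0.50, "addrA"),
        Withdrawal("alice", 360_200, 0.50, "addrA"),
        Withdrawal("alice", 360_300, 0.50, "addrA"),
        Withdrawal("alice", 360_400, 0.50, "addrA"),  # fourth withdrawal inside ten minutes
    ]
    return [engine.process(w) for w in events]


if __name__ == "__main__":
    for decision, reasons in run_demo():
        print(decision, reasons)
```

The design choice worth noting is that a held withdrawal is never folded into the user's baseline: if the engine learned from the very transaction it suspects, a thief who gets one large transfer through would have taught the system that large transfers to their address are normal. A real deployment would feed the same signals, plus device and session data, into the SIEM and behavior tooling discussed below rather than keeping them in an in-process dictionary.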
Blockchain Risk Area 2: Lack of Basic Cybersecurity Hygiene
Second, companies must stop skipping basic cybersecurity hygiene! I’m very happy to read that Binance had backend systems that noticed something, but I’m guessing that they do not have a comprehensive managed security provider aggregating their custom application and blockchain logs into a SIEM, behavior tool, systems instrumentation, etc.
I have not talked to Binance specifically, but I have tried reaching out to exchanges to ask about their cybersecurity abilities. Without fail I hear “We take care of all of that internally.” Unless these exchanges have all built a fully operational staff of cyber experts (hah!) these breaches will continue to happen.
Please do not believe that your expert developers understand cybersecurity like the actual cyber experts. 90% of a blockchain system has the same application risks as a traditional data center system. Don’t forget what we have learned from NIST, PCI, HIPAA, etc.
What we have learned over the years is that unless you have an effective build process, implementation process, operational process, and response process – you are very likely not fully prepared for the “one-way” nature of blockchain and its financial transactions. When things go wrong, they can go wrong catastrophically.
Get in Touch
If you run a crypto project or an exchange, I would love the opportunity to have my team run a short cybersecurity assessment on your environment and start to make some headway in improving architecture, monitoring, or response so that we can get your detection and response time to near zero. Get in touch with our team here.