A quick dive into Bitcoins/Blockchain, security controls & more ...

It all started with the Peer-to-Peer Electronic Cash System" by Satoshi Nakamoto in 2008, it started with the word Bitcoin in his paper Titled “Bitcoin”.

Do you know most of the blockchain-inspired projects are just distributed ledger systems but not all of them are not blockchains truly by nature?

Like the cloud offering, most of the Blockchain solutions can be categorized into private, public(open r/w access to the database, identity is pseudonymous) ) & hybrid. Usually, public solutions like Bitcoins run permission-less mode, so the public user is free to mine to become a miner.

Two important Security Principles that Blockchain offers as a solution.

• Data Authentication & its verification backed with PKI ( Nonrepudiation, Integrity & Confidentiality )

• Smart Asset Management.

Originally bitcoin crypto-currency used Proof of work as its consensus mechanism.

Some of the most popular Blockchain frameworks are listed below.

• Hyperledger (Burrow, Fabric, Indy, Iroha & Sawtooth)

• Multichain

• Ethereum (custom-built, runs smart contracts)

• Quorum

• Stellar.

A note of caution, do not get too excited about bitcoins or the illegal trading options, read through by clicking on the link below the story of Ulbricht, founder of Silk Roads.

https://www.coindesk.com/company/silk-road

Security Control requirement for Blockchain.

C.1 Primarily to be focussed on Blockchain Permissions.

ü Consensus Mechanism used. Consensus algorithms are the heart of blockchains enabling network participants to agree on the contents of a blockchain in a distributed fashion.

The first consensus algorithm to work was Bitcoin’s Proof of Work (PoW) – SHA256 based.

1. Considerations for proof-of-work based blockchain instances

2. Blockchain Security Program Plan.

3. A responsible resource to Lead, appoint a Senior blockchain security officer.

4. Blockchain security resources & Security workforce - ensures that blockchain security resources are available for expenditure as planned.

5. Continuous Risk assessment Process – Leading to Plan of Action & Remediation process.

6. Master Inventory of Information system.

7. Security Measures to meet Performance values set without compromise on Security – Monitor & report function.

8. Up-to-date Architecture & Critical Infrastructure plan - Availability of key resources.

9. Risk Management strategies in use.

10. Testing, Training & Monitoring.

C.2 Blockchain Access Control

1. Blockchain Access Control Policy and Procedures

2. Blockchain Account Management

3. Blockchain Access Enforcement

4. Identification & Authentication

5. Least privilege enforcement

6. Information Flow Enforcement

7. Remote access policy

8. Access control for mobile devices

9. Use of external information systems

C.3 Awareness & Training

C.4 Audit and Accountability

C.5 Security assessment and authorization

C.6 Contingency planning

C.7 Incident response Plan

C.8 System Maintenance C.9 Physical and environmental protection

C.10 Risk assessment process

https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final

C.11 Blockchain Integrity policy & procedure - Flaw remediation, Malicious code protection, Security function verification.

D. Security Controls / Industry standards recommendation for components in

Blockchain ecosystem.

Recommended learning resources:

Vulnerability registry associated with Contracts

https://swcregistry.io/docs/SWC-107

https://swcregistry.io/

Bitcoin Brute Force tool for fun

https://github.com/Isaacdelly/Plutus

Sample devastating vulnerability with” withdraw function”, recursive call of withdraw function lead to a drain of the whole contract.

https://medium.com/coinmonks/protect-your-solidity-smart-contracts-from-reentrancy-attacks-9972c3af7c21

Smart Contract Vulnerabilities – Whitepaper by Daniel Perez

https://www.usenix.org/system/files/sec21summer_perez.pdf

References used in this blog article :

https://nvd.nist.gov/800-53/rev4

https://bitcoin.org/bitcoin.pdf

https://owasp.org/

Thank you