Blockchains are designed to be secure systems. But with cyberthreats on the increase, even the strongest blockchain may have some weak links.
Precisely because blockchain is designed to be secure, technology teams new to it tend to overlook its potential vulnerabilities.
Security issues on blockchain are the points at which the chain interacts with pre-existing software, ongoing business operations and individuals in charge of blockchain keys and permissions, a chief executive officer tells ThirtyK. “It’s the ‘endpoint vulnerability’ that’s the problem,” says Bonneau, whose firm is based in Winter Park, Fla. “Blockchain is being rapidly accepted because it is more secure, but when it is extended to legacy systems you have exposure” to threats.
Bonneau, who specializes in data security for medium-sized companies, is getting more queries from investors in blockchain-centric companies and those companies’ customers. They want to know about security protocols and how security is designed into a blockchain startup’s systems from the ground up. Complacency and a rush to market are the primary reasons why these blockchain companies haven’t designed a secure system, says Bonneau.
Staying Ahead of Hackers
There are ways to stay ahead of the bad guys.
One large digital security company, Carbon Black, says its algorithm acts as a quick-response “safety belt” that can snap to the defense when an attack appears imminent.
The company’s tool identifies the patterns that precede attacks and monitors customers’ systems for those patterns, a security strategist with the Waltham, Mass.–based Carbon Black tells ThirtyK. The tool can be developed for a variety of applications but is particularly relevant for blockchain because it can zoom in on the most vulnerable security points.
“Blockchain isn’t solving the endpoint security challenge,” he says. “Malware still gets at the endpoint.”
Attackers’ behavior can be anticipated, especially if ever-evolving algorithms reflect ever-evolving patterns of attack, says McElroy. “You can generate predictive algorithms … that you are ‘x’ likely to have an attack on an endpoint,” he says. “We operate on the premise that if you can record the right data, you can find the bad guys.”
McElroy explains that blockchain development companies and teams are increasingly aware that defensive security is essential because the reputations of their applications are entwined with the crystallizing reputation of blockchain itself.
Still, even the best forecasting tools can’t catch every breach, says Bonneau, though “catching up a minute later is far better than catching up days later.”
Weighing Risks Against Security Costs
Time-pressured startups that don’t have lots of capital sometimes balk at the resources required to lock down system weak spots, Bonneau says. Often they spend the minimum, hoping they will bolster their security as they grow. In the process they often overlook weak spots that become more critical as more customers come on board, she adds.
Bonneau says medium-sized companies and startups tend to listen to their accountants and lawyers – the traditional bearers of risk-analysis messages – about the broad ramifications of under-investing in endpoint security more than they do to security consultants. Accountants and lawyers often provide the wider context that leaders of start-up and fast-growing companies need to understand the ramifications of underestimating security weak points.
“The return on investment is bigger than the cost, but the cost still has to align with your current needs,” she says. “But everything is secure, until it isn’t.”