The enterprise-related blockchain security landscape has two layers of meaning: the enterprise blockchain security situation and the blockchain-related enterprise security situation. The former refers to the security posture of enterprises that have deployed blockchain applications. The latter refers to enterprises that have not deployed any blockchain applications but nonetheless face security threats that involve blockchains.
In terms of the enterprise blockchain security situation, blockchains were historically mainly public ones at the initial stage. Therefore, most vulnerabilities disclosed and security events detected are related to public blockchains. Consortium blockchains are still in their infancy, so research on their security is only tentative, which explains why so few vulnerabilities and security events related to them have been reported.
Technically, private, consortium, and public blockchains are basically the same in their architecture and technologies used. In this sense, for secure implementation of consortium blockchains, it is advisable to analyze known vulnerabilities in common blockchains, which will inform security controls for consortium blockchains. In addition, even if an enterprise does not deploy any blockchain applications, it should pay due attention to blockchain-related cybersecurity events.
This chapter first provides statistics about blockchain-related vulnerabilities, then discusses known enterprise security events, and ends with an analysis of the enterprise blockchain security situation.
As described previously, vulnerabilities in enterprise blockchain applications are relatively few. To be specific, the number of blockchain-related vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID in the National Vulnerability Database (NVD) is 408, most of which (401) were discovered by a security laboratory in 2018. Among these 401 vulnerabilities, the vast majority are high-severity integer overflow vulnerabilities in smart contracts. In the NVD, there is one vulnerability related to Hyperledger, namely a transaction and block signature verification bypass (CVE-2018-3756) in Hyperledger Iroha. The NVD has no vulnerability associated with Quorum or R3 Corda.
It should be noted that, although no vulnerability has been found in Hyperledger Fabric, Quorum, or R3 Corda, their runtime environments are not immune to vulnerabilities. For example, Hyperledger Fabric uses Go and Java as runtime environments for smart contracts. Vulnerabilities in the two languages, such as CVE-2016-3958 and CVE-2017-10388, may be exploited by attackers. Besides, Hyperledger Fabric uses Docker as the engine for isolated execution of smart contracts. Vulnerabilities in the Linux kernel and Docker, such as Dirty COW (CVE-2016-5195), could allow attackers to escape Docker containers.
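The integer overflow class that accounts for most of the 401 smart-contract CVEs above, shown as an added illustration in Go (the language the report names for Hyperledger Fabric chaincode). This is not code from the report or from any platform it mentions; Ledger, BatchTransferUnchecked and BatchTransferChecked are constructed stand-ins for a token contract's world state and transfer logic, not the Fabric shim API.

```go
package main

import (
	"errors"
	"math"
)

// Ledger is a constructed in-memory stand-in for chaincode world state (account -> balance).
type Ledger map[string]uint64

var ErrOverflow = errors.New("arithmetic overflow")
var ErrInsufficient = errors.New("insufficient balance")

// BatchTransferUnchecked shows the vulnerable pattern: amount*len(to) can wrap
// around, so an enormous amount passes the balance check with total == 0.
func BatchTransferUnchecked(l Ledger, from string, to []string, amount uint64) error {
	total := amount * uint64(len(to)) // silent wraparound
	if l[from] < total {
		return ErrInsufficient
	}
	l[from] -= total
	for _, r := range to {
		l[r] += amount // credits can wrap too
	}
	return nil
}

// BatchTransferChecked rejects arithmetic that would wrap and validates every
// credit before touching state, so a rejected call leaves the ledger intact.
func BatchTransferChecked(l Ledger, from string, to []string, amount uint64) error {
	n := uint64(len(to))
	if amount != 0 && n > math.MaxUint64/amount {
		return ErrOverflow // total would exceed 2^64-1
	}
	total := amount * n
	if l[from] < total {
		return ErrInsufficient
	}
	for _, r := range to {
		if amount > math.MaxUint64-l[r] {
			return ErrOverflow // recipient balance would wrap
		}
	}
	l[from] -= total
	for _, r := range to {
		l[r] += amount
	}
	return nil
}
```

With two recipients and an amount of 2^63, the unchecked version computes a total of 0, debits nothing and credits each recipient 2^63; the checked version refuses the call and leaves every balance unchanged.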
Security Events and Research Related to Enterprise Blockchains
In 2018, Gartner predicted that, by 2020, at least one disastrous vulnerability discovered would take down a major blockchain platform, incurring huge financial losses. At present, blockchain-related security events are mainly attacks on cryptocurrency exchanges for theft of cryptocurrency. Up to now, no security event has been reported to target enterprise blockchains. However, with more and more enterprises choosing to apply consortium blockchains or other blockchain technologies in various scenarios, we believe that more security events targeting enterprise blockchains will appear in the years to come.
For in-house security teams, security events in which attackers deliberately target blockchains to compromise the integrity and availability of information systems (or, more specifically, to make money directly from cryptocurrency) deserve more attention.
In a ransomware event, an organization, once attacked, usually has to pay a large ransom in cryptocurrency or another anonymous currency.
In a cryptojacking event, a hacker plants malicious code in a website so that visitors unknowingly contribute their computing power to cryptomining, indirectly earning profits for the attacker. This not only compromises the integrity of the web service but also consumes excessive electric power and computing resources, leaving users' computers working improperly.
According to The Cyber Threat to UK Business for 2018, nearly half of enterprises around the world had suffered cryptojacking attacks and nearly 50,000 websites had been infected with cryptojacking scripts. Compared with ransomware and other types of malware, cryptojacking is easier to conduct and has a higher return on investment (ROI), as it does not require compromising the target system to establish command and control (C&C); it only consumes victims' CPU cycles and electric power to compute hash functions for mining cryptocurrency. Thanks to its covertness and convenient profitability, cryptojacking has become the most popular cyberattack method in recent years.
Enterprise Blockchain Security Situation
The application of enterprise blockchains is still at an early stage. With wider adoption in the future, more vulnerabilities and related security events will be reported. It can be expected that most vulnerabilities, especially such common security issues as insecure functions and out-of-bounds access, will be linked to smart contracts. There will also be vulnerabilities that disrupt services or enable attackers to earn profits.
In blockchain-related security events targeting enterprises, ransomware and cryptojacking are major threats that have long plagued enterprises. The anonymity of cryptocurrency and the ease of cashing it in mean that these types of attacks will persist for a long time. Understandably, then, the rise and fall of cryptocurrency prices can to some extent drive the rise and fall of such attacks.
In a medium-to-long-term prediction, Gartner says that the poor scalability and interoperability of blockchains will be overcome by 2023 and envisages that the technology will unlock value in 2023.
With a predictable increase in enterprises' adoption of blockchain applications, security events targeting enterprise blockchains will probably become the new normal after 2023. For enterprises ready to deploy or having already deployed blockchain applications, how to build up situational awareness of their blockchain systems is an imperative problem they should address.
To be continued.