Recent blockchain incidents highlight the need for a new risk management framework, reports IT Advisory Manager Daniel Kniveton from KPMG Isle of Man
Anyone who has been following the progress of blockchain will be aware of the excitement the technology has aroused in some sectors as its potential to disrupt and transform business models has become clearer.
To date most organisations have focused on “how” the technology can be adapted for their business and fewer have actually questioned “Can I make it secure enough for my business?”
Although blockchain is often viewed as inherently secure due to its cryptographic properties, two recent high profile incidents have illustrated how security weaknesses around the implementation of the technology can be exploited
The first case involves The Decentralized Autonomous Organisation (DAO) where in June 2016, approximately US$50 million in assets was drained from a newly-formed digital venture capital fund due to an unintentional flaw in the codes. Ethereum, the blockchain technology that The DAO was built upon, was not compromised in any way. The vulnerability published showed that while the split function worked correctly, it allowed participants to call another split before the first split was finished. The attacker simply took advantage of the design and the knowledge that the blockchain technology itself actually works.
The second incident took place in August 2016 when the Hong Kong-based Bitfinex crypto currencies exchange suffered a breach in which almost 120,000 bitcoins were removed from customer accounts. Similar to the DAO example, the attack exploited security weaknesses within individual organizations and service providers, and it’s believed to relate to the multi-signature key management system the business had put in place to protect unauthorised transactions.
In both these examples the underlying foundation and architecture of the blockchain functioned as expected - it was vulnerability in the security around the blockchain that allowed the attackers to exploit it for their own gain.
Analysis of these incidents demonstrates the need for a disciplined approach to identify, assess and mitigate risks during design and testing. As a result of its work in this area, KPMG has constructed a new security and risk management framework which helps provide an end-to-end approach to identify and respond to security threats and technology risks for a blockchain implementation.
While some elements of this framework such as data management and segregation may be familiar, others such as consensus mechanism, chain permissions management, and cryptography, key management and tokenization, are new and require detailed assessment.
With US$1bn investment in the technology last year alone, and increasingly diverse applications, it’s clear blockchain has game-changing potential. It’s also clear that businesses that use it need to ensure it is secure and free from vulnerability.
For more information on KPMG’s report Securing the Chain go to kpmg.com/blockchain360.
© 2017 KPMG Limited, a Gibraltar Limited Liability Company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.