Blockchain implementation: Top security risks for the enterprise

At RSA 2019, Charles Henderson of IBM X-Force Red explained the cybersecurity challenges involved in bringing blockchain to the enterprise.

At RSA 2019, TechRepublic Senior Editor Alison DeNisco Rayome spoke with IBM X-Force Red's Charles Henderson about the cybersecurity challenges involved in bringing blockchain to the enterprise. The following is an edited transcript.

Alison DeNisco Rayome: We know that blockchain has been a major buzzword for enterprises over the last couple of years, and now we're finally starting to see businesses move from just talking about it to some actual implementations, but I know that you guys found that only 30% of a blockchain implementation actually involves blockchain technology. Can you tell me a little bit more about that, and what you found?

Charles Henderson: Sure. Anytime consumers start to... or companies start to implement certain technology, they always think of the technology as a magic bullet. You see it a lot, they look at maybe blockchain, and they say, "Hey, the underlying crypto? I know that crypto. That crypto is good. Blockchain is great. I don't have to worry about security."

Well, it turns out there's a lot more to blockchain than the crypto. There's the implementation, the organizational details, the people behind it. What it comes down to is all of those things are fallible. Even if the crypto is good, the infrastructure can undermine everything.

In order to subvert the blockchain, I don't necessarily need to subvert the crypto. That's a really important statement. What we're seeing is companies who have implemented blockchain somewhere, in some process, realize that they need to start testing it, because maybe that 70% matters.

Alison DeNisco Rayome: What are some ways that organizations can make sure that they are adequately securing the blockchain?

Charles Henderson: Well, first and foremost, they need to look at people that have been successful in the practice. Fixing a problem when it's discovered in testing is always more expensive than getting it right the first time.

That said, they need to conduct testing. Not just looking at the solution itself, but looking at the solution as they implemented it. In other words, looking at the infrastructure. Looking at the people. Doing penetration testing.

The kinds of things that you would do in any other technology space. Realizing that blockchain is not a delicate snowflake, and it's not impenetrable. Merely because people make mistakes.

If you think about it, all of the stupid mistakes you make in a given week, all of the mistakes that I'll make in a given week... The problem is, there's no firewall for stupid.

Alison DeNisco Rayome: What are some ways that securing the blockchain could actually enhance the security of the overall enterprise?

Charles Henderson: Well, if you think about it, criminals don't attack an enterprise for fun. They attack for profit. They really don't care what they compromise, or even how they compromise it. They care about the return on investment. It's about maximizing that profit.

You look at criminal activities and how they've evolved... You're seeing criminals move from point-in-time monetization... Things like, remember ransomware? It's declining. Well, why is it declining? Because it's a one-and-done.

They want subscription revenue. They want an ongoing revenue stream. You see things like cryptojacking coming up. Well, attacking the enterprise is much the same. They want an ongoing revenue stream. The same thing that all the Wall Street investment firms look for, in terms of numbers. What they're looking to do is evolve their business, not just the technology of their attacks.

Alison DeNisco Rayome: I know you've also done, switching gears a bit, some research on kiosks. Can you tell me a little bit about that?

Charles Henderson: You remember the person with the clipboard that sat in the first floor of your offices?

They used to take names, and you'd sign in. You'd maybe give them your name, e-mail address, sometimes you'd even give them your Social Security number. It was basically... the big risk was that somebody was going to steal the clipboard, right?

Well now, they've replaced that person with the clipboard with a kiosk. It's a visitor management system. The idea of that visitor management system is to add convenience, to add capability.

The problem is, that if that visitor management system is compromised, you're not looking at six hours of visitor check-in. You're looking at six weeks, six months, maybe even six years. That data is very attractive to attackers.

You start thinking about where visitor management systems are used. They could be doctors' offices. They could be financial firms. They could be legal offices.

In fact, you can actually parlay a lot of the visitor management records to figure out what mergers and acquisitions may be going on. Or what someone's health history is. You can find out a lot about a person, and that's exactly the kind of information that helps in that subscription revenue model that we talked about criminals going to.

Alison DeNisco Rayome: What are some ways that organizations can make sure they are securing those management systems?

Charles Henderson: Well, it's actually a great component to this story. The vulnerability research we did, we found 19 vulnerabilities over five visitor management systems. It was actually something we tasked our interns with. Our interns were doing this vulnerability research.

You think about degree of difficulty, and these were solid vulnerabilities, but some of them were fairly low-bar. It was clear that these hadn't undergone rigorous testing. That's because, for instance, one of the vulnerabilities involved the escape key. The escape key should not be what separates you from a compromise.

You start thinking about the level of testing that should be required for these kinds of systems, with critical information about... Forget the PII for a second... critical information about the lives of the individuals at play.

I think it's important that companies commit themselves to testing, both the vendors who created the visitor management systems, as well as the companies that adopted them. You can't just stick a product in your lobby and think of it as a magic box that doesn't require testing. Just because it's not a web application does not mean you can forgo testing.