Cybersecurity Aspects of Blockchain and Cryptocurrency
•
1 like•564 views
Slides from Tony Martin-Vegue's presentation at PRMIA 2018 Risk Management and Regulatory Compliance Round Table in San Francisco, CA | April 11, 2018 "Cybersecurity Aspects of Blockchain and Cryptocurrency" Abstract: Many companies are considering blockchain technologies to make transactions faster, more secure and cost effective. If you are performing risk analysis on these emerging technologies, you ask be asking yourself: how do I even start to analyze risk when there are so many unknowns? A successful analysis requires a paradigm shift in thinking into two areas: casting aside the defense-in-depth metaphor to describe security controls; and, how we assess and analyze risk of new and emerging technologies that have a high degree of uncertainty. This talk will cover how to reframe your assessments for emerging technologies, such as blockchain, and how risk quantification methodologies such as Factor Analysis of Information Risk (FAIR) can help answer some of these questions and produce a credible risk assessment.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Cybersecurity Aspects of Blockchain and Cryptocurrency
Similar to Cybersecurity Aspects of Blockchain and Cryptocurrency (20)
More from Tony Martin-Vegue
More from Tony Martin-Vegue (10)
Recently uploaded
Recently uploaded (20)
Cybersecurity Aspects of Blockchain and Cryptocurrency
- 1. Cybersecurity Aspects of Blockchain and Cryptocurrency
- 2. About Me Tony Martin-Vegue @tdmv • 20 years in Technology; last 10 in Cyber Risk • FAIR practitioner for about 7 years now • Reside in the Bay Area
- 3. Book chapter… “Cyber Risk Quantification of Financial Technology”
- 5. From the “Today Show,” 1994 “What is Internet, Anyway?”
- 10. There is no cloud. Just someone else’s computer
- 11. …blockchain is just someone else’s database.
- 12. Traditional Defense-In-Depth Beyond the Hard Perimeter • Clear perimeter • Policy enforcement points • Company-controlled hardware, software, data • Access-control based trust models • Compliance: easy to define • Fuzzy or no perimeter • Enforcement points: not applicable • “Ownership” is decentralized • Zero-trust • Still figuring compliance out
- 13. Emerging Risks
- 14. The Strange Case of Mt. Gox (or, how forgetting the fundamentals can really hurt)
- 15. “The One Patch Most Needed in Cybersecurity”
Editor's Notes
- My portion of the panel Cybersecurity aspects of blockchain and cryptocurrency
- Quick note about me Been in technology for over 20 years, info sec RISK for the last 10. 7 years in FAIR – quant risk framework– the first couple spent unlearning bad risk habits and absorbing as much as I can Currently work for lending club – a Fin Tech up the street. We are a peer-to-peer loan company Many have called up the first and the largest Fin Tech – Paypal would have an issue with that claim
- Late Feb, book on fin tech was released. I wrote a book chapter called – Welcome to come leaf through it
- Purpose of the talk, two things: Talk about the paradigm shift in thinking about cyber security that blockchain and crypto currency represents. we’re all in the middle of right now #2, Talk about emerging risks and give a couple of tips for risk managers to get started on assessing risk
- https://www.youtube.com/watch?v=UlJku_CSyNg Requires a paradigm shift in thinking, fintech, blockchain, cryptocurrency Few points: Funny now But back then they couldn’t wrap their heads around this concept of the internet Their bewilderment captures what many of us felt at the time Good parallel to blochchain today – blockchaain and crypto currency may be so ubiquitious that we in 20 years from now we’ll be thinking back and laughing Some people knew but most did not know that they were on the cusp on a major cultural and technological change that would irreversibly alter our society
- with that in mind --want to talk about paradign shifts. force to See things in a different way - cyber security controls or information security, risk assessment You are going to have to grapple with this as risk managers - Common mis-conceptions Block chain is bitcoin or cryptocurrency Public versus private ledger But one of the biggest paradigm shifts we will have to get used to is….
- …the metaphors we use to describe how we deploy security controls around our technology. The idea here is defense in depth. There’s a single asset – the crown jewels – and attackers have to overcome successive controls. Early lookout posts, Moat, artificial hills, archer towers, 3 rings of walls
- …and this is how we design our defenses and control frameworks. Attackers on the right – nation state, hackers, organized cyber crime Company assets on the left – users, databases, systems. All protected in the middle with layers of security, control, backup control, etc. all designed around a hard, defined perimeter this paradigm shift started about 10 years ago woth cloud, byod, and continues today with blockchain
- Today New normal If this give you a headache, that’s my point I call this the “The incredible shrinking perimeter” The concept of the perimeter changed -- users, resources, straddling inside and outside the permiter defenses – the resources are outside the layerd security metaphor - instead of one layer, you had mulptile layers, mulptile controls for each group Thank about how a public blockchain deployment would work, for example – a Payments application like Paypal. The databses are distributed, outside of the company’s perimeter – relying on new/different controls than we would see on a traditional demployment More targets, more surface
- Old adage
- Forgeting the fundamentals Mt. Gox Bitcoin heist in 2014 first and largest Bitcoin exchanges at the time 850,000 Bitcoin 450 million USD. today, the value of 850,000 Bitcoin is $5.8 trillion USD. How did this happen? ex-CEO of Mt. Gox blamed hackers for the loss, others blamed the CEO, Mark Karpeles; the CEO even did time in a Japanese jail for embezzlement There were other issues according to a 2014 story in Wired Magazine, ex-employees described a company in which there was no code control, no test code environment and only one person that could deploy code to the production site: the CEO himself, Mark Karpeles took weeks to deploy security fixes Fintech’s primary competitive advantage is that they have less friction than traditional financial services able to innovate and push products to market very quickly. The downside the Mt. Gox case proves is when moving quickly, one cannot forget the fundamentals. Fundamentals, such as code change/version control, segregation of duties and prioritizing security patches should not be set aside in favour of moving quickly. Risk managers need to be aware of and apply these fundaments to any risk analysis.
- Quote from Doug Hubbard Reference to As mentioned many times previously, technology is rapidly evolving and so is the threat landscape. Practices, such as an ambiguous network perimeter and distributed public databases were once unthinkable security practices. They are now considered sound and, in many cases, superior methods to protect the confidentiality, integrity and availability of assets. Risk managers must adapt to these new paradigms and use better tools and techniques of assessing and reporting risk. If we fail to do so, our companies will not be able to make informed strategic decisions. One of these methods is risk quantification. Why we’re hearing more and more about fair – risk quant – OCC has started referencing it as a framework, many others