Slides from Tony Martin-Vegue's presentation at PRMIA 2018 Risk Management and Regulatory Compliance Round Table in San Francisco, CA | April 11, 2018
"Cybersecurity Aspects of Blockchain and Cryptocurrency"
Abstract:
Many companies are considering blockchain technologies to make transactions faster, more secure and cost effective. If you are performing risk analysis on these emerging technologies, you may be asking yourself: how do I even start to analyze risk when there are so many unknowns? A successful analysis requires a paradigm shift in thinking in two areas: casting aside the defense-in-depth metaphor to describe security controls; and how we assess and analyze the risk of new and emerging technologies that have a high degree of uncertainty.
This talk will cover how to reframe your assessments for emerging technologies, such as blockchain, and how risk quantification methodologies such as Factor Analysis of Information Risk (FAIR) can help answer some of these questions and produce a credible risk assessment.
Traditional Defense-In-Depth
• Clear perimeter
• Policy enforcement points
• Company-controlled hardware, software, data
• Access-control based trust models
• Compliance: easy to define

Beyond the Hard Perimeter
• Fuzzy or no perimeter
• Enforcement points: not applicable
• “Ownership” is decentralized
• Zero-trust
• Still figuring compliance out
My portion of the panel
Cybersecurity aspects of blockchain and cryptocurrency
Quick note about me
Been in technology for over 20 years, info sec RISK for the last 10.
7 years in FAIR – quant risk framework – the first couple spent unlearning bad risk habits and absorbing as much as I could
Currently work for Lending Club – a fintech up the street. We are a peer-to-peer loan company
Many have called us the first and the largest fintech – PayPal would have an issue with that claim
In late Feb, a book on fintech was released. I wrote a book chapter called –
You're welcome to come leaf through it
Purpose of the talk, two things:
Talk about the paradigm shift in thinking about cyber security that blockchain and cryptocurrency represent, which we’re all in the middle of right now
#2, Talk about emerging risks and give a couple of tips for risk managers to get started on assessing risk
https://www.youtube.com/watch?v=UlJku_CSyNg
Requires a paradigm shift in thinking, fintech, blockchain, cryptocurrency
Few points:
Funny now
But back then they couldn’t wrap their heads around this concept of the internet
Their bewilderment captures what many of us felt at the time
Good parallel to blockchain today – blockchain and cryptocurrency may be so ubiquitous that 20 years from now we’ll be thinking back and laughing
Some people knew, but most did not, that they were on the cusp of a major cultural and technological change that would irreversibly alter our society
With that in mind, I want to talk about paradigm shifts.
They force us to see things in a different way: cyber security controls, information security, risk assessment
You are going to have to grapple with this as risk managers. Common misconceptions:
Blockchain is bitcoin or cryptocurrency
Public versus private ledger
But one of the biggest paradigm shifts we will have to get used to is….
…the metaphors we use to describe how we deploy security controls around our technology. The idea here is defense in depth. There’s a single asset – the crown jewels – and attackers have to overcome successive controls: early lookout posts, moat, artificial hills, archer towers, three rings of walls
…and this is how we design our defenses and control frameworks. Attackers on the right – nation states, hackers, organized cyber crime
Company assets on the left – users, databases, systems. All protected in the middle with layers of security: control, backup control, etc., all designed around a hard, defined perimeter
This paradigm shift started about 10 years ago with cloud and BYOD, and continues today with blockchain
Today
New normal
If this gives you a headache, that’s my point
I call this the “The incredible shrinking perimeter”
The concept of the perimeter changed: users and resources straddle the inside and outside of the perimeter defenses – the resources sit outside the layered security metaphor. Instead of one layer, you now have multiple layers and multiple controls for each group
Think about how a public blockchain deployment would work, for example a payments application like PayPal. The databases are distributed, outside of the company’s perimeter, relying on new and different controls than we would see in a traditional deployment
More targets, more surface
Old adage
Forgetting the fundamentals
Mt. Gox Bitcoin heist in 2014
One of the first and the largest Bitcoin exchanges at the time
850,000 Bitcoin
450 million USD at the time. Today, the value of 850,000 Bitcoin is $5.8 trillion USD.
How did this happen?
The ex-CEO of Mt. Gox blamed hackers for the loss;
others blamed the CEO, Mark Karpeles; the CEO even did time in a Japanese jail for embezzlement
There were other issues
According to a 2014 story in Wired Magazine, ex-employees described a company in which there was:
no code control,
no test code environment, and
only one person who could deploy code to the production site: the CEO himself, Mark Karpeles
It took weeks to deploy security fixes
Fintech’s primary competitive advantage is that they have less friction than traditional financial services,
and are able to innovate and push products to market very quickly.
The downside the Mt. Gox case proves is that when moving quickly, one cannot forget the fundamentals. Fundamentals such as code change/version control, segregation of duties and prioritizing security patches should not be set aside in favour of moving quickly.
Risk managers need to be aware of and apply these fundamentals to any risk analysis.
Quote from Doug Hubbard
Reference to
As mentioned many times previously, technology is rapidly evolving and so is the threat landscape. Practices such as an ambiguous network perimeter and distributed public databases were once unthinkable security practices. They are now considered sound and, in many cases, superior methods to protect the confidentiality, integrity and availability of assets. Risk managers must adapt to these new paradigms and use better tools and techniques for assessing and reporting risk. If we fail to do so, our companies will not be able to make informed strategic decisions. One of these methods is risk quantification.
Why we’re hearing more and more about FAIR – risk quant – the OCC has started referencing it as a framework, as have many others
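To make the risk-quantification point concrete, here is an added example, not from the talk or from the FAIR standard, of the FAIR-style Monte Carlo estimate a risk manager would produce: calibrated min / most-likely / max estimates of loss event frequency and loss magnitude are simulated into an annualized loss exposure distribution, and two constructed scenarios (weak fundamentals versus change control, segregation of duties and fast patching) are compared. It assumes Python's triangular distribution as a stand-in for the PERT distribution FAIR tooling normally uses, and all dollar and frequency inputs are constructed for illustration, not Mt. Gox figures.

```python
import math
import random

def pert_like(rng, low, most_likely, high):
    """Draw from a calibrated (min, most likely, max) estimate.
    FAIR tooling normally uses a PERT distribution; this example substitutes
    Python's built-in triangular distribution, a labelled simplification.
    Note: random.triangular takes (low, high, mode), not (low, mode, high)."""
    return rng.triangular(low, high, most_likely)

def poisson(rng, lam):
    """Number of loss events in one simulated year (Knuth's algorithm)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_ale(lef, lm, trials=20000, seed=2018):
    """Monte Carlo estimate of annualized loss exposure (ALE).
    lef: (min, most likely, max) loss event frequency, events per year
    lm:  (min, most likely, max) loss magnitude per event, in USD
    Each trial samples a frequency, draws the event count for that year,
    then sums one sampled loss magnitude per event."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        events = poisson(rng, pert_like(rng, *lef))
        annual.append(sum(pert_like(rng, *lm) for _ in range(events)))
    annual.sort()
    pct = lambda q: annual[min(int(q * trials), trials - 1)]
    return {"mean": sum(annual) / trials, "p10": pct(0.10), "p50": pct(0.50),
            "p90": pct(0.90), "max": annual[-1],
            "p_loss": sum(1 for a in annual if a > 0) / trials}

# Constructed, illustrative estimates for a hypothetical exchange (not Mt. Gox
# figures): one scenario with weeks-to-patch and a single deployer, one with
# change control, segregation of duties and prioritized patching in place.
WEAK_CONTROLS = {"lef": (0.2, 0.5, 2.0), "lm": (1e6, 1e7, 1e8)}
FUNDAMENTALS = {"lef": (0.02, 0.1, 0.5), "lm": (1e5, 2e6, 3e7)}

def compare_scenarios():
    """Run both scenarios so a decision maker can see the exposure reduction."""
    return {name: simulate_ale(**est) for name, est in
            (("weak_controls", WEAK_CONTROLS), ("fundamentals", FUNDAMENTALS))}

if __name__ == "__main__":
    for name, r in compare_scenarios().items():
        print(name, f"ALE mean ${r['mean']:,.0f}", f"p90 ${r['p90']:,.0f}", f"P(loss) {r['p_loss']:.0%}")
```

The p90 and the probability of any loss in a year are the figures worth reporting alongside the mean, since a single mean hides the tail that a Mt. Gox-style event represents.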