Scott Carlson discusses the uniqueness of blockchain security compared to traditional systems, emphasizing the elimination of third-party trust and the potential for anonymity. He outlines various motivations for using cryptocurrencies and the importance of robust security measures in blockchain projects due to associated risks. Carlson also suggests proactive strategies for ensuring blockchain security, including rigorous training, vulnerability scanning, and incident response preparations.

1. SESSION ID:
#RSAC
SCOTT CARLSON
BLOCKCHAIN SECURITY – IS IT REALLY
DIFFERENT THAN ANYTHING ELSE ?
CHIEF INFORMATION SECURITY OFFICER
SWEETBRIDGE, INC.
@SCOTTOPHILE

2. #RSAC
2
https://marketoonist.com/2018/01/blockchain.html

3. #RSAC
3
Used with
Permission:
http://usblogs.pwc
.com/emerging-
technology/wp-
content/uploads/2
017/09/PwC_Next-
in-
Tech_Infographic_
Blockchain-
2016.pdf

4. #RSAC
4
Used with
Permission:
http://usblogs.pwc
.com/emerging-
technology/wp-
content/uploads/2
017/09/PwC_Next-
in-
Tech_Infographic_
Blockchain-
2016.pdf

5. #RSAC
5
Used with Permission:
https://www.economist.com/special-
report/2015/05/09/the-next-big-thing

6. #RSAC
Bitcoin
Simple Operations to transact
Ethereum = “Turing Complete”
Can solve ANY problem given enough
time and resources
Bitcoin vs Ethereum (Turing Completeness)
Used with Permission: https://xkcd.com/505/

7. #RSAC
Why do people use/want crypto currencies?
7
Eliminate the need for a central bank, third party
Want to be anonymous / pseudo-anonymous
Trade it like it is a stock using exchanges like a stock market
Away to transfer wealth / grow wealth / speculation
Raise funds for a project – ICO
Faster global payment mechanism with no currency conversion

8. #RSAC
Reasons why people want to use Blockchain
8
Removes the need to trust a third party
Removes the need to WAIT for a third party
Peer Pressure
Safe from single source attacks, safe from data modification
Strongly encrypted, mathematically sound
Scientifically immutable
(Proof of Work, Proof of Stake)

9. #RSAC
9
Used with Permission:
https://twitter.com/Disruptepreneur
Do you really need a blockchain?

10. #RSAC
Why talk about this at a security conference
10
This is “real money” and needs to be protected as such
Many projects put speed to market ahead of security & testing
Limited controls that “are well known to banks”
Suffer from first adopter problems
Rarely talk to the security experts

11. #RSAC
You don’t attack the Blockchain
When the most common attacks are easy

12. #RSAC
Blockchain [ Ethereum, NEO, Cardano ]
Smart Contracts / Keys / API Logic
End User Facing ”Interface”
Blockchain
”layers”
Blockchain projects almost always have a
public/private chain, contracts/logic, and
applications facing API/Users

13. #RSAC
The Chain
● Chain Code
● Math Libraries
● Node Workers
- Usually -
Safe from single source attacks (but … 51% attack)
Safe from data modification
Strongly encrypted
Mathematically sound (Quantum safe?)
Scientifically immutable
(Proof of Work, Proof of Stake)

14. #RSAC
Contracts & Logic
• Multi-spend attacks
• Wallet/Address attacks
• Logic Flaws
• Insecure Calls
• Key Management

15. #RSAC
The Applications
• Written by Humans
• Have API’s
• Likely “new” languages
• Are used by Humans
(input validation, timeouts)
• May be on the internet

16. #RSAC
Human Beings
● Computers
● Phones
● Key Management
● Wallets
● Phishing/passwords
● Viruses

17. #RSAC
The “Blockchain Security” 20
17
Identify the entire scope of your Hardware/Cloud Create affective boundary defenses
Identify the entire scope of your Software footprint Create a data recovery plan & transaction control
Configure everything with security in mind Conduct security training
Scan for vulnerabilities & fix them Log, Log, Monitor, Analyze, Study
Application Security, especially smart contracts Practice “Least Privilege” Access
Malware Protection Control and monitor all accounts, no sharing!
Create a secure network configuration Be ready to respond to incidents
Control administrative privileges Control your data (encryption, protection)
Pen Test & Red Team, especially smart contracts Code Securely and learn from the world
Lock down your mobile app Advise end users how to safely interact with you

18. #RSAC
What Now ?
18
Pull this information together with the rest of the day to fill in your
knowledge gaps
YouTube videos, online education through Udemy, and others are
great training mechanisms to get good at the basics
Look up the recent attacks and do your own research into the areas
of crypto / blockchain / currencies you are most concerned about

19. #RSAC
THANK YOU!
@Scottophile
Scott.Carlson@sweetbridge.com