Written by: Thomas M. O'Neill, CCSFP, CBSP
Blockchain has the potential to establish a secure pathway to streamline and support business functions, enticing banks to engage tools such as digital assets and distributed ledger technology to enhance their processes. This technology is still relatively new and evolving, and auditors and accountants should take advantage of guidance posed by industry leaders (such as the American Institute of Certified Public Accountants [AICPA] or Information Systems Audit and Control Association [ISACA]) to familiarize themselves with the nuances of the tech. Many organizations like the AICPA and ISACA offer audit-related certifications surrounding blockchain to enhance the knowledge of auditors and give them the necessary tools to effectively audit blockchain initiatives.
We identified a company called the Blockchain Training Alliance who offers blockchain courses and certifications. The Certified Blockchain Security Professional (CBSP) certification covers the fundamentals of blockchain technology, known attack vectors, blockchain security mechanisms, and more. We recently obtained this certification to enrich our existing blockchain knowledge and give our clients the confidence that we have the necessary expertise to handle blockchain challenges.
The Blockchain Training Alliance offers a study guide for the CBSP exam that covers 12 chapters of content, and includes 12 short quizzes to test your knowledge prior to the exam. The exam itself has 70 questions to be answered in 90 minutes. The comprehensive study guide is the best tool to ensure a passing grade (70% or higher). If you pass the exam, your certificate will be written to the Ethereum blockchain.
The exam is broken down into several sections:
- Blockchain Fundamentals
- Smart Contract Security
- Vulnerabilities and Common Attack Vectors
- Existing blockchain architectures (Hyperledger, Corda, and Ethereum)
It’s important that all blockchain professionals understand the underlying fundamentals of blockchain technology, such as Proof of Work and Proof of Stake. These algorithms are the methods for calculating consensus in a blockchain. You can think of them as the audit functions of the blockchain. Traditional audit functions, such as internal and external audit, are responsible for measuring and mitigating risks in an organization. In blockchains, consensus algorithms such as Proof of Work and Proof of Stake are used to measure and mitigate risks. These algorithms ensure blockchains are appropriately decentralized so no entity has the ability to edit the blockchain without first achieving consensus. Without an audit function, blockchain (and financial institutions) would have less transparency and no way of measuring risk.
Smart Contract Security
Smart contracts are a specific implementation of the broader topic of blockchains and distributed ledgers, and are code written in a language such as C or Java that’s written to the blockchain. The code is set up with certain conditions, and it will only execute if those conditions are met. One of the main risks of writing code to a blockchain is that it can’t be changed. This is known as immutability, and preventive controls such as code reviews during the system development lifecycle should be an important consideration.
Vulnerabilities and Common Attack Vectors
As with all computer-based systems, blockchain isn’t immune to attacks. Common attacks such as a denial of service (DoS) are still applicable to blockchains, and the most commonly known blockchain-specific threat is a 51% attack, where one entity controls 51% of the nodes on a single blockchain. The intrinsic nature of the distributed ledger is the main defense against a 51% attack. Having more users participate in a blockchain will lower the risk of one person, or group of people, having control over the majority of the network nodes.
Existing Blockchain Architectures
Hyperledger is a private blockchain designed by IBM to be used within a business. This architecture allows multiple blockchain networks to run on the same network of nodes.
Corda was designed using Java as a permissioned blockchain for businesses. Corda’s distributed ledger differs from most blockchains in that no one in the blockchain network has full visibility of the ledger. Access to data is on a need-to-know basis, where only parties involved in a transaction have the ability to view it.
Ethereum is a public blockchain that’s used to implement smart contracts. Anyone can develop and write smart contracts to this public ledger, but all contracts are visible on the network.
Blockchains require increased oversight and can be audited and measured using existing audit techniques. This technology has been operational for nearly 12 years, and many organizations have started to experiment with implementing blockchains into their environment. Blockchains aren’t immune to threats and vulnerabilities, and should be subject to audits and risk assessments. Participating in blockchain certification programs such as those from the Blockchain Training Alliance will heighten knowledge around this ever-evolving technology, giving you the necessary tools and resources to help organizations prevent and mitigate blockchain risk.