7 Best Practices for Web3 Security Risk Mitigation
The promise of web3 and decentralized Internet design is driving major advances in networking, consumer tech, and business tech. But what about cybersecurity in this new iteration of global connections? Security pros and C-level leaders are getting serious about risk mitigation for web3 with techniques like these that get down into the details of protecting new decentralized systems.
Web3: The Threat Environment
First, it’s worth looking at why web3 security risk mitigation is so important. Part of this involves the context of how these new systems are emerging. Web2 security is different from what’s going to happen in web3.
The decentralized nature of web3 environments can be an asset, but it also has challenges. Using decentralized technologies can make systems more vulnerable to certain kinds of hacking.
Considering how systems are often compromised, it’s instructive to separate things like rug pulls from hacking exchanges or transaction networks.
Rug pulls are typically situations where someone creates a seemingly legitimate crypto project but then absconds with funds, showing that at least part of the project was built on deception.
Other kinds of hacking are different – outsiders target specific points on exchanges or transaction points, where they can access some blockchain asset. The Mt. Gox case is a classic example.
So what do security professionals do in battening down new web3 systems? Web3 security managers have to counter both types of problems – insider attacks and exploits from outside the gates. They also have to figure out ways to standardize identity authentication on networks, and other optimal configurations for cybersecurity in a complex world.
Given the early adoption of crypto and blockchains in some of its member countries, it is perhaps unsurprising that Europe has been a leader in this goal, establishing the European Self Sovereign ID Framework (ESSIF) to help verify identity in decentralized web3 environments.
Other infrastructure also helps web3 to emerge as a more consistent and universal model. Instead of conventional contracts, innovators use smart contracts built on Ethereum or some other blockchain. Some also suggest using DAOs (decentralized autonomous organizations) to replace traditional centralized banking institutions in the web3 world.
Another challenge is that the security community has had very little time to study the blockchain for vulnerabilities. Although the blockchain is an immutable ledger, all sorts of hacking and mischief can be done in a way that experts would call “blockchain-adjacent” – in the small tributaries or side processes that help facilitate blockchain transactions and verified decentralized activity.
For example, there is the phenomenon of counterfeit cryptocurrency with blockchain assets like Zcash. How could someone create counterfeit cryptocurrency if the blockchain is an immutable ledger?
The trick here is that while all blockchain asset transactions will be inherently verified, someone can still set up fraudulent systems that make a user think that they are buying or holding cryptocurrency, when it’s just a cleverly devised hoax. The asset is not on a blockchain – that’s the deception.
With all of this in mind, let’s talk about some helpful best practices in the industry. Web3 project managers and other stakeholders can build stronger, more protected systems by following these common guidelines.
Paying Special Attention to Alternative Blockchain Structures
Due to congestion on traditional blockchain networks, parallel chains as well as sidechains became popular.
Sidechains host transactions and then join them to a traditional blockchain like Ethereum. That helps promote efficiency in these cryptocurrency markets and enables different types of improvement for smart contracts. Still, it’s very important to understand that the sidechain must have its own security. A typical sidechain does not inherit the security structure of the original blockchain.
Optimistic rollups do have the same security and finality as the underlying main chain; however, they currently still appear to suffer from centralization. Also, the challenge window, the duration during which fault proofs can be submitted, can be rather long: on Optimism it is currently 7 days. Only after that is a commitment considered final.
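The finality rule above matters most to whoever releases funds against a rollup commitment, such as a bridge or an exchange. The sketch below is an added example, not code from Optimism or any project named here: the `Commitment` record, the `releasable` gate and the sample data are hypothetical, and it assumes a fault proof submitted inside the window blocks release until the dispute is settled elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# 7 days is the Optimism figure quoted above; other rollups differ, so it is a parameter.
CHALLENGE_WINDOW = timedelta(days=7)

class Status(Enum):
    PENDING = "pending"    # window still open, a fault proof may still arrive
    DISPUTED = "disputed"  # a fault proof was submitted inside the window
    FINAL = "final"        # window elapsed with no fault proof

@dataclass(frozen=True)
class Commitment:
    """Hypothetical record of a rollup state commitment posted to the main chain."""
    batch_id: int
    posted_at: datetime
    fault_proof_at: Optional[datetime] = None

def commitment_status(c, now, window=CHALLENGE_WINDOW):
    if now < c.posted_at:
        raise ValueError("commitment is dated in the future; refuse to classify")
    deadline = c.posted_at + window
    # Assumption: any fault proof submitted inside the window blocks release
    # until the dispute is resolved elsewhere; a late one is ignored.
    if c.fault_proof_at is not None and c.posted_at <= c.fault_proof_at < deadline:
        return Status.DISPUTED
    return Status.FINAL if now >= deadline else Status.PENDING

def releasable(withdrawals, commitments, now):
    """Return ids of withdrawals whose backing commitment is FINAL; hold the rest."""
    by_batch = {c.batch_id: c for c in commitments}
    return [wid for wid, batch in withdrawals
            if batch in by_batch
            and commitment_status(by_batch[batch], now) is Status.FINAL]

# Constructed sample data, not taken from any real chain.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
COMMITMENTS = [
    Commitment(1, T0),                                         # old, unchallenged
    Commitment(2, T0 + timedelta(days=3)),                     # window still open
    Commitment(3, T0, fault_proof_at=T0 + timedelta(days=2)),  # challenged
]
WITHDRAWALS = [("w1", 1), ("w2", 2), ("w3", 3), ("w4", 99)]  # w4: unknown batch

if __name__ == "__main__":
    print(releasable(WITHDRAWALS, COMMITMENTS, T0 + timedelta(days=8)))
```

Withdrawals tied to an unknown or disputed commitment are held rather than released, so the gate fails closed.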
Another place to look closely at security is the use of oracles that host data not otherwise found on-chain. As a type of beacon for these web3 systems, the oracles need to be adequately protected and standardized with web3 security risk mitigation to ward off different types of hacking and cyberattacks. Companies also have to look at things like EVM (Ethereum Virtual Machine) compatibility in standardizing secondary technologies like oracles and sidechains.
Embracing Evolving NIST Standards
People who come to a range of security environments, be it web2 or web3, often lament a culture that doesn’t adequately focus on NIST cybersecurity guidelines.
The federal agency’s cybersecurity framework is an excellent starting point for applying the detailed security oversight that decentralized systems will need. Of course, those basic building blocks need to be applied to a new type of infrastructure. Still, a company starts off at a deficit without the fundamental basis of NIST principles.
Analysis and Audits
Specific types of audits make sense for web3 systems. For example, a Hackernoon piece on web3 cybersec recommends things like developing a more granular understanding of network topologies and components, and assessing things like Access Control Lists (ACL). Then, too, there are the detailed types of analyses and audits that target the threats web3 operators are most likely to face: cryptojacking, 51% attacks, and phishing campaigns among them.
KYC and AML
In exchanges and other similar parts of the web3 ecosystem, innovators have already given everyone a great system for vetting user activity and cracking down on things like blockchain crime and money laundering.
Know your customer (KYC) and anti-money laundering (AML) standards are already a part of modern exchanges and many other types of decentralized systems. They are household names in cryptocurrency and web3. They’re becoming standardized and very much acknowledged by regulators as necessary types of web3 security risk mitigation.
That means that in many cases, companies can adopt new KYC/AML rules built on existing policies or operational guides. They don’t have to reinvent the wheel completely, or start from scratch, and there’s a continuity that’s comforting for people who were previously working in more centralized systems. Web3 is new – there’s no way around that – but by building on previously established ideas, security people often find themselves more confident about taking on the threats that their employers are most worried about.
A Database of Attack Vectors
It’s always helpful to have a detailed list of the types of security gaps and threats that a system might face. It also helps companies to brainstorm about how web3 security risk mitigation works in particular. For example, engineers might look at the history of protocols like SSL, and how those have been manipulated or exploited over time. Then they can apply that kind of idea to the new web3 technology and come up with checklists and other resources that help them to circle the wagons in a more effective way.
Penetration Testing and Its Equivalent
Another fundamental way to practice risk mitigation for Web3 is to engage in a traditional practice that coders of web2 systems often call ‘pen testing.’
What this translates to, in common layman’s terms, is ‘trying to break things’ – conducting simulated hacks and attacks to see how strong or weak a system is, and where its vulnerabilities lie.
The same type of testing based on game theory can be very helpful in web3 analysis. Engineers might find that a specific part of the exchange or transaction process is presenting a broad attack surface to outsiders. They might find that a problem with a protocol constitutes a “Byzantine generals problem,” where you have a bad actor who has to be managed to keep these transactions and activities genuine and safe. All of that guides the organization to strengthen its systems in the right ways, targeted to the threats it faces.
Assessment Flows and Workflow Models
In general, it’s always helpful to have flowcharts for workflows and frameworks to discuss how people mitigate risk in web3.
Some of these might contemplate data handling structures like JSON and web protocols for moving data through a web3 application. Others might focus on identity management and other elements outlined above. Either way, the security guidelines put in place through these assessment flows are going to be worth their weight in gold when it comes to making sure that everyone has thought through the biggest risks in a web3 project and addressed them thoroughly.
Thinking About Safety
Web3 security risk mitigation is one of the most important things that professionals do to safeguard systems. It’s important for stakeholders to look for the risk, see where it is, and address it. FYEO’s identity, domain intelligence, and blockchain security work exemplifies how this type of risk mitigation and proactive cybersec functions. Protect your systems with the help of a company innovating in how to apply long-standing principles to modern environments.