A Security Risk Assessment Method for Distributed Ledger Technology (DLT) based Applications: Three Industry Case Studies (2401.12358v2)
Abstract: Distributed ledger technologies have gained significant attention and adoption in recent years. Despite the security features distributed ledger technology provides, it remains vulnerable to both familiar and novel attacks, such as selfish mining and Sybil attacks. While such vulnerabilities have been investigated, methods for detecting them and for selecting appropriate countermeasures remain underreported. Cybersecurity knowledge in this domain is limited and fragmented, even as distributed ledger technology usage grows daily. Research focused on overcoming potential attacks on distributed ledgers is therefore required. This study aims to raise awareness of the cybersecurity of distributed ledger technology by designing a security risk assessment method for distributed ledger technology applications. To accompany the method, we have developed a database of possible security threats and known attacks on distributed ledger technologies, including sets of countermeasures. We employed a semi-systematic literature review combined with method engineering to develop a method that organizations can use to assess the cybersecurity risk of their distributed ledger applications. The method was subsequently evaluated in three case studies, which show that it helps these organizations conduct security risk assessments for distributed ledger applications effectively.