Web 3.0 offers an opportunity to shake off the cybersecurity mistakes of the past – one that open-minded information security professionals, aware of the technology’s potential, have invested in.
With the rapid development of Web 3.0, as an information security practitioner I cannot help paying more and more attention to it. Many in the tech industry still believe that blockchains, cryptocurrencies and NFTs are scams that are destroying the economy and are doomed. But the rapid adoption of these technologies, their uptake by many multinational corporations, and President Biden’s recent executive order on digital assets all suggest that Web 3.0 is more than just a buzzword.
We in the information security community should not act like Web 3.0 activists, but we should help those in the Web 3.0 community who lack the resources to protect themselves. Leaving aside the hype cycle of the crypto market, we have a real opportunity to influence the direction and evolution of Web 3.0 technologies, and now is the time to look back at the security “failures” of Web 2.0 and use those lessons to build a more durable Web 3.0 that helps ordinary people stay safe. No one deserves to be deceived.
From MP3 to blockchain
The first time I saw a decentralized innovation on this scale was Napster, a peer-to-peer audio streaming service founded in 1999.
Not long ago, “cloud” was a buzzword much as blockchain is today. Ten years ago, my colleagues and I joked that the word was meaningless: “There is no cloud, just someone else’s computer.”
Today, cloud computing has become much bigger than we predicted. In fact, it is hard to understand the nuances of securing cloud technology without looking specifically at a particular vendor’s platform. I expect the same evolution for Web 3.0, from buzzword to basic Internet technology.
The good news is that blockchain is the foundation of Web 3.0, providing a unified infrastructure that can help address common security concerns such as governance, access, integrity, and observability. Blockchain technology allows the creation of a “trustless” and “permissionless” environment where users can securely transact with each other as they rely on cryptography and highly available, scalable and battle-tested code.
Information security is stagnant
While many companies are now spending more than ever on cybersecurity, we hear about new, blockbuster data breaches almost every week. At the same time, innovation in information security has languished compared to other technological fields such as cloud computing.
There is a general lack of attention to the human factor in information security: users fall prey to scams, click on the wrong link, or simply do not know how to keep themselves safe online. Take the recent controversy over Coinbase’s Super Bowl ad, which featured a QR code redirecting viewers to its website. Should people worry about scanning QR codes?
At the same time, the information security community continues to rely on ineffective defenses; we have long described defended networks as “M&M networks”: a hard, crisp perimeter with a soft, melted, vulnerable interior. On the other hand, centralization of sensitive log data, a core capability of every functional security operations center, creates monitoring-related data governance, compliance and ethics issues that will only get worse at scale.
Can we achieve secure transactions between fulfillment centers without privacy and security conflicting?
Ultimately, relying on the underlying defenses of a distributed ecosystem (such as a blockchain) is more effective than trying to use private centralized monitoring on a vulnerable network.
A more efficient blockchain that does not use PoW can alleviate concerns about the energy consumption of systems such as Bitcoin. Many people, myself included, are tired of waiting for Ethereum’s long-term plan to upgrade to a consensus mechanism that does not require a lot of energy, which makes using Ethereum today an overall bad option for our planet. Despite Ethereum’s first-mover advantage, other blockchains have emerged with greener properties than Ethereum’s or Bitcoin’s proof-of-work mechanisms. For example, Solana is a carbon-neutral blockchain that enables developers to build in security from the ground up through smart contracts implemented in the Rust programming language. Using Rust eliminates entire classes of security risks and is probably one of the best tools we have for preventing bugs in our code.
There is probably no better way to catch bugs than exposing the interface to users. When attackers and defenders have access to the same information, it levels the playing field in a more prevention-focused way, and over time this allows the information security industry to address systemic weaknesses.
However, no blockchain is completely decentralized today. True decentralization remains a lofty goal for many Web 3.0 enthusiasts – few have attempted to explain what such a system would look like in practice. However, trustlessness and permissionlessness remain key principles that actively guide the design of systems in the Web 3.0 ecosystem. Ideally, the blockchain itself and the smart contracts deployed to it mediate transactions between users — not opaque code on a server that can only be seen by administrators.
Blockchain allows us to confirm certain basic facts through the use of cryptography, and when we need to know something, we look on the blockchain. Decentralized application (dApp) developers are incentivized to store data on-chain, avoid performing critical computations off-chain, and not develop access mechanisms other than personal wallets. This translates into higher data integrity and more complete observability of inputs, computations and outputs.
Users need greater sovereignty over their data, while developers are interested in minimizing data collection to protect privacy. Web 3.0 can help achieve these goals by transferring custody of keys to users, giving people more control over their data. Individuals keep personal keys, providing users with the ultimate opportunity to maintain ownership of their identities on the blockchain. While this is different from how we have managed enterprise-grade networks before, we should welcome these new architectures as a way to empower users while reducing organizational risk associated with data collection and access management.
But first, more of us information security practitioners need to overcome our initial reluctance to explore Web 3.0 technologies and realize that Web 3.0 users deserve security, not fraud.
The world of information security in the Web 3.0 era seems to be changing, as evidenced by the growing number of information security efforts and the huge losses caused by the successful exploitation of blockchain and smart contract vulnerabilities.
Companies in Web 2.0 can often shrug off breaches thanks to mitigating factors such as standardized cyber insurance and the absence of long-term impact on the company, but Web 3.0 organizations cannot ignore security concerns: a single mistake can cost millions of dollars, or even dissolve the entire organization through total loss of funds.
Against this backdrop, bug bounty rewards in Web 3.0 have reached staggering numbers. In a guide for Immunefi, the largest Web 3.0 bug bounty platform, the company said: “Before joining Web 3.0, some information security people, white hat hackers, were treated badly and underpaid in Web 2.0. They brought that attitude to Immunefi – they now have more power and respect than before.”
As noted hacker Jay Freeman recently said after being awarded a $2 million bounty for finding a security flaw: “However, we’re seeing one crypto project after another trying to outsource the cost of reviewing their core designs to information security personnel instead of building a team of mathematicians, economists, and security experts.” While policy and regulation are underway, and compliance requirements may come to match those in traditional finance, the Web 3.0 industry will also develop its own domain-specific information security vulnerabilities, which must ultimately be addressed by highly technical security experts and long-term strategists rather than today’s external auditors and bounty systems.
Security firm Hacken described its outlook for the Web 3.0 industry in a recent report, predicting an increasing demand for regular security audits over the next five years.
There is also an emerging niche of “blockchain analysis” or “blockchain investigation” companies with names such as Chainalysis, CipherTrace (recently acquired by Mastercard), Elliptic and TRM Labs (owned by A16z, JPMorgan, PayPal, Salesforce and others). Using specialized software and human analysts to analyze, detect and track blockchain threats, these companies are reminiscent of early Web 2.0 cybersecurity companies like Mandiant and Foundstone, which grew rapidly alongside Web 2.0.
In a 2021 report titled “Analysis of Bitcoin’s Use in Illicit Finance,” former CIA Director Mike Morell argues that “the blockchain that records Bitcoin transactions is an underutilized forensics tool. It can be used more widely by law enforcement and the intelligence community to identify and disrupt illicit activity. In short, blockchain analytics is an efficient crime-fighting and intelligence-gathering tool.”
What is the difference?
Blockchains are transparent and open, and for those accustomed to closed databases and opaque operations, this is something that requires a fresh look. Blockchain and crypto companies tend to be less concerned with intellectual property protection than typical Web 2.0 companies. The code is usually open source and based on public security audits to inspire user confidence.
Web 2.0 security practices focus on dealing with consequences rather than avoiding them in the first place; Web 3.0 information security moves to code, engineering and architecture, with a focus on prevention.
The Web 3.0 ecosystem is more open in nature, and projects are usually hosted in communities on Discord and Twitter. In a recent article, two Web 3.0 project managers, Lenny Rachitsky and Jason Shah, described how they transitioned from their former careers to Web 3.0, calling for a complete departure from the current technology working model. They see the lack of a monitoring/data-collection-driven ecosystem underpinning Web 3.0, and the need to ensure code is released as bug-free as possible.
As a result, Web 3.0 has implications for information security, privacy, and surveillance, and information security professionals are critical to establishing industry standards ahead of and in addition to regulatory requirements.
Talent is on the move
It is not just people who see the potential who are working on Web 3.0; some of the best hackers in the world are already working on it full-time. E.g.:
Information security professionals should be familiar with the various “layer 1” blockchain networks, such as Bitcoin and Ethereum, with privacy coins of particular relevance to the information security field, such as Monero and Zcash, and should learn more about cryptocurrencies, tokens, DeFi and NFTs.
Information security professionals need to start learning early in order to be equipped with cryptocurrency knowledge in future security cases and investigations.
Here are some tips and resources for those seeking to learn more:
- Read the blogs of security companies that publish Web 3.0 research, and the voices who believe that Web 3.0 has the potential to empower people and free expression.
- Try setting up a crypto wallet and transferring cryptocurrency in and out, then look at the blockchain to understand how these transactions are recorded.
- Learn about the major smart contract platforms, their execution environments and associated programming languages. Want to build dApps? You can refer to several BuildSpace tutorials or join resource communities like Developer DAO and Surge. Check out the blockchain-specific security repositories on GitHub, such as awesome-ethereum-security and awesome-evm-security.
- Participate in some of the open bounties on Immunefi.
- Think about how to monitor wallets on various blockchains, and how to obtain that data.
- Learn about common phishing vectors and methods, especially threats on Discord and Twitter. Learn about red flags like NFT wash trading and other scams. Study previous big hacks and recent scams.
- For larger organizations, incorporate cryptocurrency handling into your security incident response plan, and make sure business and technical procedures are in place for any incident involving the crypto industry. For example, Marsh’s ransomware guide is both handy and comprehensive.
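As an added example (not from the original article) of the wallet-monitoring tip above, the Python below applies a watchlist, an allowlist, a size threshold and a simple follow-the-money rule to a constructed set of transfer records. The addresses, hashes and thresholds are placeholders; in practice the records would come from a node or indexer rather than a hard-coded list.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    """One value transfer as read from a node or indexer (constructed here)."""
    tx_hash: str
    block: int
    sender: str
    recipient: str
    amount: Decimal  # in the chain's main unit, e.g. ETH or SOL


# Constructed sample data: placeholder addresses and hashes, not real ones.
SAMPLE_TRANSFERS = [
    Transfer("0xtx01", 100, "0xtreasury", "0xvendor", Decimal("5")),
    Transfer("0xtx02", 101, "0xtreasury", "0xunknown1", Decimal("400")),
    Transfer("0xtx03", 101, "0xunknown1", "0xmixer", Decimal("399")),
    Transfer("0xtx04", 102, "0xemployee", "0xtreasury", Decimal("1")),
]


def monitor(transfers, watched, allowlist, threshold, hop_window=2):
    """Return (tx_hash, reasons) alerts for transfers a SOC would care about.

    unexpected-recipient: a watched wallet sends to an address not on the allowlist
    large-outflow:        a watched wallet sends at least `threshold`
    onward-movement:      an address that just received a flagged outflow moves the
                          funds on within `hop_window` blocks (follow the money)
    Inflows to watched wallets are not alerted on.
    """
    alerts = []
    tainted = {}  # address -> block in which it received a flagged outflow
    # Replay in chain order; a real feed would also order by tx index within a block.
    for t in sorted(transfers, key=lambda x: (x.block, x.tx_hash)):
        if t.sender in watched:
            reasons = []
            if t.recipient not in allowlist:
                reasons.append("unexpected-recipient")
            if t.amount >= threshold:
                reasons.append("large-outflow")
            if reasons:
                alerts.append((t.tx_hash, tuple(reasons)))
                tainted[t.recipient] = t.block
        elif t.sender in tainted and t.block - tainted[t.sender] <= hop_window:
            alerts.append((t.tx_hash, ("onward-movement",)))
            tainted[t.recipient] = t.block  # keep following the funds
    return alerts
```

Running `monitor(SAMPLE_TRANSFERS, {"0xtreasury"}, {"0xvendor"}, 100)` flags the 400-unit transfer to an unknown address and the hop from that address onward, while the routine vendor payment and the inbound transfer stay quiet.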
Long road ahead
There is no magic bullet for information security, and blockchain is no exception. Decentralized systems also face similar risks to other computers. Blockchain is an inherently insecure network — but it does lay the groundwork for secure transactions at scale, and that capability is critical to continuing to scale internet services.
It is also worth noting that decentralized technology does not automatically produce decentralized power, and Web 3.0 has a long way to go. Security experts can help by promoting a fair power structure in Web 3.0 systems, placing security and privacy at the heart of the system.
As technology strategists Scott Smith and Lina Srivastava wrote in the Stanford Journal of Social Innovation: “If Web 3.0 offers an opportunity to solve the problems of Web 2.0, it requires a complete value system. This means that social good must be not only an integral part of social ideology, but also an integral part of the architecture of any new network or new technology.”
Despite the obvious potential of Web 3.0 and blockchain, these technologies have no inherent ability to underpin human rights or democracy. Information security practitioners can help them integrate positive values as an extension of their vision to protect Internet users. Once we get over our reluctance to work in the Web 3.0 world, I’m sure we can do it.
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/thinking-about-information-security-in-the-web-3-0-era-turning-to-code-engineering-and-architecture-to-focus-on-prevention/