Blockchain 101 - nasact · 2019-09-20

Post on 11-Jun-2020


BLOCKCHAIN 101

Dan Altobelli, CPA, CISA, CEH

Audit Manager

New Jersey Legislature

New Jersey Office of the State Auditor

1. How does it work?

2. What is so great about blockchain?

3. Blockchain and audit – Part I

4. Blockchain and audit – Part II

5. Blockchain Attack!

1. How does it work?

Blockchain is a shared, immutable ledger that facilitates the process of recording transactions and tracking assets in a business network.

Virtually anything of value can be tracked and traded on a blockchain network.

Bitcoin <> Blockchain

Meet Tommy the Transaction

[Figure: transaction hash values combined into a "Hash of Hashes"]

[Figure: blocks labeled "HASH OF BLOCK HEADER" and "PREVIOUS HEADER HASH"]
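The linkage the slides label "Hash of Hashes", "HASH OF BLOCK HEADER" and "PREVIOUS HEADER HASH" is what lets a reviewer detect an altered record by recomputing hashes. The following is an added example, not part of the original presentation; SHA-256, the field names, the all-zero starting value and the sample transactions are assumptions made for illustration.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # assumed placeholder: the first block has no predecessor

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def hash_of_hashes(transactions):
    # Hash each transaction, join the hashes, then hash the joined string.
    return sha256_hex("".join(sha256_hex(tx) for tx in transactions))

def header_hash(header):
    return sha256_hex(json.dumps(header, sort_keys=True))

def build_chain(batches):
    chain, prev = [], GENESIS_PREV
    for txs in batches:
        header = {"previous_header_hash": prev,
                  "hash_of_hashes": hash_of_hashes(txs)}
        chain.append({"header": header, "transactions": list(txs)})
        prev = header_hash(header)
    return chain

def tip_hash(chain):
    return header_hash(chain[-1]["header"])

def verify_chain(chain, trusted_tip=None):
    """Recompute every hash and return (block_index, problem) findings."""
    findings, prev = [], GENESIS_PREV
    for i, block in enumerate(chain):
        header = block["header"]
        if header["hash_of_hashes"] != hash_of_hashes(block["transactions"]):
            findings.append((i, "transactions do not match hash of hashes"))
        if header["previous_header_hash"] != prev:
            findings.append((i, "previous header hash does not match"))
        prev = header_hash(header)
    # A copy that was re-hashed end to end is self-consistent; it is exposed
    # only by comparing its tip with one taken from an independent node.
    if trusted_tip is not None and prev != trusted_tip:
        findings.append((len(chain) - 1, "tip hash differs from trusted copy"))
    return findings

# Constructed sample ledger (not from the slides).
BATCHES = [["A pays B 5", "B pays C 2"], ["C pays A 1"], ["B pays A 3"]]

if __name__ == "__main__":
    chain = build_chain(BATCHES)
    good_tip = tip_hash(chain)
    chain[1]["transactions"][0] = "C pays A 100"  # record altered after the fact
    print(verify_chain(chain, good_tip))
```

The trusted-tip comparison is the part that depends on the ledger being shared: a single copy can only prove that it is internally consistent.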

2. What is so great about blockchain?

The Pillars of Blockchain:

1. Decentralization

2. Transparency

3. Immutability

4. Anonymity

Three types of blockchains:

1. Public – no one is in charge

2. Private – one in-charge who looks after the blockchain

3. Consortium or Federated – more than one in-charge

| Public | Private | Consortium/Federated |
| --- | --- | --- |
| Anyone can run a full node. | In-charge determines who can run a node. | Only selected members of the consortium can run a full node and mine. |
| Anyone can make transactions. | In-charge determines who can make a transaction. | Only selected consortium members can make transactions. |
| Anyone can review or audit the blockchain. | In-charge determines who can review or audit the blockchain. | Only selected members of the consortium can review or audit the blockchain. |
| Permissionless; Secure; Transparent; Inefficient | Private; Power is consolidated; Private; Efficient | Permissioned; Semi-private; Efficient |

Blockchain – Where might you see it?

1. Any kind of commerce

2. The sharing economy

3. Media (ebooks, music, etc)

4. Banking

5. Governance

6. Healthcare

7. IoT

8. Identity Management

3. Blockchain and Audit – Part I

Blockchain’s impact on audit

1. Financial Audits

2. Continuous Monitoring

3. “Triple” Ledger Accounting

4. Fraud detection

5. IT General Controls

Blockchain’s impact on the audit profession

1. Audits of Smart Contracts

2. Service Auditor or Consortium Blockchains

3. Blockchain administrator

4. Blockchain and Audit – Part II

Auditing blockchain – Risks

1. Misconfigured access permissions

2. Poorly constructed rules

3. Insecure applications built on the tech

4. Personal information/right to be forgotten

5. Key management

Auditing blockchain – Audit Areas

1. Governance

2. Development

3. Security

4. Transactions

5. Consensus

Auditing blockchain – Governance

• Management Oversight

• Regulatory Risk

• Business Continuity

• Vendor Management

Auditing blockchain – Development

• Expertise

• Business Requirements and Design

• Testing

• Deployment

• Change Management

Auditing blockchain – Security

• Wallet Management (Keys)

• Secure Coding

• Access Permissions and Management

• Network Vulnerability

• Endpoint Security

Auditing blockchain – Transactions

• Transaction types

• Transaction Fees

Auditing blockchain – Consensus

• Consensus configuration

• Mining Infrastructure

Audit Programs

KPMG India – Auditing blockchain solutions

https://assets.kpmg/content/dam/kpmg/in/pdf/2018/10/Auditing_Blockchain_Solutions.pdf

ISACA Blockchain Preparation Audit Program (Free for members, $49 for others)

http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Blockchain-Preparation-Audit-Program.aspx?cid=pr_1236304&appeal=pr

5. Blockchain Attacks?!?!

Network Attacks

User Wallet Attacks

Smart Contract Attacks

Transaction Verification Mechanism Attacks

51% or Majority Attack

Network Attacks

User Wallet Attacks

Smart Contract Attacks

Transaction Verification Mechanism Attacks

Mining Pool Attacks

QUESTIONS?
