Cryptocurrencies are gaining traction in our digital world with the efficiencies of decentralization and promises of transaction security. Yet while the transactions may be easier and more difficult to fake, organizations dealing in cryptocurrency must still take security precautions.
Cutting out the central authority reduces processing fees and expedites fund transfer. Still, without a central repository, digital cryptocurrency balances are in danger of being completely decimated by a computer crash, a hack, and other unexpected events.
Organizations handling cryptocurrency (or “cryptos”) must ensure they are taking precautions to secure transactions and remain compliant with the CryptoCurrency Security Standard (CCSS). Let’s consider several key (pun intended) areas to consider when securing all information systems that store, accept, or transact with cryptocurrencies such as Bitcoin, Litecoin and Ethereum.
4 Key Cryptocurrency Security Measures
A cryptocurrency system requires secure creation of cryptographic keys and seeds. In examining your organization’s security measures in this area, pay close attention to confidentiality and unguessable numbers. Confidentiality ensures that newly created keys or seeds are not obtained by an unintended party. Using unguessable numbers protects against unintended actors impersonating the intended key/seed holder.
Maintaining cryptocurrency wallet/key usage integrity is also critical. Risks such as lost or stolen keys or unintentional disclosure of the wallet holder’s identity can be avoided with best practices such as:
- Generating unique addresses for every transaction
- Requiring a minimum of 2 signatures in order to spend funds from the wallet
- Using keys/seeds only in trusted environments
- Checking identification, references, and background of all key/seed-holders
- Assigning redundant keys to each wallet for recovery purposes
- Storing keys that have signing authority in different locations.
The organization needs to be control who has access to crypto information and can take action. Those who are key holders need to undergo rigorous training regarding roles and procedures. Along with proper onboarding, you should also have protocols in place to revoke privileges when staff leave the company. Employing “least privilege principles” — in which users are given the bare minimum of permissions needed to do their work and no more — to the crytocurrency information system can improve security.
Just as you’d carefully protect the key to a bank vault, an organization needs to maximize security of its cryptocurrency keys. They should be stored using means such as encryption, secret sharing, and physical locks where appropriate. Backup keys/seeds should also be kept securely stored (in paper, digital, or other form) protected against environmental risks.
No doubt the people who built and maintain your organizational information system are technically skilled, knowledgable, and experienced. But even the best heart doctor would go to another expert to get an objective diagnosis. Inviting an outside expert to identify risks and control deficiencies can help you avoid cryptocurrency system flaws that might be overlooked or underestimated by staff.
It’s also important to have a key compromise policy in place. Having a process in place dictating actions that must be taken in the event a cryptographic key/seed or its holder is compromised can reduce risk and decrease losses.
A data sanitization policy is necessary as well. With data persisting on digital media even after deletion, you need to ensure your staff understands the risks. Avoid information leakage from decommissioned devices like servers, hard disk drives, and removable storage, by providing trained employees with access to tools that perform secure deletion of data.
For compliance purposes, organizations dealing in cryptos must also establish regular proofs of reserve funds. Audit logs are also an extremely valuable tool to help understand how unexpected security incidents occurred and more quickly resolve inconsistencies to return the information system to a consistent state.
Bank on RedTeam’s Help with Cryptocurrency
- At Level 1 the information system protects wallets with strong levels of security.
- Level 2 reflects enhanced levels of security with formal, enforced policies and procedures.
- At Level 3 multiple actors are required for all-critical actions, data authenticity is verified with advanced authentication mechanisms, and assets are distributed geographically and organizationally.