Cryptocurrencies are gaining traction in our digital world with the efficiencies of decentralization and promises of transaction security. Yet while the transactions may be easier and more difficult to fake, organizations dealing in cryptocurrency must still take security precautions.
Cutting out the central authority reduces processing fees and expedites fund transfer. Still, without a central repository, digital cryptocurrency balances are in danger of being completely decimated by a computer crash, a hack, and other unexpected events.
Organizations handling cryptocurrency (or “cryptos”) must ensure they are taking precautions to secure transactions and remain compliant with the CryptoCurrency Security Standard (CCSS). Let’s consider several key (pun intended) areas to consider when securing all information systems that store, accept, or transact with cryptocurrencies such as Bitcoin, Litecoin, and Ethereum.
A cryptocurrency system requires secure creation of cryptographic keys and seeds. In examining your organization’s security measures in this area, pay close attention to confidentiality and unguessable numbers. Confidentiality ensures that newly created keys or seeds are not obtained by an unintended party. Using unguessable numbers protects against unintended actors impersonating the intended key/seed holder.
Maintaining cryptocurrency wallet/key usage integrity is also critical. Risks such as lost or stolen keys or unintentional disclosure of the wallet holder’s identity can be avoided with best practices such as:
The organization needs to control who has access to crypto information and can take action. Those who are keyholders need to undergo rigorous training regarding roles and procedures. Along with proper onboarding, you should also have protocols in place to revoke privileges when staff leaves the company. Employing “least privilege principles” — in which users are given the bare minimum of permissions needed to do their work and no more — to the cryptocurrency information system can improve security.
Just as you’d carefully protect the key to a bank vault, an organization needs to maximize security of its cryptocurrency keys. They should be stored using means such as encryption, secret sharing, and physical locks where appropriate. Backup keys/seeds should also be kept securely stored (in paper, digital, or other form) protected against environmental risks.
No doubt the people who built and maintain your organizational information system are technically skilled, knowledgable, and experienced. But even the best heart doctor would go to another expert to get an objective diagnosis. Inviting an outside expert to identify risks and control deficiencies can help you avoid cryptocurrency system flaws that might be overlooked or underestimated by staff.
It’s also important to have a key compromise policy in place. Having a process in place dictating actions that must be taken in the event a cryptographic key/seed or its holder is compromised can reduce risk and decrease losses.
A data sanitization policy is necessary as well. With data persisting on digital media even after deletion, you need to ensure your staff understands the risks. Avoid information leakage from decommissioned devices like servers, hard disk drives, and removable storage, by providing trained employees with access to tools that perform secure deletion of data.
For compliance purposes, organizations dealing in cryptos must also establish regular proofs of reserve funds. Audit logs are also an extremely valuable tool to help understand how unexpected security incidents occurred and more quickly resolve inconsistencies to return the information system to a consistent state.
Use RedTeam Security free Cryptocurrency Security Checklist to assess your CCSS compliance. CCSS has three security levels:
Developed directly from the CCSS guidelines and supported by RedTeam Security broad cryptocurrency security expertise, the checklists help organizations score 10 aspects of cryptocurrency security.
For a more customized CCCS consultation, book a one-on-one session with our team.