Identify exploitable vulnerabilities in networks, web applications, physical facilities, and human assets to better understand susceptibility to security threats and cyberattacks.
Assess people, processes, and procedures through simulated email phishing attacks, telephone vishing, and onsite attempts to breach physical safeguards.
Execute goal-based attacks that leverage advanced tools and techniques to test an organization's existing defenses, procedures, and responses to real-world cyberattacks.
Cryptocurrencies are gaining traction in our digital world with the efficiencies of decentralization and the promise of transaction security. Yet while transactions may be cheaper and harder to forge, organizations dealing in cryptocurrency must still take security precautions.
Cutting out the central authority reduces processing fees and speeds up fund transfers. But without a central authority that can reverse a transaction or reset a credential, funds are only as safe as the private keys that control them: a disk crash, a compromised host, or a misplaced backup can wipe out a balance permanently, with no one to appeal to.
Organizations handling cryptocurrency (or "cryptos") must take precautions to secure transactions and remain compliant with the CryptoCurrency Security Standard (CCSS). Below are several key (pun intended) areas to examine when securing any information system that stores, accepts, or transacts in cryptocurrencies such as Bitcoin, Litecoin, and Ethereum.
4 Key Cryptocurrency Security Measures
Key/Seed Generation
A cryptocurrency system depends on the secure creation of cryptographic keys and seeds. When examining your organization's controls in this area, focus on two properties: confidentiality and unpredictability. Confidentiality ensures that a newly created key or seed is never observed by an unintended party, whether on the generating host, in logs and backups, or in transit. Unpredictability means the key is drawn from a cryptographically secure random number generator with enough entropy (a secp256k1 private key, as used by Bitcoin and Ethereum, is 256 bits) so that no attacker can reproduce it and impersonate the intended key or seed holder.
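As an added illustration of the "unguessable numbers" requirement (this is not code from RedTeam Security or from the CCSS), the script below contrasts a private key generated from a timestamp-seeded general-purpose PRNG with one drawn from the operating system's CSPRNG, and shows how cheaply an attacker recovers the former. The function names, the one-hour search window and the "attacker knows roughly when the wallet was created" scenario are assumptions made for the example; the secp256k1 group order is the real constant.

```python
import random
import secrets
import time
from typing import Optional

# Group order of secp256k1 (Bitcoin, Ethereum): a private key k is valid iff 1 <= k < N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def is_valid_private_key(k: int) -> bool:
    return 1 <= k < SECP256K1_N


def weak_private_key(seed_time: int) -> int:
    """Anti-pattern (hypothetical): 256 bits from Python's Mersenne Twister seeded
    with a Unix timestamp. The key looks random but is fully determined by a seed
    with only ~2^31 plausible values, so "unguessable" does not hold."""
    rng = random.Random(seed_time)
    return rng.getrandbits(256)


def recover_weak_key(target_key: int, approx_time: int, window: int = 3600) -> Optional[int]:
    """Attacker's side: replay the generator for every second within +/- window
    of the estimated creation time (for instance the block timestamp of the
    wallet's first funding transaction). Returns the seed that reproduces the
    key, or None if it is not in the window."""
    for t in range(approx_time - window, approx_time + window + 1):
        if weak_private_key(t) == target_key:
            return t
    return None


def strong_private_key() -> int:
    """Draw 256 bits from the OS CSPRNG. Values outside [1, N) are rejected and
    redrawn rather than reduced modulo N, because reduction would bias the
    distribution toward small keys (the rejection almost never triggers)."""
    while True:
        k = int.from_bytes(secrets.token_bytes(32), "big")
        if is_valid_private_key(k):
            return k


if __name__ == "__main__":
    created = int(time.time())
    k_weak = weak_private_key(created)
    # The attacker's estimate of the creation time is two minutes off and still succeeds.
    print("weak key seed recovered:", recover_weak_key(k_weak, created + 120))
    k_strong = strong_private_key()
    print("strong key valid:", is_valid_private_key(k_strong))
    print("strong key seed recovered:", recover_weak_key(k_strong, created + 120))
```

The one-hour search is a few thousand PRNG replays and finishes in well under a second; widening it to a whole year is tens of millions of replays, minutes on a laptop. The CSPRNG path has no such shortcut, but it only delivers confidentiality if the generating host itself is trustworthy: generate on an offline machine, never print or log the value, and treat any key that was ever displayed on a networked screen as potentially exposed.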
Wallet/Key Usage
Maintaining the integrity of wallet and key usage is also critical. Risks such as lost or stolen keys, or unintentional disclosure of the wallet holder's identity, can be reduced with practices such as:
Checking the identification, references, and background of all key/seed holders
Assigning redundant keys to each wallet for recovery purposes
Storing keys that have signing authority in different locations
The organization needs to control who can access crypto information and who can take action on it. Key holders must undergo rigorous training on their roles and procedures. Along with proper onboarding, have a protocol in place to revoke privileges when staff leave the company. Applying the principle of least privilege, in which users are given only the permissions their work requires and no more, to the cryptocurrency information system improves security.
Key Storage
Just as you would carefully protect the key to a bank vault, an organization must maximize the security of its cryptocurrency keys. Store them using encryption, secret sharing, and physical locks where appropriate. Backup keys and seeds (on paper, digital media, or another form) should also be stored securely and protected against environmental risks such as fire and flood.
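To make the secret-sharing and "redundant keys in different locations" advice above concrete, here is an added example (not code from RedTeam Security or from the CCSS) of Shamir's secret sharing over a prime field: a 256-bit key is split into three shares of which any two reconstruct it, while a single share reveals nothing about the key. The function names, the 2-of-3 parameters and the field modulus (the Mersenne prime 2^521 - 1) are choices made for this illustration.

```python
import secrets
from typing import List, Tuple

# Field modulus: the Mersenne prime 2^521 - 1. Any 256-bit key fits in one element.
PRIME = 2**521 - 1

Share = Tuple[int, int]  # (x, f(x))


def split_secret(secret: int, threshold: int, num_shares: int) -> List[Share]:
    """Split `secret` into `num_shares` points on a random polynomial of degree
    threshold-1 whose constant term is the secret. Any `threshold` points
    determine the polynomial; fewer leave the constant term uniformly unknown."""
    if not 1 < threshold <= num_shares:
        raise ValueError("need 1 < threshold <= num_shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation
            acc = (acc * x + c) % PRIME
        return acc

    # x = 0 is never issued as a share: f(0) is the secret itself.
    return [(x, f(x)) for x in range(1, num_shares + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.
    With fewer than `threshold` shares this still returns a number, but it is
    an unrelated field element, not the secret: the caller enforces the threshold."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def hex_key_to_shares(key_hex: str, threshold: int, num_shares: int) -> List[str]:
    """Convenience wrapper: a 64-hex-char key in, one 'x:hex(y)' string per
    custodian or storage location out."""
    shares = split_secret(int(key_hex, 16), threshold, num_shares)
    return [f"{x}:{y:x}" for x, y in shares]


def shares_to_hex_key(share_strs: List[str]) -> str:
    parsed = [(int(x), int(y, 16)) for x, y in (s.split(":") for s in share_strs)]
    return f"{recover_secret(parsed):064x}"


if __name__ == "__main__":
    key = secrets.token_hex(32)  # constructed sample key for the demo
    s = hex_key_to_shares(key, threshold=2, num_shares=3)
    print("recovered from shares 1+3:", shares_to_hex_key([s[0], s[2]]) == key)
    print("single share equals key? ", shares_to_hex_key(s[:1]) == key)
```

Two cautions belong with this. Reconstruction necessarily assembles the whole key in one process's memory, so perform it only on the offline signing host during a documented ceremony, never on a networked machine; where the wallet supports it, a native multisignature or threshold-signature setup is preferable because the key is never assembled at all, which also maps directly onto the multiple-actor requirement of CCSS Level 3. And Python's big-integer arithmetic is not constant-time, which is acceptable for an occasional offline ceremony but not for a service that splits or reconstructs keys on demand.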
Ongoing Assessment
No doubt the people who built and maintain your organization's information system are technically skilled, knowledgeable, and experienced. But even the best heart doctor goes to another expert for an objective diagnosis. Inviting an outside expert to identify risks and control deficiencies helps you catch cryptocurrency system flaws that staff might overlook or underestimate.
Other Considerations
It is also important to have a key compromise policy in place. A documented process dictating the actions to take when a cryptographic key or seed, or its holder, is compromised reduces risk and limits losses.
A data sanitization policy is necessary as well. Because data persists on digital media after ordinary deletion, your staff must understand the risk. Avoid information leakage from decommissioned devices such as servers, hard disk drives, and removable storage by giving trained employees tools that perform secure deletion. Note that overwriting is unreliable on flash media (SSDs, USB sticks) because of wear levelling; for any device that has held a key or seed, prefer the device's built-in secure-erase or cryptographic-erase command, or physical destruction.
For compliance purposes, organizations dealing in cryptos must also establish regular proofs of reserve funds. Audit logs are also extremely valuable for understanding how a security incident occurred and for resolving inconsistencies so the information system can be returned to a consistent state.
Bank on RedTeam Security's Help with Cryptocurrency
Use RedTeam Security's free Cryptocurrency Security Checklist to assess your CCSS compliance. CCSS defines three security levels:
At Level 1 the information system protects wallets with strong levels of security.
Level 2 reflects enhanced levels of security with formal, enforced policies and procedures.
At Level 3 multiple actors are required for all critical actions, data authenticity is verified with advanced authentication mechanisms, and assets are distributed geographically and organizationally.
Developed directly from the CCSS guidelines and supported by RedTeam Security's broad cryptocurrency security expertise, the checklist helps organizations score 10 aspects of cryptocurrency security.
National TV news and media outlets often consult with us for our expertise as a boutique, high-touch ethical hacking firm highly trained in a narrow field of cybersecurity.
Get a Customized Proposal
Use our Scoping Questionnaire to provide us with the necessary information to put together a proposal for you. Please be as thorough as possible with your responses, as it helps us ensure an accurate and complete proposal.
If you have any questions, contact us at (952) 836-2770 or schedule a meeting. We will follow up promptly once we receive your responses. We look forward to speaking with you soon.
Dedicated Client Portal
Interact in real-time with your RedTeam security professionals on our user-friendly client portal and see firsthand as the team closes in on your company data.
Certified Security Experts
Our trusted security professionals hold certifications from the leading industry organizations, including OSCP, CASS, CPT, CISSP and more.
Research-Focused Approach
We hold industry-leading certifications and dedicate part of every day to research the latest exploit techniques to ensure our clients remain protected from evolving online attacks.
Free Remediation Testing
Once your team addresses remediation recommendations, RedTeam will schedule your retest at no additional charge.