CCSS is created collaboratively by a group of developers, researchers and security experts with the goal of giving users a safe and secure means of handling cryptocurrencies, including Bitcoin, Ethereum, Litecoin, and many others. It is not meant to be a standalone governing document; rather, it should be used in tandem with existing best practices for information security, like ISO 27001.
CCSS addresses 10 key aspects of cryptocurrency security, including hardware and software, personnel, policies and procedures, and more. These 10 areas are used as a scoring system, with the culminating total determining an organization’s overall level of security on a scale of one to three. Level I is the lowest level and offers strong security measures, while Level III is the highest and offers the most comprehensive measure of security.
Cryptocurrency Security Levels
Cryptocurrency security levels are assigned based on 10 security aspects:
- Key/Seed Generation
- Wallet Creation
- Key Storage
- Key Usage
- Key Compromise Policy
- Keyholder Grant/Revoke Policies and Procedures
- Third-Party Security Audits/Pentests
- Data Sanitization Policy
- Proof of Reserve
- Audit Logs
These security levels are assigned based on the lowest common rating among all categories. So, for example, if a Level I organization meets some, but not all Level II criteria, it will retain a Level I rating until all Level II criteria are met.
The security levels are described by the CCSS Steering Committee as follows:
Security Level I
An organization or system that has achieved Level 1 security protects its information assets with strong levels of security and has proven so by audit. Using industry-standard controls, most risks to the system’s information assets have been addressed. Although this is the lowest cryptocurrency security rating, it still represents a strong level of security.
Security Level 2
A Level II system uses additional enhanced controls to exceed strong levels of security. Level 2 organizations make use of decentralized security technologies like multiple signatures, which provide redundancy if any one key or person is compromised.
Security Level 3
An information system demonstrating Level III cryptocurrency security has implemented formal policies and procedures that are enforced at every step within their business processes to exceed enhanced levels of security. Multiple actors are required for all critical actions, data authenticity is protected by advanced authentication mechanisms, and assets are distributed geographically and organizationally in such a way to mitigate the chance of compromise to the highest degree possible.
Cryptocurrency Penetration Testing
Among the other requirements outlined above, all information systems wishing to achieve Level I CCSS compliance must make use of regular third-party security auditing and penetration testing.
Our Cryptocurrency penetration testing, including Bitcoin penetration testing, Ethereum penetration testing and more, assesses the security of cryptocurrency exchanges and platforms and identifies vulnerabilities that may pose a risk to the assets and security of users on those platforms. The goal is to uncover security flaws and risks so they can be mitigated before a bad actor is able to take advantage of them for improper or malicious purposes.
In general, cryptocurrency organizations should maintain a documented cybersecurity policy and conduct third-party penetration testing annually.
Cryptocurrency Physical Security Testing
While most cryptocurrency transactions take place virtually, bad actors are ever-determined, and the frequency of physical cryptocurrency attacks is on the rise. From brazen armed attacks to stealth, covert burglaries, malicious actors are increasingly taking their efforts offline to misappropriate Bitcoin and other high-value virtual currencies.
Physical cryptocurrency penetration testing can assess your readiness for such an attack. RedTeam Security can help you take your cryptocurrency penetration test from the digital realm to the real world, uncovering vulnerabilities not just within your networks and devices but in your facilities, access control mechanisms, and other physical assets.
Cryptocurrency Social Engineering
The highly technical world of cryptocurrency isn’t immune to classical social engineering techniques like phishing and spoofing. In fact, criminals are putting new and creative spins on traditional social engineering scenarios to attack from every angle, from ICOs (initial coin offerings) to fraudulent coin wallets and more.
Social engineering testing for cryptocurrency can uncover vulnerabilities of the human variety—places where individuals may put the integrity of the currency at risk.
Cryptocurrency Security Checklist
Assess your compliance with the CryptoCurrency Security Standard using our free downloadable checklist.