Crypto Exchange Security

This article is a practical summary of the five areas, common to all major security standards and frameworks, that a crypto exchange company must engage with in order to protect its platform.

  1. Understand Risks and Threats
  2. Business Process Controls
  3. Policies and Procedures
  4. Vendors and Third Parties
  5. Security Vulnerabilities and Operational Capabilities (Pen Test!)

According to a 2019 Kaspersky study of cryptocurrency holders, 19% of the global population has owned a cryptocurrency. If this number is accurate, roughly 1.46 billion people have worked out how to mine, buy, or exchange in order to access this new market. What this number says to me is that a lot of average citizens have started to participate in this ecosystem, meaning the market must mature not only in ease of use but in meeting the expectations of its users.

In 2020, crypto exchanges must put security, protection of users, and protection of funds at the forefront of their systems. There is no other way we can hope to onboard the other 81% of the world unless the security, technical capabilities, and operational capabilities of exchanges meet the expectations of the user base. The less sophisticated the user base becomes, the more it will rely on crypto exchanges as the single point of failure for its wealth, savings, and tokens. Unsophisticated users cannot be trusted to maintain their own cold wallet or hot wallet. In reality, most people can't even keep their mobile phone working; how can we trust them to manage complicated software or hardware to keep their own money safe? How can we allow their hard-earned wealth to be lost to an attack that moves their tokens outside of our/their control?

Globally, stock markets and stock brokerages are some of the most highly secured and highly regulated entities because they must be in order to protect the funds of the people who rely on them. They don’t do this because they want to; they do it because there are billions/trillions of dollars at risk. I believe that to most average crypto holders, an exchange is directly equivalent to their stock exchange, or their stockbroker – tokens have real value to them.  They have the same expectations of Crypto.com, Binance, Circle, Coinbase as they do of Goldman Sachs, Daiwa Securities, TD Waterhouse, Charles Schwab, Ameritrade, or any other global brokerage.

If users of the technology have expectations of how their money is to be protected, it’s time that all cryptocurrencies and crypto exchanges put in place the capabilities to deliver operational protections, insurance, and security controls.

This article is far too short to cover the vast amount of requirements that you could translate from standards from PCI, NIST, ISO, FDIC, FFIEC, FINRA, ASD, FCA or IOSCO, so I’d like to talk about five key areas that are most common to all of them and should be among the first things that you do to protect your crypto exchange platform.

Risks & Threats

The role of a CISO or head of security demands a full awareness of evolving threats and the ability to keep the organization ahead of the curve, balancing program agility with long-term information security strategies, while ensuring compliance with regulatory demands, especially in this world where the regulatory demands change by country or even by token type. Increased attention from users or investors means CISOs must also be able to demonstrate the organization’s maturity level around information security and risk posture at any time, providing data that shows the true security capabilities present.

One of the first steps in the process is to understand true risks and threats. Without exploring the legal risks, or compliance threats for being unlicensed or similar violations, let’s focus instead on cybersecurity, infrastructure, and operational risks.

Generally, the gold standard for understanding this area is to conduct a risk assessment and a tabletop exercise. A tabletop exercise is one in which you pick a scenario and then discuss with your team how you would discover and then react to it.

Understanding your gaps can help you build out your technical and process capabilities. There are a few good resources to help get your mind thinking.

  • Center for Internet Security (CIS) Examples
  • SANS Institute

In addition to the above examples, it is often necessary to hire an external consultant to conduct your tabletop exercise, primarily because of the time required or a lack of facilitation skill within the organization.

Kudelski Security has run a number of tabletop exercises for crypto exchanges, private banks, stock markets, and entire institutions. Our experience in this area may allow you to quickly uncover some major areas that you might have missed yourself.

Business Process Controls

Many of the more complicated attacks start with common threats such as phishing, collusion, and other attacks focused on humans or human processes. Generally speaking, there should be no human single point of failure within your business processes, but unless you document and test each of them, you may never know where your failure points are.

In 2019, attacks across all organizations increased, with the largest share attributable to human error, phishing, and password reuse.

Walkthroughs, or an external advisory engagement, should determine whether you need to improve your internal process controls, bring in technology consulting, use an external managed service, or build custom continuous auditing solutions. It's important to have a blueprint that you can follow to determine the focus or order of your investments. Without a business-aligned program, you may not be able to meet all evolving needs. Focusing review on only online attacks probably misses your #1 attack vector: your own employees.

Policies and Procedures

We know you had to get to market quickly to meet demand from your investors or customers, or simply to get there first. This likely resulted in code reuse, open source selection, and not taking the time to write down any or all of the policies and procedures against which you can measure your business and technical capabilities.

This is probably the thing technologists hate the most: taking the time to document what they have done. Some like to build repeatable processes, but most hate to write it down. I'm just going to say that you have to, but you should probably hire an external documentation writer, or bring in an outside consultant who can walk through your process with you and document it for you, working with your internal team. Face it, you'll probably not do it yourself.

Remember how I said above that most regulations require you to document your policies and procedures. No matter where you are in the world, or which jurisdiction you will be regulated by, I guarantee that you will have a requirement to write down and then test your policies and procedures.

As you think about what you need, likely based on principles from ISO 27002, you'll ultimately design and develop a cybersecurity program with both strategic and tactical elements, ideally with support from experienced advisors. Getting help to architect your security infrastructure, architect your policies, establish a risk management program, develop effective reporting, and implement your information security management system is all part of doing this right.

Vendors & Third Parties

We are only as strong as our weakest link, right? When we hire suppliers, connect to external systems, or bring data in or out of our network, we also open ourselves up to the risks present in those environments.

Generally, an assessment must be done on your third parties, especially if you transmit or receive private or customer information with them. This is often started by exchanging questionnaires with your third parties and hoping that they provide accurate answers. It's especially tough if you are the smaller entity in the agreement.

There are some general guidelines that you can follow when building out a third-party risk program, especially in the crypto space where most vendors have immature processes.

Security Vulnerabilities & Operational Capabilities

Within something like a crypto exchange, it is almost never the blockchain that gets compromised, and it is very unlikely that the cryptography is what gets broken. What is likely is a failure in your web site: logic flaws in forms, session handling errors at login or logout, insecure cookies, cross-site scripting, or gaps in operational flows that let attackers compromise the exchange. Testing your smart contract will not uncover any of these flaws, which is why it is important to review the more traditional things you can do to analyze the full attack surface of your system.

In 2019 there were seven major attacks (and lots of small ones) that resulted in $4.4 billion in losses. That's not a small amount, and you absolutely need to do whatever you can to ensure that you don't add to this statistic.

It is absolutely not enough anymore to simply run an open source script against your code or review your smart contract. What you need to realize is that your entire environment is in scope when it comes to risk and attacks, especially the technical components that connect to the internet and are directly accessible to automated botnet scanning and well-funded threat actors. It is important to do full penetration tests from the external and internal perspective, it is important to scan for and repair vulnerabilities, and it is important to monitor for operational and security alerts, which may be attacks.
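A representative "logic problem" in exchange money-flow that no smart-contract review will find is a time-of-check/time-of-use race in the withdrawal handler: several concurrent requests all pass the balance check before any of them debits the account. The block below is an added example, not code from the original article; the account model, the amounts, and the barrier used to make the race reproducible are constructed for illustration. It shows the vulnerable handler next to the hardened one and a test harness of the kind a pentester would run against a staging API.

```python
"""TOCTOU race in a withdrawal handler, and the fix.

Added example, not code from the original article. RacyAccount/SafeAccount,
the balances and the barrier are constructed so the race is deterministic.
"""
import threading


class RacyAccount:
    """Vulnerable: the balance check happens outside the lock. The debit itself
    is atomic, which is exactly why this bug survives casual review."""

    def __init__(self, balance, sync=None):
        self.balance = balance
        self._lock = threading.Lock()
        self._sync = sync  # barrier used only to force every request past the check

    def withdraw(self, amount):
        if self.balance >= amount:      # time of check, unlocked
            if self._sync:
                self._sync.wait()       # all concurrent requests pass the check first
            with self._lock:            # time of use: atomic, but too late
                self.balance -= amount
            return True
        return False


class SafeAccount:
    """Hardened: check and debit are one critical section. In a real backend this
    is a single conditional UPDATE ... WHERE balance >= :amount, or a row lock."""

    def __init__(self, balance, sync=None):
        self.balance = balance
        self._lock = threading.Lock()
        self._sync = sync

    def withdraw(self, amount):
        if self._sync:
            self._sync.wait()           # start all requests at the same instant
        with self._lock:
            if self.balance < amount:
                return False
            self.balance -= amount
            return True


def hammer(account, amount, workers):
    """Fire `workers` concurrent withdrawals; return (successful withdrawals, final balance)."""
    results = []

    def worker():
        results.append(account.withdraw(amount))

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), account.balance


def demo(workers=5, balance=100, amount=100):
    """Return ((racy successes, racy balance), (safe successes, safe balance))."""
    racy = RacyAccount(balance, sync=threading.Barrier(workers))
    safe = SafeAccount(balance, sync=threading.Barrier(workers))
    return hammer(racy, amount, workers), hammer(safe, amount, workers)


if __name__ == "__main__":
    (racy_ok, racy_bal), (safe_ok, safe_bal) = demo()
    print(f"vulnerable: {racy_ok} withdrawals succeeded, balance {racy_bal}")
    print(f"hardened:   {safe_ok} withdrawal succeeded,  balance {safe_bal}")
```

Against a live system the barrier is replaced by firing the requests in parallel and repeating; the finding is the same whenever the check and the debit are separate database statements without a lock or a conditional update.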

Unless you have spent significantly on security staff who have traditional cybersecurity expertise, including systems security, pentesting, and software development, you should probably bring in a third-party which can build-out and execute against your testing and operational needs.

From Kudelski Security's viewpoint, testing a crypto exchange is very similar to testing money flow, with heightened secrecy, for a private bank. The main categories we focus on when we test a crypto exchange include the following areas:

  • User validation, private documents, user forms, KYC
  • Data testing, including inflow/outflow of any information taken from or presented to the user
  • Money flow: purchase, sale, crypto trade
  • Authentication, authorization, enrollment, deletion
  • Software security testing, API testing
  • Architectural review

When you choose the vendor to work with on this sort of assessment, you want to bring in experts in all of these areas, not just someone who is good at cryptocurrency. The vast majority of the vulnerabilities have nothing to do with cryptocurrency. Pen testers with years of experience in manual validation on top of automated tools, hardware assessment skills where there are cold wallets, and related expertise are all things you should look for in your chosen company.

If you are a believer in the future of cryptocurrency, digital tokens, digital twins, security tokens and the new business models these enable, then you need a secure environment in which to buy, sell, trade and hold these tokens. Why wouldn't you require a level of security for this environment equivalent to that of a first-world banking environment? You should work with a security company that has experience in this environment; your customers trust you to do the right thing.

Blockchain Does Not Remove Cybersecurity Risks

The Binance hack shows us once again that simply moving the world to blockchain will not remove the risks associated with two major areas: users and basic best-practice hygiene. It's frustrating to me as a 20-year practitioner that we continue to make the same mistakes as 20 years ago, just in a different programming language.

Risk Area 1: End Users

First, a system is only as strong as its users. No matter how good the system is, any loss of information, compromise, virus, misunderstanding, or exploit of an end user or their 'key' to your system WILL result in a compromise of their account. Sometimes a backend system will catch an unexpected transaction, but often 'insurance' just pays the user back, because most financial institutions still will not accuse their users of being careless or help make the end user's computer more secure; it's better PR to just make them whole. Good on Binance: they made the users whole. From a prevention standpoint, though, until there are more measures aimed directly at proving the intent and identity of the user, backed by backend detection, AI, behavior analysis, signal detection and instrumentation, incidents will continue to happen within #blockchain infrastructures just as in any traditional system.
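What "backend detection, behavior, signal detection" looks like for an exchange is a risk score on every withdrawal built from signals the user's own history provides: a new device, a never-before-seen destination address, an amount far above the user's norm, and velocity. The following is an added example, not code from the original post; the signals, weights, thresholds and the constructed history for user `u1` are assumptions, and a production system would tune them on real data.

```python
"""Withdrawal risk scoring: step up authentication or hold on anomalous signals.

Added example, not part of the original post. Signals, weights, thresholds and
the HISTORY records are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Withdrawal:
    user: str
    amount: float      # in the withdrawn asset
    address: str       # destination address
    device_id: str     # fingerprint / registered device
    ts: float          # unix seconds


# constructed history: one user, small withdrawals, one device, one address
HISTORY = [
    Withdrawal("u1", 0.05, "bc1-known", "dev-A", 1_000),
    Withdrawal("u1", 0.10, "bc1-known", "dev-A", 90_000),
    Withdrawal("u1", 0.08, "bc1-known", "dev-A", 180_000),
]


def score(w, history, window=3600):
    """Return (score, reasons). Each signal alone is weak; the combination of a
    new device, a new destination and an unusual amount is what a hijacked
    session looks like, so the weights are chosen so that combination holds."""
    prior = [h for h in history if h.user == w.user]
    if not prior:
        return 30, ["first withdrawal"]          # no baseline: always step up
    s, reasons = 0, []
    if w.device_id not in {h.device_id for h in prior}:
        s += 30
        reasons.append("new device")
    if w.address not in {h.address for h in prior}:
        s += 25
        reasons.append("new destination address")
    typical = median(h.amount for h in prior)
    if w.amount > 5 * typical:
        s += 30
        reasons.append(f"amount {w.amount} exceeds 5x typical {typical}")
    recent = [h for h in prior if 0 <= w.ts - h.ts < window]
    if len(recent) >= 2:
        s += 15
        reasons.append("high velocity")
    return s, reasons


def decide(w, history):
    """Map the score to an action: allow, step_up_auth (re-prove the user's
    identity and intent out of band) or hold_for_review."""
    s, reasons = score(w, history)
    if s >= 60:
        return "hold_for_review", reasons
    if s >= 30:
        return "step_up_auth", reasons
    return "allow", reasons


if __name__ == "__main__":
    probe = Withdrawal("u1", 2.0, "bc1-attacker", "dev-Z", 200_000)
    print(decide(probe, HISTORY))
```

The hold decision is the point where the "insurance pays" outcome described above is avoided: the funds never leave, and the user is asked to confirm through a channel the attacker does not control.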

Risk Area 2: Lack of Basic Hygiene

Second, companies have to stop skipping basic cybersecurity hygiene! I'm very happy to read that Binance had back-end systems that noticed something, but I'm guessing that they do not have a fully functional managed security provider, SIEM, behavior tool, systems instrumentation, etc. I have not talked to Binance specifically, but I have tried reaching out to exchanges to ask about their cybersecurity abilities, and without fail get "We take care of all of that internally." Unless these exchanges have all built a fully operational staff of cyber experts (haha), these breaches will continue to happen. Please do not believe that your expert developers understand cybersecurity like the actual cyber experts. 90% of a blockchain system carries the same application risks as a traditional data center system. Don't forget what we have learned from NIST, PCI, HIPAA, etc.

If you run a crypto project or an exchange, I would love the opportunity to have my team run a short cybersecurity assessment on your environment and start to make some headway in improving architecture, monitoring, or response so that we can get your detection and response time to near zero.

Welcome to the Year of Trust Delivery with the Enterprise DLT

Ledgers of transactions have existed for millennia, mostly validated by some centralized authority that vouches for their accuracy. Although centralized authorities have done an excellent job, there are times when it might not be in your best interest to trust any centralized authority to validate the authenticity or accuracy of information or to prove transactional validity. In those cases, Distributed Ledger Technology (DLT) can come to the rescue. For a DLT to work, many participants must agree to take part in proving that the information or transactions are accurate. Each participant is given a copy of the data, and they all execute specialized programs that check the integrity and availability of the information. When enough participants agree, the transaction is confirmed, thus affirming TRUTH without relying on a single third party.

If you are an enterprise level officer reading this article, you are likely to be called upon to increase the trust level or PROVE to your customers, clients, patients, or constituents that you can still be trusted. In 2019, building solutions based on an enterprise DLT are likely to be part of your technology solution to this business ask.

I’m hoping terms like Bitcoin, Ethereum, and Blockchain aren’t crossing your eyes for the first time. These, the technology that backs them, and conversations surrounding them have been the talk of major news publications and the internet-at-large for a year or more now, driven primarily by the price fluctuations of the crypto-currency value. What you may not have realized, is that the technology foundation underneath cryptocurrencies is DLT.

As you probably saw on the news or experienced first-hand, the value of the cryptocurrencies plummeted in the last half of 2018 and many startups in the ecosystem have declared the equivalent of bankruptcy. To some, this is a sign that the world is just not ready AT ALL for digital currency or shows that it was not ready for new types of funding models, as seen with the ICO craze. To others, like me, this is a time to review the ecosystem of products that were (or were not) developed for these cryptocurrencies, see which technologies stuck, and then see which solutions are bordering on becoming enterprise ready so that we can realize the benefits.

As I look into what is coming in 2019, I see that we are ready as an industry to drop the word “blockchain” for enterprise-level conversations and instead focus on DLT.

Although most enterprises do not need a monetary cryptocurrency, some may want a utility token with which to exchange value between corporate entities or reward employees for good deeds (PayPal Employee Reward Token), but often enterprises just want to prove the truth instead of exchanging value. Enterprises will likely focus on building trust with this technology because there is a large trust gap in the world today.

The area of focus I see in 2019 is Trust Delivery.

Trust is delivered with DLT because you can ensure the data has not been modified. In many cases, you can ensure that the integrity is present, that privacy is preserved, and that the centralized entity has not taken steps to leak the data, access the data, or modify the data to suit their own needs. I believe people in the world want to see transparent proof that enterprises are moving to the next level to protect them. In fact, consumers are likely to move toward a model where they start with distrust and enterprises must build that trust back up. There have been far too many data breaches for consumers to believe otherwise.

In 2019, enterprises will likely focus on a number of use cases, all of which will need services, tools, and foundational infrastructures to deliver them appropriately:

  • Proof that data is private, and that privacy is preserved as data is transferred
  • Proof that data has been written as intended, preserves its integrity, and can only be updated and accessed by the intended owner
  • Proof that no third party has accessed the data
  • Proof that entities have monitored all of the above
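The integrity proof behind all four bullets starts with a hash chain: each entry commits to the hash of the entry before it, so changing any record breaks every link after it. The block below is an added example, not code from the original article; the ledger structure, the payload format and the sample transactions are constructed. It also shows the caveat that makes the distributed part of DLT necessary: a party holding the entire chain can simply rewrite it, so verification is only meaningful against a head hash held by someone else (the other participants, in the model described above).

```python
"""Hash-chained ledger with tamper detection.

Added example, not code from the original article. The entry format, GENESIS
value and sample payloads are constructed for illustration.
"""
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel for "no previous entry"


def entry_hash(prev_hash, index, payload):
    """Canonical JSON (sorted keys, no whitespace) so every participant hashes
    the same bytes for the same logical entry."""
    data = json.dumps({"i": index, "prev": prev_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class Ledger:
    def __init__(self):
        self.entries = []  # each: {"i", "prev", "payload", "hash"}

    def append(self, payload):
        prev = self.head()
        i = len(self.entries)
        h = entry_hash(prev, i, payload)
        self.entries.append({"i": i, "prev": prev, "payload": payload, "hash": h})
        return h

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, trusted_head=None):
        """Return None if the chain is intact, else the index of the first bad
        entry. With a trusted_head (a hash held by another participant), a
        consistent-looking but rewritten or truncated chain is also detected
        and reported as len(entries)."""
        prev = GENESIS
        for idx, e in enumerate(self.entries):
            if e["i"] != idx or e["prev"] != prev \
                    or e["hash"] != entry_hash(prev, idx, e["payload"]):
                return idx
            prev = e["hash"]
        if trusted_head is not None and prev != trusted_head:
            return len(self.entries)
        return None

    def recompute_from(self, index):
        """What an attacker with full control of the copy does after editing
        entry `index`: re-link everything after it so verify() alone passes."""
        for j in range(index, len(self.entries)):
            prev = self.entries[j - 1]["hash"] if j > 0 else GENESIS
            self.entries[j]["prev"] = prev
            self.entries[j]["i"] = j
            self.entries[j]["hash"] = entry_hash(prev, j, self.entries[j]["payload"])


if __name__ == "__main__":
    ledger = Ledger()
    for tx in ({"from": "a", "to": "b", "amt": 1},
               {"from": "b", "to": "c", "amt": 2},
               {"from": "c", "to": "a", "amt": 3}):
        ledger.append(tx)
    published_head = ledger.head()         # head hash shared with other participants
    ledger.entries[1]["payload"]["amt"] = 200
    print("first broken entry:", ledger.verify())            # 1
    ledger.recompute_from(1)
    print("local check after rewrite:", ledger.verify())     # None: rewrite is self-consistent
    print("check against published head:", ledger.verify(published_head))  # 3
```

The last two lines are the whole argument for distributing the ledger: the hash chain gives integrity relative to a head hash, and it is the other participants holding that head that turns it into proof.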

All of the above need tools, infrastructures, blueprints, and expertise. Enterprises are looking to be fast or slow followers in the area of DLT, which means many of them are lacking the internal skill to deliver a quick technology solution when asked by their management. I don’t want to focus on the skills gap in the world of DLT or encryption, but I instead want to just point-out that expertise will need to be externalized in this space. This is one of the few areas which I would personally recommend going outside of your company to initially or permanently build your expertise.

If I were to give three pieces of advice to start 2019, it’s this:

  1. Never invent your own cryptography: One of the top sins of information security is to invent your own cryptography – which in the world of DLT is the number one rule. Enterprises should bring in trusted builders, libraries, and methods to ensure that the foundation of their trust infrastructure is sound.
  2. Always get a second opinion if you are delivering a trust solution: There is a reason standards and regulations like PCI DSS, NIST and HIPAA (and guidance from bodies like SANS) require third-party audits. They are required because no matter how good YOUR experts are, humans are fallible, and you'll always want to bring in one or many external parties to ensure your code is reviewed, tested, audited, pen tested, attacked, monitored, etc. Your level of diligence should match the importance of your application and the data within. Plus, your customers will appreciate it.
  3. Do not forget the basics: DLT (Blockchain) is simply application code and really strong math. This means that you need all of the common enterprise architecture components WITH IT to deliver a comprehensive solution. Do not forget things like the SANS TOP 20 when you look to build an architecture. People do not first attack the difficult cryptography – they first attack the common easy vectors like password reuse, unpatched infrastructure, or administrative interfaces that you accidentally left exposed to the internet. Please don’t let your DLT solution be compromised because you forgot one of the basics.

As we move quickly into the world of trust in 2019 and your organization looks to speed ahead or just dip its toes into the world of "Enterprise DLT" (aka Blockchain), keep in mind that not only do you have to use trusted and proven math, apply your historic security practices and audit your built product, but you also need a solid business case to enhance or improve something useful within your company.

To me, in 2019, the number one blockchain business case is Trust building.