A Basic Guide to Crypto Exchange Security
This article is a practical summary of the top five areas, common to all major security standards and frameworks, which crypto exchange companies need to engage with, to protect their platform.
- Understand Risks and Threats
- Business Process Controls
- Policies and Procedures
- Vendors and Third Parties
- Security Vulnerabilities and Operational Capabilities (Pen Test!)
June 2022 began with bad news for the cryptocurrency holders. Paradoxically, in this bear market, the drop in value has made it an interesting investment proposal to a lot of people. The widely accepted view among analysts is cautious optimism that crypto will prove its enduring appeal and financial resilience. Whether the number of global crypto owners will reach the 1 billion mark by the end of 2022, per the Crypto.com Crypto Market Sizing Report, January 2022, remains yet to be seen. Uptake may slow down from the 178% rise in 2021, but growth will persist in the number of investors still attracted to crypto. Even though the quantity of daily transactions have dropped, the numbers of people who find out how to mine, buy, or exchange in order to access this market will still be impressive and the market will still evolve not only in terms of ease of use but in meeting the expectations of users.
In 2020, crypto exchanges must put security, protection of users, and protection of funds at the forefront of their systems – even as revenue has dropped. There’s no other way that we can even hope to onboard the other 81% of the world unless the security, technical capabilities, and operational capabilities of exchanges can meet the expectations of the user base.
The less sophisticated the user base gets, the less sophisticated the tools get, and the more they will rely on crypto exchanges as their single point of failure for their wealth, their savings, their tokens. Unsophisticated users cannot be trusted to maintain their own cold wallet or hot wallet. “Your keys your crypto” is a worrying proposition to many non-technical folks.
Most people can’t even keep their mobile phone working; how can we trust them to manage complicated software or hardware to keep their own money safe? How can we allow their hard-earned wealth to be lost due to an attack which moves their tokens outside of our/their control?
Globally, stock markets and stock brokerages are some of the most highly secured and highly regulated entities because they must be to protect the funds of the people who rely on them. They don’t do this because they want to. They do it because there are billions/trillions of dollars at risk.
I believe that to most average crypto holders, an exchange is directly equivalent to their stock exchange or their stockbroker – tokens have real value to them. They have the same expectations of Crypto.com, Binance, FTX, Coinbase as they do of Goldman Sachs, Daiwa Securities, TD Waterhouse, Charles Schwab, Ameritrade, or any other global brokerage.
If users of the technology have expectations of how their money is to be protected, it’s time that all cryptocurrencies and crypto exchanges put in place the capabilities to deliver operational protections, insurance, and security controls.
This article is far too short to cover the vast number of requirements that you could translate from standards like these:
So instead, I’d like to talk about five key areas that are most common to all of them and should be among the first things that you do to protect your crypto exchange platform.
Risks & Threats
The role of a CISO or head of security demands a full awareness of evolving threats and the ability to keep the organization ahead of the curve. They need to balance program agility with long-term information security strategies, while ensuring compliance with regulatory demands, especially in this world where the regulatory demands change by country or even by token type.
Increased attention from users or investors means CISOs must also be able to demonstrate the organization’s maturity level around information security and risk posture at any time, providing data that shows the true security capabilities present.
One of the first steps in the process is to understand true risks and threats. Without exploring the legal risks or compliance threats for being unlicensed or similar violations, let’s focus instead on cybersecurity, infrastructure, and operational risks.
Generally, the gold standard for understanding this area is to conduct a risk assessment and a tabletop exercise. A tabletop exercise is one in which you pick a scenario and then discuss (or act out) with your team how you would discover and then react to such a scenario. Who actually puts hands on the keyboard when a breach is suspected is a very important conversation to have.
Understanding your gaps can help you build out your technical and process capabilities. There are a few good resources to help get your mind thinking.
In addition to the above examples, it is often necessary to hire an external consultant to conduct your tabletop exercise, primarily because the organization lacks the time or the skills to run it internally. Often, your internal team makes assumptions that may not hold true in a time of crisis.
Kudelski Security has run a number of tabletop exercises on crypto exchanges, private banks, stock markets, and entire institutions. Our experience in this area may allow you to quickly uncover some major areas in which you might have missed yourself.
Business Process Controls
Many of the more complicated attacks start with common threats such as phishing, collusion, and other attacks focused on human or human processes. Generally speaking, there should be no human single points of failure within your business processes or high-value token transfers. Unless you document and test each of them, you may never know where your failure points are.
In 2019, attacks across all organizations increased, with the largest share attributable to human error, phishing attacks, and password reuse.
Walkthroughs or using external advisory services should determine if you need to improve your internal process controls, bring in technology consulting, use an external managed service, or build custom continuous auditing solutions.
It’s important to have a blueprint that you can follow to determine the focus or order of your investments. Without a business-aligned program, you may not be able to meet all evolving needs. Focusing review on only online attacks is probably missing your #1 attack vector: your own employees.
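One way to make the “no human single point of failure” rule concrete for high-value token transfers is a dual-control gate: above a threshold, two distinct approvers are required, the requester can never approve their own transfer, and every decision is written to an audit trail. This is an added illustration, not Kudelski Security’s code; the threshold, approver count, roster names and amounts are constructed assumptions.

```python
"""Dual-control gate for high-value token withdrawals.

Added illustration of the 'no human single point of failure' rule; this is
not Kudelski Security's code. The threshold, approver count, role names and
sample amounts are constructed assumptions.
"""
from dataclasses import dataclass, field
from decimal import Decimal

HIGH_VALUE = Decimal("50")   # assumed threshold above which dual control applies
REQUIRED_APPROVALS = 2       # assumed number of distinct approvers above the threshold


@dataclass
class Withdrawal:
    requested_by: str
    amount: Decimal
    approvals: set = field(default_factory=set)


def new_withdrawal(requested_by: str, amount) -> Withdrawal:
    """Build a request; str() avoids binary-float rounding when building the Decimal."""
    return Withdrawal(requested_by, Decimal(str(amount)))


@dataclass
class Policy:
    approvers: set                              # staff authorised to approve (assumed roster)
    audit: list = field(default_factory=list)   # the evidence trail auditors ask for

    def approve(self, w: Withdrawal, approver: str) -> bool:
        """Record an approval; refuse anyone who would make one person sufficient."""
        if approver not in self.approvers:
            self.audit.append(f"DENY {approver}: not on approver roster")
            return False
        if approver == w.requested_by:
            self.audit.append(f"DENY {approver}: requester cannot self-approve")
            return False
        w.approvals.add(approver)               # a set, so repeat clicks do not count twice
        self.audit.append(f"APPROVE {approver}: {w.amount} for {w.requested_by}")
        return True

    def can_release(self, w: Withdrawal) -> bool:
        """Small transfers need one approver; high-value ones need two distinct approvers."""
        valid = {a for a in w.approvals if a in self.approvers and a != w.requested_by}
        needed = REQUIRED_APPROVALS if w.amount >= HIGH_VALUE else 1
        return len(valid) >= needed
```

Walking the policy through a scripted scenario (self-approval, duplicate approval, an approver not on the roster) is exactly the kind of test the section asks you to document and run for each business process.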
Policies and Procedures
We know you needed to get to market quickly to meet demand from your investors or customers, or as a competitive edge. This likely resulted in code reuse, open-source selection, and not taking the time to document any or all of the policies and procedures against which you can measure your business and technical capabilities. You may have created the minimum viable documentation to pass regulatory scrutiny, but I bet it is far from fully comprehensive.
This is probably the thing that technologists hate the most. Some like to build repeatable processes, but most hate to write it down. I’m not going to say that you must, but you should probably just hire an external documentation writer or bring in an outside consultant that can walk through your process with you and take the time to document it for you. Face it, you probably won’t do it yourself.
Remember how I said above that most regulations require you to document your policies and procedures? No matter where you are in the world, or which jurisdiction you will be regulated by, I guarantee that you will have a requirement to write down and then test your policies and procedures. “Show Evidence” is often the tag line used by auditors.
As you think about what you need, likely based on principles from ISO 27002, you’ll ultimately design and develop a cybersecurity program with both strategic and tactical elements, hopefully with support from our experienced advisors. These advisors can help you do this right by helping with projects like:
- architecting your security infrastructure
- architecting your policies
- establishing a risk management program
- developing effective reporting
- implementing your information security management system
Vendors & Third Parties
We are only as strong as our weakest link, right? When we hire suppliers, connect to external systems, or bring data in or out of our network, we also open ourselves up to the risks present in those environments.
Generally, an assessment must be done on your third parties, especially if you transmit or receive private or customer information with them. This is often started by exchanging questionnaires with your third parties and hoping that they provide accurate answers. It’s especially tough if you are the smaller entity in the agreement. In the crypto world, these third parties are often small startups who have solved the problem “first” – such as automated user KYC, or chain analytics.
There are some general guidelines that you can follow when building out a third-party risk program, especially in the crypto space where most vendors have immature processes.
Security Vulnerabilities & Operational Capabilities
Within something like a crypto exchange, it is almost never the blockchain that gets compromised. In fact, it is very unlikely that cryptography is what will be compromised. What is likely is that your website could have a failure that results in attackers compromising the exchange – failures such as:
- logic problems in the forms
- user errors in logging in or out
- problems with cookies, tokens, or session-keys
- authentication problems with passwords or multi-factor authentication
- operational flow misses which allow attackers to compromise the exchange through administrative settings and “overrides”
Testing your smart contract will not uncover any of these flaws, which is why it is important to review the more traditional things that you can do to analyze your full system’s attack surface.
In 2019 there have been seven major attacks (and lots of small ones) that have resulted in 4.4 billion in losses. That’s not a small amount, and you absolutely need to do whatever you can to ensure that you don’t add to this statistic.
It is absolutely not enough anymore to simply run an open-source script against your code or review your smart contract. What you need to realize is that your entire environment is in scope when it comes to risk and attacks – especially the technical bits that connect to the internet, which are directly accessible to automated botnet attacks and well-funded threat actors.
It is important to do full penetration tests from the external and internal perspective. It is important to scan and repair vulnerabilities. And it is important to monitor for operational and security alerts, which may be attacks.
Unless you have spent significantly on security staff who have traditional cybersecurity expertise, like systems security, penetration testing, and software development, you should probably bring in a third-party which can build-out and execute against your testing and operational needs.
From Kudelski Security’s viewpoint, testing a crypto exchange is very similar to testing money flow, with heightened secrecy, for a private bank. The main categories that we focus on when we test a crypto exchange include:
- Onboarding: User-validation, private documents, user-forms, KYC
- Data: Data inflow/outflow of any information taken or presented to the user
- Financial: Money-flow, purchase, sale, crypto-trade
- Credentials: Authentication, authorization, enrollment, deletion
- Software security testing, API testing
- Architectural review
- Tokens: Wallets, Custody, MPC
When you determine the type of vendor to work with on this sort of assessment, you want to bring in experts in all of these areas, not just someone who is good at cryptocurrency. The vast majority of the vulnerabilities have nothing to do with cryptocurrency. Look for a company whose pen testers have years of experience validating findings by hand in addition to running automated tools, who can assess hardware where cold wallets are in use, and who bring additional skills beyond cryptocurrency.
Get in Touch
If you are a believer in the future of cryptocurrency, digital tokens, digital twins, security tokens, and the new business models which these enable, then you need a secure environment in which to buy, sell, trade, and hold on to these tokens.
Why wouldn’t you require a level of security of this environment equivalent to that of a first-world banking environment? You should work with a security company that has experience in this environment; your customers trust you to do the right thing. If you’re interested in consulting with our team, get in touch here.