5 Cryptocurrency Security Measures Businesses Should Utilise

27 April 2022


In recent years, cryptocurrencies, also known colloquially as crypto, have gained much traction not just among investors and traders, but across a range of businesses from online gaming to social platforms. This trend is mostly due to the primary advantages of such virtual, cryptography-secured mediums of exchange. Through the use of blockchain technology and the decentralisation of issuing new units and recording exchanges, cryptocurrency transactions are highly efficient and mostly secure. For organisations, using crypto for operational, transactional, and investment purposes is also attractive, as it may grant them access to new demographic audiences as well as new capital and liquidity pools.

However, the beneficial elements of cryptocurrency can be a double-edged sword. For example, while the decentralised blockchain system expedites fund transfers and significantly reduces processing fees, it does not monitor or evaluate transactions as a centralised authority would. This may weaken the security of the blockchain and put crypto balances of organisations and individuals at risk.

Ultimately, cryptocurrency technology is still relatively in its infancy, and cybercriminals will always be hard at work devising new attack vectors and identifying weaknesses within the blockchain. Hence, regardless of how difficult it is currently claimed to be to compromise a cryptocurrency system through forged transactions and similar means, safe crypto storage and transfer should still be top cybersecurity priorities for any organisation dealing with such digital assets. Companies must also practise vigilance in monitoring crypto developments and ensuring their security precautions keep pace with them.

It would be best for companies involved with cryptocurrency to comply with the CryptoCurrency Security Standard (CCSS). The CCSS is an open set of requirements created to reinforce approved information security practices and to accompany pre-existing standards (e.g., ISO 27001, PCI DSS, etc.) in defending crypto information against unauthorised data access, loss of confidential data, and data breaches. So, if you are considering entering your business into the crypto scene, or are already in it, we have outlined below the 5 critical cybersecurity areas of crypto management that you should know.

1. Secure usage of cryptocurrency wallets and keys

Cryptocurrency private keys are alphanumeric secrets that are used to access any crypto funds associated with them, sign transactions, and prove ownership of a blockchain address. They are stored together with public keys, which are used to receive deposits, in a crypto wallet. Certainly, it is vital to ensure that one’s crypto wallet and private key do not fall into the wrong hands. To lessen the consequences of losing one’s wallet, reduce the risk of losing the keys, and avoid accidentally disclosing the identity of the wallet holder, these are some of the best practices to follow:

● Creating a unique address for each transaction, which ensures third parties cannot simply view all the other transactions linked to your account through a blockchain explorer in an attempt to determine your identity.

● Enforcing multi-signature arrangements to withdraw funds from the wallet, meaning that transactions must be validated by two or more authorised parties. This ensures that a single keyholder cannot unilaterally manipulate crypto transfers.

● Limiting the use of keys and seeds (the backup secrets that restore a user’s balance if their crypto wallet is lost or damaged) to secure environments only.

● Verifying the trustworthiness of all key and seed holders by reviewing their identity, references, and backgrounds.

● Spreading out the storage of valuable cryptocurrencies (e.g., BTC, Ethereum-based tokens, and altcoins) across multiple wallets, so that a single compromised or inaccessible wallet does not cost you access to all of your coins, as would be the case if everything were stored in just one wallet.

In addition, organisations should ideally always maintain visibility of which personnel can access their crypto information – these keyholders must be thoroughly informed of their responsibilities and the processes they need to follow. The top management of your organisation should also formally revoke wallet-access privileges for former staff. One of the best security practices is for organisations to grant employees the absolute bare minimum of permissions they need to use the crypto information system for their work.

2. Well-defended key and seed generation

All cryptocurrency systems should generate cryptographic keys and seeds securely. To do so, organisations should focus on two aspects: unguessable keys and confidentiality. Unguessable keys protect crypto assets against threat actors that want to impersonate authorised key and seed holders, while confidentiality prevents newly generated keys or seeds from being acquired by unintended parties. The CCSS provides a list of critical actions that organisations should take to create unguessable and confidential keys. It mentions key points such as ensuring that keys and seeds are created by their operators, through a deterministic random bit generator (DRBG) that conforms to the recommendations of NIST SP 800-90A, and on a system with sufficient entropy.
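To make the DRBG recommendation concrete, here is an added example (not from the CCSS or any wallet software) of a minimal HMAC_DRBG over SHA-256 following NIST SP 800-90A, seeded from the operating system’s entropy source and refusing to instantiate when the entropy input is shorter than the security strength. The `HmacDrbg` class, `new_wallet_seed` helper, and the `wallet-seed` personalisation string are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

OUTLEN = 32               # SHA-256 output length in bytes
SECURITY_STRENGTH = 32    # 256-bit strength: entropy input must be at least this long
RESEED_INTERVAL = 10_000  # conservative cap; SP 800-90A permits up to 2**48 requests


class HmacDrbg:
    """HMAC_DRBG over SHA-256 (NIST SP 800-90A, Section 10.1.2). Illustrative only."""

    def __init__(self, entropy_input: bytes, nonce: bytes, personalization: bytes = b""):
        if len(entropy_input) < SECURITY_STRENGTH:
            raise ValueError("entropy input shorter than the security strength")
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.K, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: the second round runs only when caller data is present
        self.K = self._hmac(self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.V)
        if provided_data:
            self.K = self._hmac(self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.V)

    def generate(self, n_bytes: int, additional_input: bytes = b"") -> bytes:
        if self.reseed_counter > RESEED_INTERVAL:
            raise RuntimeError("reseed required before producing more output")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n_bytes:
            self.V = self._hmac(self.V)
            out += self.V
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:n_bytes]


def new_wallet_seed(entropy=None, nonce=None) -> bytes:
    """Derive a 32-byte wallet seed; entropy and nonce default to the OS CSPRNG (os.urandom)."""
    entropy = os.urandom(SECURITY_STRENGTH) if entropy is None else entropy
    nonce = os.urandom(SECURITY_STRENGTH // 2) if nonce is None else nonce
    return HmacDrbg(entropy, nonce, b"wallet-seed").generate(32)
```

The explicit entropy and nonce parameters exist only so the construction can be checked deterministically; in production both should always come from the system entropy source, and a fresh nonce must be used for every instantiation.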

3. Protected key storage

Organisations should exercise great care when storing their cryptocurrency keys and seeds, whether digitally, physically, or in any other form. Here, they have to be mindful of the types of crypto wallets available, and the pros and cons of using them:

Online wallets: Also considered a kind of custodial wallet, these are online third-party services through which one can access their crypto funds from any internet-connected browser. Most of the time, the private keys are held by the wallet provider. While such wallets make storing and withdrawing crypto more convenient, hackers can target them with greater ease.

Software wallets: These are computer or smartphone applications that give the user control over their private keys and access to their crypto balances. They are still a type of hot wallet, meaning that they are connected to the Internet. Hence, the private keys remain considerably exposed to cyber-attackers.

Paper wallets: These are offline mediums for keeping crypto assets, which involve printing the private keys and associated addresses on a piece of paper. There are high risks attached to this storage method. First, the paper can easily be damaged by a variety of environmental factors. Second, one will need to manually enter the keys into a transaction tool through their internet browser, exposing the keys to cyber threats.

Hardware wallets: These are offline, physical devices on which users store private keys and verify transaction details. Such wallets are currently considered the most secure of the options above, as the private keys never leave the device, so hackers cannot steal them even after seizing control of the user’s computer.

Of course, it is always advised for organisations to have extra offline, backup wallets to store their keys. This serves as a precautionary measure against compromised wallets and lost or destroyed keys.

4. Essential cybersecurity policies

Certain essential policies can also be implemented to further boost an organisation’s cryptocurrency security. A couple of these are key compromise policies and data sanitisation policies. Establishing a key compromise policy provides cyber incident response teams with the protocols and steps they must take to reduce losses in the event that a crypto key, seed, or holder is compromised.

The CCSS also recommends that companies adopt a comprehensive data sanitisation policy, which involves the secure and permanent deletion of data so that it cannot be recovered. This is because data can often still be recovered from storage media even after it has been 'deleted' through conventional means. Hence, employees should be trained and provided with the necessary tools to thoroughly wipe decommissioned devices such as hard disk drives, servers, and removable storage, to avoid leaking information about crypto assets, keys, seeds, or wallets.

Last but not least, it is essential to keep a regular record of reserve funds, including crypto assets, for compliance purposes. In addition, audit logs can be extremely valuable tools that allow companies to determine how security incidents such as crypto theft occurred, to resolve system inconsistencies more swiftly, and to revert the information system to a stable state.

5. Continuous security assessments

It makes sense for any organisation to have confidence in the abilities of the experts who build and maintain their information systems and networks. However, in this day and age where cyber threats are relentlessly increasing and advancing, no business can ever be too cautious with their security measures. The danger is heightened for companies located in more technologically advanced countries, such as Singapore, as they usually become the prime targets for malicious hackers.

To protect vital crypto assets, your organisation can consider engaging external cybersecurity services in Singapore to identify exploitable gaps in its management of crypto accounts that are typically underestimated or overlooked by staff. For instance, conducting a penetration test can confirm whether your staff are resistant to phishing, a method frequently used by cybercriminals to launch crypto heists. And if your organisation directly depends on any blockchain-based solutions or applications, be it for crypto or other types of operations, security assessments specific to blockchain networks are also available and should be considered seriously.

Conclusion

Given the recent high-profile security incidents in the world of cryptocurrencies and related technologies, it is even more crucial that businesses cover all the bases of their cybersecurity system to stay ahead of the emerging and evolving threats.

At GROUP8, we understand the necessity of robust cybersecurity controls for organisations to protect their many assets, cryptocurrency or not. Thus, we offer an entire ecosystem of offensive-inspired cybersecurity solutions, including blockchain security, phishing detection, smart contract audits, and CREST-certified penetration testing in Singapore. If your business is in search of trusted and industry-leading cybersecurity services, do not hesitate to contact us at hello@group8.co for help.