https://blog.rsisecurity.com/how-to-achieve-cryptocurrency-security-standard-ccss-compliance/
Without a doubt, Bitcoin, cryptocurrency, and the blockchain are in the process of revolutionizing the entire landscape of global finance. Experts from major think tanks like the MIT Technology Review predict that cryptocurrency growth won’t slow anytime soon. As the cryptocurrency industry becomes more prevalent in various aspects of our personal and business lives, the need for regulatory standards that ensure transactions take place in a safe, secure manner grows with it. That is exactly why the Cryptocurrency Security Standard (CCSS) was developed.
The CCSS is a framework formulated by a group of cryptocurrency developers, researchers, and security professionals. It’s a set of best practices that Bitcoin and cryptocurrency investors, professionals, and businesses should adhere to in order to ensure both ease and security of all transactions.
More specifically, the CCSS is an attempt to standardize various rules and software best practices used in crypto-related technologies like wallets and bitcoin exchanges. The goal is to keep customer funds secure and protect digital currency information against unauthorized data access, sensitive data loss, and data breaches.
So whether you’re investing in cryptocurrencies, using blockchain technology, or operating a business that relies on cryptocurrency or bitcoin transactions, CCSS is a standard that you’ll likely need to comply with. Below is a primer on the key areas that CCSS covers, and what you’ll need to start doing to ensure you’re fully CCSS compliant today and in the near future.
CCSS Basics
CCSS focuses on cryptocurrency security and transparency in handling customer funds, which is essential for the growth and adoption of Bitcoin and cryptocurrencies in mainstream business and investing practices. Bitcoin security standards such as CCSS have become even more relevant with recent, high-profile cyber breaches of cryptocurrency exchanges like Mt. Gox and Bter. These kinds of security issues have plagued various aspects of the crypto industry, and the creators of CCSS hope that by following these guidelines, the entire ecosystem can benefit from enhanced security.
CCSS is designed to complement existing information security standards (such as ISO 27001:2013) by introducing guidance for security best practices with respect to cryptocurrencies, but it is not designed to be a substitute or replacement. Rather, it’s designed to augment existing standards and be implemented by crypto-focused cybersecurity professionals. CCSS covers ten aspects of any information system that stores, transacts with, or accepts cryptocurrencies. This can be either hardware or software, and you’ll be scored within three compliance levels depending on how secure each aspect of your systems is.
Moreover, the ten aspects are organized into two separate domains that structure CCSS: Cryptographic Asset Management and Cryptocurrency Operations. Below is a breakdown of each aspect within the two domains, and what you’ll need to focus on to fully comply with CCSS, no matter how your organization uses digital currency.
Cryptographic Asset Management
1. Key & Seed Generation
One of the most important aspects of cryptocurrency from a cybersecurity standpoint is key and seed generation. Seeds are basically a username/password combination that users need to access their cryptocurrency wallets. Therefore, seeds need to be unique and extremely difficult to guess via a brute force hack. If a hacker manages to generate the same 64-character seed as that of a specific user, they may be able to gain access to funds.
These seeds are then used to generate keys, which are used to sign transactions and generate public addresses where crypto funds are stored. Like every area of CCSS compliance, certification ranges from Level I to Level III, depending on the sophistication of your cybersecurity measures. To achieve basic compliance, you’ll need to work with your CCSS compliance partner to make sure all of the following areas are addressed in your key & seed generation practices:
- Operator-created keys and seeds
- Validation of creation methodology
- DRBG compliance
- Sufficient entropy pools
2. Wallet Creation
For those familiar with cryptocurrency, wallets are an integral part of how you conduct business. Wallets are purely digital and are used to buy, store, and trade various cryptocurrencies, from Bitcoin and Litecoin to Ethereum. Therefore, this aspect of CCSS covers the creation of bitcoin wallets or addresses that are used to send and receive cryptocurrency. Wallets are created using key signing methodologies that can require a single key’s signature, multiple keys’ signatures, or a minimum number of signatures from many keys.
Furthermore, wallets can be created individually (otherwise referred to as JBOK wallets, or “Just a Bunch Of Keys”) or in a deterministic way that allows a set of addresses or key pairs to be created from a single master seed. Security of wallet creation is derived from the integrity of the wallet in the face of various risks such as a lost, stolen, or compromised key, and the confidentiality of the wallet that would make it difficult to associate a wallet with a particular user. The following must be taken into account for wallet creation CCSS compliance:
- Unique address per transaction
- Multiple keys for signing
- Redundant key for recovery
- Deterministic wallets
- Geographic distribution of keys
- Organizational distribution of keys
3. Key Storage
The third aspect of CCSS covers how private keys and seeds are being stored while not in use. To best maintain the confidentiality of key and seed data, CCSS mandates they be stored in “as secure a manner as business concerns will allow.” You’ll want to make use of strategies like encryption, secret sharing, and physical locks (if and when appropriate).
To maximize the integrity of keys and seeds, you’ll need to create backups that will allow for recovery in the event that primary keys become inaccessible. Care should also be taken to ensure backups are stored with at least as much security as primary keys (if not more). It should also be noted that cryptographic assets that are generated by end-users of a system are not subject to the backup requirements of this section, as enforcing good behavior on end users is practically impossible.
When it comes to meeting the key storage requirements, make sure to cover all of the following:
- Primary keys are stored encrypted
- Backup key exists
- Backup key has environmental protection
- Backup key is access-controlled
- Backup key has tamper-evident seal
- Backup key is encrypted
4. Key Usage
Closely related to key storage, the key usage aspect of CCSS ensures that all keys and seeds are used in a secure manner. The goal is to maximize the confidentiality of private keys and ensure the integrity of all cryptocurrency funds. However, this section does not specifically cover the usage of backup keys, which are used only in case the primary key is lost, stolen, damaged, or otherwise inaccessible.
There are many risks present when using keys, some of which can lead to significant negative consequences. Loss of funds, malware modification of keys, and unauthorized transactions by outside malicious actors are just a few things that can occur. According to CCSS, full key use compliance should consider all of the following:
- Key access requires user password & authentication
- Keys are only used in a trusted environment
- Operator reference checks
- Operator ID checks
- Operator background checks
- Spends are verified before signing
- No two keys are used on one device
- DRBG Compliance
5. Key Compromise Protocol
Hope for the best, plan for the worst, as the old adage goes. Cryptocurrency security is no exception to the rule, which is why CCSS mandates the existence of a specific protocol that your organization will follow in the event keys and/or seeds have been compromised or hacked. Your protocol must outline actions that will be taken in the event of a breach, depending on whether a private key has been stolen, destroyed, become known, or otherwise compromised. Proper policies and procedures to govern malicious events decrease risks associated with things like lost funds and disclosed trade secrets.
Lack of a Key Compromise Protocol (KCP) will actually prevent your organization from reaching the highest Level III certification under CCSS. Examples of when a KCP would be invoked include the identification of tampering with a tamper-evident seal placed on key material, the apparent disappearance of an operator whose closest friends and family cannot identify their whereabouts, or the receipt of communication that credibly indicates an operator or key is likely at risk of being hacked. The execution of KCPs must make use of Authenticated Communication Channels to ensure messages are only sent or received by authenticated actors.
KCP compliance consists of two main portions:
- Have an Existing KCP
- Regular KCP Trainings and Rehearsals
6. Keyholder Access Procedures
If keys are the most important pieces of information related to cryptocurrency, then coming in a close second are the individuals who have access to them. That’s why CCSS has standards about the policies and procedures surrounding how users are granted (and revoked) access to keys or seeds that store organizational and/or end-user funds.
You’ll need to consider the access that your staff has to information systems, and restrict access to information that’s not vital to the performance of their regular duties. Improper onboarding and offboarding also pose risks to key and seed information, so you’ll want to background check all new employees, and immediately revoke access when employees quit or are terminated. Your key access procedure compliance plan under CCSS is as follows:
- Access Grant and Revoke Procedures Checklist
- All Requests made via Authenticated Communication Channel
- Grant and Revoke Audit Trail
Cryptocurrency Operations
7. Security Audits
This aspect covers third-party reviews of security systems, technical controls, and policies that protect any system from all forms of risk. You’ll need to conduct penetration and vulnerability tests to identify potential weaknesses and paths around existing security measures.
Regardless of the technical skill, knowledge, and experience of personnel who build and maintain your systems, third-party reviews are necessary to identify risks and control deficiencies that were either overlooked or underestimated by your internal staff.
For the same reasons that software development companies require third parties to test a product to assess its viability, different people than those who implement a cryptocurrency system should assess its security. Third parties provide a fresh viewpoint, are independent of technical controls and are able to be more objective when assessing your security systems.
There’s only one requirement to this CCSS aspect, but it’s a big one: Conduct a Third Party Security Audit.
8. Data Sanitation
At some point in time, you may want (or need) to remove cryptographic keys from digital media or hardware. This could be anything from PC hard drives and USB drives, to smartphones and cloud servers. Hackers are now employing ever more sophisticated digital forensic techniques to recover data which has (ostensibly) been erased or deleted.
That’s why CCSS covers the proper sanitization of all digital media upon its removal and/or disposal from your facilities. You’ll need to properly remove all keys from digital media devices, and do your best to eliminate the risk of information leakage from decommissioned devices like servers, hard disk drives, and removable storage devices.
Your data sanitation procedure (DSP) checklist should contain the following two items:
- Have an Existing DSP
- Maintain Audit Trail of all Media Sanitization
9. Proof of Reserve
Just like a bank, cryptocurrency exchanges and wallets need to have enough currency in “reserve” to ensure liquidity for all users as they buy, sell, and cash out to various currencies. CCSS requires that cryptocurrency companies be able to show proof of control of all reserve funds held in their systems.
This rule is partly due to past cases where cryptocurrency organizations were operating with only a fraction of the funds they claimed to have in reserve. This is a huge risk, as bitcoin exchanges and wallets need to have the ability to cover all funds in the event of a simultaneous withdrawal by all bitcoin users. Proofs of reserve provide assurance to the public that all funds are available at any given time, eliminating risk of fund loss altogether.
Just make sure to work with your compliance partner to conduct regular Proof of Reserve Audits to reach CCSS compliance.
10. Audit Logs
Finally, you need to maintain audit logs of system maintenance that provide a record of all changes to date. In the event of a breach or cybersecurity incident, audit logs can prove extremely valuable in helping investigators understand how the attack occurred, properly diagnose symptoms, and formulate a plan for how to resolve issues and stabilize your systems and service.
Just make sure to both Apply Audit Logs and ensure there’s a Backup of Audit Logs to reach minimum Level I CCSS compliance.
Concluding thoughts
So, whether you’re a crypto investor, business, or exchange, by now you should realize why CCSS exists, the aspects it covers, and the steps you can take today to reach full compliance and prepare your business to face cyber threats. And don’t forget to consider engaging with a CCSS compliance partner to make your journey that much more efficient and worry-free. For more information on cybersecurity solutions, contact RSI Security today.