Author: Gili Nizani

What Is Digital Asset Security

 

The world has become increasingly aware of the threat of cyber attacks and data breaches, but not all organizations know how to defend themselves against them. Systems breaches great and small have more than doubled in the past five years, and the attacks have grown in sophistication and complexity.

From DDoS attacks to data loss, a cyberattack can have devastating consequences for a brand. Not only does it lead to a loss of consumer confidence, but the manner in which a company handles an attack can also have a significant impact on the business’s bottom line and reputation.

Nascent industries like cryptocurrency are also feeling the impact. Accounting agency KPMG told Bloomberg in March that the cryptocurrency market must enhance its digital asset security before $245 billion of the crypto industry can expand.

Learn more on digital assets, compliance and cyber security from our experts

While it may seem hopeless and at times even impossible, the good news is it’s not. There are a few key steps every organization can take to protect its digital landscape.  To protect digital assets, it’s good to start with the basics, like getting organized, understanding attack and breach implications.

The evolution of digital security has made digital asset management more transparent, accessible and streamlined than ever. But protecting digital assets comes with its own set of unique challenges. In this article, we’ll take a bird’s-eye view at the current state of the digital asset threat landscape, technology, and solutions.

What Is a Digital Asset

A digital asset can be anything in a digital format, from a text document to a private key to a database. In determining the priority of assets to protect, organizations must confront both external and internal challenges. The idea that some assets are of critical importance to a company must be at the heart of an effective strategy to protect against cyber threats.

The Difference Between a Digital Asset and a Digital Security

It may be surprising, but the first digital asset was in fact Bitcoin when it launched in 2009. Now, digital assets are prominent in discussions by the SEC, the Financial Crimes Enforcement Network, and other regulatory bodies. Digital assets have become a permanent fixture in finance.

Mason Borda, CEO of TokenSoft, outlined the distinction between the two. “A digital asset is a digital representation of something of value, for which ownership is verified and recorded on a distributed ledger.”

A digital security, on the other hand, is a “digital representation of an asset that happens to be a security, often an investment contract, for which ownership is verified and recorded on a distributed ledger. A digital security, which is subject to traditional securities laws, is often referred to as a security token.”

For example, a digital security could be a share of a corporation, a portion of a note, or a debt security. In some cases, it could also be fractionalized interest which some commentators have discussed as being an especially suitable use-case for the security token concept.

Digital Asset Threat Landscape

Industries around the world, from health to finance have seen their fair share of threats over the past decade. As companies and clients continue to expand their digital services, they’ll continue to face ongoing threats to their security’s IT and infrastructure.

Common Vulnerabilities

Credential Stuffing

Credential stuffing is a type of cyberattack that usually targets the personal data of banking customers. Using stolen account credentials, hackers can gain unauthorized access to user accounts using automated large-scale login requests.

The stolen information can then be used to bombard websites and servers in order to try to gain access to critical IT infrastructure. This practice is known as credential stuffing.

Credential stuffing differs from a brute force attack because in credential stuffing operations attackers are often using usernames and passwords that are known to have been good at some point or another. For banks, credential stuffing is an emerging and credible threat that will only get worse as the number of data breaches increases.

Phishing Attacks

Phishing is a common type of cyberattack that’s often used to steal user data, including login credentials and credit card numbers. Phishing occurs when an attacker tricks an unsuspecting victim into opening a malicious link, leading to an installation of malware which then freezes the system as part of a ransomware attack. This can have devastating results on a business.

One of the major news stories of 2013 was the Target data breach that affected 110 million users, including 41 million retail card accounts. It turns out that cybercriminals did not attack Target directly. They targeted a third-party HVAC vendor, which had trusted access to Target’s servers. Upon compromising FMS’s servers, gaining complete access to Target’s was simple.

Ransomware Attacks

Ransomware is a type of malware that encrypts data, making it impossible for the owners of that data to access it unless they pay a hefty fee. In March 2017, the WannaCry virus spread independently through the networks of unpatched Microsoft Windows devices, leaving thousands of computers infected and making off with a total of 327 payments.

Ransomware has cost businesses more than $75 billion per year in damages (Datto), and ransomware remains the most common form of cyberattack. Banks remain top targets for ransomware attacks, as cybercriminals follow the money for big payoffs.

IoT Exploitation

While a majority of exploitation attempts stem from software vulnerabilities, they can just as easily begin from vulnerable pieces of hardware. Anything from an employee device to a router connected to an unsecured network can put an entire organization’s digital infrastructure at risk. Unbeknownst to many is how easily exploitable their IoT devices are since they’re often not required to have the same level of security scrutiny as computers.

Unsecured IoT devices, such as home routers, printers, and IP cameras are all vulnerable to attack. As institutions continue to connect more gadgetry to the internet, the number of potential security weaknesses on their networks are also more likely to increase. To breach an institution, attackers will target insecure devices to create a pathway to other systems. Once they have an entryway from an IoT device, they have full access to the entire network.

Cloud Storage Vulnerabilities

For many enterprise solutions, opting for a simple cloud-based solution often can do more harm than good. Trusting cloud providers can be risky business –– or better yet, a major risk for your business. However you choose to look at it, while many cloud providers promise to keep highly sensitive data secure many also fail to do so.

With the Wall Street Journal’s release of their investigation into the global hacking campaign known only as ‘Cloud Hopper,’ the true depth of the risks associated with compromised cloud data couldn’t be more evident, or alarming.

With so much information stored on the cloud, particularly for the use of public services, cloud providers have become easy targets for malicious attackers. To get a clearer picture of the problem, consider that over 1.4 billion records were lost to data breaches in March 2017 alone –– many of which involved cloud servers.

Contrary to what many may believe, the sole responsibility for protecting corporate and customer data in the cloud lies with the cloud customer, not the service provider. Hence, no cloud provider is legally or contractually obligated to ensure the safety of customer data –– as much as they may promise to do so.

In cases of breached data, a company may be required to disclose the breach to authorities and alert customers and potential victims. Regulations like HIPAA and HITECH in the healthcare industry and the EU Data Protection Directive are laws that outline the necessity of such disclosures.

Using legally-mandated breach disclosures, regulators can issue hefty fines against a company, and it’s not uncommon for consumers whose data was compromised to file lawsuits.

Many cloud services available today have a number of stringent security protocols in place to protect the data they store. However, it’s the responsibility of any given organization to implement a plan for protecting their customer’s data on the cloud. Here are just a few ways your digital assets are vulnerable when stored on the cloud.

Data Breaches

Cloud data storage security has forced today’s cybercriminals to invent new ways to circumvent today’s cyber solutions in order to gain access to the sensitive data of millions of businesses and individuals.

A data breach can have huge consequences for a company, both legally and reputationally. A data breach can expose sensitive customer information, intellectual property, and trade secrets, all of which can lead to serious consequences for any business. Companies could potentially face lawsuits and hefty fines, as well as damage to the brand image that could last for years.

In May 2016, hackers stole an estimated 167 million LinkedIn email addresses and passwords causing irreparable damage to the brand’s customer trust. While cloud storage providers work to implement rigorous security measures, the same threats that impact traditional storage networks also threaten those of the cloud.

Today it’s possible for a hacker to listen for a ‘side-channel timing exposure,’ signaling the arrival of an encryption key on another VM of the same host. This kind of breach can lead to an organization’s most sensitive internal data falling into the wrong hands.

Data Loss

A data breach can lead to data loss which can take place when a disk drive dies without a proper backup in place. Like losing the key to your house, data loss occurs when the owner of encrypted data loses the key that unlocks it.

A data loss could occur as a result of a malicious attack. On Easter weekend in 2011, small amounts of data were lost for some Amazon Web Service customers as its EC2 cloud suffered “a re-mirroring storm” due to human operator error.

While the chances of losing all your data in the cloud aren’t that high, there have been reports of hackers gaining access to cloud data centers and wiping all the data. That’s why it’s critical for organizations to distribute their applications across several zones, and backup their data using off-site storage if and when possible.

On top of this, companies need to be aware of compliance policies that dictate what they can and can’t do with the data they collect. By complying with these rules, companies can work to protect their data and the data of their customers’ in the event of a data breach.

Since both data breaches and data losses can lead to a loss of consumer confidence in a brand, the manner in which a company handles an attack will also have a significant impact on the business’s bottom line and reputation.

Compromised Credentials

Although account hijacking sounds too simple to be a serious concern for cloud services, consider the impact of a compromised account. An attacker with control of an account has the ability to eavesdrop on transactions, manipulate data, provide false responses to customers, and redirect customers to a phishing or competitor’s site. Even worse, if a compromised account is connected to other accounts, it’s possible to quickly lose control of multiple accounts all at once.

There are many security threats that can be easily prevented with the creation of secure, unique passwords. While remembering complex passwords can be a challenge, the use of a trusted password manager like Dashlane or OnePassword can really simplify things.

Businesses that provide employee training in order to raise awareness of such vulnerabilities can stress the importance of creating secure credentials on a company-wide scale. In addition to using strong passwords, companies can also work to protect themselves by defining the right user roles and creating processes for identifying critical changes made by other users.

Hacked Interfaces and Insecure APIs

In today’s cloud era, companies try to make services available to millions while limiting any damage anonymous users may do to their service. They do this with the use of APIs, or public-facing application programming interfaces, that defines how a third party connects an application to the service.

Most cloud services use APIs to communicate with other cloud services, leaving a wide gap for potential exploitation. As a result, the security of APIs has a direct effect on the security of the cloud services, and the chances of getting hacked increases. Such a hack has the potential to cause a business to lose confidential information related to their customers or other parties.

The best way for businesses to protect themselves from API hacks is to implement threat modeling applications and systems into the development lifecycle. It’s also recommended to perform comprehensive code reviews regularly to ensure that there aren’t any security gaps that have the potential to be exploited.

DDoS and DoS Attacks

DDoS attacks have the potential to cripple an organization’s public cloud and affect the availability of enterprises that run critical infrastructure in the cloud. This kind of malicious attack can be debilitating for a business, slowing systems down or timing out requests while consuming huge amounts of processing power.

Today’s attackers have improvised increasingly sophisticated ways of carrying out an assault before hundreds of thousands of automated requests for service can be detected and screened.

This makes it harder than ever to detect which components of incoming traffic are the bad actors and which are legitimate users. For companies, experiencing a DoS attack feels like being caught in rush-hour traffic with no way out –– and there’s nothing you can do about it but sit and wait it out.

While DoS attacks have been around since the dawn of the decade, cloud computing has made DoS attacks more prevalent than ever. In some cases, persistent DoS attacks can be too costly and time-consuming; it forces businesses to shut down their service until remediations can be made.

Many cloud services have systems in place for protecting cloud customers against these kinds of attacks, but the best way to ensure you don’t fall victim to one is to prevent an attack from happening in the first place.

Blockchain Vulnerabilities

With blockchain’s industry value estimated to hit $23B by 2023, it’s hard to keep track of the number of blockchain-based solutions developed to date. While security features inherent in blockchains make Distributed Ledger Technology (DLT) resistant to attack, they do not make it immune.

In fact, DLT technology is subject to a number of issues that centralized databases are not. While industry experts continue to remind the public that DLT technology is eons beyond current data security solutions, many still believe companies should take extra precautions when safeguarding their data.

Blockchains’s unique security features don’t make it immune to exploitation. Rather, with far more limited attack vectors, blockchain security relies heavily on the security of its weakest endpoint: the cryptographic key.

The Role of Private Key Infrastructure (PKI)

Encryption is most commonly used on documents and messages before they’re transmitted, but if the recipient of the information cannot verify its source or the identity of the sender, the authenticity of the information may not be trustworthy.

This is the primary reason for the use of keys when decrypting data. Keys are shared between the sender and receiver of encrypted communications and verified by digital certificates in order to establish the integrity of any incoming information.

Public Key and Private Keys

In the world of data encryption and decryption, there are typically two kinds of encryption, asymmetric and symmetric. Symmetric, is when both the sender and recipient of the information have an identical key that allows for the translation of the incoming data. In cases of symmetric encryption, both parties must make efforts to keep the key secret and safeguarded –– which is inherently more risky.

That’s asymmetrical cryptography and the use of public keys come in useful. Used more often today, a public key can be used to encode information and a private key is used to decrypt it. A good example of this would be credit card usage, such as pin transactions.

Decryption Using Public Keys

The Public Key Infrastructure (PKI) is the set of hardware, software, policies, processes, and procedures required to create, manage, distribute, use, store, and revoke private keys, digital certificates and public-keys. Public keys are the basis for a Public Key Infrastructure when encrypting highly-sensitive data. PKIs enable the use of digital signatures and encryption across large user sets.

Often they help establish the identity of people and devices, enabling controlled access to systems and resources, protecting data and authenticating transactions. Many of today’s emerging technologies, especially within the fintech space, are becoming more and more reliant on PKI technology to guarantee security and protection of sensitive data.

Generating Cryptographic Private Keys

All cryptographic private keys generated within a PKI infrastructure must be random. By design, a computer is unable to generate a truly random value because it is a finite-state machine.

Therefore, a unique physical process is needed in order to generate random numbers and keys. HSM devices contain unique hardware that uses a physical process to generate a reliable source of randomness, that in turn is used to generate truly perfect random keys.

Hardware Security Modules (HSMs)

That leads us to the important role hardware security modules play in critical infrastructure security. A hardware security module, or HSM device, is a dedicated cryptographic processor designed to protect highly critical and sensitive keys and assets. Customizable HSMs act as trust anchors that protect the cryptographic infrastructure of some of the most security-conscious organizations in the world.

This piece of hardware may look small but is mighty powerful. It has the ability to securely manage, process, and store cryptographic keys inside its hardened, tamper-resistant shell.

The Use of HSMs

Outside of banking, enterprises use HSM devices to protect anything from transaction data, identity, and applications. HSMs are excellent at securing cryptographic keys and encryption, decryption, authentication, and digital signing services for a wide range of applications, including database encryption and SSL/TLS for web servers.

With wide-ranging use, many industries and businesses have come to rely on programmable HSM devices to provide quick, safe and secure data transactions and verification. Whatever the use case may be, the key elements of any programmable HSM device require that it:

  1. Is designed using specialized hardware that is well-tested and certified.
  2. Has a security-oriented Operating System.
  3. Has access to a network interface controlled by strict internal parameters.
  4. Actively stores and protects cryptographic material.

The Use of HSMs for Blockchain

With blockchain’s industry value estimated to hit $23B by 2023, it’s hard to keep track of the blockchain-based financial solutions taking off left and right, such as ICOs and STOs. Proponents of distributed ledger technology (DLT) consider it to be one of the best ways to secure transactions.

But while blockchains have many desirable features –– such as transaction efficiency –– there are still other conditions to consider when it comes to leveraging its technology. The growing consensus among blockchain security experts highlights the need for blockchain-compatible security solutions that will directly address the threat of data theft and exploitation.

There are many ways in which customizable HSM devices can be used in blockchain, leveraging this established hardware technology to protect keys. After all, this emerging industry needs more and better solutions to protect currencies and mitigate risks of theft, hacks, or security breaches.

There are six potential uses of flexible HSM hardware to foster security in the blockchain:

  1. Generation of private and public key pairs: The HSM needs to support the blockchains specific algorithms.
  2. Secure storage for private keys: Private keys must remain secure and private.
  3. Secure signature and verification: Send valid transactions to the blockchain by signing them and verify transactions whenever needed.
  4. Hierarchical deterministic wallet support: Ability to derive key-pairs in a secure environment from a single key master according to BIP32.
  5. Encryption, decryption and use of keys records from key databases: A significant number of applications require secure key storage and a secure environment for their usage.
  6. Logging: Usage tracking needs to be secure as well. Being able to audit and monitor how and when keys are used without the ability to modify and alter the logs.

HSM Operating Environment

Any programmer would normally mix the database access code, business-logic and cryptographic calls in one single application, leaving it dangerously vulnerable to exploitation and attack. This is a dangerous approach, as an attacker can leverage crafted data to access cryptographic materials, steal keys, install an arbitrary certificate, and so on.

To prevent such intrusions, advanced customizable HSM devices require two separate operational zones. A single one that holds the business logic, and a second for cryptography which is entrusted with the cryptographic operation.

Remote HSM management allows multiple security teams to perform tasks from a central remote location without the need to travel to a physical data center. A flexible HSM management solution provides users with operational cost savings and flexibility. Remote HSM management capabilities are distinctive in that they require more stringent security controls.

Banks and other institutions have been wrestling with these unique challenges for decades. That’s why it’s become important for the blockchain community to embrace tried and tested solutions, such as programmable HSMs, which may be crucial in helping blockchain evolve and mature.

Conclusion

In the face of such diverse and imminent threats, companies often make the right decision to spend more on cybersecurity. But many are unsure how to go about it, often misallocating time, money and resources in their mitigation strategies.

For example, a global financial-services company might leave cybersecurity investments mainly to the discretion of the chief information security officer (CISO). This can lead to security teams being isolated from business leaders, and the resulting controls were not focused on the most critical assets that require protection.

Another example may be a healthcare provider that makes patient data its only priority, while other infosec areas are neglected, such as confidential financial data relevant to big-dollar negotiations.

These common examples illustrate the growing need for a unified, enterprise-wide approach to cyber risk which involves the business and the risk, IT, and cybersecurity groups.

Leaders of these groups must begin to work together in order to identify and protect an organization’s critical digital assets as a priority.  Critical infrastructure security investment must be a key part of the business budget cycle and investment decisions must be more evidence-based and sensitive to changes.

Whether the future of many of the world’s largest industries will evolve to adopt blockchain technology is still up for debate. But if history teaches us anything, it’s that it’s going to take a lot more to protect our digital assets in 2020.

Learn more on digital assets, compliance and cybersecurity from our experts

Deutsche Banken erweitern Krypto-Serviceangebote nach neuem Recht

Die 5. EU-Geldwäscherichtlinie ist am 1. Januar 2020 in Kraft getreten und baut auf die 4. EU-Geldwäscherichtlinie auf. Unter anderem nimmt sie nun auch Anbieter von Kryptowährungen in die Pflicht. Das Gesetz bezieht EU-weit Verkauf und Verwaltung von Bitcoin und anderen Kryptowährungen mit ein.

Die Erweiterung erlaubt Banken, Bitcoin oder Ethereum wie Wert- oder Pfandbriefe zu behandeln. So können dem Kunden alle damit verbundenen Finanztechnologien angeboten werden. Bis jetzt hat nahezu kein einziges deutsches Geldinstitut virtuelle Währungen im Programm – doch das wird sich nun im Zuge des neuen Gesetzes ändern.

Bei der Bundesanstalt für Finanzdienstleistungsaufsicht BaFin sind bereits 40 Anfragen von Banken für die Genehmigung von Krypto-Custody-Lizenzen eingegangen.

Eines der ersten Geldinstitute, das Dienstleistungen im Bereich der Kryptowährungen anbietet, ist die Solarisbank aus Berlin. Sie hat im Dezember vergangenen Jahres die Tochter Solaris Digital Assets gegründet, um sich dem digitalen Anlagenmarkt anzunehmen. Solarisbank ist im Besitz einer vollen Banklizenz und hat ihre Dienste bereits in der Vergangenheit zahlreichen deutschen FinTech-Startups angeboten.

“Digitale Vermögenswerte werden den Finanzmarkt grundlegend ändern” sagt Michael Offermann, geschäftsführender Direktor für Kryptobanking bei Solarisbank. “Sobald Kauf und Verwahrung von Bitcoin einfacher werden, erwarten wir einen starken Zuwachs.”

Der Blockchain-Wert der Industrie knackt Schätzungen zufolge 2023 die 23 Milliarden-Dollar-Marke. Blockchainbasierte Dienste werden also allgegenwärtig sein. Doch das Wachstum der Industrie bringt auch Gefahren mit sich. (-mehr)

Die inhärenten Sicherheitsvorkehrungen von Blockchains können Angriffe auf DLT-Transaktionen abwehren, machen sie jedoch nicht immun. Tatsächlich hat die Distributed-Ledger-Technologie mit Gefahren zu kämpfen, die zentralen Datenbanken fremd sind. Die Liste der Anbieter von Blockchain-Technik, die Opfer von Hackerangriffen geworden sind, wird immer länger.

Während manche Experten die Öffentlichkeit immer wieder daran erinnern, dass DLT gegenwärtigen Datensicherheitslösungen weit voraus ist, glauben andere wiederum, Firmen sollten extra Maßnahmen zur ausreichenden Sicherung ihrer digitalen Vermögenswerte ergreifen. Mit wachsenden Nutzerzahlen von Blockchain- und DLT-basierten Technologien im Regierungs- und Wirtschaftssektor wächst das Bedürfnis, die mit ihrer Nutzung verbundenen Risiken zu diskutieren.

Die zahlreichen Cyberbedrohungen von heute machen Banken zu beliebten Zielen von Cyberattacken wie Credential Stuffing , Phishing und Ransomware. Die gute Nachricht dabei ist, dass bereits bewährte Schritte unternommen werden können, um digitale Vermögenswerte zu sichern.

1. Cloud Security auswerten

Banken können den momentanen Sicherheitszustand der Cloud mit Sicherheitsmaßstäben, best practices und Regelkonformität vergleichen.

2. Cloud Security überwachen

Banken können mithilfe eines Risiko-Management-Tools die Gefahrenerkennung automatisieren – so werden potentielle Gefahren angegangen, bevor sie zum Problem werden.

3. Strenge Richtlinien für das Zugangsmanagement

Banken können sich vor internen Gefahren schützen, indem sie nur denjenigen Mitarbeitern Zugangsrechte garantieren, die sie wirklich brauchen. 

4. Disaster-Recovery-Lösungen

Mit dem richtigen Plan in der Hinterhand können Banken Datenverlust verhindern und die Ausfallzeit nach einer Störung minimieren. Das kann natürlich nur funktionieren, wenn regelmäßige und zahlreiche Backups durchgeführt werden.

5. Daten kryptographisch verschlüsseln

Kryptographische Verschlüsselungen und Sicherung der kryptographischen Schlüssel mit HSM sorgen dafür, dass sensible digitale Vermögenswerte immer geschützt sind – selbst im Falle einer Gefährdung der IT-Struktur einer Bank.

Learn more on digital assets, compliance and cyber security from our experts

Heightened Coronavirus Travel Ban Raises Cybersecurity Risks & Threats

While the World Health Organization (WHO) hasn’t declared the novel coronavirus a global pandemic yet, the infectious disease continues to spread at a rapid pace, affecting both the global economy and global health. The virus has been detected inover 85 countries as of Money and data from Johns Hopkins University confirms more than 110,000 cases of the virus attributed to the COVID-19 disease.

In an attempt to control the spread of the virus, we’ve seen an increase in restrictions on travel. Last week the US announced that travelers coming into the US on direct flights from Italy and South Korea will be screened for symptoms, while travelers from China are already being screened. One sector of the tech economy already feeling the immediate impact of the changing policies is industry events. From travel bans to bans of large gatherings, officials are canceling industry conferences left and right; leaving conference organizers, attendees, exhibitors, and sponsors scrambling to make new plans.

But now, due to the coronavirus outbreak and an increase in travel restrictions, the way we work may be undergoing a radical shift. Now more remote workers are working from home than ever as the global workforce shifts to mitigate the spread of COVID-19. Soon the cohorts working from home will grow into armies as the Chinese Lunar New Year comes to an end and Chinese companies begin restarting operations. Now because of the heightened pace of coronavirus’s spread, the return to work is likely to usher in the world’s largest work-from-home experiment. In 2020, working from home is no longer a privilege –– it’s a necessity.

While we won’t know the coronavirus’s effects on the overall nature of work for some time, we do know that working from home lends serious questions to the heightened cybersecurity risk for many InfoSec and IT security employees. Unlike working from the office, working from home often means working in an unsecured environment. This shift’s effect on many working specifically in banking and cloud enterprise should cause alarm. Employees with high-access management permissions should be on high alert as they self-quarantine, especially if they are responsible for accessing highly sensitive financial, business or consumer data without proper endpoint security measures in place.

In another risk, outlined in a December 2019 weekly tech advice column, the FBI’s Portland office released an ominous warning to US homeowners, “Your fridge and your laptop should not be on the same network.” That’s because your most vulnerable IoT devices –– think wireless cameras, baby monitors, smart thermostats and smart locks, all hold unique vulnerabilities that can be easily exploited. It’s no secret in the cybersecurity world that today’s hackers specifically target home IoT devices to gain entry to your home’s wireless network.

The FBI’s best advice for keeping your devices secure and safe? “Keep your most private, sensitive data on a separate system from your other IoT devices.” According to the FBI’s recommendation, you should have two routers at home: one for your IoT devices and another one for your more private devices.

Whatever the future of work may look like, the cybersecurity implications of a home-based workforce cannot be denied. Companies and cybersecurity professionals must mobilize to provide their organization’s workforce with proper cybersec and threat prevention training. In order to mitigate the cyber risks of a home workforce, heightened education and training is needed for the cyber risks associated with the post-corona economy.

Learn more about Hub Security’s miniHSm device and military-grade key management solutions and how they can help you stay secure and protected –– no matter where you’re working from.

DTCC Paper Outlines New Approach to DLT Implementation

 

A paper published February by the Depository Trust & Clearing Corporation (DTCC) calls for a more coordinated strategy around the development of a principles-based framework to identify and address DLT-specific security risks. With the adoption of distributed ledger technology (DLT) expected to grow in financial services, the DTCC’s white paper, Security of DLT Networks, outlines recommendations for establishing a comprehensive industry-wide DLT Security Framework.

Established in 1999, the DTCC is a holding company that consists of five clearing corporations and one depository, making it the world’s largest financial services corporation dealing in post-trade transactions. In 2011, the DTCC settled the vast majority of securities transactions in the United States and close to $1.7 quadrillion in value worldwide, making it by far the highest financial value processor in the world.

The paper outlines the need for today’s organizations to review existing security guidelines, gaps in their approach to DLT security, and the need for increased standards. The paper also suggests the possible formation of an Industry Consortium to spearhead this topic.

“With adoption of DLT across the financial services ecosystem likely to continue to increase in the coming years, we need to be certain that all DLT-related security risks are identified and addressed to maintain the safety and stability of the markets,” said Stephen Scharf, Chief Security Officer at DTCC. “DLT offers great potential, but as with any new technology, it also comes with certain risks. Traditional security measures may not be adequate, so it is critically important that this topic is top of mind for any DLT implementation.”

According to the paper, the establishment of a DLT Security Framework would:

  • Assist in the completion of risk evaluations across an individual firm’s security assessments via best practices and tools, such as risk management & oversight, cybersecurity controls, third-party management, and incident & event management.
  • Address key aspects of the DLT key management lifecycle, including DLT-specific security considerations associated with the creation, maintenance, storage and disposal of sensitive information.
  • Provide security guidance and practices respective to account access with the use of cryptographic hash functions, standard authentication methods and bridging the security gap between DLT and traditional IT environments.

Many enterprises are beginning to pilot and deploy DLT technology. While many of these blockchain-based solutions are generally considered secure, as DTCC notes, they are not immune to security risks or regulatory constraints. Companies must begin to consider the security implications associated with the use of DLT as early on in the project as possible. If there’s one take away from the paper’s release, it’s a crude warning to organizations: take careful consideration of your DLT solution’s security before writing a single line of code.

4 Blockchain Security Risks To Consider Before Building a Blockchain-based Solution

With the blockchain industry’s value estimated to hit $23B by 2023, it’s hard to keep track of the amount of blockchain-based solutions launching each month. As the industry grows though, so does its risks. While the security features inherent in blockchains make DLT resistant to attack, they do not make it immune. In fact, DLT technology is subject to a number of issues that centralized databases are not.

The growing list of blockchain technology providers who have become victims of malicious hacks and attacks is starting to make many wonder if blockchain is really as secure as it’s made out to be. While industry experts continue to remind the public that DLT technology is eons beyond current data security solutions, many still believe companies should take extra precautions when safeguarding their data –– especially on the cloud.

As more governmental, industrial, and commercial sectors adopt the use of blockchain and DLT-based technology, there’s a growing need for discussion. Below are some points to consider which also serve as a means to raise awareness of the risks still associated with the use of blockchain and Distributed Ledger Technology.

Blockchain Security Risks

1. Endpoint Vulnerabilities

One of the most common points of vulnerability with DLT technology is actually outside of the blockchain. Endpoint vulnerabilities are critical because of where they take place: at the time and place humans and blockchains meet. Simply put, an endpoint could be anywhere an individual is using to access sensitive data such as the computer of a bank employee.

Since most hackers know there’s no use in attempting to guess a user’s keys, they spend a lot of time trying to steal them. The best chance of obtaining keys is to attack the weakest point in the entire system, a personal computer or mobile device.

The process of accessing the blockchain in order to receive that data is what makes endpoints so vulnerable. Endpoints provide malicious attackers the opportunity they need to get nasty code in or out. Once a device is exploited, hackers can piggyback off the credentials of high-access users in order to do the most amount of damage.

2. Vendors

As DLT adoption continues to grow, many look to new solutions to provide them with the security and protection DLT technology promises. But while many new products continue to grow, it also creates another security vertical of great concern: vendor risks. Often, companies looking to deploy 3rd-party blockchain apps and platforms are not aware of the security risks associated with faulty and exposed vendors.

It’s not uncommon for vendor solutions to have limited focus on security measures with weak security controls on their own systems, flawed code, and even personnel vulnerabilities that can easily expose their clients’ blockchain credentials to unauthorized users. This threat is especially relevant when discussing products that involve the use of smart contracts. Since an organization’s entire operation and policies can be housed as a smart contract on a blockchain, a vulnerability of this magnitude has the potential to be catastrophic.

3. Untested Code

While Bitcoin has been around awhile, blockchain technology is still considered highly experimental. While we still don’t know the full scale of what’s possible ––– security experts can agree on one thing: every new blockchain product that leverages DLT technology must undergo vigorous testing before being released to the public. While some DLT projects are tempted to launch their half-heartedly tested code on live blockchains, the cyber risks can be damaging and long-lasting.

As new technologies enter the market, developers are incentivized to be first or early with the release of applications, often at the risk of deploying insufficiently tested code on live blockchains. Given the decentralized model of many blockchain solutions, the risks are often greater due to the irreversibility of the technology.

4. The On-ramp 

The on-ramp of digital assets is one of the most critically exposed points in the development of a blockchain-based solution. More specifically, how are the assets and information securely signed on to a blockchain? This all comes down to the private keys used to sign and encrypt blockchain transactions. If someone gets ahold of the keys, the entire downstream blockchain-based solution is corrupted.

Not only is protecting these keys critical but also ensuring they’re used safely, e.g. not exposed by software when used to sign a transaction. Additionally, the process of approval for using the keys must be protected –– otherwise, someone can hack or impersonate an approver and sign a malicious transaction. And of course, this element of your blockchain solution needs to be considered from the start, or else it will likely prevent or slow down a successful transition into production.

Looking Forward

Adopting new technologies always comes with the fear of the unknown. While blockchain-based solutions continue to provide customers with high levels of security and transparency, the onus falls on product designers to begin considering security from day one. From design to development, every step in the product development cycle is crucial to ensuring products are safe, reliable and secure for consumer use.

What Blockchain-based Projects Need to Consider Before Writing a Single Line of Code

With the explosion of distributed ledger technology (DLT) as a safe and secure solution for transparently handling and sharing information across organizations, many businesses are jumping on the DLT bandwagon. Proponents of the distributed ledger technology known as blockchain consider it to be one of the best ways to secure transactions.

But while blockchains have many desirable features, such as transaction efficiency, there are still other conditions and requirements to consider when leveraging blockchain technology for business. The publication of DTCC’s most recent paper on the matter outlines key risks associated with the use of the nascent technology and an acknowledgment of the many security risks still associated with its use for both small businesses and enterprises alike.

“With the adoption of DLT across the financial services ecosystem likely to continue to increase in the coming years, we need to be certain that all DLT-related security risks are identified and addressed to maintain the safety and stability of the markets,” said Stephen Scharf, Chief Security Officer at DTCC.

With hundreds of new blockchain-based products released each year, many of today’s development teams don’t consider the security risks associated with the use of DLT early enough on in the project development cycle. Infosec usually isn’t on every founder’s mind when they start projects, especially when it comes to pilots. Once things are in the air, often they are forced to take a few steps back once they realize they hadn’t considered security performance and infrastructure from the get-go. Interestingly, the same is often true for blockchain vendors who are in a rush to get their products deployed.

The fact of the matter is, most don’t consider the fact that all blockchains aren’t created equal. It’s important for businesses to be aware of this fact when evaluating whether the technology they’ve chosen will have the proper security measures they require –– both internal and regulatory.

For fintech solutions looking to meet security regulation standards, opting for a simple cloud-based solution often can do more harm than good. Trusting cloud providers can be risky business –– or better yet, a major risk for your business. However you choose to look at it, while many cloud providers promise to keep highly sensitive data secure many also fail to do so as the recent WSJ’s Cloud Hopper investigation revealed.

When establishing a private blockchain, businesses must consider the best platform for deployment. While blockchain has inherent properties that provide security, known vulnerabilities in any infrastructure can be manipulated by those looking to get their hands on yours or your customer’s data.

Ideally, you should have an infrastructure with integrated security that can:

  • Prevent even root users and administrators from accessing privileged information.
  • Prevent illegitimate attempts to change data or applications within the network.
  • Protect encryption keys using the highest-grade security standards.

Considering these capabilities before developing your DLT-based solution will ensure your blockchain network has the added protection it needs to prevent attacks from both within and without.


Learn more on Hub Security blockchain protection

Top 5 Cyber Threats Facing Cloud Security in 2020

More data and applications than ever are moving to the cloud, creating unique infosecurity challenges for both cloud providers and cloud customers alike. In this article, we outline the top 5 security threats organizations face when using cloud services.

Turkish Bank Launches Blockchain Platform for Digital Gold Transfers

Turkey’s Takasbank announced the release of its blockchain-based gold-backed transfer system Dec. 30th. Developed by the Istanbul Clearing, Settlement and Custody Bank, the BiGA Digital Gold trading platform provides banks with a blockchain-based system for the issuance, repayment, and transfer of digitized gold.

FBI Warns Against IoT Vulnerabilities

In the not-that-unlikely chance a business’s network is compromised, their entire infrastructure is at risk of exploitation. Gaining access to high-risk digital assets can lead to devastating revenue damages –– which is nothing to take lightly.

CBDCs Are on the Rise, Are Banks Prepared?

As more investors and businesses turn to the tokenization of digital assets, there’s no stopping the inevitable rise of digital currencies worldwide.

EY Focuses on Blockchain Security with Launch of Smart Contract Analyzer

rnst & Young (EY) launched its token and smart contract review service. The tool will allow companies and individuals to evaluate smart contracts and tokens for known security risks.

Digital Asset Alert: HK SFC Issues New Regulations

The Hong Kong Securities and Futures Commission (SFC) issued a position paper Nov. 6th defining a new regulatory framework for virtual asset trading platforms. In it, they outlined the parameters under which VSTs would be eligible to apply for a license from the SFC. Virtual asset trading platforms are platforms that offering trading of security tokens.

A virtual asset is a digital representation of value. Also known as a cryptocurrency, a crypto-asset or a digital token, the estimated total market value of virtual assets is now between $200-300 billion. As of November 2019, there are over 3,000 digital tokens and 200 virtual asset trading platforms.

Now the SFC adopted a new set of regulatory standards for virtual asset trading platforms similar to those applicable to licensed securities brokers and automated trading venues. The standards were passed in order to address key regulatory concerns surrounding the tokenization of digital assets. Of primary concern to regulators are the safe protection of assets, KYC requirements, anti-money laundering, and terrorism counter-financing.

Photo – Rikki Chan

According to the position paper released this month, the SFC will only grant licenses to platforms that are capable of meeting the standards outlined by their committee. While enthusiasm for ICOs waned throughout 2019, other forms of virtual asset fundraising hold continued buzz. Securities such as STOs are typically structured to provide the same features as traditional securities, but also involve digital proof of asset ownership using blockchain technology.

“Regulators need to be open to the benefits of innovation, but they should also be ready to tackle the risks to investors which some financial technologies give rise to,” said Mr. Ashley Alder, the SFC’s Chief Executive Officer.

As part of the newly announced regulations, the SFC also made it clear that virtual assets traded on licensed platforms will not require compliance with the same set of financial regulations as traditional security offerings.

Additionally, the SFC issued a warning to investors regarding the high risks associated with purchasing virtual asset futures contracts, citing their unregulated nature and security vulnerabilities. While this warning served largely as a side note to the excitement surrounding the announcement, investors and digital asset owners alike likely still have a long way to go before these concerns can be fully addressed and their digital assets safeguarded.

To learn more on HUB Security solutions for digital assets and key management or submit details below.

Request a Demo





Wyoming Takes the Lead in Blockchain Regulations, Will Others Follow?

Wyoming announced last month it may be the first state to make ‘blockchain banks’ a thing. If this sounds strange to you –– it’s because legally and conceptually it is. To date, hundreds of cryptocurrencies have roamed the blockchain network unchecked and unregulated.

When blockchain technology first emerged, many thought cryptocurrencies would change everything –– from how we make purchases to how we invest. But institutional investors need more than a cryptocurrency ledger to satisfy regulators that they can protect customers’ assets.

Now Wyoming is looking to change all that with the introduction of Bill H.R. 2144 (116) to the Wyoming State Legislature. Announced November 11th, the Bill outlines a path to legalization of SPDIs –– legally known as “special purpose depository institutions” –– which would serve business unable to secure FDIC-insured banking services due to their dealings with cryptocurrency.

Since February, a number of important bills were passed in Wyoming aimed at building the infrastructure for what will soon become the most crypto-friendly state in the US. In January, Wyoming’s Senate passed a bill allowing for cryptocurrencies to be recognized as money, and the same month passed another bill defining certain open blockchain tokens as intangible personal property. It’s even rumored that five new “blockchain banks” could bring as much as $20 billion in assets into Wyoming by 2020.

The rapid innovation of blockchain technology and the growing use of virtual currency and digital assets has resulted in many blockchain innovators being unable to access secure banking services. These kinds of bureaucratic legislative hiccups continue to stall the development of blockchain services and products in marketplaces the world over.

Now that’s all about to change, with Wyoming of all states leading the way to a more secure crypto future. With the newfound legal foundations for crypto-based products in place, young companies will now be left to face their next big challenge: protecting their customers’ digital assets from digital threats.

As long as innovators continue to use blockchain, legislators will need to keep pace with the rapid advancement of such technologies –– or lose out on the opportunity to provide the much-needed legal infrastructure for what is still known as the ‘wild west’ era of blockchain technology.

The Rise of Blockchain Banking

As the financial industry begins its long-awaited move to adaptive blockchain technology, many banks are becoming increasingly open to the use of crypto-based solutions for digitizing assets. It’s no secret the future of banking is digital for many financial institutions looking to modernize their product offerings. It even appears likely we’re headed toward an era of national digital currencies backed by central banks. Hats off to Mike Orcutt.

But HSBC’s decision to be the first financial institution to move $20 billion worth of assets to a blockchain platform is possibly enormously rewarding––– or risky. While the future of blockchain-based platforms such as HSBC’s Digital Vault looks promising, security experts voice growing concerns over the management of such large amounts of digital assets.

While the rise in usage of blockchain technology has made financial asset management more transparent and accessible, the crypto world has seen its fair share of threats over the past decade. From Binance to Bitpoint to Quadriga’s wild story, the industry’s shift in reliance on the blockchain has its own perils.

Blockchains are particularly attractive to hackers since once they gain access to the private keys it’s game over and fraudulent transactions are very difficult to reverse(if at all). While blockchains have unique security features, they also have their unique vulnerabilities. As banks expand their digital solution, they will continue to face continuous ongoing threats to their blockchain infrastructure. As long as vulnerabilities as these exist, banks must learn to embrace innovative solutions that can keep their most sensitive assets secure.

Today we know that marketing tactics which branded blockchain technology as unhackable were simply misleading ––– and wrong. In total, since the beginning of 2017, hackers have stolen nearly $2 billion worth of cryptocurrency, mostly from exchanges, and that’s just what’s revealed publicly. Contrary to popular belief, these attackers aren’t just lone opportunists either, they’re sophisticated cybercrime organizations. According to Chainalysis, just two of these groups, both of which are still active today, have stolen a combined $1 billion from exchanges.

Whether the future of banking relies on the blockchain or paper-tracking is still up for debate. But if history teaches us anything, it’s that we’re still not out of the woods when it comes to protecting our most sensitive piece of data. Even if we’re HSBC.

To learn more and schedule a live demo with Hub Security, Click here.

Request a Demo





Scroll to top

JOIN OUR NEWSLETTER

Keep up with cyber security news!