Uncategorized

What Is Real Estate Tokenization

 

As blockchain-powered solutions expand far beyond the financial industry, investors are beginning to turn their eye to the use of cross-industry tokenization. Blockchain’s decentralized and transparent characteristics make it appreciated by banks, investors, and logistic experts alike –– as its potential applications are innumerable and far reaching.

Now global governments have begun testing the waters of blockchain’s potential when it comes to property tokenization by putting certain property-related issues onto the blockchain.

Real Estate and Tokenization

The value of asset tokenization is particularly relevant in real estate markets, which is by far the largest asset class in terms of global asset value. According to a report, the size of the professionally managed global real estate investment market grew from $7.4 trillion in 2016 to $8.5 trillion in 2017.

Without question, home equity as a source of capital remains a global trend –– even if subject to market volatility. It still remains one of the safest places to place wealth, so it’s not surprising it’s going digital.

From enhanced liquidity to lower transaction costs and faster processes, tokenization of one of the world’s largest asset classes will undeniably change the way we buy, sell, and trade property in the not so distant future.

How Real Estate Tokenization Works

In a nutshell, tokenization is the process of transforming an asset into a digitally represented token. In the same sense, real estate tokenization is the process of digitizing the value and the ownership of property into a token –– or multiple fractional tokens –– that can be distributed among investors.

This process gives the property holder the right to own a portion of the property legally, and the creator of the token increased liquidity of funds.

Another set of advantages of tokenizing property assets are increased investment opportunities. By bringing in a large pool of global investors who would want to invest in real estate in other countries, new investment opportunities are expanded through an increase of asset liquidity and implementation of collective management use cases.

What Real Estate Can Be Tokenized?

Since tokenization is fairly flexible, a token could represent ownership of an underlying real asset, an equity interest in a legal entity, interest in a debt secured by the asset, or even a right to share in profits arising from use of the asset. Use cases are endless and new investment opportunities are still yet to be explored.

Even the types of property involved can vary. From single-family homes to office buildings to retail spaces, and everything in between, real estate can be defined in a broad manner. While this may sound too good to be true, several models of real-estate tokenization are already being actively used, including:

  • Timeshares
  • Special-purpose vehicles
  • Shares in real estate funds
  • Loans to development projects
  • Tokenized REITS

Join Hub Security’s TokenSoft’s CEO Mason Borda and CRO David Hochhauser online this Thursday, June 18th for a discussion on Real Estate Tokenization.

Digital Wallet for Enterprises

We had the pleasure to host the webinar ‘Digital Wallets for Enterprises’ last week. On the event we hosted Vipin Bharatha, an industry expert for blockchain and digital assets, along side David Hochhauser, Hub Security’s CRO. See the full recording below  

What is Ransomware

Today the world has become increasingly aware of the threat of cyber attacks and data breaches, but not all organizations know how to defend themselves against them. Systems breaches great and small have more than doubled in the past five years, and the attacks have grown in both sophistication and complexity. 

From DDoS to ransomware attacks, a cyberattack can have devastating consequences for a brand. Not only does it lead to a loss of consumer confidence, but the manner in which a company handles an attack can also have a significant impact on the business’s bottom line and reputation.

Learn more on cyber security, HSM and key management

In this article, we’ll take a bird’s-eye view at what ransomware is, who it targets, and how it works so you can work to defend you and your organization from future attacks.

What Are Ransomware Attacks

Ransomware is a type of malware that encrypts data, making it impossible for the owners of that data to access it unless they pay a hefty fee. In March 2017, the WannaCry virus spread independently through the networks of unpatched Microsoft Windows devices, leaving thousands of computers infected and making off with a total of 327 payments.

Ransomware has cost businesses more than $75 billion per year in damages (Datto), and ransomware remains the most common form of cyberattack. By the end of 2016, 12.3 percent of global enterprise detections were ransomware, while only 1.8 percent of consumer detections were ransomware worldwide. By 2017, 35 percent of small and medium-sized businesses had experienced a ransomware attack of some kind.

According to a Kapersky Labs report, cybersecurity statistics show ransomware attacks were launched from within more than 190 countries, with financial services the second most targeted industry after healthcare.

Not only are banks at high-risk, but cities and municipalities are as well. In August 2019, 23 local government organizations in Texas were hit by a coordinated attack, likely from a single threat actor. In June 2019, the state of Florida was also hit hard by ransomware attacks, and in just one month no less than three Florida municipal governments were attacked by Emotet, TrickBot, and Ryuk ransomware.

How Ransomware Attacks Happen

Phishing is a common type of cyberattack that’s often used to steal user data, including login credentials and credit card numbers. Phishing occurs when an attacker tricks an unsuspecting victim into opening a malicious link, leading to an installation of malware which then freezes the system as part of a ransomware attack. This can have devastating results on a business.

One of the major news stories of 2013 was the Target data breach that affected 110 million users, including 41 million retail card accounts. It turns out that cybercriminals did not attack Target directly. They targeted a third-party HVAC vendor, which had trusted access to Target’s servers. Upon compromising FMS’s servers, gaining complete access to Target’s was simple.

Learn more on cyber security, HSM and key management

Types of Ransomware Attacks

As far as ransomware goes, there are three primary kinds of ransomware. Each ranges in severity from mildly to code-red dangerous. Let’s break them down now.

Scareware Attacks

Scareware is actually not as scary as it sounds. This kind of attack is primarily supposed to seem scary when in reality the victim is safe until it provides unwarranted access. Scareware usually includes rogue security software and tech support scams, such as pop-up messages claiming that malware was discovered and the only way to get rid of it is to pay up. 

If an individual does nothing, they’ll likely continue to be bombarded with pop-ups while all files remain essentially safe. A legitimate cybersecurity software program would never solicit customers this way. If you don’t already have this company’s software on your device, then it would not be monitoring you for ransomware infection, plain and simple.

Screen Locker Attacks

When lock-screen ransomware gets access to a device, it means the user is frozen out of their PC entirely. Usually, when victims turn on their computer a large window appears, accompanied by an official-looking US Department of Justice seal stating illegal activity has been detected and the user must pay a fine. 

However, any official department who suspects illicit activity would simply not freeze someone out of their computer or demand payment. If they suspected piracy, child pornography, or other cybercrimes, any official office would go through the appropriate legal channels.

Encrypted Attacks

Encrypting ransomware is the type of ransomware that can cause real harm and lasting damage. Commonly deployed against small businesses and other larger organizations, the attack works by snatching up large sets of files and encrypting them, demanding payment in order to redeliver. 

The main reason this type is so dangerous is that once cybercriminals get a hold of sensitive data, no security software or system restore can get them back unless the ransom is paid. Even if an organization does decide to pay up, there’s no guarantee cybercriminals will provide the files back safely.

Conclusion

As we have already seen, 2020 will have many cyberthreats to contend with –– many due to COVID-19. Trojans such as Emotet and TrickBot had successful runs last year and we can expect them, or other multi-purpose malware like them, to make a comeback.

While it may seem hopeless and at times even impossible, the good news is it’s not. There are a few key steps every organization can take to protect its digital landscape.  To protect sensitive digital assets, it’s good to start with the basics, like getting organized, understanding attack and breach implications.

But protecting digital assets comes with its own set of unique challenges and proper preparation is required to thwart off and defend against these kinds of attacks. By having safely guarded cryptographic keys and organizational data –– and a proper HSM device in place to protect them –– organizations can protect themselves against incoming ransomware attacks by preventing them from happening in the first place.


Join Hub Security’s CTO online this Thursday, April 30th for a free webinar to discuss cybersecurity threats related to ransomware, IoT vulnerability, and quantum computing.

Token Regulation – How To Avoid Common Regulatory Mistakes

Jonathan joins Hub Security in our new video and goes over the legal framework on token issuance and explain how to issue tokens in a non-regulated and regulated form. We cover the common mistakes other issuers had with actual case studies. in addition we reviewed the different regulatory opportunities and how to qualify for sandbox regulation.

What Is Digital Asset Security

The world has become increasingly aware of the threat of cyber attacks and data breaches, but not all organizations know how to defend themselves against them. Systems breaches great and small have more than doubled in the past five years, and the attacks have grown in sophistication and complexity. 

From DDoS attacks to data loss, a cyberattack can have devastating consequences for a brand. Not only does it lead to a loss of consumer confidence, but the manner in which a company handles an attack can also have a significant impact on the business’s bottom line and reputation.

Nascent industries like cryptocurrency are also feeling the impact. Accounting agency KPMG told Bloomberg in March that the cryptocurrency market must enhance its digital asset security before $245 billion of the crypto industry can expand. 

Learn more on digital assets, compliance and cyber security from our experts

While it may seem hopeless and at times even impossible, the good news is it’s not. There are a few key steps every organization can take to protect its digital landscape.  To protect digital assets, it’s good to start with the basics, like getting organized, understanding attack and breach implications.

The evolution of digital security has made digital asset management more transparent, accessible and streamlined than ever. But protecting digital assets comes with its own set of unique challenges. In this article, we’ll take a bird’s-eye view at the current state of the digital asset threat landscape, technology, and solutions.  

What Is a Digital Asset

A digital asset can be anything in a digital format, from a text document to a private key to a database. In determining the priority of assets to protect, organizations must confront both external and internal challenges. The idea that some assets are of critical importance to a company must be at the heart of an effective strategy to protect against cyber threats. 

The Difference Between a Digital Asset and a Digital Security

It may be surprising, but the first digital asset was in fact Bitcoin when it launched in 2009. Now, digital assets are prominent in discussions by the SEC, the Financial Crimes Enforcement Network, and other regulatory bodies. Digital assets have become a permanent fixture in finance.

Mason Borda, CEO of TokenSoft, outlined the distinction between the two. “A digital asset is a digital representation of something of value, for which ownership is verified and recorded on a distributed ledger.”

A digital security, on the other hand, is a “digital representation of an asset that happens to be a security, often an investment contract, for which ownership is verified and recorded on a distributed ledger. A digital security, which is subject to traditional securities laws, is often referred to as a security token.”

For example, a digital security could be a share of a corporation, a portion of a note, or a debt security. In some cases, it could also be fractionalized interest which some commentators have discussed as being an especially suitable use-case for the security token concept.

Digital Asset Threat Landscape

Industries around the world, from health to finance have seen their fair share of threats over the past decade. As companies and clients continue to expand their digital services, they’ll continue to face ongoing threats to their security’s IT and infrastructure. 

Common Vulnerabilities

Credential Stuffing

Credential stuffing is a type of cyberattack that usually targets the personal data of banking customers. Using stolen account credentials, hackers can gain unauthorized access to user accounts using automated large-scale login requests. 

The stolen information can then be used to bombard websites and servers in order to try to gain access to critical IT infrastructure. This practice is known as credential stuffing.

Credential stuffing differs from a brute force attack because in credential stuffing operations attackers are often using usernames and passwords that are known to have been good at some point or another. For banks, credential stuffing is an emerging and credible threat that will only get worse as the number of data breaches increases.

Phishing Attacks

Phishing is a common type of cyberattack that’s often used to steal user data, including login credentials and credit card numbers. Phishing occurs when an attacker tricks an unsuspecting victim into opening a malicious link, leading to an installation of malware which then freezes the system as part of a ransomware attack. This can have devastating results on a business.

One of the major news stories of 2013 was the Target data breach that affected 110 million users, including 41 million retail card accounts. It turns out that cybercriminals did not attack Target directly. They targeted a third-party HVAC vendor, which had trusted access to Target’s servers. Upon compromising FMS’s servers, gaining complete access to Target’s was simple.

Ransomware Attacks

Ransomware is a type of malware that encrypts data, making it impossible for the owners of that data to access it unless they pay a hefty fee. In March 2017, the WannaCry virus spread independently through the networks of unpatched Microsoft Windows devices, leaving thousands of computers infected and making off with a total of 327 payments.

Ransomware has cost businesses more than $75 billion per year in damages (Datto), and ransomware remains the most common form of cyberattack. Banks remain top targets for ransomware attacks, as cybercriminals follow the money for big payoffs. 

IoT Exploitation

While a majority of exploitation attempts stem from software vulnerabilities, they can just as easily begin from vulnerable pieces of hardware. Anything from an employee device to a router connected to an unsecured network can put an entire organization’s digital infrastructure at risk. Unbeknownst to many is how easily exploitable their IoT devices are since they’re often not required to have the same level of security scrutiny as computers. 

Unsecured IoT devices, such as home routers, printers, and IP cameras are all vulnerable to attack. As institutions continue to connect more gadgetry to the internet, the number of potential security weaknesses on their networks are also more likely to increase. To breach an institution, attackers will target insecure devices to create a pathway to other systems. Once they have an entryway from an IoT device, they have full access to the entire network. 

Cloud Storage Vulnerabilities

For many enterprise solutions, opting for a simple cloud-based solution often can do more harm than good. Trusting cloud providers can be risky business –– or better yet, a major risk for your business. However you choose to look at it, while many cloud providers promise to keep highly sensitive data secure many also fail to do so. 

With the Wall Street Journal’s release of their investigation into the global hacking campaign known only as ‘Cloud Hopper,’ the true depth of the risks associated with compromised cloud data couldn’t be more evident, or alarming. 

With so much information stored on the cloud, particularly for the use of public services, cloud providers have become easy targets for malicious attackers. To get a clearer picture of the problem, consider that over 1.4 billion records were lost to data breaches in March 2017 alone –– many of which involved cloud servers.

Contrary to what many may believe, the sole responsibility for protecting corporate and customer data in the cloud lies with the cloud customer, not the service provider. Hence, no cloud provider is legally or contractually obligated to ensure the safety of customer data –– as much as they may promise to do so.

In cases of breached data, a company may be required to disclose the breach to authorities and alert customers and potential victims. Regulations like HIPAA and HITECH in the healthcare industry and the EU Data Protection Directive are laws that outline the necessity of such disclosures. 

Using legally-mandated breach disclosures, regulators can issue hefty fines against a company, and it’s not uncommon for consumers whose data was compromised to file lawsuits.

Many cloud services available today have a number of stringent security protocols in place to protect the data they store. However, it’s the responsibility of any given organization to implement a plan for protecting their customer’s data on the cloud. Here are just a few ways your digital assets are vulnerable when stored on the cloud.

Data Breaches

Cloud data storage security has forced today’s cybercriminals to invent new ways to circumvent today’s cyber solutions in order to gain access to the sensitive data of millions of businesses and individuals.

A data breach can have huge consequences for a company, both legally and reputationally. A data breach can expose sensitive customer information, intellectual property, and trade secrets, all of which can lead to serious consequences for any business. Companies could potentially face lawsuits and hefty fines, as well as damage to the brand image that could last for years.

In May 2016, hackers stole an estimated 167 million LinkedIn email addresses and passwords causing irreparable damage to the brand’s customer trust. While cloud storage providers work to implement rigorous security measures, the same threats that impact traditional storage networks also threaten those of the cloud.

Today it’s possible for a hacker to listen for a ‘side-channel timing exposure,’ signaling the arrival of an encryption key on another VM of the same host. This kind of breach can lead to an organization’s most sensitive internal data falling into the wrong hands.

Data Loss

A data breach can lead to data loss which can take place when a disk drive dies without a proper backup in place. Like losing the key to your house, data loss occurs when the owner of encrypted data loses the key that unlocks it.

A data loss could occur as a result of a malicious attack. On Easter weekend in 2011, small amounts of data were lost for some Amazon Web Service customers as its EC2 cloud suffered “a re-mirroring storm” due to human operator error.

While the chances of losing all your data in the cloud aren’t that high, there have been reports of hackers gaining access to cloud data centers and wiping all the data. That’s why it’s critical for organizations to distribute their applications across several zones, and backup their data using off-site storage if and when possible.

On top of this, companies need to be aware of compliance policies that dictate what they can and can’t do with the data they collect. By complying with these rules, companies can work to protect their data and the data of their customers’ in the event of a data breach.

Since both data breaches and data losses can lead to a loss of consumer confidence in a brand, the manner in which a company handles an attack will also have a significant impact on the business’s bottom line and reputation.

Compromised Credentials

Although account hijacking sounds too simple to be a serious concern for cloud services, consider the impact of a compromised account. An attacker with control of an account has the ability to eavesdrop on transactions, manipulate data, provide false responses to customers, and redirect customers to a phishing or competitor’s site. Even worse, if a compromised account is connected to other accounts, it’s possible to quickly lose control of multiple accounts all at once.

There are many security threats that can be easily prevented with the creation of secure, unique passwords. While remembering complex passwords can be a challenge, the use of a trusted password manager like Dashlane or OnePassword can really simplify things.

Businesses that provide employee training in order to raise awareness of such vulnerabilities can stress the importance of creating secure credentials on a company-wide scale. In addition to using strong passwords, companies can also work to protect themselves by defining the right user roles and creating processes for identifying critical changes made by other users.

Hacked Interfaces and Insecure APIs

In today’s cloud era, companies try to make services available to millions while limiting any damage anonymous users may do to their service. They do this with the use of APIs, or public-facing application programming interfaces, that defines how a third party connects an application to the service.

Most cloud services use APIs to communicate with other cloud services, leaving a wide gap for potential exploitation. As a result, the security of APIs has a direct effect on the security of the cloud services, and the chances of getting hacked increases. Such a hack has the potential to cause a business to lose confidential information related to their customers or other parties.

The best way for businesses to protect themselves from API hacks is to implement threat modeling applications and systems into the development lifecycle. It’s also recommended to perform comprehensive code reviews regularly to ensure that there aren’t any security gaps that have the potential to be exploited.

DDoS and DoS Attacks

DDoS attacks have the potential to cripple an organization’s public cloud and affect the availability of enterprises that run critical infrastructure in the cloud. This kind of malicious attack can be debilitating for a business, slowing systems down or timing out requests while consuming huge amounts of processing power.

Today’s attackers have improvised increasingly sophisticated ways of carrying out an assault before hundreds of thousands of automated requests for service can be detected and screened.

This makes it harder than ever to detect which components of incoming traffic are the bad actors and which are legitimate users. For companies, experiencing a DoS attack feels like being caught in rush-hour traffic with no way out –– and there’s nothing you can do about it but sit and wait it out.

While DoS attacks have been around since the dawn of the decade, cloud computing has made DoS attacks more prevalent than ever. In some cases, persistent DoS attacks can be too costly and time-consuming; it forces businesses to shut down their service until remediations can be made.

Many cloud services have systems in place for protecting cloud customers against these kinds of attacks, but the best way to ensure you don’t fall victim to one is to prevent an attack from happening in the first place.

Blockchain Vulnerabilities

With blockchain’s industry value estimated to hit $23B by 2023, it’s hard to keep track of the number of blockchain-based solutions developed to date. While security features inherent in blockchains make Distributed Ledger Technology (DLT) resistant to attack, they do not make it immune. 

In fact, DLT technology is subject to a number of issues that centralized databases are not. While industry experts continue to remind the public that DLT technology is eons beyond current data security solutions, many still believe companies should take extra precautions when safeguarding their data.

Blockchains’s unique security features don’t make it immune to exploitation. Rather, with far more limited attack vectors, blockchain security relies heavily on the security of its weakest endpoint: the cryptographic key.

The Role of Private Key Infrastructure (PKI)

Encryption is most commonly used on documents and messages before they’re transmitted, but if the recipient of the information cannot verify its source or the identity of the sender, the authenticity of the information may not be trustworthy.

This is the primary reason for the use of keys when decrypting data. Keys are shared between the sender and receiver of encrypted communications and verified by digital certificates in order to establish the integrity of any incoming information.

Public Key and Private Keys

In the world of data encryption and decryption, there are typically two kinds of encryption, asymmetric and symmetric. Symmetric, is when both the sender and recipient of the information have an identical key that allows for the translation of the incoming data. In cases of symmetric encryption, both parties must make efforts to keep the key secret and safeguarded –– which is inherently more risky.

That’s asymmetrical cryptography and the use of public keys come in useful. Used more often today, a public key can be used to encode information and a private key is used to decrypt it. A good example of this would be credit card usage, such as pin transactions.

Decryption Using Public Keys

The Public Key Infrastructure (PKI) is the set of hardware, software, policies, processes, and procedures required to create, manage, distribute, use, store, and revoke private keys, digital certificates and public-keys. Public keys are the basis for a Public Key Infrastructure when encrypting highly-sensitive data. PKIs enable the use of digital signatures and encryption across large user sets. 

Often they help establish the identity of people and devices, enabling controlled access to systems and resources, protecting data and authenticating transactions. Many of today’s emerging technologies, especially within the fintech space, are becoming more and more reliant on PKI technology to guarantee security and protection of sensitive data.

Generating Cryptographic Private Keys

All cryptographic private keys generated within a PKI infrastructure must be random. By design, a computer is unable to generate a truly random value because it is a finite-state machine. 

Therefore, a unique physical process is needed in order to generate random numbers and keys. HSM devices contain unique hardware that uses a physical process to generate a reliable source of randomness, that in turn is used to generate truly perfect random keys.

Hardware Security Modules (HSMs)

That leads us to the important role hardware security modules play in true digital asset security and protection. A hardware security module, or HSM device, is a dedicated cryptographic processor designed to protect highly critical and sensitive keys and assets. HSMs act as trust anchors that protect the cryptographic infrastructure of some of the most security-conscious organizations in the world. 

This piece of hardware may look small but is mighty powerful. It has the ability to securely manage, process, and store cryptographic keys inside its hardened, tamper-resistant shell.

The Use of HSMs

Outside of banking, enterprises use HSM devices to protect anything from transaction data, identity, and applications. HSMs are excellent at securing cryptographic keys and encryption, decryption, authentication, and digital signing services for a wide range of applications, including database encryption and SSL/TLS for web servers.

With wide-ranging use, many industries and businesses have come to rely on HSM devices to provide quick, safe and secure data transactions and verification. Whatever the use case may be, the key elements of any HSM device require that it:

  1. Is designed using specialized hardware that is well-tested and certified.
  2. Has a security-oriented Operating System.
  3. Has access to a network interface controlled by strict internal parameters.
  4. Actively stores and protects cryptographic material.

The Use of HSMs for Blockchain

With blockchain’s industry value estimated to hit $23B by 2023, it’s hard to keep track of the blockchain-based financial solutions taking off left and right, such as ICOs and STOs. Proponents of distributed ledger technology (DLT) consider it to be one of the best ways to secure transactions. 

But while blockchains have many desirable features –– such as transaction efficiency –– there are still other conditions to consider when it comes to leveraging its technology. The growing consensus among blockchain security experts highlights the need for blockchain-compatible security solutions that will directly address the threat of data theft and exploitation.

There are many ways in which HSM devices can be used in blockchain, leveraging this established hardware technology to protect keys. After all, this emerging industry needs more and better solutions to protect currencies and mitigate risks of theft, hacks, or security breaches.

There are six potential uses of HSM hardware to foster security in the blockchain:

  1. Generation of private and public key pairs: The HSM needs to support the blockchains specific algorithms.
  2. Secure storage for private keys: Private keys must remain secure and private.
  3. Secure signature and verification: Send valid transactions to the blockchain by signing them and verify transactions whenever needed.
  4. Hierarchical deterministic wallet support: Ability to derive key-pairs in a secure environment from a single key master according to BIP32.
  5. Encryption, decryption and use of keys records from key databases: A significant number of applications require secure key storage and a secure environment for their usage.
  6. Logging: Usage tracking needs to be secure as well. Being able to audit and monitor how and when keys are used without the ability to modify and alter the logs.

HSM Operating Environment

Any programmer would normally mix the database access code, business-logic and cryptographic calls in one single application, leaving it dangerously vulnerable to exploitation and attack. This is a dangerous approach, as an attacker can leverage crafted data to access cryptographic materials, steal keys, install an arbitrary certificate, and so on.

To prevent such intrusions, advanced HSM devices require two separate operational zones. A single one that holds the business logic, and a second for cryptography which is entrusted with the cryptographic operation.

Remote HSM management allows multiple security teams to perform tasks from a central remote location without the need to travel to a physical data center. A remote HSM management solution provides users with operational cost savings and flexibility. Remote HSM management capabilities are distinctive in that they require more stringent security controls.

Banks and other institutions have been wrestling with these unique challenges for decades. That’s why it’s become important for the blockchain community to embrace tried and tested solutions, such as HSM, which may be crucial in helping blockchain evolve and mature.

Conclusion

In the face of such diverse and imminent threats, companies often make the right decision to spend more on cybersecurity. But many are unsure how to go about it, often misallocating time, money and resources in their mitigation strategies.

For example, a global financial-services company might leave cybersecurity investments mainly to the discretion of the chief information security officer (CISO). This can lead to security teams being isolated from business leaders, and the resulting controls were not focused on the most critical assets that require protection.

Another example may be a healthcare provider that makes patient data its only priority, while other infosec areas are neglected, such as confidential financial data relevant to big-dollar negotiations.

These common examples illustrate the growing need for a unified, enterprise-wide approach to cyber risk which involves the business and the risk, IT, and cybersecurity groups. 

Leaders of these groups must begin to work together in order to identify and protect an organization’s critical digital assets as a priority.  Cybersecurity investment must be a key part of the business budget cycle and investment decisions must be more evidence-based and sensitive to changes.

Whether the future of many of the world’s largest industries will evolve to adopt blockchain technology is still up for debate. But if history teaches us anything, it’s that it’s going to take a lot more to protect our digital assets in 2020.

Learn more on digital assets, compliance and cyber security from our experts

German Banks Expand Crypto Service Offerings Under New Law

The Fifth European Money Laundering directive came into effect January 1st, which updates a fourth EU Money Laundering Directive to include crypto services. The law allows for the sale and custody of Bitcoin and other cryptocurrencies across the EU, including Germany.

The update gives banks permission to treat bitcoin, or ethereum as stocks or bonds, allowing them to also offer related fintech services to customers. Up to date, almost no German institute offered its customers virtual assets, but the new law has changed all that.

Now BaFin, the country’s financial regulator, has received more than 40 expressions of interest from banks looking for approval to operate a crypto custody business.

One of the first financial institutions to offer cryptocurrency services is Solarisbank in Berlin. The bank launched a subsidiary, Solaris Digital Assets, in December last year to drive the adoption of digital assets. Solarisbank has a full banking license and has been providing services to numerous German fintech startups.

“Digital assets will fundamentally change the financial market,” Michael Offermann, Managing Director for crypto banking activities at Solarisbank. “As soon as it becomes easier to buy and store bitcoin… we expect strong growth.”

With the blockchain industry’s value estimated to hit $23B by 2023 blockchain-based solutions and services are becoming more ubiquitous than ever. As the industry grows though, so do its risks.

While the security features inherent in blockchains make DLT resistant to attack, they do not make it immune. In fact, DLT technology is subject to a number of issues that centralized databases are not. The growing list of blockchain technology providers who have become victims of malicious hacks keeps mounting.

While industry experts continue to remind the public that DLT technology is eons beyond current data security solutions, many still believe companies should take extra precautions when safeguarding their digital assets. As more governmental and commercial sectors adopt blockchain and DLT-based technology, there’s a growing need for discussion of the risks still associated with its use.

With all the cyber threats that exist today, banks are more vulnerable than ever to becoming the next victim of malicious cyberattacks, such as credential stuffing, phishing, and ransomware. The good news is, there are proven steps banks can already take to protect their digital assets from prying eyes.

1. Assess Cloud Security

Assess their cloud security’s current state compared to security benchmarks, best practices and compliance standards.

2. Monitor Cloud Security

A vulnerability management tool can help banks automate threat detection and protect against potential threats before they become a problem.

3. Strict Access Management Policies

By only providing access permissions to employees who require it, banks can ensure their organization is well-protected from within.

4. Disaster Recovery Plans

Having a plan in place can help banks avoid data loss and allows them to minimize downtime after a disruption. This only works if data is backed up regularly and often.

5. Encrypt Data Cryptographically

Encrypting data cryptographically, and protecting the cryptographic keys to that kingdom with a secure HSM, ensures sensitive digital assets are always protected –– even if a bank’s IT structure is critically compromised.



Learn more on digital assets, compliance and cyber security from our experts

Security Token Offerings Find a New Dawn with Blockchain Compatible HSMs

With the explosion of distributed ledger technology (DLT) as a safe and secure solution for the transparent handling and sharing of information across organizations, many are quick to jump on the DLT bandwagon. With blockchain’s industry value estimated to hit $23B by 2023, it’s hard to keep track of the blockchain-based financial solutions taking off left and right, such as ICOs and STOs.

Proponents of the distributed ledger technology known as blockchain consider it to be one of the best ways to secure transactions. But while blockchains have many desirable features –– such as transaction efficiency –– there are still other conditions to consider when it comes to leveraging its technology.

The publication of DTCC’s most recent paper on the matter outlines key risks associated with the use of the DLT technology, and an acknowledgment of the many security risks still associated with its use for both small businesses and enterprises alike. As the industry grows though, so do its risks. 

As security concerns related to the use of blockchain have continued to raise alarm bells across the nascent industry, the growing consensus among blockchain security experts highlights the need for blockchain-compatible security solutions that will directly address the threat of data theft and exploitation.

The excitement surrounding the use of Initial Coin Offerings (ICOs) over the past few years has been tainted by an onslaught of hacks, scams, and pivotal mistakes committed by investors. As it turns out, one of crypto’s biggest appeals — limited oversight and government regulation — also proves to be its greatest vulnerability.

But crypto assets are a new dawn. With the inception of the Security Token Offering (STO), the cryptosphere is beginning to reach true legitimacy in the financial world. Today, services such as Tokensoft’s offer a full suite of technology and consulting services for investors –– helping them maintain, trade and manage the entire lifecycle of a digital security.

Earlier this month TokenSoft announced its partnership with Tel Aviv-based cybersecurity firm Hub Security to provide clients of its transfer agent access to military-grade HSM protection. The military-grade hardware update ensures investor’s tokens and assets are safe and secure with Hub Security’s next-gen HSM and independent OS for the encryption, management and distribution of keys.

“TokenSoft’s new partnership with Hub Security allows us to provide members with top-tier, military-grade protection for their tokens, keys and assets –– accessible from anywhere in the world,” said Mason Borda, TokenSoft’s CEO.

Hub Security’s miniHSM device is the first of its kind to attempt to address the threat of data theft and exploitation head on. Built uniquely for the use of tokens, cryptocurrencies and other blockchain-based products, the device offers scalable, air-tight security that can support any blockchain-based digital asset.

HUB Security’s combination of hardware and software solutions includes ultra-secure internal signing authorization flow with a multi-signature vault, hardware firewall, access control, and a deep neural network learning system designed to anticipate and prevent cyberattacks.

Join Hub Security and TokenSoft online on Thursday, April 2nd for a free webinar with TokenSoft CEO, Mason Borda, to discuss the regulatory and security concerns surrounding the use and management of STOs.

Distributed Ledger Technology Implementations Require Refreshed Approach to Security, According to New DTCC Paper

A paper published February by the Depository Trust & Clearing Corporation (DTCC) calls for a more coordinated strategy around the development of a principles-based framework to identify and address DLT-specific security risks. With the adoption of distributed ledger technology (DLT) expected to grow in financial services, the DTCC’s white paper, Security of DLT Networks, outlines recommendations for establishing a comprehensive industry-wide DLT Security Framework.

Established in 1999, the DTCC is a holding company that consists of five clearing corporations and one depository, making it the world’s largest financial services corporation dealing in post-trade transactions. In 2011, the DTCC settled the vast majority of securities transactions in the United States and close to $1.7 quadrillion in value worldwide, making it by far the highest financial value processor in the world.

The paper outlines the need for today’s organizations to review existing security guidelines, gaps in their approach to DLT security, and the need for increased standards. The paper also suggests the possible formation of an Industry Consortium to spearhead this topic.

“With adoption of DLT across the financial services ecosystem likely to continue to increase in the coming years, we need to be certain that all DLT-related security risks are identified and addressed to maintain the safety and stability of the markets,” said Stephen Scharf, Chief Security Officer at DTCC. “DLT offers great potential, but as with any new technology, it also comes with certain risks. Traditional security measures may not be adequate, so it is critically important that this topic is top of mind for any DLT implementation.”

According to the paper, the establishment of a DLT Security Framework would:

  • Assist in the completion of risk evaluations across an individual firm’s security assessments via best practices and tools, such as risk management & oversight, cybersecurity controls, third-party management, and incident & event management.
  • Address key aspects of the DLT key management lifecycle, including DLT-specific security considerations associated with the creation, maintenance, storage and disposal of sensitive information.
  • Provide security guidance and practices respective to account access with the use of cryptographic hash functions, standard authentication methods and bridging the security gap between DLT and traditional IT environments.

Many enterprises are beginning to pilot and deploy DLT technology. While many of these blockchain-based solutions are generally considered secure, as DTCC notes, they are not immune to security risks or regulatory constraints. Companies must begin to consider the security implications associated with the use of DLT as early on in the project as possible. If there’s one take away from the paper’s release, it’s a crude warning to organizations: take careful consideration of your DLT solution’s security before writing a single line of code.

Global ‘Cloud Hopper’ Hacking Campaign Reveals Major Security Gaps in Cloud Security

The Wall Street Journal recently wrote a full-fledged report on their investigation into the state-sponsored Chinese global hacking campaign called ‘Cloud Hopper.’ Its investigation reveals the true depth of the risks associated with compromised cloud data in one of the largest-ever global corporate espionage efforts.

Cybersecurity investigators first identified aspects of the hack in 2016, revealing that cyber-attackers allegedly working for China’s intelligence services stole volumes of intellectual property, security clearance details and other records from dozens of international companies over the past several years.

Hackers, known as APT10 to Western officials and researchers, gained access to cloud service providers where companies believed their data was being safely stored and protected. Once in, the hackers freely and anonymously hopped from client to client, evading investigator’s attempts to eliminate them. For years.

Now the WSJ is reporting that the attack was actually much worse than initially reported –– going far beyond the 14 yet to be named companies listed in the indictment. While most names are still hidden, it’s reported that the hack stretched across at least a dozen cloud providers, including CGI Group Inc., Tieto Oyj, and International Business Machines Corp. (IBM)

Some of the companies targeted include mining company Rio Tinto PLC (RIO), and health-care giant Philips NV. Both had highly-sensitive data compromised in the attack, including mining prospects and sensitive medical data and research. The Journal also uncovered hundreds of firms that had relationships with breached cloud providers, including Philips, American Airlines Group Inc., Deutsche Bank AG, Allianz SE and GlaxoSmithKline PLC.

The Journal found that Hewlett Packard Enterprise Co. (HPE), also compromised in the attack, was so overwhelmed that the cloud company didn’t see the hackers re-enter their clients’ networks –– even as they gave customers the all-clear. Even worse, it’s still unknown if the hackers remain in the companies’ network today. The Journal reviewed data provided by Security Scorecard, a cybersecurity firm, and identified thousands of IP addresses globally still reporting back to APT10’s network between April and mid-November.

FBI Director Chris Wray said that access gained through cloud providers provided hackers with the equivalent of a master key to an entire apartment complex.

What made it worse, was investigators in and out of government said many of the major cloud companies attempted to stonewall clients about what was happening inside their networks. Officials at the Department of Homeland Security grew so frustrated that they’re now reportedly working to revise federal contracts that would force them to comply with future probes.

Meet Us November 2019

Leave your details bellow and we will get back to you shortly to schedule a meeting!


Scroll to top

JOIN OUR NEWSLETTER

Keep up with cyber security news!