Cryptocurrency seems to bring out the best effort from cybercriminals. From nation states to traditional attackers, the rise in crypto-related attacks is staggering. The motivation is obvious: it’s financially driven. Despite the recent drop, cryptocurrency values have skyrocketed over the past couple of years. This is incentivizing attackers to create malicious code and sophisticated hacking tools to harvest cryptocurrency coins. One quick way to a massive payday is by compromising a digital wallet and stealing the wallet’s private key. When attackers get their hands on a digital wallet, they can take full control of the funds.
Retailers have started to accept cryptocurrency right alongside good old-fashioned cash and credit. This trend is commercializing decentralized currency and forcing the hand of many big banks to get on board. The leg up criminals have, in many of these attacks, is the anonymity involved in crypto-transactions. As this form of currency gains more credibility, organizations in every industry will need to implement security controls to mitigate risk against crypto-credentials from becoming exposed.
A quick review of digital wallets
There are two types of digital wallets: hot wallets and cold wallets. It’s easier to think of these wallets as bank accounts, where hot wallets would be the checking account and cold wallets would be the savings account. Typically, hot wallets are used by individual users and organizations to store smaller amounts of currency, adding the need to be more fluid in nature for quick transfers and exchanges. Hot wallets are usually always connected to the internet to be ready to use, ensuring the fluidity of transactions. There are many cryptocurrency services such as Coinbase and Bittrex that manage and store the wallet’s private key and provide users with easy access. In most cases, this type of managed service is password protected.
Conversely, cold wallets, used by organizations and security-savvy individuals, typically hold much larger amounts of digital currency. This type of wallet keeps its associated private key off the internet completely (for obvious reasons) and often stores it on an offline computer. Yet, as demonstrated by some of the recent attacks, if the network becomes compromised, then the keys will follow suit shortly thereafter.
There are solutions available that store private keys on a USB stick-like device that does not allow the extraction of the private key. The device is simply inserted into a computer to prove the user has access to the key (using cryptographic functionality zero trust algorithms). This solution provides sound security on the private keys, however, this is not suitable for larger organizations that need to control who has access to the device and its associated credentials.
Don’t get digitally mugged
Cryptocurrency private keys are not exclusively used by human users. There are many automated processes that perform cryptocurrency transactions as well. Securing private keys for all users (both human and machine) is a foundational first step, quickly followed by authenticating and identifying who has access to the keys, controlling the access and monitoring its usage.
What’s essential is that we start to view cryptocurrency private keys as another type of a privileged credential, and take steps to manage and protect them, with the appropriate workflows and access controls.
Here are six key (pun intended) considerations to help secure and protect cryptographic keys:
- 1. Store cryptographic keys in a secure digital vault – Move keys into a digital vault with multiple layers of security wrapped around it, enforce multi-factor authentication to all users who have access to the vault.
- 2. Introduce role segregation – Control individual access to stored keys, preventing even the most privileged administrators from getting to them unless explicit permissions have been granted.
- 3. Enable secure application access – Enable access to stored keys for authorized applications and verify that the applications are legitimate.
- 4. Audit and review access key activity – Audit all activity related to key access and implement trigger events to alert the necessary individuals of any key activity.
- 5. Enforce workflow approvals – Enforce workflow approvals for anything considered to be highly sensitive and the same goes for accessing the keys.
- 6. Monitor cryptocurrency administrator activities – Facilitate connections – similar to an automated secure proxy/jump host – to target systems that are used to perform cryptocurrency administrator activities (e.g. the system hosting the wallet).
Cybercriminals will continue to look at this technology as another opportunity to line their pockets. But with organizations needing to respond to the demand for this type of currency, it’s essential to put in place safeguards, rather than just jumping on the trend. Safeguarding critical systems from key harvesting and many other types of advanced attacks will be key in ensuring they don’t find themselves caught out.