It is now more widely expected that cryptocurrencies (“cryptos”) are here to stay and they will continue to evolve until they become the mainstream currency. Although the global shift to crypto will not happen anytime soon, the perspective is that it is only a matter of time WHEN and not IF. Until that day, there will be a lot of “shaking out” before cryptos go mainstream.
One of the biggest challenges for cryptos is confidence. People and organizations are concerned about the authentication, authorization and/or confidentiality limitations of cryptocurrency transactions, and such concerns are currently hindering the adoption rate of cryptos. By standardizing the security techniques and methodologies used by cryptosystems around the world, end users will be able to make better-informed decisions about which products and services to use and which companies to partner with. On the other hand, many cryptos, such as Bitcoin, are not governed by a central control point or “authority”, so standardizing their security will be a challenging process. Standard approaches to a secure environment will come from the cryptos that adopt permissioned ledger mechanisms like Ripple XRP. In permissioned ledger environments, read permissions may be public or restricted to an arbitrary extent, but write permissions are held centrally by one organization. As such, standardization on security is more feasible there.
The success of online payments with traditional or fiat currencies can be attributed in part to the PCI DSS (Payment Card Industry Data Security Standard). This standard was led by the major payment brands, namely American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc., and it has now become the de facto standard for organizations that handle or store credit card details. Non-compliance with this standard means that an organization will not be able to make online payments using credit cards.
A security standard in the crypto space, commonly referred to as CCSS (Cryptocurrency Security Standard), was introduced in 2014 to provide guidance specific to the safe management of cryptocurrencies. It is currently the reference standard for any information system that handles and manages crypto wallets as part of its business logic.
The CCSS is an open standard that focuses on the storage and use of cryptocurrencies within an organization[i]. It is designed to complement, not replace, standard information security practices and existing standards (ISO 27001, PCI, etc.). The CCSS cannot be compared to PCI DSS as an equivalent standard. While PCI DSS applies to the entire transaction flow (i.e., from the technology used to acquire transactions to how the information in the transaction is handled through all steps of processing), the CCSS does not provide the same coverage; it focuses on the secure management of the crypto wallets. Additional security measures will be required to secure the environments within which the crypto-security management components operate.
CCSS is divided into three levels of increasing security.
An information system that has achieved Level I security has the ability to protect crypto wallets with strong levels of security. Level II of CCSS translates into enhanced levels of security, with formalized policies and procedures enforced at every step within the respective business processes. In Level III of CCSS, multiple actors are required for all critical actions, advanced authentication mechanisms are employed to ensure the authenticity of data, and assets are distributed geographically and organizationally.
Taken together, these requirements make crypto wallets more resilient to compromise.
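The Level III controls above (multiple actors for every critical action, authenticated approvals, and organizational and geographic distribution of key holders) can be checked mechanically before a wallet operation is allowed to proceed. The following is an added example and is not code from the CCSS or from this article; the actor registry is constructed, and HMAC tags stand in for the per-actor signatures a real deployment would verify with hardware-backed keys.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed key-holder registry (hypothetical names, orgs and regions).
# The "secret" stands in for each actor's private signing key.
ACTORS = {
    "alice": {"org": "custodian-a", "region": "eu-west", "secret": b"alice-example-key"},
    "bob":   {"org": "custodian-a", "region": "us-east", "secret": b"bob-example-key"},
    "carol": {"org": "custodian-b", "region": "ap-south", "secret": b"carol-example-key"},
}


@dataclass(frozen=True)
class Policy:
    min_approvers: int = 2  # multiple actors required for every critical action
    min_orgs: int = 2       # approvers must span more than one organization
    min_regions: int = 2    # approvers must span more than one geographic region


def action_digest(action: dict) -> bytes:
    """Canonical digest of the critical action so every approval binds to the same bytes."""
    canonical = "|".join(f"{k}={action[k]}" for k in sorted(action))
    return hashlib.sha256(canonical.encode()).digest()


def approve(actor: str, action: dict) -> bytes:
    """An actor authenticates their approval of exactly this action (HMAC stands in for a signature)."""
    return hmac.new(ACTORS[actor]["secret"], action_digest(action), "sha256").digest()


def authorize(action: dict, approvals: dict, policy: Policy = Policy()) -> bool:
    """Return True only if enough distinct, authenticated actors from enough orgs and regions approved."""
    digest = action_digest(action)
    valid = set()
    for actor, tag in approvals.items():
        info = ACTORS.get(actor)
        if info is None:
            continue  # unknown actor: ignore rather than trust
        expected = hmac.new(info["secret"], digest, "sha256").digest()
        if hmac.compare_digest(expected, tag):
            valid.add(actor)
    orgs = {ACTORS[a]["org"] for a in valid}
    regions = {ACTORS[a]["region"] for a in valid}
    return (len(valid) >= policy.min_approvers
            and len(orgs) >= policy.min_orgs
            and len(regions) >= policy.min_regions)
```

Two approvals from the same organization, a tampered tag, or an approval replayed from a different transaction all fail the check, which is the behaviour Level III asks for.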
To ensure that the standard remains neutral and up-to-date with industry best practices, the CCSS is maintained by the CCSS Steering Committee, which consists of experts on cryptospace topics.
In addition to this committee, one also finds the Cryptocurrency Certification Consortium (C4). This group establishes cryptocurrency standards that help ensure a balance of openness and privacy, security and usability, as well as trust and decentralization. C4 also provides certification so that professionals can assert their knowledge in cryptocurrencies in the same way they can assert other skills. Before C4, there was no way for hiring managers and/or placement firms to validate Bitcoin knowledge in their candidates like they could with other knowledge such as networking, security and accounting. The next step is to have a more general cryptocurrency certification and possibly a certification for CCSS compliance reviewers.
Although this standard has been around since 2014 and the number of crypto systems has mushroomed recently, very few organizations demand compliance with the CCSS when it comes to managing crypto wallets. In fact, it is observed that a significant number of businesses in this space, mainly start-ups, do not follow best security practices, and their operations do not meet minimal security standards. Beginners usually don’t invest the right amount of time and resources into security best practices. They do not have formal security verification standards in place and they do not perform regular penetration testing on their systems. Taken together, such characteristics make these organizations more attractive and vulnerable to cyber breaches.
While reviewing current breaches, it appears that every system that has suffered a high-profile cryptocurrency breach has been found to be non-compliant with CCSS Level 1. In contrast, systems that meet CCSS Level 2 or higher are more likely to withstand the kinds of cyber attacks that have elsewhere given attackers full access to the cryptographic key-management components of a cryptocurrency system. From an IT audit perspective, testing for CCSS compliance will provide a reasonable degree of assurance that the risks associated with managing crypto wallets are minimized and mitigated.
Security is always an important consideration, especially when it comes to financial transactions. Money stolen from cryptocurrency wallets is usually not recoverable. As a result, providing the necessary confidence that cryptocurrency wallets are managed by controls that comply with industry guidelines becomes an important issue for anyone using any form of cryptocurrency.
[i] https://cryptoconsortium.org/standards/CCSS