The road to secure crypto: start getting risk management priorities on your threat modeling radar

Karl Steinkamp, Director, PCI Product and Quality Assurance

While attending the biggest event in crypto history earlier this month in Miami, it struck me that, although irrational over-exuberance was the mood, the reality is really sinking in: We are in a new payments industry paradigm shift. It’s not a fad anymore, and it’s not going away. An exclamation to the event was the notice that on June 9, 2021, El Salvador has officially adopted bitcoin as legal tender (currency) for the country.

Here are some risk management priorities to keep in mind, and some top takeaways I realized at Bitcoin 2021 that security and compliance leaders should be considering.

Attack surface management (ASM) must evolve

Attack surfaces where financial assets are held or transacted will change completely, while identifying and managing new vulnerabilities on crypto technologies will present challenges. Software and hardware dynamics will have an impact on how encryption key management is orchestrated for custodial and non-custodial wallets and their associated private keys, which may reduce reliance on third parties.

In many ways, this gives consumers more protection and control in spending and storing crypto assets vs. credit card data, cash, or hard assets. Users will have to contend with existing and emerging challenges presented by hardware and software wallets, forcing companies that provide wallet solutions to re-examine their software development and secure product lifecycles to some extent. Patch management for a software wallet and/or a firmware update for your hardware wallet will need to be considered. In a similar vein around software updates, development and maintenance of Ethereum-based smart contracts coding and integrity is, and will be, critical to prevent exploitation and manipulation by unauthorized parties.

Security teams need to stay on top of the knowns and unknowns in the DevSecOps phases of creating crypto-based digital commerce solutions. Traditional passwords and multi-factor authentications will apply to new systems within the scope of an organization’s crypto environment.

Supply chains running in hybrid cloud environments with traditional “speed of money” workloads operating in parallel with blockchain technology will complicate things. Digital supply chains are becoming increasingly mission-critical, and third-party service provider relationships and commercial-off-the-shelf (COTS)/Software-as-a-Service (SaaS) applications will require similar but different due diligence, care, and attention.

New network designs and crypto-focused architectures will expose new attack surfaces that will mandate enhanced physical protections of new locations that carry crypto risk. This means points of sale, vendor premises, mining facilities, data centers, remote workers, IoT locations, and others. To account for adjustments in a company’s risk profile, each company will need to review and update their annual risk assessment for these emerging threats and vulnerabilities.

You can bet that cybercriminals are already conjuring up more SMS spam to attempt to defeat multi-factor authentication (MFA), social engineering attacks targeting crypto wallets, and API attacks and distributed denial-of-service attacks targeting exchanges and trading platforms. Unfortunately, once stolen, crypto assets "settle" much more rapidly than traditional fiat currencies (USD, GBP, etc.), and are less likely to be recovered.

Criminals are keeping up

As quickly as we are establishing best practice ASM in this historic asset/currency shift, the bad guys are transitioning even faster to crypto targets. This isn’t exactly new — they’ve had crypto in their sights since 2010. But their focus has accelerated, shifting like a hockey stick up and to the right, thanks in part to ransomware proliferation and bitcoin becoming the adversaries’ favored means of exchange.

There was another event that took place recently. One of the many Russian hacker forums was perhaps a bit less glamorous than Bitcoin 2021 in Miami, but far more sinister. It brazenly offered $100,000 in contest prizes for creating methods targeting crypto technologies.

In addition to the recent institutionalized, state-sponsored attacks on pipeline, meat processing, transportation authorities, television stations, and other infrastructure-level targets, expect more ransomware attacks in general, and from the likes of Ransomware as a Service (RaaS) providers with ties to Russia in particular.

FBI Director Christopher Wray likened ransomware to the 9/11 attack. Expect the ransomware scourge to be treated more like terrorism and expect the continued use of crypto assets as the preferred ransom payment platform. A recent White House memo also draws national attention to the issue.

Cybercriminals see the writing on the wall as the crypto asset space continues to expand at a dizzying pace. Attackers are getting more sophisticated, and both small-time hackers and nation state actors see the tipping point and long-term value of crypto assets vs. traditional fiat.

Miami was a turning point. The town itself has gone crypto and is adopting new practices like crypto tax payments, crypto payroll for city employees, and Bitcoin ATMs sprinkled around the convention center. But the occurrence of Russian hacker forums more purposely signals that cybercriminals are migrating into crypto. We can learn from both events in adopting the inevitable new payments paradigm. We can start by sorting through the noise, and re-imagining our security programs.

Karl Steinkamp

Author

Karl Steinkamp — Director, PCI Product and Quality Assurance

Top