10 Ways Cryptocurrency Exchanges Can Improve Their Security

Crypto companies in many ways are software companies as well as financial companies – so audits in these key areas are strongly encouraged. One of the key ways to lower the inherent risks on a crypto exchange and identify and address potential weaknesses in its systems, is through System and Organization Controls (SOC) reports. 

SOC-1 audits are focused on what’s known as ICFR or internal controls related to financial reporting, and this helps detect and address any risks and ensures that the crypto exchanges services will not negatively impact an exchange user’s finances. Additionally, SOC-2 audits highlight issues related to IT security.

Being that crypto exchanges develop their own software and applications, secure code scanning is another important method of cybersecurity to consider. Secure code scanning is used to help discover exploits in application security and it can come in a number of forms including:

• Software Composition Analysis (SCA)
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Interactive Application Security Testing (IAST)

Secure code scanning tools that are widely available including those from the likes of OWASP (Open Web Application Security Project), GitHub, Checkmarx and more.

Penetration tests (or pen tests) are used to realistically simulate the thinking, tactics, tools and techniques used by actual hackers, in order to identify and fix as many holes as possible within an organization’s defenses.

Pen tests typically begin with the testers doing a reconnaissance on the targeted organization, then the team will develop a plan of attack based on that information. Once the test is carried out, a report is generated that details the steps that were taken to carry out the attack and any critical security findings. Then recommendations for improving the security of the target system are compiled and given to the organization’s security team.

People often confuse penetration testing with other security methods including code reviews, vulnerability, and red teaming, which we’ll cover next.

Major cryptocurrency exchanges have top-tier security teams that rigorously test their products and services, and one of these teams is the red team.

Like penetration testing, red teaming takes a proactive approach to security, but with a more sophisticated approach. Red teams are focused on breaching an organization’s security from the outside, and they are often tasked with getting through the defenses of what’s known as the blue team, who are tasked with defending an organization. 

The red team often focus on three attack vectors that cyber criminals target:

1) Cyber – which includes things like ransomware

2) Human – whis is an often overlooked area of weakness within an organization, as humans have often been right in the middle of large scale crypto exchange hacks

3) Physical attack vectors – which include safes, desks, buildings and more

One of the most important keys to crypto exchange security is how the assets managed by the exchange are stored and secured. Here are some key methods to consider:

• Use a multisig approach to transferring/accessing assets: This helps eliminate any single point of failure and removes the reliance on any one private key or individual.

• Geographically distribute data and funds: This is yet another way to remove any single points of failure, as well as keeping funds much safer.

• Keep most funds offline: We’ve already covered the importance of cold storage. Many crypto exchanges keep the vast majority of their funds completely offline, geo-distributed, and even protected by armed guards, like in the case of Kraken. 

• Use a reputable and secure custodian: Crypto custodians like BitGo allow crypto exchanges to operate at scale and with added security. They also offer a number of technology and insurance solutions. 

Sometimes the biggest threat to an organization that deals with crypto assets and system information isn’t an external cyber criminal, or a bug inside of an application’s code – it’s the people inside of the organization. 

That’s why it’s highly advised to have systems and processes in place to help prevent insider threats. Mitigating insider security threats in a crypto exchange can include, among other things:

• Having multiple signatories to perform sensitive functions or transfer crypto assets out of cold storage
• Requiring physical keys and multi-factor authentication to access systems and important application
• Ensuring that all employees are run through rigorous background checks and ongoing screening

Crypto exchange users, including individuals and investors, are the lifeblood of the business. So it pays to ensure users are as educated as possible on common mistakes, scams, and cyber attacks.

For instance, we covered a phishing attack that targeted Coinbase users in this previous article. Also, companies like Gemini, Kraken and Binance all have a plethora of education materials on how to be a safe user of their exchange services, and it’s highly encouraged to always keep users fully aware of new attack vectors that surface which can directly affect them as well. 

Bug bounties are a great way to incentivize ethical hackers to find vulnerabilities within the cybersecurity of an organization. They can also be an effective way to find security talent that truly understands the complexities of cybersecurity.

Conversely, it’s also worthwhile, as a crypto exchange, to disclose security vulnerabilities in hardware devices like wallets, applications, and other platforms to the appropriate organization. In fact, taking a proactive approach to find those vulnerabilities helps make the entire crypto ecosystem more secure. 

Each jurisdiction a crypto exchange operates in will have specific legal and regulatory requirements, so acquiring the right licenses, and registering as a money business and crypto exchange where necessary will ensure the operation stays compliant and that users’ assets are not put at jeopardy.

The tactics of cyber criminals are ever evolving, while the value of crypto assets exchanges manage will likely grow as crypto gains more adoption. This means that hackers will continue to target crypto exchanges and use more advanced methods of breaching systems that house valuable assets and information, including yours. One of the best ways to ensure the security of a crypto exchange is to partner with an elite blockchain cybersecurity firm like Halborn. For more information on how we can keep your crypto exchange safe, reach out to our blockchain security experts at halborn@protonmail.com.