Cryptocurrencies like Bitcoin and Ripple have changed finance in ways few anticipated. Alongside their benefits they attract a great deal of attention from cybercriminals: they are purely digital bearer assets, so whoever controls the private keys controls the funds, and like any asset stored digitally they can be lost or stolen.
They are also much younger than traditional currencies such as the United States Dollar and the Euro, and the security practices around them are correspondingly less mature. The organizations dealing with cryptocurrencies are young as well; Binance, one of the largest cryptocurrency exchanges in the world, was founded only in 2017.
Moreover, until recently there were hardly any industry-proven, recommended standards for securing cryptocurrencies, unlike the situation for traditional currencies. For instance, organizations that accept, process, or store credit card information must comply with PCI DSS (Payment Card Industry Data Security Standard), which can be viewed as the security standard for organizations working with traditional payment data.
This changed with the introduction of the Cryptocurrency Security Standard (CCSS). So, what is this standard, and how does it help organizations?
What is the Cryptocurrency Security Standard?
Cryptocurrency Security Standard (CCSS) is “a set of requirements for all information systems that make use of cryptocurrencies, including exchanges, web applications, and cryptocurrency storage solutions. By standardizing the techniques and methodologies used by systems around the globe, end-users will be able to easily make educated decisions about which products and services to use and with which companies they wish to align,” according to the CryptoCurrency Certification Consortium (C4) — the organization defining these standards.
Like regulations and industry standards such as the EU's General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS), the Cryptocurrency Security Standard (CCSS) helps organizations secure their information systems and perform cybersecurity risk assessments, giving them a structured way to confirm that their own and their customers' assets and data are protected. CCSS is a much-needed development in the world of blockchain and cryptocurrencies.
The reason is that cryptocurrencies, thanks to their rising popularity and prices, have become lucrative targets for cybercriminals. Businesses working with blockchain technology and/or cryptocurrencies are therefore at high risk of being attacked, which is why a standard like CCSS matters for them.
For example, 2019 saw the highest number of cryptocurrency exchange hacks recorded in a single year.
“In 2019, hackers have successfully breached 11 major cryptocurrency exchanges and have stolen more than $283 million worth of cryptocurrency, according to blockchain analysis firm Chainalysis. The 11 hacks represent the highest number of security breaches at cryptocurrency exchange portals recorded in a single year in the last decade, up from six incidents recorded in the previous year, in 2018,” reported ZDNet.
How Does CCSS Help Secure Blockchain and Cryptocurrency Organizations?
Like most security standards, the Cryptocurrency Security Standard (CCSS) lays out the methodologies and techniques that blockchain and cryptocurrency organizations should use to protect their information systems. It was created to complement existing information security standards such as ISO 27001:2013 by adding security practices specific to cryptocurrencies like Bitcoin and Ethereum.
In other words, a business that accepts, stores, or otherwise handles cryptocurrencies should first meet the established, industry-proven security standards and then apply CCSS on top of them.
CCSS defines 10 aspects of securing an information system that works with cryptocurrencies. Each aspect covers a specific technique or control area (for example, how keys are generated, stored, and used) and is graded separately. The overall level of the information system is the lowest level achieved across all ten aspects, so a single weak aspect caps the rating. CCSS defines three levels of security, Level I, Level II, and Level III, with Level I offering the lowest assurance and Level III the most comprehensive protection.
The standard organizes these aspects into two domains: Cryptographic Asset Management and Cryptocurrency Operations. The second domain requires third-party security audits, meaning organizations must undergo cybersecurity risk assessments and independent reviews of their security controls, systems, policies, and processes.
These assessments help security teams validate that the deployed security controls actually work as intended, since they include penetration tests and vulnerability assessments that expose potential attack surfaces. For example, Crypto.com, one of the established exchanges, achieved CCSS Level III and completed a detailed cyber risk assessment in December 2019 to validate its security infrastructure.
However, CCSS clearly states that its scope is limited to the cryptocurrency-specific parts of an information system. It does not cover the general, well-known security practices and standards that improve cybersecurity as a whole. That is why CCSS should be implemented as a complement to, not a replacement for, established standards and regulatory frameworks such as ISO 27001, PCI DSS, HIPAA, FINRA rules, and GDPR.
CCSS Level I
An information system certified at CCSS Level I has demonstrated during auditing that it protects its information assets with strong security controls. The system addresses most of the risks to its information assets, with controls that meet industry standards. Although it is the lowest level of the Cryptocurrency Security Standard, Level I still affirms that the system provides strong security for cryptocurrency assets.
CCSS Level II
An information system that has achieved CCSS Level II has demonstrated strong security controls plus enhanced controls beyond Level I. It addresses most risks to its information assets and, in addition, uses decentralized security technologies such as multi-signature (multisig) schemes, exceeding most industry standards. It also provides redundancy: if any single key or person is compromised or becomes unavailable, the assets remain both protected and accessible.
CCSS Level III
An information system certified at CCSS Level III has proven during auditing that it employs the strongest levels of security for protecting its information assets. It goes beyond the enhanced controls of Level II with formal policies and procedures enforced at each step of its business processes. It requires multiple actors to approve all critical actions, implements advanced authentication measures to verify the authenticity of data, and distributes its assets geographically and organizationally so that the compromise of a single person, site, or organization during an attack does not put the assets at risk, thus providing the highest level of security.
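The multi-signature redundancy required at Level II and the multi-actor approval of critical actions required at Level III both come down to the same control: an M-of-N threshold, where no single keyholder can authorize an action and no single lost key can block one. The following is an added example, not code from the article or from C4, of a 2-of-3 approval check for a withdrawal. Because it must run with the Python standard library alone, it uses HMAC-SHA256 with per-keyholder secrets as a stand-in for the asymmetric signatures (ECDSA or Schnorr) a real multisig wallet would verify on-chain; the keyholder names, secrets and the withdrawal request are all constructed for illustration.

```python
"""Illustrative M-of-N approval check for a critical action (e.g. a withdrawal).

Added example; not part of the original article or of the CCSS text.
HMAC-SHA256 with a per-keyholder secret stands in for the asymmetric
signature each keyholder would produce in a real multisig wallet.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed keyholder secrets. In practice each secret would live in a
# separate hardware wallet or HSM held by a different person at a
# different site (the geographic/organizational distribution of Level III).
KEYHOLDERS: Dict[str, bytes] = {
    "alice": b"alice-secret-key-01",
    "bob": b"bob-secret-key-02",
    "carol": b"carol-secret-key-03",
}

# 2-of-3: one key may be lost OR compromised without losing control.
THRESHOLD = 2


def canonical(action: dict) -> bytes:
    """Canonical encoding so every keyholder commits to exactly the same bytes."""
    return json.dumps(action, sort_keys=True, separators=(",", ":")).encode()


def approve(holder: str, action: dict) -> Tuple[str, str]:
    """A keyholder 'signs' the action; returns (holder, hex tag)."""
    tag = hmac.new(KEYHOLDERS[holder], canonical(action), hashlib.sha256).hexdigest()
    return holder, tag


def authorize(action: dict, approvals: List[Tuple[str, str]]) -> bool:
    """True only if at least THRESHOLD distinct, known keyholders produced a
    valid approval over this exact action."""
    msg = canonical(action)
    valid = set()
    for holder, tag in approvals:
        secret = KEYHOLDERS.get(holder)
        if secret is None:
            continue  # unknown or revoked keyholder: ignored, not an error
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            valid.add(holder)  # a set: the same key cannot be counted twice
    return len(valid) >= THRESHOLD


# Constructed withdrawal request; the nonce prevents a valid approval set
# from being replayed for a second, identical-looking withdrawal.
ACTION = {
    "type": "withdraw",
    "to": "bc1qexampledestination0000000000000000000",
    "amount_sat": 50_000_000,
    "nonce": 1,
}


def scenarios() -> Dict[str, bool]:
    """Run the cases a CCSS auditor would want to see and return the outcomes."""
    tampered = dict(ACTION, amount_sat=5_000_000_000)  # attacker edits amount
    return {
        # quorum reached: normal operation
        "alice_and_bob": authorize(ACTION, [approve("alice", ACTION), approve("bob", ACTION)]),
        # one compromised key cannot move funds alone
        "alice_alone": authorize(ACTION, [approve("alice", ACTION)]),
        # the same key presented twice still counts once
        "alice_twice": authorize(ACTION, [approve("alice", ACTION), approve("alice", ACTION)]),
        # bob unavailable (lost device, on leave): the remaining two suffice
        "bob_unavailable": authorize(ACTION, [approve("alice", ACTION), approve("carol", ACTION)]),
        # bob's approval of the original request does not cover a tampered one
        "replayed_onto_tampered": authorize(tampered, [approve("alice", tampered), approve("bob", ACTION)]),
        # an unknown/revoked keyholder contributes nothing toward the quorum
        "unknown_signer": authorize(ACTION, [approve("alice", ACTION), ("mallory", "00" * 32)]),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:24s} -> {'AUTHORIZED' if ok else 'rejected'}")
```

Two details carry the security argument: approvals are deduplicated per keyholder, so a single compromised key cannot satisfy the quorum by signing repeatedly, and every tag is bound to the canonical bytes of one specific request, so an approval captured for one withdrawal is useless for another. Real deployments verify public-key signatures rather than shared-secret MACs, so that a verifier never holds material that could forge an approval.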