eLearningClasses.com
Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

Six Steps to Secure Cryptographic Keys

Corey O’Connor, Product Marketing Manager, CyberArk

Cryptocurrency seems to bring out the best effort from cyber criminals.

From nation states to traditional attackers, the rise in crypto-related attacks is gathering serious momentum.

2018 has certainly been dominated by major multi-million dollar heists related to crypto-currencies. The motivation is clear: crypto crime is a lucrative business. Despite the recent drop, cryptocurrency values have skyrocketed over the past couple of years incentivising attackers to create malicious code and sophisticated hacking tools to harvest cryptocurrency coins. One quick way to a massive pay out is achieved by compromising a digital wallet and stealing the wallet’s private key. When attackers get their hands on a digital wallet, they can take full control of any funds.

Many online outlets have started to accept cryptocurrency right alongside good old-fashioned cash and credit. This trend is commercialising decentralised currency and forcing the hand of many big banks to get on board. The leg up criminals have, in many of these attacks, is the anonymity involved in crypto-transactions. As this form of currency gains more credibility, organisations across all sectors will need to implement security controls to mitigate risk against crypto-credentials being exploited.

So, what are digital wallets?

There are two types of digital wallets: hot wallets and cold wallets. It’s easier to think of these wallets as bank accounts, where hot wallets would be the checking account and cold wallets would be the savings account. Typically, hot wallets are used by end users and organisations to store smaller amounts of currency, adding the need to be more fluid in nature for quick transfers and exchanges. Hot wallets are usually always connected to the Internet to be ready to use and ensuring the fluidity of transactions. There are many cryptocurrency services such as Coinbase and Bittrex that manage and store the wallet’s private key and provide users with easy access. In most cases, this type of managed service is password protected.

Conversely, cold wallets, used by organisations and security-savvy individuals, typically hold much larger amounts of digital currency. This type of wallet keeps its associated private key off the internet completely (for obvious reasons) and often stores it on an offline computer. Yet, as demonstrated by some of the recent hacks, if the network becomes compromised, then the keys will follow suit shortly thereafter.

There are solutions out there that store private keys on a USB stick-like device that does not allow the extraction of the private key. The device is simply inserted into a computer to prove the user has access to the key (using cryptographic functionality zero trust algorithms). This solution provides sound security on the private keys; however, this is not suitable for larger organisations that need to control who has access to the device and its associated credentials.

How to avoid a ‘digital mugging’

Cryptocurrency private keys are not always used just by human users. There are many automated processes that perform cryptocurrency transactions as well. Securing private keys for all users (both human and machine) is a critical first step, swiftly followed by authenticating and identifying who has access to the keys, controlling the access and monitoring its usage.

What’s imperative is that we start to view cryptocurrency private keys as another type of a privileged credential, and take steps to manage and protect them, with the appropriate workflows and access controls.

Here are six key (excuse the pun) considerations to help secure and protect cryptographic keys:

  1. Store cryptographic keys in a secure digital vault – Move keys into a digital vault with multiple layers of security wrapped around it, enforce multi-factor authentication to all users who have access to the vault.
  2. Introduce role segregation – Control individual access to stored keys, preventing even the most privileged administrators from getting to them unless explicit permissions have been granted.
  3. Enable secure application access – Enable access to stored keys for authorised applications and verify that the applications are legitimate.
  4. Audit and review access key activity – Audit all activity related to key access and implement trigger events to alert the necessary individuals of any key activity.
  5. Enforce workflow approvals – Enforce workflow approvals for anything considered to be highly sensitive and the same goes for accessing the keys.
  6. Monitor cryptocurrency administrator activities – Facilitate connections – similar to an automated secure proxy/jump host – to target systems that are used to perform cryptocurrency administrator activities (e.g. the system hosting the wallet).

Cybercriminals will continue to look at this technology as another opportunity to line their pockets and it is increasingly hard to stay one step ahead of these savvy hackers. But with organisations needing to respond to demand for this type of currency, it’s essential to put in place safeguards, rather than just jumping in on the trend.  Protecting critical systems from key harvesting and many other types of advanced attacks will be key in ensuring they don’t find themselves caught out.