Beware of digital pickpockets: How to secure cryptographic keys

By Jeffrey Kok, Vice President of Solution Engineers, APJ, CyberArk

The Australian financial market is being increasingly disrupted by Fintech. The number of fintech startups in Australia had increased from less than 100 in 2014 to almost 600 in 2017. Banks are having to respond to digital disruption quickly and sometimes without warning or adequate preparation. The rise of cryptocurrency is already challenging banks with more innovative systems for transaction settlement.

Despite its recent decline, overall, cryptocurrency values have skyrocketed over the past few years. With this comes a major financial incentive for cyber criminals to design malicious code and sophisticated hacking tools to harvest cryptocurrency coins. One quick way for attackers to enjoy a huge pay day is by compromising a digital wallet and stealing the wallet’s private key – the unforgeable ‘signature’ that allows cryptocurrency to be spent – giving them full control of the funds.

The security of cryptocurrency becomes more important as retailers begin to accept cryptocurrency as payment, alongside cash and credit. Queensland tourist town Agnes Water has named itself “Australia’s first digital currency town” by having the country’s highest concentration of stores that accept cryptocurrency. This retail trend is commercialising decentralised currency and forcing the hand of big banks to get on board.

The advantage criminals have in targeting cryptocurrency is the anonymity of the transactions. With currencies such as Bitcoin and Etherium gaining more and more credibility, organisations across all industries will need to implement security controls to mitigate risk against the exposure of crypto-credentials. So, what do you need to know to secure your digital wallet?

Firstly, there are two types of digital wallets: hot and cold.

Hot wallets are used by individual users and organisations to store smaller amounts of currency, providing fluidity for quick transfers and exchanges. Cryptocurrency services such as Coinbase and Bittrex manage and store the wallet’s private key and provide users with easy access. Generally, this type of managed service is password protected.

Cold wallets are used by organisations and security-savvy individuals, and usually hold much larger amounts of digital currency. Cold wallets keep their associated private key off the internet completely, often storing it on an offline computer.

Secondly, cryptocurrency private keys are not exclusively used by humans. There are many automated processes that also perform cryptocurrency transactions requiring private keys. Securing these keys for both human and machine users is a foundational first step, followed by authenticating and identifying who has access to the keys, controlling the access and monitoring its usage.

Cryptocurrency private keys need to be treated as another type of privileged credential that needs to be protected.

Here are six key considerations to help secure and protect cryptographic keys:

1.       Store cryptographic keys in a secure digital vault: Move keys into a digital vault with multiple layers of security wrapped around it and enforce multi-factor authentication to all users with access.

2.       Introduce role segregation: Control individual access to stored keys, preventing even the most privileged administrators from getting to them unless explicit permissions have been granted.

3.       Enable secure application access: Restrict access to stored keys for authorised applications and verify that the applications are legitimate.

4.       Audit and review access key activity: Audit all activities related to key access and implement trigger events to alert the necessary individuals of any key activity.

5.       Enforce workflow approvals: Enforce workflow approvals for anything considered to be highly sensitive and the same goes for accessing the keys.

6.       Monitor cryptocurrency administrator activities: Facilitate connections – similar to an automated secure proxy/jump host – to target systems that are used to perform cryptocurrency administrator activities, e.g. the system hosting the wallet.