At the moment, the crypto industry lacks some common standards. Hackers often take advantage of this weakness to exploit crypto-based companies. How can the end users be sure the crypto platform they want to use is secure enough?
This points to one thing: the industry needs security standards to attain maturity and wider adoption. The CryptoCurrency Certification Consortium (C4) founded the CryptoCurrency Security Standard (CCSS) to fix this loophole. This article is a complete guide to inform you about everything you need to know about the CCSS.
CryptoCurrency Security Standard (CCSS) is a list of crypto asset management requirements that all crypto-related companies should meet. These companies can include crypto marketplaces, storage solutions, exchanges, and web applications.
It aims to introduce two important factors to the industry: optimal security and transparency. Hackers have a lower chance of penetrating a crypto company that is CCSS-compliant. The CCSS requirements close the loopholes.
Cryptocurrency exchanges will also become more transparent to their users if they meet the CCSS requirements. The users are sure that an auditor has gone through the digital assets management systems of the company. This helps them make more informed decisions about crypto companies.
Note that the creators of CCSS did not design it to be a stand-alone standard. That is, it should complement existing standards rather than replace them. The crypto space is set to be safer with the introduction of CCSS and existing information security standards.
CCSS audit flow. C4
Here is an explanation of the CCSS audit flow and how they work:
The platform has a database of approved auditors called CCSSA. Currently, there are only 32 Cryptocurrency Security Standard Auditors, 9 of whom are from Hacken! Anyone who wants to obtain a CCSS audit will have to look through the profile of all the existing auditors and pick one of them.
The Crypto Consortium Organization expects the hiring company to have done its due diligence before selecting an auditor. The organization only certifies as far as the exams are concerned and does not “endorse” any specific auditor. The hiring companies must ensure the auditor has certifications in other prominent information security exams.
This is where the companies and auditor will discuss the project. The first important point to discuss is the scope. The company will inform the auditor about their crypto asset management system and how the latter can come in.
The scope may be adjusted based on the expert opinion of the CCSSA. The scope at this point does not need to be specific, only an overview. In addition, this is the stage where both parties negotiate all necessary aspect of the agreement.
The auditor must indicate an interest in auditing the project. The Intent to Audit form is on the C4 website. This is an important step in showing that both parties are ready to proceed to the next level of the audit.
C4 operates a Peer Review Options List (PROL). The PROL is a list of other auditors on CCSS. They join the selected auditor to review the documentation and the most-befitting certification path for the company. Both the company and auditor must negotiate the fees of the CCSS-PR. The C4 is not involved in it.
The auditor, CCSSA-PR, and the company must sign the Appendix 1 form. The form is a caveat that C4 is not involved in the auditing. As a result, only the auditor is liable in case of any legal issue.
This is where the CCSSA gets to work. The CCSSA must assess the systems, processes, and people involved in crypto asset management.
They must ensure that the company meets CCSS specifications. The auditor does not have to stop there. They must also review information systems from a broader perspective. Recall that CCSS is only complementary and not absolute.
The CCSSA must confirm that the company is worthy of the certification if they successfully pass the aspect controls and requirements.
The auditor must submit their report to the CCSSA-PR to check whether the company should be verified. The CCSSA-PR will check the method of collecting evidence and the overall CCSS-worthiness of the company. Note that the CCSSA-PR has nothing to do with verifying the evidence. In fact, the auditor should abstract sensitive personal information during the peer review process.
The moment the CCSSA-PR has approved the report, the C4 should get the following details:
The C4 will send a Certificate of Compliance to the CCSSA; so far there have been no irregularities in the report. The CCSSA will pass on the Certificate of Compliance to the company.
Crypto companies must pass asset management quality checks before certification. Here are the requirements:
The method of deriving seed phrases and keys must be secure, confidential, and unpredictable. Otherwise, it will be the easiest point hackers can exploit crypto assets.
The first requirement is that the users must be the ones to create their cryptographic keys. This is a necessary precursor to privacy.
But if an automated agent were to use the keys, the admin must generate the keys offline. Then they can send it to the target device. Once they have done that, they must also delete the keys from their end following the requirements.
This method ensures the privacy of any platform that uses an automated signing agent.
C4 also demands entities incorporate the Deterministic Random Bit Generator (DRBG) for their key and seed generation. The DRBG makes the keys highly unpredictable.
Ideally, crypto wallets must be impossible to breach. The creation of such a wallet goes a long way in determining the extent of its security. CCSS requires entities to have a multi-sig configuration. There must be at least two signatures before anyone can spend funds from the wallet. They also demand a redundant key to help recover the wallet in case of irregularities.
There must be efficient authentication to secure key usage. CCSS requires at least 2 or 3 authentications for levels 1 and 3. The authentication modes include username, email, and any other detail. The auditor must also conduct a background check on the persons to hold the keys on behalf of an organization. The background checks should be more on their character and personal profile.
The foremost cryptocurrency storage requirement for key storage is a strong encryption method. The CCSSA must assess the encryption mechanism of the entity and assess if they meet the best practices. There must also be backup keys in case of key or seed loss.
Crypto wallets can be breached despite passing many checks. CCSS often expects entities to prepare themselves for these possible scenarios. Entities must have a Key Compromise Protocol (KCP) for proper highly-secure private conversations. They will need the KCP proper communication and the movement of funds in case of cyber attacks.
Some staff with access to the keys might want to leave the company. There must be a method of offboarding them efficiently. The company must design a reliable way of revoking their access to the keys. Keyholder revocation is not a one-way thing. It depends on the nature and structure of each organization. This is where the work of the CCSSA gets more creative and practical.
The cybersecurity industry encourages having a third-party test code security before deployment. An independent reviewer must assess the protocol to detect possible weaknesses.
Pentesting is essential to ensure the entity implements security best practices. In addition, a full-blown security audit is crucial.
Data sanitization policy deals with permanently deleting sensitive data, so they do not become public. Once keys are deleted from a device, they can remain in the removable storage or server.
Proof of Reserves
Crypto companies, especially exchanges, should have reserves. Reserves testify that a crypto company has as many funds as they claim in real-time. The CCSSA conducts the Proof of Reserves audit. Ascertaining assets gives customers an avenue to make better financial decisions.
The past operations of a company can give insights during a security investigation. This is where audit logs come in. Audit logs contain key informational changes that happened within a year. It can also include track records of deposits and withdrawals over time.
CCSS has three different tiers of security. Each requirement also has either two or all of these tiers. The idea behind the three-tier structure is to ensure a battle-tested security system.
CCSS Level 1 has basic safety requirements around industry best practices. It certifies that the entity is safe enough for its users. Under the key storage standard, the level 1 requirement is strong encryption, backup, and confidentiality.
CCSS Level 2 incorporates tighter security controls for the management of crypto assets. For instance, the level 2 requirements under wallet creation include
CCSS Level 3 is the strongest security tier. It includes advanced authentication mechanisms, data distribution, and multiple actors. Level 3 of security tests includes thorough penetration testing and security audits. An audit trail is also part of the level 3 security controls for processes such as data sensitization policy.
A CryptoCurrency Security Standard Auditor is a security engineer who passed the CryptoCurrency Security Standard exam. By virtue of the exam, a CCSSA is familiar with the grading system of CCSS.
They know how to audit and grade crypto asset management systems with the 34 aspect security controls that CCSS has laid down. CCSS will list auditors on a leaderboard once they have passed the exam. After that, entities can approach such an auditor on CCSS.
Anyone from any career path can apply to be a CCSSA. However, the program is more suitable for individuals with backgrounds in blockchain engineering, cybersecurity, software engineering, and similar fields.
You can become a CCSSA by creating an account on the CCSS website and applying for the exam. However, note that the exam requires a compulsory registration fee of $500. You also have an option of taking some preps before the actual exam. If an applicant fails the exam, they must pay again and have a re-sit.
It is also crucial to clarify that the registration fee differs from the certification fee. Applicants must pay a separate fee of $1k to get their certifications.
A major bottleneck holding back many people is the ecosystem’s instability and lack of standards. There have been tales of those who lost their savings from crypto hacks and scams. This urgent need for tighter standards birthed the CryptoCurrency Security Standard. CCSS provides a complementary framework for crypto companies to have a more battle-tested asset management system.
We are also proud to mention that Hacken currently has the most CCSSAs among all blockchain security auditors. So go ahead and book your CCSS security audit today!
Be the first to receive our latest company updates, Web3 security insights, and exclusive content curated for the blockchain enthusiasts.
Table of contents
Tell us about your project
10 min read
Discover
13 min read
Discover
13 min read
Discover