Introduction
Looking back at 2023, the digital asset industry had some cause for celebration: the funds stolen through hacks and security breaches fell. The $1.5 billion stolen in 2023, although significant, was a sharp decline from the jaw-dropping $3.8 billion in 2022. However, with an average of at least one hack per week resulting in $1 million or more in losses, it’s clear that hackers still have a substantial impact on the digital asset space.
The 2024 Digital Asset Threat Landscape
So far, 2024 has mirrored 2023, with cyber attackers zeroing in on crypto exchanges, Web3 apps, blockchain bridges, and smart contracts. Widespread phishing attacks and fake airdrops continue to plague the industry. Security remains a top issue preventing the digital asset and Web3 ecosystem from achieving mass adoption.
Combating Hacking: A Proactive Approach
Security must be a foundational consideration for any organization involved in digital assets. Addressing security after launching an MVP (Minimum Viable Product) is too late, as hackers move swiftly and scaling happens rapidly in this space. Organizations must assume they do not have the luxury of time to identify and patch vulnerabilities.
The Overlooked Vulnerable Fronts
Many focus solely on encryption protocols when considering digital asset security. However, there are several other vulnerable fronts that are often overlooked, which need attention.
Four Fundamental Security Pillars
1. Building Your Team with Trust
Digital asset companies can be compromised in two primary ways: hacking code and hacking people. The latter, although less discussed, is equally dangerous. High-profile examples, such as CoinsPaid, illustrate how hackers use social engineering to exploit team members.
Social Engineering Threats
Hackers use technologies like deepfakes to gain access to systems, or even manipulate hiring processes to insert malicious developers into teams. To counter this, digital asset projects should thoroughly validate references, work experience, and backgrounds. Limiting the blast radius by establishing role-based permissions for financial and operational tasks is essential. For instance, your Head of Business Development should not have access to deploy code to your production system.
Multi-Factor Authentication and Security Keys
For anything not on-chain, multi-factor authentication or hybrid security keys are recommended. Establishing a primary security point of contact is also crucial. While security is a team effort, having one person constantly monitoring the threat landscape can significantly enhance your security posture.
2. System Design: Mapping and Monitoring External Infrastructure Dependencies
External infrastructure refers to anything your team did not build itself, including the parts of your tech stack developed by external parties. Key management is the critical case here.
Choosing the Right Vendors
Work with vendors who have proven expertise, have undergone audits, and are battle-tested. The threat vectors in this area are too numerous and specialized to work with less proven vendors or to develop these capabilities internally.
Tracking Dependencies and Vulnerabilities
Keep close track of dependencies and their known vulnerabilities, both on- and off-chain. Supply chain attacks, prevalent in traditional cybersecurity, are also common in the digital asset space.
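The tracking described above can be automated by matching your pinned dependencies against an advisory feed. The following is an added example, not code from the original post: it parses a constructed lockfile in the common "name==version" format and compares each pin against a constructed list of advisories (package names and advisory IDs are placeholders, not real packages or real advisories). Real deployments would pull the advisory list from a vulnerability database and run this check in CI on every commit.

```python
"""Match pinned dependencies against a list of advisories (constructed example)."""

# Constructed lockfile content; package names are placeholders.
LOCKFILE = """\
# pinned off-chain dependencies (constructed sample)
pkg-alpha==1.4.2
pkg-beta==0.9.0
pkg-gamma==3.2.1
"""

# Constructed advisory feed. An advisory applies when the installed
# version is >= introduced_in and < fixed_in (None means unbounded).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "pkg-beta",
     "introduced_in": "0.1.0", "fixed_in": "0.9.3"},
    {"id": "EXAMPLE-ADV-0002", "package": "pkg-gamma",
     "introduced_in": "3.0.0", "fixed_in": "3.2.0"},
    {"id": "EXAMPLE-ADV-0003", "package": "pkg-alpha",
     "introduced_in": "2.0.0", "fixed_in": None},
]


def parse_version(text):
    """Turn 'x.y.z' into a comparable tuple of ints (assumes plain numeric versions)."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_lockfile(content):
    """Return {package: version_tuple} from 'name==version' lines; skips comments."""
    pins = {}
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        pins[name.strip().lower()] = parse_version(version)
    return pins


def is_affected(installed, advisory):
    """True when the installed version falls inside the advisory's affected range."""
    if installed < parse_version(advisory["introduced_in"]):
        return False
    fixed = advisory["fixed_in"]
    return fixed is None or installed < parse_version(fixed)


def find_vulnerable(lockfile_content, advisories):
    """Return sorted (package, installed_version, advisory_id) triples that need action."""
    pins = parse_lockfile(lockfile_content)
    hits = []
    for adv in advisories:
        installed = pins.get(adv["package"].lower())
        if installed is not None and is_affected(installed, adv):
            hits.append((adv["package"], ".".join(map(str, installed)), adv["id"]))
    return sorted(hits)


if __name__ == "__main__":
    for package, version, adv_id in find_vulnerable(LOCKFILE, ADVISORIES):
        print(f"{package}=={version} is affected by {adv_id}")
```

Only pkg-beta is flagged here: pkg-gamma is pinned above the fixed version and pkg-alpha is pinned below the affected range. Failing the build on a non-empty result turns the list into a gate rather than a report.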
3. Continuous Improvement: Building with Security in Mind
Digital asset projects typically have two phases: MVP and production. Both are vulnerable to attacks.
Testing and Documenting
Start with testing your team and code using available solutions. Define and document key invariants for modules and methods, which will facilitate more efficient and effective audits in the future.
Operational Security for CI/CD
Develop a bug bounty program or partner with someone who offers this service. Good operational security for Continuous Integration/Continuous Deployment (CI/CD) is vital, especially when you are patch-gapping open-source software. Test and document your invariants for every code commit and release to ensure you are not breaking key assumptions.
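To make the invariant guidance above concrete, here is an added example that is not code from the original post. It models a minimal token ledger, writes its key invariants down as named, documented predicates, and checks them after every operation in a seeded randomized run of the kind a CI job would execute on each commit. A deliberately defective ledger (the transfer skips the balance check) shows the same invariant check catching the bug. The ledger, account names and amounts are all constructed for illustration.

```python
"""Documented invariants checked after every operation (constructed example)."""
import random


class Ledger:
    """Minimal token ledger used only to illustrate invariant testing."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.total_supply = sum(balances.values())

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount
        self.total_supply += amount

    def transfer(self, sender, receiver, amount):
        if amount <= 0 or self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount


class BuggyLedger(Ledger):
    """Same ledger with the balance check removed, to show the invariants firing."""

    def transfer(self, sender, receiver, amount):
        self.balances[sender] = self.balances.get(sender, 0) - amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount


# Each invariant is documented next to the predicate that checks it, so the
# list doubles as the specification an auditor can read.
INVARIANTS = {
    # Supply is conserved: minting is the only way to create tokens.
    "supply_equals_sum_of_balances":
        lambda l: l.total_supply == sum(l.balances.values()),
    # No account may ever be overdrawn.
    "no_negative_balances":
        lambda l: all(b >= 0 for b in l.balances.values()),
}


def check_invariants(ledger):
    """Return the names of all invariants the ledger currently violates."""
    return [name for name, holds in INVARIANTS.items() if not holds(ledger)]


def fuzz_ledger(ledger, seed, steps):
    """Apply seeded random mints/transfers; return violations at the first failing step."""
    rng = random.Random(seed)
    accounts = ["alice", "bob", "carol"]
    for _ in range(steps):
        amount = rng.randint(1, 200)
        if rng.random() < 0.2:
            ledger.mint(rng.choice(accounts), amount)
        else:
            sender, receiver = rng.sample(accounts, 2)
            try:
                ledger.transfer(sender, receiver, amount)
            except ValueError:
                pass  # a rejected transfer is correct behaviour, not a violation
        violated = check_invariants(ledger)
        if violated:
            return violated
    return []


def starting_balances():
    return {"alice": 100, "bob": 100, "carol": 100}


if __name__ == "__main__":
    print("correct ledger:", fuzz_ledger(Ledger(starting_balances()), seed=1, steps=500))
    print("buggy ledger:  ", fuzz_ledger(BuggyLedger(starting_balances()), seed=1, steps=500))
```

Because the run is seeded, a failure reproduces exactly, and the returned invariant name tells the reviewer which documented assumption the commit broke.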
4. Red Teaming and Incident Preparedness
Even with flawless execution of the first three pillars, your business will likely be tested or breached at some point. An effective incident response plan is crucial.
Thinking Like a Hacker
Develop your incident response plan by thinking like a hacker. Test your systems from the ground up to identify gaps and potential vulnerabilities, document them, and create a plan to address these issues should they arise.
Continuous Monitoring and Testing
Assign someone on your team to focus on security trends, continuously test your systems, and implement changes as soon as vulnerabilities are found.
Conclusion
Building an effective security posture takes time, effort, and practice. Threat actors move quickly in this industry, and the Web2 mindset of “Move fast, break things, and fix it” does not apply from a security perspective. Adhering to the four fundamental pillars discussed is a significant step towards protecting your business, investors, and customers from both internal and external threats.
FAQs
1. What are the biggest threats to digital assets in 2024?
The biggest threats include hacking of crypto exchanges, Web3 apps, blockchain bridges, smart contracts, and widespread phishing attacks.
2. How can we build a trustworthy team for digital asset projects?
Thoroughly validate references, work experience, and backgrounds. Establish role-based permissions and use multi-factor authentication or hybrid security keys.
3. Why is key management important for digital asset security?
Key management is crucial because it protects the most sensitive material a digital asset business holds. Working with experienced, audited, and battle-tested vendors gives the highest level of assurance.
4. What role does continuous improvement play in digital asset security?
Continuous improvement ensures that both MVP and production phases are secure. Testing, documenting, and developing bug bounty programs are vital aspects.
5. How can we prepare for potential breaches?
Develop an incident response plan by thinking like a hacker, continuously testing systems, and having someone dedicated to monitoring security trends and vulnerabilities.