Article written by Marc Krisjanous, Senior Security Consultant at Confide – BlockchainNZ member
The CryptoCurrency Security Standard (CCSS) is an information security management standard that provides a set of security controls for cryptocurrencies.
After reading the above you may consider CCSS redundant for your blockchain project if it does not require a token to transact or use a cryptocurrency wallet. However, CCSS provides important security controls such as key management requirements and requirements around cryptographic modules/functions, referencing industry recognised standards which are of benefit to any project using blockchain technology.
In this post I will cover the security controls provided by CCSS and provide reasons why, at the very least, you should be considering using CCSS and other information security management standards to strengthen your project’s security posture.
But firstly – why is there a need for CCSS?
For someone experiencing the world of “crypto” for the first time the words “scam” and “hacked” will appear more than any other words. A review of a month’s worth of crypto news will contain a high percentage of articles covering the latest scams and breaches. Sites like https://rekt.news/ delight in keeping an up-to-date record of all scams and breaches that have occurred. All this bad press understandably leads many to believe that the world of crypto is the wild west, where developers don’t have a clue about secure coding techniques or just don’t care, where project members hide behind anonymous accounts on Discord and Telegram, and most projects are scams.
When a sector receives such bad press, a few within the sector decide to draft a set of guidelines that people and organisations can adhere to and show that they are behaving themselves. This adherence to guidelines or standards is sometimes referred to as “compliance”. #1
The CCSS is just such a standard: authored by the CryptoCurrency Certification Consortium (C4) and maintained by the CCSS Steering Committee, whose current and former members and advisors include some very influential and prominent figures (anyone know who Vitalik Buterin is?). In short, the standard was written by blockchain and cryptocurrency technology experts. #2
I believe any organization implementing cryptocurrency services will need to be compliant with some form of cryptographic-based security management standard in the next couple of years and right now CCSS provides a solid set of security controls for cryptocurrencies and blockchains.
The CCSS is broken down into 10 core “aspects”, which are similar to the concept of “requirements” or “controls” in other standards. There are two primary categories in the CCSS: Cryptographic Asset Management, which contains six of these aspects, and Operations, which contains the remaining four. Cryptographic Asset Management covers processes such as seed/key creation, wallet creation, key storage, protocols for key compromise, and key holder grant/revoke processes. Operations covers security auditing, pen testing, data sanitization processes, proof of reserve, and log management. Each aspect is further broken down into individual requirements/controls; the DRBG requirements under Key/Seed Generation are one example.
The CCSS committee makes great efforts to ensure people understand that CCSS is not a replacement for baseline information security management standards such as PCI DSS and ISO27001; it focuses only on the security controls that are specific to cryptocurrency. Another prominent message from the committee is that an organisation which implements CCSS without also implementing a baseline security management standard will still be at great risk of a breach, and the gaps in the baseline will dramatically weaken the effectiveness of the CCSS-based controls.
The 6 aspects defined in “Cryptographic Asset Management” within CCSS can basically be categorized as key management best practices. Since cryptography is the core foundation that makes blockchain work, effective key management controls should be a consideration for all blockchain projects and the CCSS shines in this area. Any project which just implements the security controls in the “Cryptographic Asset Management”, in my opinion, will significantly reduce the risk of a breach and user mistakes related to transactions.
The six key-management-focused aspects, and the individual controls each is broken down into, are:
- Key/Seed Generation
  - Operator-created Key / Seed
  - Creation methodology is validated
  - DRBG Compliance
  - Entropy Pool
- Wallet Creation
  - Unique address per transaction
  - Multiple keys for signing
  - Redundant key for recovery
  - Deterministic wallets
  - Geographic distribution of keys
  - Organizational distribution of keys
- Key Storage
  - Primary keys are stored encrypted
  - Backup key exists
  - Backup key has environmental protection
  - Backup key is access-controlled
  - Backup key has tamper-evident seal
  - Backup key is encrypted
- Key Usage
  - Key access requires user/pass/nth factor
  - Keys are only used in a trusted environment
  - Operator reference checks
  - Operator ID checks
  - Operator background checks
  - Spends are verified before signing
  - No two keys are used on one device
  - DRBG Compliance
- Key Compromise Protocol
  - KCP Exists
  - KCP Training + Rehearsals
- Keyholder Grant/Revoke Policies and Procedures
  - Grant/Revoke Procedures/Checklist
  - Requests made via Authenticated Communication Channel
  - Grant/Revoke Audit Trail
PCI DSS and ISO27001 both have in-depth requirements and security controls covering key management, as well as other requirements such as encryption at rest and in transit and the use of only strong cryptographic modules and functions. CCSS, however, also covers multi-sig wallets, deterministic wallets, unique address per transaction and other concepts that don’t fit well into the baseline information security management standards. Therefore the strong recommendation is to implement a baseline information security management standard first, to address the basic cryptography controls, and then add CCSS as a refinement to cover the components designed specifically for cryptocurrency/blockchain.
The “Operations” section in CCSS addresses auditing/pen-tests, data sanitization processes, proof of reserve and log management. Apart from the Proof of Reserve aspect, which I don’t consider a security control but more of a financial control, these operational controls are your stock-standard baseline information security management controls, which the baseline security management standards cover in much more detail than CCSS does. So, if you are compliant with a baseline information security management standard such as PCI DSS, you will already have met the applicable CCSS requirements in spades.
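To make several of the Cryptographic Asset Management controls concrete, the following is an added example in Python, not code from the article, from C4 or from the CCSS itself. It sketches seed generation from the OS entropy pool, a deterministic wallet that yields a unique address per transaction and can be rebuilt from the seed alone (the “redundant key for recovery” case), and a “spends are verified before signing” check that enforces an allowlist, a per-transaction limit and m-of-n distinct keyholder approvals. The derivation is in the style of hardened BIP32 derivation but is not BIP32, the “addresses” are just hashes of derived keys, the HMAC approval tags stand in for real per-keyholder signatures, and every name, constant and policy value is an assumption made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

HARDENED = 0x80000000                 # assumption: hardened-index bit, as in BIP32
SEED_HMAC_KEY = b"CCSS example seed"  # assumption: domain-separation key for this example only


def generate_seed(num_bytes: int = 32) -> bytes:
    """Seed from the OS CSPRNG (secrets -> os.urandom), i.e. the system entropy pool."""
    return secrets.token_bytes(num_bytes)


def master_node(seed: bytes) -> Tuple[bytes, bytes]:
    """Split HMAC-SHA512 over the seed into a 32-byte key and a 32-byte chain code."""
    digest = hmac.new(SEED_HMAC_KEY, seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def derive_child(key: bytes, chain_code: bytes, index: int) -> Tuple[bytes, bytes]:
    """Hardened-style child: the parent *private* key feeds the HMAC, so a leaked
    child key plus chain code does not let an attacker walk back to the parent."""
    data = b"\x00" + key + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def derive_path(seed: bytes, path: List[int]) -> bytes:
    """Walk a path of child indices from the master node and return the leaf key."""
    key, chain_code = master_node(seed)
    for index in path:
        key, chain_code = derive_child(key, chain_code, index)
    return key


def address_for(key: bytes) -> str:
    """Illustrative address: a hash of the derived key. A real wallet derives a public
    key and encodes it per the chain's rules; this only demonstrates uniqueness."""
    return hashlib.sha256(b"addr" + key).hexdigest()[:40]


def receive_addresses(seed: bytes, account: int, count: int) -> List[str]:
    """One fresh address per incoming transaction, indexed under an account node."""
    return [address_for(derive_path(seed, [account, i])) for i in range(count)]


def canonical_request(request: Dict) -> bytes:
    """Fixed serialisation so every approver commits to the same destination and amount."""
    return "{to}|{amount}|{nonce}".format(**request).encode()


def approve(holder_key: bytes, request: Dict) -> bytes:
    """A keyholder's approval tag: HMAC stand-in for a real per-keyholder signature."""
    return hmac.new(holder_key, canonical_request(request), hashlib.sha256).digest()


def verify_spend(request: Dict, approvals: Dict[str, bytes],
                 holder_keys: Dict[str, bytes], policy: Dict) -> Tuple[bool, str]:
    """'Spends are verified before signing': allowlist, per-transaction limit, and
    m-of-n distinct valid approvals must all pass before any signing key is used."""
    if request["to"] not in policy["allowed_destinations"]:
        return False, "destination not on allowlist"
    if request["amount"] > policy["max_amount"]:
        return False, "amount exceeds per-transaction limit"
    valid = {
        holder for holder, tag in approvals.items()
        if holder in holder_keys
        and hmac.compare_digest(tag, approve(holder_keys[holder], request))
    }
    if len(valid) < policy["threshold"]:
        return False, "%d of %d required approvals present" % (len(valid), policy["threshold"])
    return True, "approved"


def demo() -> Dict[str, object]:
    seed = generate_seed()
    # Recovery: the only backup needed is the seed; re-derivation gives the same keys.
    first = receive_addresses(seed, 0, 3)
    recovered = receive_addresses(seed, 0, 3)
    # Organisational distribution: each keyholder holds a key from an independent seed.
    holders = {name: derive_path(generate_seed(), [0]) for name in ("alice", "bob", "carol")}
    policy = {"allowed_destinations": {"cold-storage-1"}, "max_amount": 100, "threshold": 2}
    request = {"to": "cold-storage-1", "amount": 50, "nonce": 1}
    approvals = {name: approve(holders[name], request) for name in ("alice", "bob")}
    ok, reason = verify_spend(request, approvals, holders, policy)
    return {"unique": len(set(first)) == 3, "recovered": first == recovered,
            "ok": ok, "reason": reason}


if __name__ == "__main__":
    print(demo())
```

The point an auditor looks for is the ordering: the policy check runs on a canonical form of the request and counts only approvals that were computed over that exact form, so an approval collected for one amount or destination cannot be replayed against another, and the signing key is never touched until the threshold is met.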
CCSS has a further layering of compliance by using “Levels” of compliance.
- Level 1 covers the baseline for all the controls provided by CCSS and should be considered the absolute minimum set of security controls to implement.
- Level 2 offers a higher level of compliance by focusing on key controls and adding further rigor to each of the applicable controls.
- Level 3 adds even more detailed requirements to the applicable controls including directly referencing standards such as NIST SP 800-90A and ensuring conformance to these standards.
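To show what the Level 3 reference to NIST SP 800-90A is pointing at, here is an added example in Python of the HMAC_DRBG construction from that standard (section 10.1.2) over SHA-256. It is not code from the article, not a C4 artefact and not a validated implementation; the class name, the choice of SHA-256, the 256-bit security strength and the seeding from os.urandom are choices made for this example. What it does show is the shape an auditor checks against: instantiate, reseed and generate functions, an entropy input at least as long as the security strength, a bound on bytes per request, and a reseed counter that stops output rather than running on stale state.

```python
import hashlib
import hmac
import os


class HmacDrbg:
    """HMAC_DRBG from NIST SP 800-90A (section 10.1.2) over SHA-256.

    Added illustration of the construction the CCSS Level 3 DRBG requirement points
    at; it is not a validated implementation, and production systems should use an
    OS CSPRNG, a validated library or an HSM rather than this class.
    """

    OUTLEN = 32                   # SHA-256 output length in bytes
    SECURITY_STRENGTH_BYTES = 32  # 256-bit strength: entropy_input must be at least this long
    MAX_REQUEST_BYTES = 1 << 16   # max_number_of_bits_per_request = 2^19 bits

    def __init__(self, entropy_input: bytes, nonce: bytes, personalization: bytes = b"",
                 reseed_interval: int = 1 << 48) -> None:
        # HMAC_DRBG_Instantiate: seed_material = entropy_input || nonce || personalization
        if len(entropy_input) < self.SECURITY_STRENGTH_BYTES:
            raise ValueError("entropy_input shorter than the security strength")
        if len(nonce) < self.SECURITY_STRENGTH_BYTES // 2:
            raise ValueError("nonce must carry at least half the security strength")
        self._key = b"\x00" * self.OUTLEN
        self._value = b"\x01" * self.OUTLEN
        self._update(entropy_input + nonce + personalization)
        self._reseed_counter = 1
        self._reseed_interval = reseed_interval

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: fold provided_data into (Key, V); the second round only
        # runs when there is data to absorb.
        self._key = self._hmac(self._value + b"\x00" + provided_data)
        self._value = self._hmac(self._value)
        if provided_data:
            self._key = self._hmac(self._value + b"\x01" + provided_data)
            self._value = self._hmac(self._value)

    def reseed_required(self) -> bool:
        return self._reseed_counter > self._reseed_interval

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        # HMAC_DRBG_Reseed: fresh entropy resets the reseed counter.
        if len(entropy_input) < self.SECURITY_STRENGTH_BYTES:
            raise ValueError("entropy_input shorter than the security strength")
        self._update(entropy_input + additional_input)
        self._reseed_counter = 1

    def generate(self, num_bytes: int, additional_input: bytes = b"") -> bytes:
        # HMAC_DRBG_Generate: refuse oversized requests and refuse to run past the
        # reseed interval rather than silently continuing on stale state.
        if num_bytes > self.MAX_REQUEST_BYTES:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        if self.reseed_required():
            raise RuntimeError("reseed required before further output")
        if additional_input:
            self._update(additional_input)
        temp = b""
        while len(temp) < num_bytes:
            self._value = self._hmac(self._value)
            temp += self._value
        self._update(additional_input)  # runs with empty data too, per the spec
        self._reseed_counter += 1
        return temp[:num_bytes]


def os_seeded_drbg(personalization: bytes = b"") -> HmacDrbg:
    """Instantiate from the OS entropy pool; the personalization string ties the
    instance to one purpose (e.g. one wallet) so two instances never share state."""
    return HmacDrbg(os.urandom(32), os.urandom(16), personalization)


if __name__ == "__main__":
    drbg = os_seeded_drbg(b"example wallet seed generator")
    print(drbg.generate(32).hex())
```

The same entropy input, nonce and personalization string always reproduce the same output stream, which is exactly why the entropy input must come from a validated source: the DRBG adds no randomness of its own, it only stretches and isolates what it was seeded with.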
A start-up looking to be CCSS compliant can plan to become CCSS Level 1 compliant first, then the next year look at becoming CCSS Level 2 compliant then Level 3 in the future. This approach is a great idea for organisations because it helps avoid overwhelming the organisation and allows them to take baby steps into information security management. It also means that an organisation can reach compliance with a level that suits, rather than it being an all-or-nothing approach. For example, rather than stopping compliance altogether, an organisation could reach and maintain compliance with Level 2 across all of the CCSS without having to consider the additional challenges and controls in Level 3.
How can CCSS compliance be obtained?
The plan is that to become CCSS compliant an organisation must directly engage with a CCSSA (CryptoCurrency Security Standard Auditor). The CCSSA is a person who has passed the CCSS exam and has been accepted into the CryptoCurrency Certification Consortium’s auditors’ program. At the time of writing this post, neither the exam nor the auditor’s program is online. There is mention that the CCSS exam is currently in testing, so I expect it to be released soon. I would recommend contacting CryptoCurrency Certification Consortium (C4) directly to see if there is a Beta compliance program that one can join as Crypto.com is CCSS Level 3 compliant so there is a way to become compliant right now. #3
In summary I believe CCSS is a robust information security management standard that provides an organisation with an effective selection of cryptocurrency focused security controls that will help reduce the risks of a breach. The former and current CCSS committee members and advisors are some of the most well-known experts in the crypto sector which gives me confidence that the standard is here to stay and will grow and adapt with the crypto sector.
As crypto moves further into the mainstream, the public and organisations keen to participate will look for assurance that the projects they engage with have security first and foremost on their agenda. CCSS will help provide that assurance.
===== END =====
At Confide, we believe blockchain-based systems will play an important part in the future, positively impacting many aspects of everyday life. With over 13 years’ experience auditing complex information security management systems, we’ve worked across banking and finance and online commerce, as well as with some of New Zealand’s largest retail chains. We have the skill and experience to ensure systems are as secure as possible. Our security consultants are not only certified in blockchain and cryptocurrency technology but also actively participate in the crypto community, assisting teams who create global security standards for blockchain and crypto projects.
#1 There is of course government mandated regulatory compliance, but the maturity of the legislation is different in each country and with crypto there is no cohesive or mature government regulation currently.
#2 PCI DSS is another information security management standard where compliance is not mandated by any entity. The standard was created by the major credit card brands after they lost all hope that organizations would implement effective security controls to protect their customers’ credit card data. Though PCI DSS is not mandated by any entity, public or private, an organization that is not PCI DSS compliant will find it very hard to find an acquiring bank willing to provide merchant payment services unless it guarantees to become PCI DSS compliant within a very short period.