Due to the hype at the end of 2017, most crypto startups, especially those from the CIS and Asia, paid no attention to security issues, aspiring to launch their products as soon as possible. This Wild West of projects released without a real product or any protection of investor funds provoked a downturn in the market and started the discussion on security, said Dmitry Budorin, CEO of Hacken and HackIT 4.0, the annual cybersecurity forum held in Ukraine.
Today, companies are beginning to realize that it is better to spend $15,000 on a security assessment and compensation measures than to lose their reputation, or even the business, in the future, Dmitry believes. At the same time, an independent audit by specialists is far preferable to self-testing, at least when it comes to application and infrastructure penetration testing and the social-engineering and technical testing of the development team. But ideally, those about to launch a product should also use a bug bounty and vulnerability reward platform.
The most common attacks on crypto projects target the user: gaining access to the user's PC, or spreading malware that enables a man-in-the-browser attack (malware that sits inside the browser and silently alters a transaction, such as the recipient address, before the user signs it).
According to an Ernst & Young report, in 2017 phishing became the main way of stealing users' money, with losses totalling one and a half million dollars a month. Overall, according to E&Y, hacker attacks consume a tenth of the funds ICOs collect. The report's authors also pointed to even larger losses at crypto exchanges, which lose two million dollars every month to hacker attacks. And, unlike in the banking system, users' assets on such exchanges are not insured.
In 2018, cryptojacking (the spread of crypto-miners) was added to these attack types. According to a Skybox Security report, in the first half of 2018 32% of cyber attacks in the crypto field involved mining malware, while ransomware accounted for 8% (after its dominant role in 2017).
According to Kaspersky Lab, the number of users hit by mining malware in 2017-2018 increased by 45% compared with 2016-2017. The same report states that the number of users whose mobile devices were hit by miners grew by 10%.
However, the means of combating such viruses are quite simple: for example, browser plug-ins that block scripts on web pages, and ignoring dubious applications from torrents, which often carry a "payload", the Hacken team say.
Security assessment: what it consists of
The first stage is information gathering: obtaining data from the client and from open sources. Then a threat model is built: who the likely attackers are, the entry points into the system, and what they could reach from each. Next, manual and automated analysis is performed to identify vulnerabilities, which are then exploited to understand how attackers could use them and whether they could damage the system and the company as a whole.
The result is a report documenting every action at each stage, together with recommendations for eliminating the vulnerabilities.
Security assessment standard
In the case of a decentralized application for receiving funds (a token sale or crowdsale contract), the auditor must:
- verify the contract's source code,
- confirm that it operates in accordance with the published public specification,
- confirm that it contains no bugs and no "backdoor" for the developer (for example, an undocumented function that lets the developer withdraw or mint funds).
Standards for applications and infrastructure are carried over from the wider industry and are a mix of NIST, PCI DSS and ISO requirements.
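As an added example (not code from the original page, from Hacken, or from any audited project), here is one concrete way to check the second and third points above against what is actually deployed rather than against what the developer says: extract the 4-byte function selectors the contract's runtime bytecode dispatches on and diff them against the selectors derived from the function signatures in the public specification. Any selector the bytecode handles but the spec does not list is an undocumented entry point and a backdoor candidate; any spec function with no selector in the bytecode is a specification mismatch. Everything below is constructed for the illustration: the spec signatures, the hidden `drain(address)` function, and the sample dispatcher bytes, which the script assembles in the shape Solidity emits rather than taking from a real contract. Keccak-256 is implemented inline because Ethereum uses the original Keccak padding, not the SHA-3 padding that `hashlib.sha3_256` applies.

```python
# Added example: diff the selectors a contract's bytecode dispatches on against
# its public spec. All signatures and the sample bytecode are constructed for
# this illustration, not taken from a real deployment.

MASK64 = (1 << 64) - 1
PUSH1, PUSH2, PUSH4, PUSH32, EQ, JUMPI, DUP1 = 0x60, 0x61, 0x63, 0x7F, 0x14, 0x57, 0x80


def _rol64(a, n):
    n %= 64
    return ((a << n) | (a >> (64 - n))) & MASK64


def _keccak_f1600(lanes):
    """Keccak-f[1600] on a 5x5 grid of 64-bit lanes indexed lanes[x][y]."""
    r = 1  # LFSR state that generates the round constants
    for _ in range(24):
        c = [lanes[x][0] ^ lanes[x][1] ^ lanes[x][2] ^ lanes[x][3] ^ lanes[x][4] for x in range(5)]
        d = [c[(x + 4) % 5] ^ _rol64(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [[lanes[x][y] ^ d[x] for y in range(5)] for x in range(5)]  # theta
        x, y, cur = 1, 0, lanes[1][0]
        for t in range(24):  # rho and pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, lanes[x][y] = lanes[x][y], _rol64(cur, (t + 1) * (t + 2) // 2)
        for y in range(5):  # chi
            row = [lanes[x][y] for x in range(5)]
            for x in range(5):
                lanes[x][y] = row[x] ^ ((~row[(x + 1) % 5]) & row[(x + 2) % 5])
        for j in range(7):  # iota
            r = ((r << 1) ^ ((r >> 7) * 0x71)) & 0xFF
            if r & 2:
                lanes[0][0] ^= 1 << ((1 << j) - 1)
    return lanes


def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 (pad byte 0x01) as used by Ethereum. hashlib's
    sha3_256 uses the SHA-3 pad byte 0x06 and yields different digests."""
    rate = 136  # bytes; capacity 512 bits
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    lanes = [[0] * 5 for _ in range(5)]
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):  # lane i = x + 5*y, little-endian bytes
            lanes[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        lanes = _keccak_f1600(lanes)
    return b"".join(lanes[i][0].to_bytes(8, "little") for i in range(4))


def selector(signature: str) -> str:
    """ABI selector: first 4 bytes of keccak256 of the canonical signature."""
    return keccak256(signature.encode()).hex()[:8]


def disassemble(code: bytes):
    """Linear sweep yielding (opcode, immediate). PUSHn immediates are skipped,
    so a 0x63 byte inside a jump target or constant is never read as PUSH4."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        n = op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0
        yield op, code[pc + 1:pc + 1 + n]
        pc += 1 + n


def dispatched_selectors(code: bytes) -> set:
    """Selectors the dispatcher compares calldata against: a PUSH4 whose value
    is consumed by EQ within the next two instructions."""
    ins = list(disassemble(code))
    return {imm.hex() for i, (op, imm) in enumerate(ins)
            if op == PUSH4 and any(o == EQ for o, _ in ins[i + 1:i + 3])}


def audit(code: bytes, spec_signatures) -> dict:
    """'undocumented': entry points the spec does not admit (backdoor candidates);
    'missing': spec functions the bytecode never dispatches to."""
    expected = {selector(s): s for s in spec_signatures}
    onchain = dispatched_selectors(code)
    return {"undocumented": sorted(onchain - set(expected)),
            "missing": sorted(expected[s] for s in set(expected) - onchain)}


def build_dispatcher(sels) -> bytes:
    """Constructed sample: a Solidity-style dispatcher, one
    DUP1 PUSH4 sel EQ PUSH2 dest JUMPI per function. The first jump target
    0x0063 deliberately contains the PUSH4 opcode byte to defeat a naive grep."""
    code = bytes.fromhex("6080604052" "60003560e01c")  # memory setup; selector = calldata[0:4]
    dest = 0x0063
    for sel in sels:
        code += bytes([DUP1, PUSH4]) + bytes.fromhex(sel) + bytes([EQ, PUSH2])
        code += dest.to_bytes(2, "big") + bytes([JUMPI])
        dest += 0x20
    return code + bytes.fromhex("5b600080fd")  # JUMPDEST PUSH1 0 DUP1 REVERT: no match


PUBLIC_SPEC = ["totalSupply()", "balanceOf(address)", "transfer(address,uint256)"]
HIDDEN = "drain(address)"  # constructed: absent from the spec, present in the bytecode
SAMPLE_CODE = build_dispatcher([selector(s) for s in PUBLIC_SPEC + [HIDDEN]])

if __name__ == "__main__":
    print(audit(SAMPLE_CODE, PUBLIC_SPEC))
```

On a real engagement the bytecode comes from `eth_getCode` against the deployed address and the spec signatures from the published ABI; the selector diff is only the first, cheap check, and an undocumented selector still has to be traced to its code to see what it does. Note the edge case the sample builds in: the jump target `0x0063` contains the PUSH4 opcode byte, so counting `0x63` bytes in the bytecode over-reports, while the linear disassembly that skips PUSH immediates reports exactly the four dispatched selectors.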
Is it worth saving on testing?
“We always say: it’s better to spend 15,000 dollars today to assess security and implement compensation measures than to lose reputation, or even business in the future. This view is shared by many crypto projects, dealing with their security in the long term and ordering service packages. Such a project can already be considered half-valid,” Dmitry believes.
Networking and test hacks
At the annual HackIT 4.0 Forum, which will be held in Kiev, Ukraine, from October 8 to 11, participants will discuss cybersecurity issues in the crypto industry, in particular the protection of crypto exchanges, wallets and ICOs. The forum's agenda includes roundtables with representatives of crypto projects, and controlled hacking of their systems will also take place.
“Hackers have already stolen millions, and now it’s time to change these statistics for a healthy growth of the industry,” Dmitry adds.