The rationale behind the creation of Bitcoin, the father of all cryptocurrencies, was to establish a digital medium of exchange that is borderless and not controlled by a central body (decentralized). Although, since the launch of Bitcoin in 2009 cryptocurrencies have witnessed an unprecedented surge in adoption. The quest for crypto to become mainstream is threatened by insecurity. Many have lost their funds and crypto assets in protocol/wallet hacks, exchange collapses, and entire blockchains imploding. Chainalysis, a crypto forensics firm that tracks illicit activities on blockchains, reported that from 2021 to 2022, a combined sum of $7.1 billion was stolen from crypto hacks, with $3.8 billion stolen in 2022 alone. DeFi protocols were the most hit targets by hackers and malicious actors.
To restore trust and increase users' confidence in crypto protocols/dApps, firms offering crypto services and products need to ensure that a robust security framework is guiding their systems. A major step in safeguarding their codes is to adopt CCSS (Cryptocurrency Security Standard).
The Cryptocurrency Security Standard (CCSS) is a comprehensive security framework designed to safeguard cryptocurrency assets and operations.
It offers guidelines and best practices to protect against external cybersecurity threats and internal fraud.
CCSS establishes requirements applicable to all information systems utilizing cryptocurrencies, ranging from exchanges, crypto marketplaces and web applications to cryptocurrency storage solutions.
By standardizing techniques and methodologies globally, CCSS empowers end-users to make informed decisions about choosing products and services and aligning with trustworthy companies.
However, CCSS was not designed to be a stand-alone standard but to complement existing ICT security frameworks such as ISO 27001 and PCI DSS by introducing guidance for security best practices for cryptocurrencies.
The CryptoCurrency Security Standard was developed by the CryptoCurrency Certification Consortium (C4) and the security standard is maintained by the CCSS Steering Committee whose mission is to ensure that the standard continues to remain up-to-date with industry best practices and remain neutral.
CCSS identifies three brackets of cryptocurrency systems they are:
These are systems that do not have control over customer funds and they have sole control of the private keys that control that entity’s own funds.
A CCSS Qualified Service Provider system meets many of the requirements for CCSS certification with the exception of the few requirements that another system has control over.
That is a subset of custody services is facilitated by other systems and therefore is only required to meet certain requirements.
This means that if a system uses a QSP, the audit focus is only on the few remaining requirements to become certified.
This is a system that meets all applicable CCSS requirements in totality.
Now an entity can have multiple types of systems and it is important to note that entities are not certified, but rather systems are certified.
There are 3 levels of certification, systems can be certified as CCSS Level I, II, or III with increased security as the levels increase.
Project/Entities have the flexibility to seek certification levels that closely align with the value of the digital assets their systems manage, the operational complexity of the system, and its associated risk profile.
This is the foundational level of CCSS certification, it indicates that the systems of entities with this level of certification have met all the basic safety requirements and essential security standards required to support cryptocurrencies around industry best practices ensuring the entity is safe for its users.
Systems that achieve Level II certification have demonstrated through an audit that they have implemented a set of security controls that exceed the requirements of CCSS Level I by including enhanced security measures designed specifically for decentralized systems.
This the highest and most advanced level of CCS certification, it builds upon the requirements for Levels I and II by incorporating more stringent security controls, advanced risk management practices, regular security audits, and continuous monitoring.
Hence an information system that achieves Level III security protects from both known and emerging crypto threats.
The CCSS framework covers two primary categories: cryptographic asset management and cryptocurrency operations.
Cryptographic Asset Management
This category focuses on securing and managing the cryptographic keys that control access to a user’s cryptocurrency funds.
It provides guidelines and best practices for implementing security controls that address:
CCSS mandates entities to implement a multi-signature configuration, necessitating a minimum of two signatures for any fund withdrawal from the wallet.
Additionally, CCSS stipulates the inclusion of a redundant key to facilitate wallet recovery in the event of irregularities.
CCSS ensures that cryptographic keys and/or seeds must be stored with the use of strong encryption and are backed up.
They also separate the wallet’s keys across multiple locations to avoid the risks associated with localized disruptions to business (such as, fire, flood, earthquake, break-ins) making sure this does not affect the entity's ability to spend funds.
The CCSSA(CryptoCurrency Security Standard Auditor) implements this as well as other industry best practices.
This aspect covers authentication of key usage and verification of fund destinations and amounts.
Organizations need to be ready to address a scenario in which a private key may have been, or is potentially, exposed or compromised.
This encompasses having a policy in place that outlines the necessary steps if a cryptographic key/seed or its operator/holder is suspected of being compromised.
CCSS ensures that entities have a Key Compromise Policy (KCP).
This covers the event of staff with access to keys leaving the company or onboarding new staff that will have access to private keys.
The CCSSA gets creative in coming up with a method of grant/revoking their access efficiently in such a way that the system is not exposed.
This category focuses on how transactions are created, signed, and broadcast to the network, how cryptocurrency systems are updated, and how security incidents are identified and dealt with. It provides guidelines and best practices for implementing security controls that address:
This covers third-party reviews of the security systems, technical controls, and policies that protect the information system from all forms of risk as well as vulnerability and penetration tests designed to identify paths around existing control
This aspect covers the removal of cryptographic keys and proper sanitization of digital media ensuring the proper removal of all keys, eliminating the risk of information leakage from decommissioned devices like servers, hard disk drives, and removable storage.
All in all, CCSS audits evaluate the people, processes and technology that support cryptocurrency functions. In total, certified CCSS Systems are independently evaluated and audited against 31 aspect controls of the CryptoCurrency Security Standard, they are:
CryptoCurrency Security Standard Auditor is an expert in CCSS, they are security engineers who passed the CryptoCurrency Security Standard exam.
CCSSA are able to apply CCSS standard to any information system that uses cryptocurrencies and calculate the grade for the system according to the CCSS.
They know how to audit and grade crypto asset management systems with the 31 aspect security controls that CCSS has laid down.
CCSS will list auditors on a leaderboard once they have passed the exam from which entities can approach such an auditor on CCSS.
CCSSAs must avoid any potential conflict of interest. This may include current or previous employment, familial relationships, financial interest (such as tokens or equity held), or any other matters that may constitute a conflict of interest.
Although anyone from any career path can apply to be a CCSSA the program is more suitable for individuals with backgrounds in blockchain engineering, cybersecurity and software engineering or related fields.
CCSS-PR (CryptoCurrency Security Standard Peer Reviewer) are also CCSSAs but they are not the CCSSA selected by an entity instead they join the selected auditor to review the documentation and the most-befitting certification path for the company.
Both the company and auditor must negotiate the fees of the CCSS-PR. The C4 is not involved in it.
To become a CCSS auditor one must pay an exam fee of $500 USD and the exam is only given in English a passing grade of 70% is required out of a total of 100 questions to apply for certification.
The certification fee itself is $1000 USD, both the exam and certification fees must be paid for in Bitcoin or another acceptable cryptocurrency.
Before we dive into the CCSS audit flow let's get familiar with some terms:
CCSSA:- CryptoCurrency Security Standard Auditor
CCSSA-PR:- CryptoCurrency Security Standard Auditor - Peer Reviewer
Intent to Audit form: This form shows that an auditor is interested in auditing a project, the form is on the C4 website and it shows that both parties i.e. auditor and entity are ready to proceed to the next level of audit.
(RoC)Report on Compliance: Auditors submit their report to the CCSSA-PR to check whether the company should be verified.
The CCSSA-PR then checks the method of collecting evidence and the overall CCSS-worthiness of the company.
SRoC: Summary Report on Compliance
CoC: Certificate of Compliance
(PROL)Peer Reviewer Options List: This is a list of other CCSSAs who are eligible to be CCSSA-PR
Appendix-1 form: The form is a caveat that C4 is not involved in the auditing and as result, only the auditor is liable in case of any legal issue.
CCSS Audit Flow
Step 1: Entity selects and contacts CCSSA
Step 2: CCSSA and Entity determine scope and negotiate agreement
Step 3: CCSSA fills out Intent to Audit form
Step 4: C4 sends PROL to CCSSA.
Step 5: CCSSA contacts CCSSA-PR, parties negotiate, and sign Appendix 1 form.
Step 6: CCSSA performs audit
Step 7: CCSSA-PR reviews Redacted RoC, provides feedback to CCSSA.
Step 8: CCSSA sends SRoC, Appendix 1, and listing info to C4.
Step 9: C4 reviews SRoC and signs Appendix 1.
Step 10: C4 sends CCSSA Listing Fee Invoice.
Step 11: CCSSA pays Listing Fee.
Step 12: C4 sends CoC and badge to CCSSA and CoC is listed on C4’s website
Step 13: Entity receives CoC badge from CCSSA.
It is very important for crypto/web3 firms to check for vulnerabilities and exposures in their systems to prevent hacks and exploitation, thus safeguarding themselves and their users.
Therefore complementing their security framework by adopting CCSS is a step in the right direction in ensuring that the security framework protecting their system is inline with industry best practices.
To this regard the role of auditing in the crypto space can not be overemphasized as it not only secures the systems but also tells users that the firm/protocol is doing their due diligence when it comes to security.
Crypto projects, protocols, DApps and founders can start strengthening their systems today by requesting an audit with Hashlock Australia's leading blockchain security and smart contract auditing firm.
[Author’s Note: This article does not represent financial advice, everything written here is strictly for educational and informational purposes. Please do your own research before investing.]
Author: Godwin Okhaifo