Cool Heads and Hot Wallets – Here’s my take on the event’s key takeaways and how those in charge of protecting digital assets from cyber attackers must act now to re-evaluate their defences.
Why is Bitcoin so popular?
Rising inflation is devaluing cash reserves by the day, making cryptocurrency an increasingly appealing investment opportunity.
Traditional investors and financial institutions, which have long complained about being over-regulated, are concerned about the lack of regulation in the crypto space. There are no regulations, blueprints, or benchmarks for building a successful crypto business for institutional investors without the Financial Conduct Authority’s (FCA) oversight.
Some financial institutions are investigating the feasibility of making cash reserves in a bank liquid, based on the principle that cash does not physically move (as in traditional banking). Instead, as metadata is exchanged between banks, ‘ownership’ of those assets shifts.
When it comes to cyber security, the industry as a whole is still in its infancy, and far more thought needs to be given to the question of how to best protect crypto custodians and asset exchanges from attack.
The Infrastructure for Cryptocurrency
A crypto wallet is a device or application that stores the public and private keys for cryptocurrency transactions. Typically, transactions are carried out through a cryptocurrency exchange, where users can exchange cryptocurrencies for other cryptocurrencies or traditional fiat money (government-issued currency that is not backed by a commodity). Crypto custodians are organisations that act on behalf of others to store private keys and secure assets.
The wallet is by far the most likely Achilles heel in this infrastructure. A “cold” wallet, that is, one that is not connected to the Internet, is the safest from a technical standpoint.
However, the latency introduced when a customer’s private keys must be sent from the cold wallet to the exchange will almost certainly result in multi-second delays, which are unacceptable in a fast-moving industry like cryptocurrency, where prices can fluctuate dramatically on a second-by-second basis.
As a result, a ‘hot wallet’ is required, even if this means that the custodian or exchange must communicate regularly between the secure enclave where the private keys are stored and the untrustworthy Internet for transaction verification.
The challenge is determining how to best secure this communication channel while also protecting the wallet(s) from cyberattack.
Diodes for data
A data diode is a hardware-enforced one-way data flow. While it provides some reassurance, it fails to address the fundamental business requirement of a two-way flow of information in order to properly support a custodian or asset exchange.
Indeed, using a diode is relatively pointless in terms of security, as it would require two diodes adjacent to each other to handle the necessary bi-directional traffic.
At this point there is effectively native two-way communication, and any attack carried in application data (rather than in the protocol) would be immune to the disruption caused by placing two diodes inbound and outbound.
The overhead of integrating between the insecure network and the secure enclave is also increased by deploying two diodes inbound and outbound. This is due to the fact that the application(s) can no longer ‘talk’ in native protocols like HTTP REST or TCP, but must now communicate in a protocol supported by the diode.
Gateways for XML and JSON
To secure the communication flow, XML or JSON Gateways can be combined with data diodes, but there are significant security concerns here as well. JSON and XML gateways are unable to defend themselves against attacks hidden within the data sent to them, which means that the software inside the gateway is vulnerable to attack and the attacker may compromise the machine itself.
Finally, these gateways are built on standard operating systems, creating an additional attack surface for compromise.
High-Speed Forcepoint Verifiers (HSVs)
Forcepoint’s secure data transfer appliances and High Speed Verifiers (HSVs) address all of the shortcomings of competing solutions because all inbound and outbound communication is routed through a custom-designed and custom-implemented FPGA (field-programmable gate array).
The application sends an initial HTTP or TCP request to the Forcepoint secure data transfer appliance on the untrusted network. The request is ‘broken down’ into its essential components here (headers and content of the request itself). This is represented in Forcepoint-internal format, and a preliminary schema check is performed.
If the schema check is successful, the FPGA in the HSV verifies the internal format in hardware. This ensures that the data coming from the ‘untrusted’ network is safe and only contains the expected data in the correct format.
By introducing hardware logic, the FPGA provides an independent check on the data and can be trusted because, unlike vulnerable software implementations, it cannot be modified by an attacker.
The ‘simple format’ is then rebuilt in a secure data transfer appliance on the secure enclave network to a reliable, known good state before being transferred to the application for transaction validation. This process is completely transparent to the untrusted network application, which believes it has communicated directly with the server in the secure enclave.
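The break-down, verify and rebuild sequence described above, sketched in software as an added example (not Forcepoint's code or its internal format). The field names, limits and flat list form are assumptions, and the check the page places in an FPGA is ordinary Python here.

```python
import json
import re

# Constructed schema for a withdrawal request; field names and limits are
# assumptions for this example, not a real exchange or Forcepoint format.
SCHEMA = {
    "tx_id": re.compile(r"[0-9a-f]{32}"),
    "asset": re.compile(r"BTC|ETH"),
    "amount": re.compile(r"[1-9][0-9]{0,11}"),  # integer minor units
    "address": re.compile(r"[A-Za-z0-9]{26,62}"),
}
MAX_BODY = 512

def _no_duplicates(pairs):
    """Reject duplicate keys, which two parsers may resolve differently."""
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate key")
    return dict(pairs)

def flatten(raw: bytes) -> list:
    """Untrusted side: break the body down into a flat (name, value) list."""
    if len(raw) > MAX_BODY:
        raise ValueError("body too large")
    obj = json.loads(raw.decode("ascii"), object_pairs_hook=_no_duplicates)
    if not isinstance(obj, dict):
        raise ValueError("top-level object required")
    if not all(isinstance(v, str) for v in obj.values()):
        raise ValueError("only flat string values are allowed")
    return sorted(obj.items())

def verify(fields: list) -> list:
    """Independent check of the flat form (hardware on the page, Python here)."""
    if [k for k, _ in fields] != sorted(SCHEMA):
        raise ValueError("unexpected or missing field")
    for key, value in fields:
        if not SCHEMA[key].fullmatch(value):
            raise ValueError(f"{key}: value fails schema")
    return fields

def rebuild(fields: list) -> bytes:
    """Trusted side: emit fresh canonical JSON built only from verified values."""
    return json.dumps(dict(fields), separators=(",", ":")).encode("ascii")

def transfer(raw: bytes) -> bytes:
    return rebuild(verify(flatten(raw)))

# Constructed sample request with odd spacing and key order.
SAMPLE = ('{ "asset" : "BTC","amount":"150000", "tx_id":"' + "ab" * 16
          + '",\n "address":"EXAMPLEADDR' + "0" * 23 + '" }').encode("ascii")
```

None of the sender's bytes cross unchanged: the enclave side receives freshly serialised JSON, so spacing, key order, duplicate keys and nesting chosen by the sender never reach the parser behind the wallet.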
The combination of Forcepoint secure data transfer appliances and HSVs provides all of the operational benefits of a hot wallet without the limitations and limited security introduced by a diode or gateway.
It also provides the highest levels of assurance that the communication channel between the untrusted network and the secure enclave cannot be used by a criminal.
Forcepoint actively collaborates with banks and financial institutions to protect their cryptocurrency infrastructure from cyberattack. If you’d like to learn more about how we can assist you, please contact us right away.