The evolving landscape of digital assets comes with a plethora of cyber threats that directly challenge the safety and integrity of these assets. As custodians of these digital properties, digital asset trustees are compelled to bolster their security mechanisms and establish strong technical controls to counter cyber risks. This article will delve into the pivotal role technical controls play in cyber risk management for a digital asset trustee.
Technical controls in the cyber realm refer to the safeguards that are engineered into IT systems to protect the integrity, confidentiality, and availability of data [1]. For digital asset trustees, the uniqueness of the assets they safeguard necessitates an advanced array of technical controls, designed to mitigate a broad spectrum of cyber risks, ranging from external hacking threats to internal data breaches.
Aligning with the technical control recommendations of international standards like ISO 27005 and ISO 31000, we propose an approach for digital asset trustees to augment their cybersecurity frameworks:
- Access Controls: This involves the deployment of systems and processes that restrict unauthorized access and validate user identity. Examples include multi-factor authentication, role-based access control, and biometric verification. The goal is to ensure only verified personnel have access to sensitive data [2]. All transactions must follow the 4-eyes or maker/checker principle so that no transaction can be executed without checks and balances.
- Network Security: This involves implementing measures like firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) to monitor and control incoming and outgoing network traffic based on predetermined security policies [3]. The frontend shall not be open to the general public; specialised network tunnels such as a VPN should be used so that brute-forcing and other attempts against the critical public-facing systems are limited. Use of xDR is a must, coupled with 24x7 monitoring by a Security Operations Center that alerts on any suspicious activity. Activities monitored include both cyber and transactional.
- Encryption and Key Management: To secure data transmission, storage, and retrieval, encryption is a critical control. However, effective key management practices must also be in place to avoid unauthorized access [4]. Assets stored by the trustee will be in the trustee's wallet. The use of multiple split keys (n + 1) is necessary to ensure no single party is able to perform any transaction individually. Use of an HSM can help ensure that the primary key used for long-term storage is protected at both the hardware and the implementation level.
- Secure Asset Storage: Given the nature of digital assets, secure asset storage becomes a priority. This involves the use of secure servers, hardware security modules (HSMs), and offline "cold" storage for assets not immediately needed [5]. Primary keys should be offline, split using hardware (in some instances hardware tokens or smartcards) and stored at different locations in Class III vaults.
- Incident Response Plan: Finally, a swift response to any security incident is crucial. Hence, an Incident Response Plan (IRP) that outlines the steps to be taken in the event of a security breach can minimize the damage [6]. The trustee needs to establish a communication process/channel to notify the customer/regulator within 7 days after discovery of any breach.
- Audit and Management: Regular periodic audits under SOC 1/2 Type 2, with SOC 1 covering financial soundness and SOC 2 covering system soundness. Vulnerability assessment, penetration testing and red teaming are institutionalised, alongside ISO 27001 audit and certification.
Each of these technical controls brings a set of benefits and potential drawbacks. For instance, while encryption provides a robust level of data security, it also necessitates a high degree of management complexity, particularly in the area of key management.
- Service Assurance: Insurance policy coverage with minimal to no exclusions in the event a breach or loss happens, ensuring customer assets are replaced or returned, covering aspects including, but not limited to, third-party compromise, insider theft and loss/compromise of the private key.
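
The maker/checker rule from the Access Controls item, combined with role-based access control, as an added example that is not part of the original article. The role table, user names and function names are hypothetical, and binding the approval to a SHA-256 digest of the instruction is a design choice made here so that a change after approval is rejected:

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Constructed role assignments for the example (hypothetical users).
ROLES = {"alice": {"maker"}, "bob": {"checker"}, "carol": {"maker", "checker"}}

class ControlViolation(Exception):
    """Raised when a request would bypass the maker/checker control."""

def digest(payload: dict) -> str:
    # Canonical JSON so the same instruction always hashes to the same value.
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

@dataclass
class Transfer:
    payload: dict
    maker: str
    approved_digest: Optional[str] = None
    checker: Optional[str] = None
    executed: bool = False

def create(user: str, payload: dict) -> Transfer:
    if "maker" not in ROLES.get(user, set()):
        raise ControlViolation(f"{user} lacks the maker role")
    return Transfer(payload=dict(payload), maker=user)

def approve(tx: Transfer, user: str) -> None:
    if "checker" not in ROLES.get(user, set()):
        raise ControlViolation(f"{user} lacks the checker role")
    if user == tx.maker:
        # Holding both roles must not let one person approve their own entry.
        raise ControlViolation("maker cannot check their own transaction")
    tx.checker, tx.approved_digest = user, digest(tx.payload)

def execute(tx: Transfer) -> str:
    if tx.executed:
        raise ControlViolation("transaction already executed")
    if tx.approved_digest is None:
        raise ControlViolation("no checker approval recorded")
    if tx.approved_digest != digest(tx.payload):
        # Payload changed after approval: the checker never saw this version.
        raise ControlViolation("payload modified after approval")
    tx.executed = True
    return f"executed {tx.approved_digest[:12]} maker={tx.maker} checker={tx.checker}"
```
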
Moreover, cyber risk management is a critical subset of the broader enterprise risk management (ERM). The two disciplines are intrinsically interwoven, so integrating technical controls for cyber risk management into the ERM framework allows for a holistic and efficient approach to risk management [7].
In conclusion, the rapidly evolving digital asset landscape necessitates stringent cybersecurity measures. As custodians of digital assets, trustees are mandated to bolster their security and risk management systems continually, prioritizing the implementation of effective technical controls. With cyber threats advancing in sophistication, investing in cutting-edge technology and controls is not just a good-to-have, but an imperative for the sound management of digital assets.
References:
- ISO 27005 (2022). Information technology - Security techniques - Information security risk management. International Organization for Standardization.
- Garfinkel, S. L., & Spafford, G. (2002). Web security, privacy & commerce (2nd ed.). O'Reilly Media, Inc.
- Scarfone, K., & Mell, P. (2007). Guide to Intrusion Detection and Prevention Systems (IDPS). Computer Security Resource Center, National Institute of Standards and Technology.
- Barker, E. (2016). Recommendation for Key Management, Part 1: General (Revision 4)