Steve Ursillo, CPA/CITP, CGMA, is a partner in the Risk & Accounting Advisory Group at Cherry Bekaert and the firm's national leader of information assurance and cybersecurity. He explains what digital assets are and the threats that digital asset owners must guard against. Cyberattacks are on the rise, including attacks focused on digital assets.
In this podcast episode, Ursillo explains the threat landscape and offers advice on the safeguards that organizations should have in place to prevent the theft of digital assets.
What you'll learn from this episode:
- Ursillo's role with the firm Cherry Bekaert.
- Why digital assets in particular are enticing to hackers.
- The reputational effect of suffering a cyberattack.
- Common attack vectors related to digital assets.
- Ursillo's specific advice on the importance of protecting mobile phones.
- An explanation of cold and hot wallets.
- The importance of applying certain information security frameworks.
Play the episode below or read the edited transcript:
To comment on this episode or to suggest an idea for another episode, contact Neil Amato at Neil.Amato@aicpa-cima.com.
Jeff Drew: Welcome to a special edition of the Small Firm Philosophy podcast produced in partnership with the Journal of Accountancy podcast. I am SFP host Jeff Drew, a manager with the AICPA's Private Companies Practice Section. Today's episode features JofA podcast host Neil Amato discussing with guest Steve Ursillo Jr. the current state of cyber threats targeting digital assets and issues small firms may run into with clients.
Neil Amato: Steve Ursillo, welcome to the Journal of Accountancy podcast. We're glad to have you here. Why don't you give an introduction to the topic, and a little bit about you before we get into questions.
Steve Ursillo: Sounds good. Thanks, Neil. It's a pleasure to be here. My name is Steve Ursillo. I'm a partner with Cherry Bekaert's Risk & Accounting Advisory group. I'm the national leader of information assurance and cybersecurity. Our team gets involved in services related to third-party risk, information assurance, cybersecurity, privacy risk management, and data security measures.
Amato: We're going to talk today about digital asset security. First, what I'd like to ask is, what is the threat landscape out there for digital assets right now?
Ursillo: Cyberattacks are continuing to rise, and this trend, coupled with additional elements of economic uncertainty, has raised the attention of many business owners and investors. Let's face it, you can't browse a news media outlet without hearing something about a ransomware attack, business email compromise, corporate account takeover, distributed denial-of-service attack, to name just a few, in addition to other types of system compromises.
The adversaries that are out there are continuing to find new and innovative ways to monetize data, commit financial fraud, disrupt operations and service level commitments for many businesses. Unfortunately, no one's really immune to these types of attacks. It affects even some of the most mature organizations. That said, digital assets can be very attractive to attackers. Digital assets can include cryptocurrency, videos, images, documents, digital books. These assets can be managed in digital wallets or other digital asset management systems, depending on the type of the asset that it is.
These digital assets really become a ripe target for many attackers for several reasons. Many organizations struggle with some of the best practices to safeguard them. There's a lack of mature regulatory guidance, which creates a barrier for many entities, and there are a variety of entry points or opportunities for attackers to conduct fraudulent activity throughout the life cycle of a digital asset. From the end point to the exchanges, to those other systems and third parties that process along with those exchanges creates a tremendous amount of opportunity and risk footprint for attackers.
We can take a look at some recent events. There was a recent event related to FTX, a crypto exchange that experienced the seizure of cryptoassets by the Bahamas regulators following a bankruptcy filing. In 2022, an exchange named crypto.com had 34 million stolen from an unknown attack. In 2021, an exchange named AscendEX had 80 million stolen from a hot wallet attack, and also in 2021 an exchange named BitMart had 150 million stolen from a hot wallet attack. That's just to name a few. There are several that have crept into the limelight over the last few years.
Some of these threats and risks and considerations related to these assets include the loss of any personal or business cryptocurrency or assets. Obviously, this affects the financial data, it affects the key assets that you have within your business and assets that you may use to transact business, so on and so forth.
The reputation of a business is at stake here if there is such an attack. Obviously, people will lose trust in working with that particular organization. This could also lead to financial and operational disruption. In many cases, because of the lack of maturity around being regulated, insurance and recourse becomes very difficult.
Your private keys that really control the distribution of the funds from your cryptocurrency accounts, if those are lost or stolen, the recovery can be difficult. Those keys can get compromised, which obviously would yield the theft of certain types of attacks against the funds that you may hold. In addition, there's system integration from some of the exchanges and other third parties that are out there, or maybe even your business systems that are working in collaboration with other third parties. Each of these different types of exchanges may have areas in which attackers can potentially exploit in order to gain access to, and/or circumvent controls to manipulate the digital asset transaction cycle.
With many of these challenges, we talked about the fact that recourse becomes difficult. That means organizations really have to focus on prevention and making sure that they're doing the right thing as it pertains to safeguarding these digital assets and cryptocurrencies and things along those lines along the way. There's a number of different types of targeted attacks against exchanges — blockchain bridges, the DeFi protocols in and of itself, and again, those third-party integrators that we spoke to earlier.
Amato: That's a really good overview of the variety of threats that are out there. You talked about how these are happening in different ways. What are some of the commonly used attack vectors?
Ursillo: Well, there are certainly a variety of attacks and scams designed to take advantage of both individuals and the businesses. These attacks can come in the form of physical attacks, so no different than if you're trying to secure any data on a mobile device or your phone, people stealing the devices, shoulder surfing, trying to slave the device to get information off of those types of things.
You really want to pay particular attention to safeguarding your mobile devices, your phones, your laptops, anything that you're going to be conducting these types of transactions with. In addition, attackers are constantly looking to steal credentials. There's a number of different types of credential attacks out there where the attackers will get credentials that were compromised and listed out in the public domain, and then reuse those credentials for well-known exchanges or other types of sites. If you don't have multifactor or other types of safeguards enabled, you can potentially become a victim to that.
There is targeted malware where the malware will reside on your computer. If you go to activate a particular type of cryptocurrency transaction, when you go to paste the actual address into where you want to send the transaction, the malware will automatically inject another address in there. You want to be real careful in making sure that those mobile devices and any devices that you're transacting with have proper anti-malware endpoint protection and things like that.
Ransomware is an additional consideration because, obviously, if your wallets and key assets are on particular systems that get ransomed, then you're going to have a hard time recovering that, so you have to have the right measures, prevention and response measures in there to combat any type of ransomware attack.
There's a number of different types of fake applications where you maybe think that you're using a legitimate software wallet and it's actually a fake wallet that is designed to steal your crypto once you start utilizing it. Vulnerable applications become something you have to be aware of. There's other types of attacks directly against the websites and the businesses that are conducting these transactions, whether it's through the direct web applications being compromised and/or application programming interface attacks, or API attacks.
There's well-known attacks against transports or man-in-the-middle attacks. The list is really endless, but a lot of it comes down to social engineering. Sometimes, what you have is just different types of scams out there where it may not even involve circumventing some technology but people getting tricked into either giving up their private key or giving up the seed that they use to reestablish their keys in order to safeguard them.
There's a number of different types of scams that are really orchestrated based on particular types of phishes or spearphishes that, again, are leading people down that rabbit hole. We're seeing opportunistic attackers that are doing SIM swaps where they're actually contacting a victim's telecom provider and posing as them and getting the SIM swapped out of their phone into a new phone so that they're taking the identity of their phone for any multifactor authentication or anything like that for device authentication. Similar to a port-out scam, where you're having your phone number ported to a different provider, those types of things that are happening out there.
Then there's some inherent vulnerabilities as it pertains to the blockchain itself, like the 51% vulnerability if you have a group of miners that control more than 50% of the network mining hashes. Another one is related to double spending, a potential flaw in the digital cash protocol in which a single digital token can be spent more than once, so making sure that the proper safeguards are there to prevent any type of excess spending.
Similarly, in a case like that, you have what's called a reentrancy attack, predominantly to smart contracts, where between a vulnerable contract and a malicious contract, you may have a recursive process where funds are completely drained out of the smart contract process from recursive attempts to make these withdrawals.
There's a number of different types of attacks out there that are very specific to digital currency, digital transactions, smart contracts. Then you have, obviously, several of the commonly used attack vectors that don't really discriminate on the type of asset that is targeted. Blockchain and digital currencies, or digital assets, are just another element which they use to circumvent and/or steal that data.
Amato: You use that word safeguard, you talked about a wallet, and we'll get into wallets specifically in a little bit. But, what are some of the specific ways that organizations can make sure they're safeguarding their systems that process these digital transactions?
Ursillo: I'll start with really talking about some of the best practice concepts that are used in securing any asset. Then as we start to dive into some of your more targeted questions, it will unpack some depth there. Much like securing any asset, organizations need to inventory and identify what they own in digital assets, the types of digital currencies that they have, where it's stored, how they're using it, how they're transacting.
They need to understand the system boundaries that are used to store and process the transmission of these digital assets and all these digital transactions. They need to design and maintain proper system security plans, and the proper safeguards to protect the assets. Typically, you're expecting them to perform proper risk management tactics, risk assessments specifically designed to identify the threats and risks that we talked about above, and making sure that they've designed and implemented the proper controls to safeguard these assets against those threats.
Then, of course, you want to monitor the effectiveness of this. This is not something where you set and forget; you should have a regular monitoring program to make sure that these controls are carrying out appropriately. If there is an attack, you can detect, respond, and recover appropriately within a pretty quick time frame, but the management of these programs becomes very significant here. Like I said, once you design an adequate program and you're evaluating the effectiveness of it, you want to make sure that you're continuing to monitor it for the latest threats and, of course, the latest changes in the system and how it interoperates.
Amato: We said the word "wallet" a while ago. We're going to talk about wallet security, but I think before we dive into best practices for that, maybe we should define for the listeners what is exactly a digital wallet?
Ursillo: That's actually a great question. Digital wallets are used to really authorize a digital currency transaction on the blockchain. The underlying structure is based on what's called public key infrastructure technology, where you have a private and a public key. The private key is really the one you want to make sure you're securing. This is the key that you would use to distribute funds out of the wallet or authorize the distribution of funds out of the wallet. The public key is one that you would share if you wanted somebody to transfer funds to you in essence into your wallet.
Now keep in mind that, obviously, this is all stored on a blockchain, but the wallet's really used to authorize these transactions. These wallets can be hot or cold. A hot wallet may be one that's online. The private key is hosted online so that you're able to conduct transactions in a timely fashion. Offline wallets typically are exactly that. They're offline. They're cold wallets. They're something that you have that's not necessarily online, so there's an added element of security, which I'm sure we'll talk to a little bit in coming questions.
Amato: Securing those wallets, whether they are hot or cold, what are some of the best practices?
Ursillo: Well, both individuals and organizations can have digital wallets, digital assets for cryptocurrency, and they definitely need to be secured. A few items to think about here are really around key management. Just making sure that the wallets that you have established and the functions that they carry out have been designed in such a way where they're safeguarded, making sure that the keys are protected.
Your wallets that, obviously, you're using to store a bulk of your funds that you're not necessarily transacting with daily are things that you may want to store offline or safeguarded in a cold wallet fashion and then having your hot wallets available for any type of transactions that you need to conduct on a regular basis, making sure that you're securing your recovery seeds, any pass phrases or anything, and making sure that you're not giving that up. That could potentially give an attacker access to the particular elements of the wallet and the keys of the wallet.
Of course, any system that you're using to conduct these transactions, you're going to want to make sure that they're properly safeguarded and encrypted. When you think about how you're actually utilizing cryptocurrency, a good way to think about it is, I don't know too many people that walk around with their life savings in their pocket or accessible from their phone with two clicks of a button.
Typically, you're going to have a process by which, once again, you're going to segregate a savings or a bulk of your assets where you're not able to get to those very quickly or you're accounting for any risk of your device being compromised to get to those assets. Typically, once again, in an offline wallet, and then again having a certain amount that you would conduct that minimizes your risk that might be available in a hot wallet so that you can fluidly conduct transactions.
Now that said, you still need to make sure that those hot wallets are secured. There's a number of different ways to look at addressing that. We did talk about making sure that your phones and mobile devices are protected and how you're using that to conduct these transactions, just making sure that that's all taken care of. Then there's application protection, just making sure that first of all, you're using legitimate wallets. You're not downloading a fake wallet. Any applications or things that you do use to conduct these transactions or store these digital assets is from a trusted source, making sure that the application is legitimate.
Maybe doing some hash checks on the original folks that have developed the application for use and the reputation of that group. Also, obviously, any other systems that are designed to conduct those transactions. Making sure you have anti-malware and next-gen malware and endpoint detection and response software to prevent any type of malicious activity or really cutting-edge threats against those assets. You can also have controls in for transaction and balance monitoring just to make sure that you're aware of what's available in these different types of accounts, even without exposing those private keys.
Any assets that you use to conduct these transactions should be accounted for in inventory. All the technical depth around that make, model, serial number, any device IDs, things like that. Of course, anytime you are going to be conducting transactions, make sure you choose a reputable exchange or a blockchain bridge or anything like that that's involved in that life cycle so that you're properly vetting those that are really carrying out each of these transactions. Third-party risk management for many organizations becomes a key consideration there and evaluating the third parties throughout that life cycle.
Amato: How does all this relate to security related to blockchain considerations?
Ursillo: It's really important when you're thinking about any type of blockchain security for an organization, that a defense-in-depth strategy becomes something that organizations need to really look at around the systems and the environment that surround these transactions. Typically, like anything else, you're leaning on your IT general controls, your logical access, change management, physical security, your backup and your operations, the typical general controls, mainly in and around ICFR controls over financial reporting. But then there's also obviously operational and compliance initiatives that you need to consider from an information security perspective.
You want to identify the right controls for the proper identification, protection, detection, response, and recovery around your assets. These are typically measured up best on different types of best practice frameworks out there, like the NIST Cybersecurity Framework or ISO or anything along those lines, trust service categories and the points of focus there could be another one that you use. We want to take a risk-based approach to the security and design of the transactions in the execution. All the risks that we've talked about here, thinking about how they play out in the course of protecting your assets and your organization.
Any of the data management considerations of privacy and regulatory considerations become a key consideration there where you're transacting these particular elements and what implication that has on your business risks. Security architecture and design become critical aspects of your system. How you segment and the boundaries that you draw and how you best protect those, implementation of zero trust approaches to security.
Making sure organizations are limiting access with the right authentication to the devices, individuals, and the systems that they're residing on or they're using, securing third-party integrations and any of the applications that they use for continuity and resiliency. Access controls become a huge part of this, just making sure that proper identity and access management systems are considered, strong credential management, multifactor authentication. Typically, you're looking at permissions and the right network access controls and security groups. You're looking at privileged access management.
Organizations making sure that they are maintaining the right access and any privileged access is accounted for and monitored and managed. When you're talking about systems that interact and people interacting with those systems, you're talking about different tokens and API security, making sure that systems are designed properly with the right web application security protocols taken into consideration, including their API and token security, key management. We talked about PKI earlier and just making sure that you get sound key management structures in place and policies and procedures there.
When you're looking at the application and data, secure coding and designing becomes really important because, obviously, any flaws in the application that would allow for an attacker to circumvent and/or disrupt any type of transaction would obviously have an impact. If they're able to control certain elements of the transactions, that's going to have an impact on the organization, making sure that they're doing the right static and dynamic testing on those applications, and there's a properly implemented secure consensus mechanism, whether it's proof of stake or proof of work and how they're implementing those particular ones to combat any changes, forks, or adjusting entries in their transactions becomes important.
Once again, these transaction and balance checks need to be implemented to make sure that any type of automated transaction that takes place has the proper checks and balances before future transactions take place, for any type of double-spending or reentrancy attacks or anything along those lines.
Then, of course, like anything else when you're relying on third parties, you really want to make sure that the third-party vendor risk management process is tight. Putting those third parties through the scrutiny that you're putting your organization through to make sure that all of these elements and risks have been considered. If there is a potential problem, you have some recourse and a way that you can interact with that company to get the information you need to report that breach and/or try to control the damage.
Amato: This has been a lot of great information in a short period of time. Steve, thank you. How would you like to maybe summarize what we talked about today?
Ursillo: Well, thanks, Neil. It's been a real pleasure. I would say some parting comments would be just to reassure that organizations and people stay current on the digital asset threat landscape. The more you know, the better you'll be able to design the right controls to prevent those types of attacks. Implement and enforce strong wallet security best practices based on some of the things that we talked about. Scrutinize all different types of investment opportunities and transactions that are out there. Just be really careful and be skeptical on certain types of things that are presented to you in the way of digital assets.
Just to make sure you're not walking into a trap, make sure you're maturing your third-party risk management programs when you're dealing with external sources, and along the same line, implement and mature your software development processes, if you're designing systems or incorporating systems utilizing the blockchain. Of course, utilizing different aspects of digital currency, make sure that those best practices have been put forth in addition to all the common best practices and security controls and protocols that you'd expect in any organization.
When you're thinking about blockchain specifically, once again, look at those risks and try to translate that back down to what the true business risk is to make sure that your organization has the right resources in order to combat those threats. User awareness training is always really important in the security field, regardless, but particularly around digital assets as well. Make sure users are aware of the different types of threats and they're scrutinizing any type of communication that would potentially yield to the loss of a digital asset.
Amato: Steve, thank you very much.
Ursillo: Thanks, Neil. It's a pleasure to be here.