Table of Contents

Cryptocurrency Security Standard: All You Need To Know About CCSS

The rationale behind the creation of Bitcoin, the father of all cryptocurrencies, was to establish a digital medium of exchange that is borderless and not controlled by a central body (decentralized). Although, since the launch of Bitcoin in 2009 cryptocurrencies have witnessed an unprecedented surge in adoption. The quest for crypto to become mainstream is threatened by insecurity. Many have lost their funds and crypto assets in protocol/wallet hacks, exchange collapses, and entire blockchains imploding. Chainalysis, a crypto forensics firm that tracks illicit activities on blockchains, reported that from 2021 to 2022, a combined sum of $7.1 billion was stolen from crypto hacks, with $3.8 billion stolen in 2022 alone. DeFi protocols were the most hit targets by hackers and malicious actors.

 

Source: Chainalysis 

To restore trust and increase users’ confidence in crypto protocols/dApps, firms offering crypto services and products need to ensure that a robust security framework is guiding their systems. A major step in safeguarding their codes is to adopt CCSS (Cryptocurrency Security Standard).

What Is The CryptoCurrency Security Standard (CCSS)?  

The Cryptocurrency Security Standard (CCSS) is a comprehensive security framework designed to safeguard cryptocurrency assets and operations. 

It offers guidelines and best practices to protect against external cybersecurity threats and internal fraud.

CCSS establishes requirements applicable to all information systems utilizing cryptocurrencies, ranging from exchanges, crypto marketplaces and web applications to cryptocurrency storage solutions. 

By standardizing techniques and methodologies globally, CCSS empowers end-users to make informed decisions about choosing products and services and aligning with trustworthy companies.

However, CCSS was not designed to be a stand-alone standard but to complement existing ICT security frameworks such as ISO 27001 and  PCI DSS by introducing guidance for security best practices for cryptocurrencies. 

The CryptoCurrency Security Standard was developed by the CryptoCurrency Certification Consortium (C4) and the security standard is maintained by the CCSS Steering Committee whose mission is to ensure that the standard continues to remain up-to-date with industry best practices and remain neutral.

CryptoCurrency Security Standard Certification

CCSS identifies three brackets of cryptocurrency systems they are: 

  • Self-Custody 
    These are systems that do not have control over customer funds and they have sole control of the private keys that control that entity’s own funds. 
  • Qualified Service Provider (QSP)
    A CCSS Qualified Service Provider system meets many of the requirements for CCSS certification with the exception of the few requirements that another system has control over.
    That is a subset of custody services is facilitated by other systems and therefore is only required to meet certain requirements. 
    This means that if a system uses a QSP, the audit focus is only on the few remaining requirements to become certified.
  • Full System
    This is a system that meets all applicable CCSS requirements in totality. 
    Now an entity can have multiple types of systems and it is important to note that entities are not certified, but rather systems are certified.
    There are 3 levels of certification, systems can be certified as CCSS Level I, II, or III with increased security as the levels increase. 
    Project/Entities have the flexibility to seek certification levels that closely align with the value of the digital assets their systems manage, the operational complexity of the system, and its associated risk profile. 
  • Level I Certification 
    This is the foundational level of CCSS certification, it indicates that the systems of entities with this level of certification have met all the basic safety requirements and essential security standards required to support  cryptocurrencies around industry best practices ensuring the entity is safe for its users.
  • Level II Certification
    Systems that achieve Level II certification have demonstrated through an audit that they have implemented a  set of security controls that  exceed the requirements of CCSS Level I by including enhanced security measures designed specifically for decentralized systems.
  • Level III Certification
    This the highest and most advanced level of CCS certification, it builds upon the requirements for Levels I and II by incorporating more stringent security controls, advanced risk management practices, regular security audits, and continuous monitoring. 

Hence an information system that achieves Level III security protects from both known and emerging crypto threats. 

Source:cryptoconsortium  

The CCSS framework covers two primary categories: cryptographic asset management and cryptocurrency operations. 

Cryptographic Asset Management  

This category focuses on securing and managing the cryptographic keys that control access to a user’s cryptocurrency funds. 

It provides guidelines and best practices for implementing security controls that address: 

  • Key/Seed Generation
    This focuses on the secure creation of cryptographic keys and seeds, requiring that  newly created keys or seeds are not read/copied by an unintended party and that nondeterministic and unpredictable numbers are required to ensure the newly created key cannot be guessed or determined by an unintended party. 
  • Wallet Creation
    CCSS mandates entities to implement a multi-signature configuration, necessitating a minimum of two signatures for any fund withdrawal from the wallet. 
    Additionally, CCSS stipulates the inclusion of a redundant key to facilitate wallet recovery in the event of irregularities. 
  • Key Storage
    CCSS ensures that cryptographic keys and/or seeds must be stored with the use of strong encryption and are backed up. 
    They also separate the wallet’s keys across multiple locations to avoid the risks associated with localized disruptions to business (such as, fire, flood, earthquake, break-ins) making sure this does not affect the entity’s ability to spend funds.
    The CCSSA(CryptoCurrency Security Standard Auditor) implements this as well as other industry best practices.
  • Key Usage
    This aspect covers authentication of key usage and verification of fund destinations and amounts.
    For CCSS Levels 1 and 3, a minimum of 2 or 3 authentications is mandated, utilizing methods such as username, email, and other specified details. While level 2 and above requires verification of fund destinations and amounts to be performed via approved communication channels prior to key/seed use.
    Additionally, the auditor is responsible for performing background checks on individuals entrusted with holding keys for an organization, with a focus on assessing their character and personal profile.
  • Key Compromise Policy
    Organizations need to be ready to address a scenario in which a private key may have been, or is potentially, exposed or compromised. 
    This encompasses having a policy in place that outlines the necessary steps if a cryptographic key/seed or its operator/holder is suspected of being compromised. 
    CCSS ensures that entities have a Key Compromise Policy (KCP).
  • Keyholder Grant/Revoke Policies & Procedures
    This covers the event of staff with access to  keys leaving the company or onboarding new staff that will have access to private keys.
    The CCSSA gets creative in coming up with a method of grant/revoking their access  efficiently in such a way that the system is not exposed.

Operations

This category focuses on how transactions are created, signed, and broadcast to the network, how cryptocurrency systems are updated, and how security incidents are identified and dealt with. It provides guidelines and best practices for implementing security controls that address: 

  • Security Tests/ Audits
    This  covers third-party reviews of the security systems, technical controls, and policies that protect the information system from all forms of risk as well as vulnerability and penetration tests designed to identify paths around existing control
  • Data Sanitization Policy
    This aspect covers the removal of cryptographic keys and proper sanitization of digital media ensuring the proper removal of all keys, eliminating the risk of information leakage from decommissioned devices like servers, hard disk drives, and removable storage.
  •  Audit Logs
    This covers the system’s maintenance of audit logs that provide a record of all changes to information throughout the system. In the event of unexpected behavior or security incidents, audit logs are a valuable tool that can help investigators understand how the unexpected symptoms occurred and how to resolve the inconsistencies to return the information system to a consistent state.

All in all, CCSS audits evaluate the people, processes and technology that support cryptocurrency functions. In total, certified CCSS Systems are independently evaluated and audited against 31 aspect controls of the CryptoCurrency Security Standard, they are:

  • Key/Seed Generation
  • Key/Seed Storage
  • Key/Seed Usage
  • Wallet Creation
  • Wallet Backup
  • Wallet Access Control
  • Wallet Transfers
  • Transaction Signing
  • Transaction Verification
  • Transaction Privacy
  • Blockchain Access Control
  • Blockchain Monitoring
  • Blockchain Fork Management
  • Blockchain Software Updates
  • Hardware Security Module (HSM) Usage
  • Physical Security
  • Network Security
  • Application Security
  • Operational Security
  • Risk Management
  • Incident Response
  • Auditing
  • Compliance
  • Training
  • Communication
  • Vendor Management
  • Business Continuity
  • Disaster Recovery
  • Third-Party Risk Management
  • Proof of Reserve
  • Key Compromise Policy

Who Is A CCSSA And A CCSSA-PR

CryptoCurrency Security Standard Auditor is an expert in  CCSS, they are  security engineers who passed the CryptoCurrency Security Standard exam.   

CCSSA are able to apply CCSS standard to any information system that uses cryptocurrencies and calculate the grade for the system according to the CCSS. 

They know how to audit and grade crypto asset management systems with the 31 aspect security controls that CCSS has laid down.

 CCSS will list auditors on a leaderboard once they have passed the exam from which entities can approach such an auditor on CCSS.

CCSSAs must avoid any potential conflict of interest. This may include current or previous employment, familial relationships, financial interest (such as tokens or equity held), or any other matters that may constitute a conflict of interest.

Although anyone from any career path can apply to be a CCSSA the program is more suitable for individuals with backgrounds in blockchain engineering, cybersecurity and  software engineering or related fields.

CCSS-PR (CryptoCurrency Security Standard Peer Reviewer) are also CCSSAs but they are not the CCSSA selected by an entity instead they join the selected auditor to review the documentation and the most-befitting certification path for the company. 

Both the company and auditor must negotiate the fees of the CCSS-PR. The C4 is not involved in it. 

To become a CCSS auditor one must pay an exam fee of $500 USD and the exam is only given in English a passing grade of 70% is required out of a total of 100 questions to apply for certification.

The certification fee itself is $1000 USD, both the exam and certification fees must be paid for in Bitcoin or another acceptable cryptocurrency.

The CCSS Audit Process 

Source: cryptoconsortium  

Before we dive into the CCSS audit flow let’s get familiar with some terms:  

CCSSA:- CryptoCurrency Security Standard Auditor

CCSSA-PR:- CryptoCurrency Security Standard Auditor – Peer Reviewer

Intent to Audit form:  This form shows that an auditor is interested in auditing a project, the form is on the C4 website and it shows that both parties i.e. auditor and entity are ready to proceed to the next level of audit.  

(RoC)Report on Compliance: Auditors submit their report to the CCSSA-PR to check whether the company should be verified. 

The CCSSA-PR then checks the method of collecting evidence and the overall CCSS-worthiness of the company.

SRoC: Summary Report on Compliance

CoC: Certificate of Compliance

(PROL)Peer Reviewer Options List: This is a list of other CCSSAs who are eligible to be CCSSA-PR

Appendix-1 form: The form is a caveat that C4 is not involved in the auditing and as result, only the auditor is liable in case of any legal issue. 

CCSS Audit Flow

Step 1: Entity selects and contacts CCSSA 

Step 2: CCSSA and Entity determine scope and negotiate agreement 

Step 3: CCSSA fills out Intent to Audit form 

Step 4: C4 sends PROL to CCSSA. 

Step 5: CCSSA contacts CCSSA-PR, parties negotiate, and sign Appendix 1 form.

Step 6: CCSSA performs audit 

Step 7: CCSSA-PR reviews Redacted RoC, provides feedback to CCSSA.

Step 8: CCSSA sends SRoC, Appendix 1, and listing info to C4. 

Step 9: C4 reviews SRoC and signs Appendix 1.

Step 10: C4 sends CCSSA Listing Fee Invoice. 

Step 11:  CCSSA pays Listing Fee. 

Step 12: C4 sends CoC and badge to CCSSA and CoC is listed on C4’s website 

Step 13: Entity receives CoC badge from CCSSA.

Closing Thoughts

It is very important for crypto/web3 firms to check for vulnerabilities and exposures in their systems to prevent hacks and exploitation, thus safeguarding themselves and their users. 

Therefore complementing their security framework by adopting CCSS is a step in the right direction in ensuring that the security framework protecting their system is inline with industry best practices.   

To this regard the role of auditing in the crypto space can not be overemphasized as it not only secures the systems but also tells users that the firm/protocol is doing their due diligence when it comes to security.  

Crypto projects, protocols, DApps and founders can start strengthening their systems today by requesting an audit with Hashlock Australia’s leading blockchain security and smart contract auditing firm. 

[Author’s Note: This article does not represent financial advice, everything written here is strictly for educational and informational purposes. Please do your own research before investing.]

Author: Godwin Okhaifo