Cybersecurity Best Practices for Crypto Exchanges

The downfall of FTX is truly a gift[1] that keeps on giving! FTX's cybersecurity practices are a showcase of how not to secure your crypto business.
An alternate title for this post could have been: "Cybersecurity worst practices for crypto exchanges, a master class brought to you by FTX". But I digress. Let us dive into today's topic: cybersecurity best practices for crypto exchanges.
Learn from the mistakes others make (FTX, in this case)
There is no better way to learn than to learn from mistakes, ideally mistakes that others made. FTX, in our case. So, in order to get to our security best practices, we can start by identifying worst practices and then avoid them like the plague.
A damning report
The FTX debtors released a new report detailing the numerous security failures they encountered. I urge everyone to read through the full report to get a feel for how awful the state of security affairs was. This is worse than gross negligence if you ask me.
In an internal communication, Bankman-Fried described Alameda as "hilariously beyond any threshold of any auditor being able to even get partially through an audit," adding: "Alameda is unauditable. I don't mean this in the sense of 'a major accounting firm will have reservations about auditing it'; I mean this in the sense of 'we are only able to ballpark what its balances are, let alone something like a comprehensive transaction history.' We sometimes find $50m of assets lying around that we lost track of; such is life."
Not a pretty sight
Looking at the table of contents, we see where this is going...
REVIEW OF CONTROL FAILURES
A. Lack of Management and Governance Controls
1. FTX Group Management and Governance
2. Debtors' Management and Governance
B. Lack of Financial and Accounting Controls
1. Lack of Key Personnel, Departments, and Policies
2. Lack of Appropriate Accounting Systems
3. Inadequate Reporting and Documentation
4. Trading Records from Other Exchanges
5. Intercompany Transactions
6. Extraordinary Privileges Granted to Alameda
C. Lack of Digital Asset Management, Information Security & Cybersecurity Controls
1. Lack of Key Personnel, Departments, and Policies
2. Crypto Asset Management and Security
3. Identity and Access Management
4. Cloud and Infrastructure Security
5. Application and Code Security
6. Debtors' Work to Identify and Secure Crypto Assets in the Computing Environment
The examples included in the report supporting some findings are often so batshit insane that they are comical. They are beyond comprehension from a professional perspective...
Bad, worse, worst practices
You might not directly relate some of these failures to cybersecurity, but a security function does not operate in a vacuum: properly managing cyber/information/IT security risk requires constant interaction with other corporate functions such as compliance, non-financial risk, (IT) audit, and the executive and board levels.
I cannot list all findings from the report, but here is a selection of failures contending for the gold medal of largest security fuck-up in crypto exchange history:
- FTX Group lacked independent or experienced finance, accounting, human resources, information security, or cybersecurity personnel or leadership, and lacked any internal audit function whatsoever. Board oversight, moreover, was also effectively non-existent.
- Key executive functions, including those of Chief Financial Officer, Chief Risk Officer, Global Controller and Chief Internal Auditor, were missing at some or all critical entities.
- FTX Group configured the codebase of FTX.com and associated customer databases to grant Alameda an effectively limitless ability to trade and withdraw assets from the exchange regardless of the size of Alameda's account balance, and to exempt Alameda from the auto-liquidation process that applied to other customers.
- The FTX Group had no independent Chief Information Security Officer, no employee with appropriate training or experience tasked with fulfilling the responsibilities of such a role, and no established processes for assessing cyber risk, implementing security controls, or responding to cyber incidents in real time.
- In short, as with critical controls in other areas, the FTX Group grossly deprioritized and ignored cybersecurity controls, a remarkable fact given that, in essence, the FTX Group's entire business (its assets, infrastructure, and intellectual property) consisted of computer code and technology.
- The FTX Group failed to implement basic, widely accepted security controls to protect crypto assets:
  - First, the FTX Group kept virtually all crypto assets in hot wallets.
  - Second, the FTX Group failed to employ multi-signature capabilities or Multi-Party Computation ("MPC") controls (together, "multi-signature/MPC controls") that are widely used throughout the crypto industry to protect crypto assets.
  - Third, the FTX Group failed to manage or implement any appropriate system to attempt to manage private keys.
  - Fourth, the FTX Group failed to appropriately implement controls to manage "wallet nodes," which are software programs that operate on servers running the software of the blockchain network.
- The FTX Group failed to implement in an appropriate fashion even the most widely accepted controls relating to Identity and Access Management ("IAM"), often the first line of defense in preventing an unauthorized system compromise:
  - First, the FTX Group failed to adhere to the basic security principle of "least privilege".
  - Second, the FTX Group failed to effectively enforce the use of multi-factor authentication ("MFA") among its own personnel and corporate infrastructure.
  - Third, the FTX Group generally did not use Single Sign-On ("SSO"), an authentication scheme used by companies worldwide to manage user access centrally.
- The FTX Group also failed to implement appropriate controls with respect to cloud and infrastructure security, that is, controls to protect its cloud services, networks, servers, and "user endpoints" such as desktops and laptops:
  - First, the FTX Group generally shared computer infrastructure and IT services among FTX.com, FTX.US, and Alameda.
  - Second, while crypto exchanges are notoriously targeted by hackers, the FTX Group had poor or, in some cases, no "visibility" controls to detect and respond to cybersecurity threats.
  - Third, the FTX Group did not implement controls sufficient to protect its network endpoints, such as laptops and desktops, from potential security threats.
  - Fourth, the FTX Group had no comprehensive record from which it could even identify critical assets and services, including employee workstations, software application servers, business data, and third-party cloud and other services it relied upon, leaving it with little to no visibility into what it needed to secure, let alone how to best secure it.
- The FTX Group did not implement controls sufficient to protect sensitive data relating to its applications, including its application code, from vulnerabilities and attacks:
  - First, while it is widely recognized that sensitive data should be protected through encryption and appropriate access controls, the FTX Group failed to adopt these basic controls to secure its "application secrets," that is, the highly sensitive data such as passwords, API keys, and private keys used by its applications.
  - Second, the FTX Group failed to adopt certain standard controls in order to ensure the integrity of its code.
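The crypto asset findings above (everything in hot wallets, no multi-signature/MPC, no key management) map onto a concrete control set. The code below is an added example written for this post, not FTX's code and not code from the report: it splits a cold-wallet signing key 2-of-3 across officers with Shamir secret sharing over the prime field 2^521-1, and applies a withdrawal policy in which small transfers go out of a capped hot wallet while anything larger needs a quorum of officer shares. The per-transaction limit, quorum, allow-list and key bytes are constructed values. One caveat worth stating plainly: a real MPC signer never reassembles the key on a single host; this example reassembles it in memory for illustration, so it is closer to a threshold-backup scheme than to MPC signing proper.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Prime field for the shares: 2**521 - 1 (a Mersenne prime) comfortably holds a 256-bit key.
P = 2**521 - 1

Share = Tuple[int, int]  # (x, f(x))


def split_secret(secret: bytes, threshold: int, shares: int) -> List[Share]:
    """Shamir split: a random polynomial of degree threshold-1 with f(0) = secret."""
    s = int.from_bytes(secret, "big")
    if not (s < P and 1 <= threshold <= shares):
        raise ValueError("secret too large or bad threshold/share count")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    out = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        out.append((x, y))
    return out


def recover_secret(shares: List[Share], length: int) -> bytes:
    """Lagrange-interpolate f(0) from any `threshold` distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    if total >= 256 ** length:
        # Too few or inconsistent shares yield a random field element, not the key.
        raise ValueError("reconstruction failed: insufficient or inconsistent shares")
    return total.to_bytes(length, "big")


# Constructed policy values for this example (assumptions, not FTX's numbers).
HOT_WALLET_LIMIT = 50_000  # minor units; anything above must come from the cold wallet
OFFICER_QUORUM = 2         # shares needed to reassemble the cold key (2-of-3)
KEY_LEN = 32               # 256-bit signing key


@dataclass(frozen=True)
class Withdrawal:
    amount: int
    destination: str


def authorise_withdrawal(
    w: Withdrawal,
    allowlist: Set[str],
    officer_shares: Dict[str, Share],
) -> Tuple[bool, str, Optional[bytes]]:
    """Apply the custody policy; return (allowed, reason, cold key or None).

    Small transfers leave the hot wallet (its own key is not modelled here). Large
    ones need OFFICER_QUORUM distinct officers to contribute their share, so no single
    employee and no single compromised host can reassemble the cold-wallet key.
    """
    if w.destination not in allowlist:
        return False, "destination not on the withdrawal allow-list", None
    if w.amount <= HOT_WALLET_LIMIT:
        return True, "hot wallet: within per-transaction limit", None
    if len(officer_shares) < OFFICER_QUORUM:
        return False, f"cold wallet: {len(officer_shares)} of {OFFICER_QUORUM} required approvals", None
    contributed = list(officer_shares.values())[:OFFICER_QUORUM]
    try:
        key = recover_secret(contributed, KEY_LEN)
    except ValueError as exc:
        return False, f"cold wallet: {exc}", None
    return True, "cold wallet: quorum met, signing key reassembled for this transaction", key


if __name__ == "__main__":
    cold_key = secrets.token_bytes(KEY_LEN)
    alice, bob, carol = split_secret(cold_key, OFFICER_QUORUM, 3)
    allow = {"treasury-address-constructed"}
    print(authorise_withdrawal(Withdrawal(1_000, "treasury-address-constructed"), allow, {})[:2])
    print(authorise_withdrawal(Withdrawal(9_000_000, "treasury-address-constructed"), allow, {"alice": alice})[:2])
    ok, why, key = authorise_withdrawal(
        Withdrawal(9_000_000, "treasury-address-constructed"), allow, {"alice": alice, "carol": carol}
    )
    print(ok, why, key == cold_key)
```

The point of the split is that an attacker who compromises one officer's workstation, or one server, gets a share that is information-theoretically useless on its own; compare that with a single hot-wallet key sitting on an internet-facing host, which is the setup the report describes.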
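On the application-secrets findings (the last two bullets): before passwords, API keys and private keys can be moved into a secrets manager and encrypted at rest, you have to find the ones already committed to source. The scanner below is an added example written for this post, not a tool from the report or from any project. The source snippet it scans is constructed (the AKIA... value is the example key ID from the AWS documentation, not a live credential), and the patterns and entropy threshold are assumptions a real deployment would extend and tune.

```python
import math
import re
from typing import List, Tuple

# Detection patterns (assumptions for this example; a real deployment would carry many more).
PATTERNS = {
    # AWS access key IDs are 'AKIA' followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Any PEM private-key header, whatever the algorithm.
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    # A secret-looking variable assigned a quoted literal of 8+ characters.
    "secret_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|password|passwd|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
MIN_ENTROPY = 3.5  # bits per character; below this the literal is probably a placeholder


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of `s`; 0.0 for a single repeated character."""
    if not s:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding_kind) for every suspected secret in `source`."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if kind == "secret_assignment":
                value = m.group(2)
                # A templating reference is what we want to see; a low-entropy string
                # such as "changeme" is a placeholder, not a secret.
                if value.startswith("${") or shannon_entropy(value) < MIN_ENTROPY:
                    continue
            findings.append((lineno, kind))
    return findings


# Constructed source file for the example; nothing here is a live credential.
SAMPLE_SOURCE = "\n".join([
    "import os",
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'DB_PASSWORD = "${DB_PASSWORD}"',
    'api_key = os.environ["EXCHANGE_API_KEY"]',
    'PLACEHOLDER_TOKEN = "changeme"',
    'SIGNING_KEY = """-----BEGIN EC PRIVATE KEY-----',
    "MHQCAQEEIBkgQ",
    '-----END EC PRIVATE KEY-----"""',
])


if __name__ == "__main__":
    for lineno, kind in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}")
```

Run as a pre-commit hook or in CI, a scanner like this fails the commit on lines 2, 3 and 7 of the sample while letting the environment-variable and templated references through, which is the shape you want: secrets referenced by name in code, with the values held and encrypted elsewhere.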
Conclusion
I hope you learned as much as I did from the FTX debtors' report! If you made it this far and expected a short list of security best practices for your next CEX start-up, then let me disappoint you. Here are some other resources that might help you on your endeavours:
- Crypto-Asset Exchange Security Guidelines by Cloud Security Alliance
- Secure Distributed Ledger Technology Framework for Financial Institutes by Cloud Security Alliance
- 10 Ways Cryptocurrency Exchanges Can Improve Their Security by Halborn
- How To Secure Your Crypto Exchange by Hacken
- Metamask Institutional
[1] The FTX collapse is terrible for everyone involved. My heart goes out to everyone that lost their funds, and who are suffering the dire consequences.
Photo by Devin Avery on Unsplash
Obligatory "this is fine" meme: