Cybersecurity Best Practices for Crypto Exchanges

14 April 2023

The downfall of FTX is truly a gift¹ that keeps on giving 🎁! FTX's cybersecurity practices are a showcase of how not to secure your crypto business.

An alternate title for this post could have been: "Cybersecurity worst practices for crypto exchanges, a master class brought to you by FTX". But I digress. Let us dive into today's topic: cybersecurity best practices for crypto exchanges.

Learn from the mistakes others make FTX made

There is no better way to learn than to learn from mistakes. Mistakes that ideally others make. FTX in our case. So, in order to get to our security best practices, we can start by identifying worst practices and then avoid them like the plague 😷.

A damning report

FTX debtors released a new report detailing numerous security failures they have encountered. I urge everyone to read through the full report to get a feel of how awful the state of security affairs were. This is worse than gross negligence if you ask me.

In an internal communication, Bankman-Fried described Alameda as “hilariously beyond any threshold of any auditor being able to even get partially through an
audit,” adding: "Alameda is unauditable. I don’t mean this in the sense of “a major accounting firm will have reservations about auditing it”; I mean this in the sense of “we are only able to ballpark what its balances are, let alone something like a comprehensive transaction history.” We sometimes find $50m of assets lying around that we lost track of; such is life.

Not a pretty sight

Looking at the table of contents, we see where this is going...🍿

REVIEW OF CONTROL FAILURES
A. Lack of Management and Governance Controls
1. FTX Group Management and Governance
2. Debtors’ Management and Governance
B. Lack of Financial and Accounting Controls
1. Lack of Key Personnel, Departments, and Policies
2. Lack of Appropriate Accounting Systems
3. Inadequate Reporting and Documentation
4. Trading Records from Other Exchanges
5. Intercompany Transactions
6. Extraordinary Privileges Granted to Alameda
C. Lack of Digital Asset Management, Information Security & Cybersecurity Controls
1. Lack of Key Personnel, Departments, and Policies
2. Crypto Asset Management and Security
3. Identity and Access Management
4. Cloud and Infrastructure Security
5. Application and Code Security
6. Debtors’ Work to Identify and Secure Crypto Assets in the Computing Environment

The examples included in the report supporting some findings are often so batshit insane that they are comical. They are beyond comprehension from a professional perspective...

Bad, worse, worst practices 🤦‍♂️

I cannot list all findings from the report, but here is a selection of failures contending for the gold medal🏅 of largest security fuck-up in crypto exchange history:

You might not directly relate some of these failures to cybersecurity, but you should understand that a security function does not operate in a vacuum. In order to properly manage cyber/information/IT security risk, there is much interaction with other corporate functions such as compliance, non-financial risk, (IT) audit, executive & board levels, ...

FTX Group lacked independent or experienced finance, accounting, human resources, information security, or cybersecurity personnel or leadership, and lacked any internal audit function whatsoever. Board oversight, moreover, was also effectively non-existent.
Key executive functions, including those of Chief Financial Officer, Chief Risk Officer, Global Controller and Chief Internal Auditor, were missing at some or all critical entities.
FTX Group configured the codebase of FTX.com and associated customer databases to grant Alameda an effectively limitless ability to trade and withdraw assets from the exchange regardless of the size of Alameda’s account balance, and to exempt Alameda from the auto-liquidation process that applied to other customers.
The FTX Group had no independent Chief Information Security Officer, no employee with appropriate training or experience tasked with fulfilling the responsibilities of such a role, and no established processes for assessing cyber risk, implementing security controls, or responding to cyber incidents in real time.
In short, as with critical controls in other areas, the FTX Group grossly deprioritized and ignored cybersecurity controls, a remarkable fact given that, in essence, the FTX Group’s entire business—its assets, infrastructure, and intellectual property—consisted of computer code and technology.
The FTX Group failed to implement basic, widely accepted security controls to
protect crypto assets:
- First, the FTX Group kept virtually all crypto assets in hot wallets.
- Second, the FTX Group failed to employ multi-signature capabilities or Multi-Party Computation (“MPC”) controls (together, “multi-signature/MPC controls”) that are widely used throughout the crypto industry to protect crypto assets.
- Third, the FTX Group failed to manage or implement any appropriate system to attempt to manage private keys.
- Fourth, the FTX Group failed to appropriately implement controls to manage “wallet nodes,” which are software programs that operate on servers running the software of the blockchain network.
The FTX Group failed to implement in an appropriate fashion even the most widely accepted controls relating to Identity and Access Management (“IAM”)—often the first line of defense in preventing an unauthorized system compromise
- First, the FTX Group failed to adhere to the basic security principle of “least privilege”.
- Second, the FTX Group failed to effectively enforce the use of multi-factor authentication (“MFA”) among its own personnel and corporate infrastructure
- Third, the FTX Group generally did not use Single Sign-On (“SSO”), an authentication scheme used by companies worldwide to manage user access centrally.
The FTX Group also failed to implement appropriate controls with respect to cloud and infrastructure security—that is, controls to protect its cloud services, networks, servers, and “user endpoints” such as desktops and laptops.
- First, the FTX Group generally shared computer infrastructure and IT services among FTX.com, FTX.US, and Alameda.
- Second, while crypto exchanges are notoriously targeted by hackers, the FTX Group had poor or, in some cases, no “visibility” controls to detect and respond to cybersecurity threats.
- Third, the FTX Group did not implement controls sufficient to protect its network endpoints, such as laptops and desktops, from potential security threats.
- Fourth, the FTX Group had no comprehensive record from which it could even identify critical assets and services, including employee workstations, software application servers, business data, and third-party cloud and other services it relied upon, leaving it with little to no visibility into what it needed to secure, let alone how to best secure it.
The FTX Group did not implement controls sufficient to protect sensitive data
relating to its applications, including its application code, from vulnerabilities and attacks:
- First, while it is widely recognized that sensitive data should be protected through encryption and appropriate access controls, the FTX Group failed to adopt these basic controls to secure its “application secrets,” that is, the highly sensitive data such as passwords, API keys, and private keys used by its applications.
- Second, the FTX Group failed to adopt certain standard controls in order to ensure the integrity of its code.

Conclusion

I hope you learned as much as I did from the FTX debtor's report! If you made it this far and expected a short list of security best practices for your next CEX start-up, then let me disappoint you. Here are some other resources that might help you on your endeavours:

^[1] The FTX collapse is terrible for everyone involved. My heart goes out to everyone that lost their funds, and who are suffering the dire consequences.

Photo by Devin Avery on Unsplash

Obligatory "this is fine" meme: