This list of security incidents was created to get your attention and point you to security resources.
These will be your primary security concerns:
- Protect key material. Your servers will be accessed.
- Be defensive against application vulnerability. You will have bugs.
- Protect all authentication to your cloud infrastructure (two-factor authentication, strong and unique passwords). Your employees will re-use passwords and bad guys will get them.
- Limit the exposure of funds with cold storage, HSMs, and Multi-Signature transactions. This is because intrusions will happen anyway.
- Design for collusion whenever possible for sensitive or high value operations. Don’t allow a lone insider too much influence.
If this seems intimidating, here’s some further advice!
Bitcoin Specific Advice
These are practices that are unique to blockchain companies.
- Cold Storage can reduce the impact of a security breach from 100% to a configurable percentage. After this, reduce your risk of a large hot wallet even further with cryptographic hardware or multisignature transactions.
- After reducing the amount of funds you’d store in a “Hot Wallet”, use multisignature transactions to secure a hot wallet even further.
- Use an HSM that will protect key material and make it extremely hard to make a transaction that cannot be audited. It will also defend greatly against insider threats.
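The three bullets above describe one control chain: keep most funds cold, cap what the hot wallet may move, and require several independent approvers so no lone insider can spend. The example below is added here and is not code from the original page; it models that chain in plain Python with HMAC-SHA256 standing in for real transaction signatures (a real deployment would use per-approver hardware-backed keys and on-chain multisignature scripts). The constants `APPROVER_KEYS`, `QUORUM`, `HOT_WALLET_CAP`, `PER_TX_LIMIT` and all amounts are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed per-approver secrets. In production each would live in a
# separate HSM or hardware wallet and never be shared between people.
APPROVER_KEYS = {
    "alice": b"constructed-secret-alice",
    "bob": b"constructed-secret-bob",
    "carol": b"constructed-secret-carol",
}
QUORUM = 2                  # m-of-n: approvals needed from distinct approvers
HOT_WALLET_CAP = 5_000_000  # max balance (sats) allowed to stay hot
PER_TX_LIMIT = 1_000_000    # max single withdrawal from the hot wallet


def canonical(tx: dict) -> bytes:
    """Deterministic encoding so every approver signs exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def approve(tx: dict, approver: str) -> str:
    """An approver produces an approval tag over the canonical transaction."""
    return hmac.new(APPROVER_KEYS[approver], canonical(tx), hashlib.sha256).hexdigest()


def verify_quorum(tx: dict, approvals: dict) -> tuple:
    """Count approvals that verify under the named approver's key.

    Unknown approvers never count, and a tag made with one person's key
    cannot be presented under another name, so a single insider cannot
    reach the quorum alone.
    """
    valid = set()
    for name, tag in approvals.items():
        key = APPROVER_KEYS.get(name)
        if key is None:
            continue
        expected = hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            valid.add(name)
    if len(valid) < QUORUM:
        return False, f"only {len(valid)} valid approvals, need {QUORUM}"
    return True, "quorum met"


def check_spend(tx: dict, approvals: dict, hot_balance: int, seen_tx_ids: set) -> tuple:
    """Policy gate for a hot-wallet withdrawal; returns (ok, reason)."""
    if tx["tx_id"] in seen_tx_ids:
        return False, "replay: tx_id already processed"
    if tx["amount"] > PER_TX_LIMIT:
        return False, "amount exceeds per-transaction limit"
    if tx["amount"] > hot_balance:
        return False, "insufficient hot balance; cold funds need a separate ceremony"
    ok, reason = verify_quorum(tx, approvals)
    if not ok:
        return False, reason
    seen_tx_ids.add(tx["tx_id"])
    return True, "approved"


def excess_to_cold(hot_balance: int) -> int:
    """Amount that must be swept to cold storage to stay under the hot cap."""
    return max(0, hot_balance - HOT_WALLET_CAP)


if __name__ == "__main__":
    seen = set()
    tx = {"tx_id": "constructed-tx-1", "to": "constructed-dest", "amount": 250_000}
    one = {"alice": approve(tx, "alice")}
    two = {"alice": approve(tx, "alice"), "bob": approve(tx, "bob")}
    print(check_spend(tx, one, 2_000_000, set()))   # rejected: one approval
    print(check_spend(tx, two, 2_000_000, seen))    # approved
    print(check_spend(tx, two, 2_000_000, seen))    # rejected: replay
    print("sweep to cold:", excess_to_cold(7_000_000))
```

The worst-case loss from a compromised hot wallet is bounded by `HOT_WALLET_CAP` rather than the company's full holdings, and the quorum check is what turns "one stolen key" into "not enough to spend"; the replay guard and canonical encoding close the two easy ways around a signature check (resubmitting an old approved transaction, or altering the destination after approvals were collected).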
These are practices that are common at any company, not just a blockchain company.
- Starting up Security is advice for company-wide security.
- Investigating Account Takeover discusses the massive amounts of phishing, malware, and other attacks that will directly target and steal from your customers.
- Preventing Account Takeover will discuss the automated ways you can prevent takeover of your customer accounts.
- Red Teams will help you simulate a worst case incident scenario before it happens.
- Security Breach 101 will help you understand the complex coordination of an incident in progress.
- Coinbase’s security should also act as a reference model for your own security program.
This started as bitcoin_breaches.txt on my laptop and I figured it would pair well with Starting Up Security for the BTC / ETH community. A much broader list exists here at bitcointalk that includes scams and fraud.
Feel free to suggest additions to the graveyard or advice section in pull requests.