Securing Digital Exchanges

CoinHub Exchange, published in The CoinHub Blog

February 4th, 2018 | CoinHub | by The CoinHub Team

Crypto and Cyber… where is the synergy?

Whether you’ve finally given in to the pressure of investing in digital currencies, or you’re a seasoned trader, one question still looms in light of all the hacks we have been witnessing in the media lately: Is my money secure on an exchange?

Although best practice dictates that you should never keep your money on an exchange, or allow someone else to hold your private keys, exchanges overall do try to meet certain criteria to ensure their customers are secure.

We view cyber security as a key component to any exchange in this industry, which is why we have built CoinHub from the ground up prioritizing safety and security of wallets at all costs. Industry standards have proven to be vulnerable over time, especially with the continued spike in user base and investor awareness.

Our cyber security partners are tasked with ensuring our security framework exceeds that of any traditional digital exchange, offering round-the-clock assessments and preemptive software scaling.

Here at CoinHub we see security as more than just a technological solution.

While technology plays a key role, we also focus on people and processes. There is no ‘Silver Bullet’… no one piece of technology can thwart attacks… if there were such a solution, there would be no hacks in the world. We work closely with our cyber security partners to ensure the latest tools, techniques and procedures used by cyber criminals are regularly assessed to keep us and our customers secure.

In terms of the People, Process, Technology triangle, the ongoing security practices implemented here can be summarized as follows:

1. Hot / Cold Wallets

90% of digital assets are kept offline in encrypted wallets that are not reachable from the network. Only 10% of digital assets are online and being traded, limiting exposure.

2. Web Application Penetration Testing

Every quarter, a web application penetration test is conducted against our pre-production environment. This allows the security assessment teams to test more aggressively, using exploits which could break functionality or even lead to denial of service. Once the report is generated, our team implements the remediation actions, and regression testing is conducted.

3. Distributed Denial of Service (DDoS)

CoinHub has subscribed to a cloud provider specializing in DDoS protection, to detect and manage denial-of-service traffic surges.

4. Firewalling

The team has deployed enterprise-grade, PCI-certified firewalls. These layer 7 firewalls come with the OWASP Top 10 rule-set, in addition to custom rules applied where necessary to prevent web-based attacks.

5. Infrastructure Assessments

In conjunction with the security firm we have partnered with, quarterly penetration tests are conducted against our infrastructure to ensure no vulnerable services are enabled or exposed.

6. Air-Gapped Systems

We use air-gapped networks, meaning only specific systems are allowed to access the back-end of the exchange. Other services such as email, file uploads and KYC are handled on separate systems to reduce the impact of exploitation, and to reduce the risk of compromising any digital assets stored on the exchange.

7. Access Controls

Strict access controls are applied to system administrators, developers and other staff to ensure confidentiality, integrity and non-repudiation.

8. Sandboxing

We have deployed sandboxing internally to ensure that when customers upload their KYC / AML documents, they are not only scanned for malware but also detonated in a sandboxed environment, so that any malicious payloads are detected and blocked before touching any of our corporate systems. A similar practice exists for the handling of emails.

9. User Awareness

All staff go through regular security awareness training. This trains them to recognize phishing attempts, and ensures that they know the procedures and playbooks to be used should an incident occur.

10. Incident Response

In collaboration with our security team, we have developed use cases, playbooks and processes to detect, respond to and contain security incidents.

11. Regulatory Framework and Compliance

Our staff undergo rigorous and continuous training on compliance matters in line with the guidelines set forth by the Monetary Authority of Singapore (MAS). This ensures that we are prepared and able to adapt to the complicated regulatory landscape of the cryptocurrency environment.

12. Multi-Factor Authentication

We have deployed multi-factor authentication on the login page, on the password reset page, and for withdrawals, to protect against phishing attacks.

13. Best Practice

Following the guidance of NIST, OWASP and PCI, the team has focused on several key areas to increase its response readiness: governance, visibility and communication.

Our Message

We’ve only scratched the surface of the security concerns related to digital exchanges. Attacks are always evolving and attackers always seem to be one step ahead, which is why we also urge our community to be more aware of the threats they may face and to engage with our team when need be.

We offer multiple forms of two-factor authentication, and although we cannot force you to use these settings, we strongly urge you to do so, helping us in the process to ensure the integrity of your accounts.

CoinHub is always striving to secure the confidentiality, integrity and availability of your digital assets.

Be secure. Invest well.

The CoinHub Team