By Turner Lehmbecker – Information Security Researcher – Intrinium
With the increasing popularity and value of Bitcoin and other cryptocurrencies, many people have become interested in cryptocurrency as a potential investment and source of income. However, because cryptocurrencies are lucrative and the threat of losing coins to fraud or theft keeps growing (in the first quarter of 2019 alone, $1.2 billion in funds was lost this way), many new investors wonder what, if anything, can be done to secure their digital assets.
Since most losses due to theft and fraud occur on online cryptocurrency exchanges, many people suggest that users store their coins and wallet keys in an offline, dedicated hardware wallet. While a dedicated hardware wallet is generally the safest place for one’s assets, those who conduct frequent transactions may also need a dedicated trading computer. Although most recommend that such a computer be air-gapped (that is, disconnected from any network) and powered off except when performing transactions, this is inconvenient for high-frequency traders or anyone who needs constant access to online exchanges and trading APIs. Fortunately, building a reasonably secure computer for cryptocurrency trading is not a difficult task and follows many of the same steps one would take to create a privileged access workstation.
Restrict User Privileges and Access
One of the first steps when configuring a computer for use in cryptocurrency trading is setting the proper privileges and access for its users. In general, you will want to restrict the privileges of standard users as much as possible to prevent inadvertent compromise of the machine or, in the worst case, an insider leveraging their access to steal cryptocurrency. Standard users should not be able to make configuration changes to the machine, such as installing new software or editing group policy objects (on a Windows machine). Nor should they be able to elevate their privileges (for example by entering administrator credentials when prompted during some action) or browse folders other than their own.
Only local administrator accounts should have the privileges to make changes on the machine, and no users should be members of other security groups with limited administrator privileges, such as the Backup Operators or Power Users groups found on Windows machines. If the machine will be used by a single person who will also be responsible for its maintenance, separate administrator and standard user accounts should be set up for them. The administrator account should only be used when performing maintenance or upgrades on the machine, with the standard user account used for conducting transactions. This minimizes the risk of the administrator account becoming compromised.
Lastly, the built-in default Administrator and Guest accounts should not be used and should ideally be disabled entirely. Auditing and logging of authentication failures should also be enabled, with particular attention paid to the default accounts.
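The account layout described in this section, as an added PowerShell example that is not part of the original article: it creates the separate standard and maintenance accounts, empties the limited-admin groups, disables the built-in Administrator and Guest accounts by SID, and turns on failed-logon auditing. The account names are placeholders.

```powershell
# Added example (not from the article): separate standard and maintenance accounts
# for a Windows trading workstation. Account names are placeholders; run elevated.
$StdUser   = 'trader'        # used for transactions only
$AdminUser = 'trader-admin'  # used for maintenance and upgrades only

# Passwords are prompted for so nothing is written into the script.
$StdPw   = Read-Host -AsSecureString "Password for $StdUser"
$AdminPw = Read-Host -AsSecureString "Password for $AdminUser"

New-LocalUser -Name $StdUser   -Password $StdPw   -Description 'Trading (standard user)'
New-LocalUser -Name $AdminUser -Password $AdminPw -Description 'Trading (maintenance admin)'
Add-LocalGroupMember -Group 'Users'          -Member $StdUser
Add-LocalGroupMember -Group 'Administrators' -Member $AdminUser

# Nobody belongs in the groups that carry partial administrator rights.
foreach ($Group in 'Backup Operators', 'Power Users') {
    Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
        ForEach-Object { Remove-LocalGroupMember -Group $Group -Member $_ }
}

# Built-in Administrator (RID 500) and Guest (RID 501) are disabled outright,
# matched by SID so a renamed default account is still caught.
Get-LocalUser | Where-Object { $_.SID.Value -match '-50[01]$' } | Disable-LocalUser

# Log failed logons (Security log, event ID 4625) so attempts against the
# disabled defaults or the maintenance account leave a trail.
auditpol.exe /set /subcategory:"Logon" /failure:enable
auditpol.exe /set /subcategory:"Credential Validation" /failure:enable

# Check: only the maintenance account (plus the now-disabled built-in
# Administrator) should remain in the Administrators group.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass
```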
Restrict Network Access
Considering that most threats to cryptocurrency assets originate on the internet, it is important that network access for the machine be as restricted as possible. Ideally, only the most basic network connectivity should be allowed, enough to allow basic web browsing and network traffic, but restrictive enough so that various apps are not communicating over the internet. This can be easily accomplished using a combination of a host-based or dedicated firewall, removing unnecessary applications, and disabling unnecessary services or features on the machine.
For the host-based firewall, all inbound traffic should be blocked by default with very few exceptions. This should prevent the machine from being accessed over the network. For outbound traffic, only allowed apps and certain services required for basic network functionality should be allowed to make outbound connections with everything else blocked by default. In practice, this means only apps such as web browsers and communication over TCP ports 80 and 443 and UDP port 53 should be allowed through the firewall. This can be even further restricted to allow communication only to certain IP addresses. In addition, the firewall should also log all dropped connections. However, such a restrictive firewall configuration can cause unintended issues with apps on the machine, so it is important to carefully determine which apps need to be allowed through the firewall and weigh the potential security risks against user experience and business need.
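The firewall policy above, as an added PowerShell example that is not from the original article: default-deny in both directions on every profile, UDP 53 only to the configured resolvers, TCP 80/443 only for the browser binary, logging of dropped connections, and a quick read of that log. The browser path and exchange address range are placeholders.

```powershell
# Added example (not from the article): default-deny Windows Defender Firewall
# configuration for the trading workstation. Run from an elevated session.
$Browser        = 'C:\Program Files\Mozilla Firefox\firefox.exe'   # the one allowed web app (assumption)
$ExchangeRanges = 'Any'   # tighten to the exchange's published ranges, e.g. '203.0.113.0/24' (placeholder)

# Block inbound and outbound by default on every profile, and log every drop.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogMaxSizeKilobytes 32767 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# DNS: UDP 53 only, and only to the resolvers the workstation is configured to use.
$Resolvers = Get-DnsClientServerAddress -AddressFamily IPv4 |
             Select-Object -ExpandProperty ServerAddresses -Unique
if (-not $Resolvers) { $Resolvers = 'Any' }
New-NetFirewallRule -DisplayName 'Trading: DNS out' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -RemoteAddress $Resolvers -Action Allow

# Web: only the browser binary, only TCP 80/443, optionally only to the exchange.
New-NetFirewallRule -DisplayName 'Trading: browser web out' -Direction Outbound `
    -Program $Browser -Protocol TCP -RemotePort 80, 443 `
    -RemoteAddress $ExchangeRanges -Action Allow

# Anything else that tries to talk out now shows up as DROP in the log; review it
# before deciding whether an app needs its own rule. Log fields, in order:
# date time action protocol src-ip dst-ip src-port dst-port.
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 200 |
    Where-Object { $_ -match '^\S+ \S+ DROP ' } |
    ForEach-Object { ($_ -split ' ')[0..7] -join ' ' }
```

The stock "Core Networking" rules are left in place so DHCP and the like keep working; everything that is not covered by an explicit allow rule is dropped and logged.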
Another good way of reducing the network signature or footprint of the machine, and thereby its potential attack surface, is to disable any and all unnecessary services and features. This step can include removing any apps present on the machine by default, as they are often not necessary for the machine to function and pose potential security risks. Additionally, any optional features that are enabled by default should be disabled or removed, if possible. Any features that allow remote access to the machine, such as RDP or VNC, should be disabled, along with any servers running on the machine.
Disabling certain services can also reduce the network footprint of the machine; however, disabling the wrong services can cause the machine to malfunction or not boot at all. A good strategy is to disable any services that are not running immediately after the machine boots and the user logs in. This should avoid most problems, but every app installed on the machine should be run afterwards to confirm that none of the disabled services is required.
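The footprint-reduction steps from the last two paragraphs, as an added PowerShell example that is not from the original article: it disables Remote Desktop and similar remote-access services, turns off a starting list of optional features, removes some preinstalled store apps, and snapshots the services that are not running after boot and login into a CSV for review before anything is disabled. The feature, package and service names are assumptions to be reviewed, not a prescription.

```powershell
# Added example (not from the article): trim the machine's network footprint.
# Run elevated, then retest every trading app after each step.

# 1. Remote access: disable Remote Desktop, its firewall exceptions and its service.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -Value 1
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
foreach ($Svc in 'TermService', 'RemoteRegistry', 'WinRM') {   # WinRM/RemoteRegistry: assumed unused
    Stop-Service -Name $Svc -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $Svc -StartupType Disabled
}

# 2. Optional features that are on by default but have no role on a trading box.
$Features = 'SMB1Protocol', 'MicrosoftWindowsPowerShellV2Root', 'TelnetClient',
            'TFTP', 'Printing-XPSServices-Features', 'WorkFolders-Client'
Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -in $Features -and $_.State -eq 'Enabled' } |
    ForEach-Object { Disable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName -NoRestart }

# 3. Preinstalled store apps that talk to the internet and serve no trading purpose.
$Bloat = 'Microsoft.XboxApp', 'Microsoft.SkypeApp', 'Microsoft.BingNews',
         'Microsoft.BingWeather', 'Microsoft.ZuneMusic', 'Microsoft.MicrosoftSolitaireCollection'
foreach ($Pkg in $Bloat) {
    Get-AppxPackage -Name $Pkg -AllUsers | Remove-AppxPackage -ErrorAction SilentlyContinue
}

# 4. Services: snapshot the ones not running right after boot + login. Review the
#    CSV (keep Windows Update, Defender and anything the trading apps need) and
#    delete those rows before feeding the trimmed list back in to disable the rest.
$Baseline = "$env:ProgramData\services-not-running.csv"
Get-Service | Where-Object { $_.Status -eq 'Stopped' -and $_.StartType -ne 'Disabled' } |
    Select-Object Name, StartType, DisplayName |
    Export-Csv -Path $Baseline -NoTypeInformation
Write-Host "Review $Baseline, then run:"
Write-Host "  Import-Csv '$Baseline' | ForEach-Object { Set-Service -Name `$_.Name -StartupType Disabled }"
```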
Enable Application Whitelisting and Software Restrictions
The primary goal of application whitelisting is to prevent potentially malicious software from running on the machine, so it’s a good idea to enable it: malware can not only make a machine unusable, but can also steal cryptocurrency, or at least the secrets necessary to access someone’s wallet. The policy employed by the application whitelisting solution, whether built-in or third party, should by default deny all execution of untrusted, non-whitelisted apps. However, explicit blacklisting should also be employed for apps or folders that are frequently used by malware. Caution should be exercised not to prevent the execution of apps the operating system needs, so an application whitelisting policy should be developed in audit mode, if possible.
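The policy shape described above (default deny, an explicit deny for a folder malware commonly drops into, rolled out in audit mode first), as an added AppLocker example in PowerShell that is not from the original article. The trading client path and rule names are assumptions; Everyone is SID S-1-1-0 and BUILTIN\Administrators is S-1-5-32-544.

```powershell
# Added example (not from the article): AppLocker executable policy in audit mode.
$TradingApps = 'C:\TradingClient'   # assumption: trading client installed outside Program Files
function New-RuleId { [guid]::NewGuid().ToString() }
# Deny rules win over Allow rules, so the Temp denies also bind administrators,
# who otherwise run anything (they only sign in for maintenance).
$Xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(New-RuleId)" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions></FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions></FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="Allow trading client" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="$TradingApps\*" /></Conditions></FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="Admins unrestricted" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions></FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="Deny user Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*" /></Conditions></FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="Deny Windows Temp (user-writable)" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions></FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$PolicyPath = "$env:ProgramData\TradingAppLocker.xml"
$Xml | Set-Content -Path $PolicyPath -Encoding UTF8

# Dry run before deploying: a system binary is allowed, the same binary copied
# into the user's Temp folder is denied.
Copy-Item "$env:SystemRoot\System32\cmd.exe" "$env:TEMP\probe.exe" -Force
Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone `
    -Path "$env:SystemRoot\System32\cmd.exe", "$env:TEMP\probe.exe" |
    Select-Object FilePath, PolicyDecision, MatchingRule
Remove-Item "$env:TEMP\probe.exe"

# Deploy in audit mode. The Application Identity service must run for AppLocker
# to evaluate anything; its start type is set with sc.exe because it is protected.
sc.exe config appidsvc start= auto
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# Event 8003 = "would have been blocked". Run every trading app, review these,
# then change EnforcementMode to "Enabled" in the XML and re-apply the policy.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 |
    Where-Object Id -eq 8003 | Select-Object TimeCreated, Message
```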