CryptoConsortium / CCSS

The CryptoCurrency Security Standard
https://cryptoconsortium.github.io/CCSS/

Network Security #4

Closed ghost closed 9 years ago

ghost commented 9 years ago

I would consider adding a section about network and domain name security. A number of Bitcoin companies have been attacked through their hosting or domain names. Some have been hacked by tricking the hosting company into giving them KVM access. Others have been attacked through insecurities in their domain name registration and whois records. There is a general lack of knowledge in this area with Bitcoin companies, and attacking a web site through its hosting and domain names is one of the first things an attacker does.

mperklin commented 9 years ago

Milly,

Securing domain names is definitely a requirement for every website, whether it serves the cryptocurrency industry or not.

CCSS is designed to focus solely on the cryptocurrency component of a business, and not on the business as a whole. It's a complement alongside ISO27001 and other standards that apply to businesses.

Domain name security is covered under the business side of things, but you bring up a good point - without proper validation of webservers, a MITM attack can be leveraged which can lead to the theft or loss of coins. A tweak to one of the 10 aspects may be able to cover this.

Thanks for the suggestion!

ghost commented 9 years ago

I think referencing some other applicable standards in this standard may cover it.

mperklin commented 9 years ago

Closing this issue since it's not cryptocurrency-specific. Accurate DNS information is covered by other information security practices and would be duplicated if it were added to CCSS.