Security Primer – CryptoCurrency

As cryptocurrency sees increased adoption, state, local, tribal, and territorial (SLTT) governments are encountering malware designed to steal or mine cryptocurrency, or are having their systems held for ransom payable only via cryptocurrency. Bitcoin (BTC), the first cryptocurrency to see widespread use, emerged in 2009. Today, there are hundreds of alternatives to Bitcoin. Popular alternatives include Litecoin (LTC), Ethereum (ETH), Bitcoin Cash (BCH), and Monero (XMR). Most cryptocurrencies are decentralized, operating without the oversight of a trusted authority and instead relying upon the security of cryptographic algorithms and ledger distribution, commonly achieved through blockchain technology. This independence grants companies and individuals the freedom to transfer funds directly to one another. Some cryptocurrencies, such as Monero, emphasize anonymity, which makes those currencies both difficult to track and ideal for cyber threat actors (CTAs) involved in illicit activities. However, not all cryptocurrency transactions are anonymous as, in some cases, identities are revealed through transactional records.

As cryptocurrency sees increased use, SLTT governments may be required to purchase cryptocurrency. Cryptocurrencies are purchased through exchanges, which operate similarly to a stock exchange: buyers and sellers are paired together and the exchange acts as an intermediary. Some exchanges are designed to be user-friendly at the cost of moderately higher fees and transaction wait times. Exchanges are regulated by law, which means not all exchanges can operate in all jurisdictions.

Cryptocurrency itself is not stored or held by any individual party; rather, ownership is recorded on the currency’s distributed ledger of transactions and is tied to owners’ unique public keys. Sending cryptocurrency requires that a transaction be digitally signed using the owner’s private key and directed to a recipient’s public key, both of which are stored in wallets. There are multiple types of wallets: software wallets (stored locally), web wallets (hosted by a third party), mobile wallets (stored on an app), hardware wallets (stored on a device), and cold storage wallets (stored offline). Protection of these keys is essential, as CTAs often target unsecured wallets and exchanges to steal funds. You should think of your private key as the key to your bank account: if someone has that key, they have full access to your account. However, if that key is lost, access to the funds is also lost forever.
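
To illustrate the paragraph above, here is an added example (not part of the original primer): a minimal ledger in which funds move only when a transaction is signed by the private key matching the owner's public key. Lamport one-time signatures built from SHA-256 stand in for the elliptic-curve signatures real cryptocurrencies use; the address format, message format, and all names are assumptions.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()
def keygen():
    # Private key: 256 pairs of random secrets. Public key: the hash of each secret.
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return priv, [(H(a), H(b)) for a, b in priv]

def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(priv, msg: bytes):
    # Reveal one secret per digest bit; a Lamport key must sign only one message.
    return [priv[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(pub, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pub[i][b] for i, (s, b) in enumerate(zip(sig, digest_bits(msg))))

def address(pub) -> str:
    return H(b"".join(a + b for a, b in pub)).hex()[:16]  # hypothetical address format

def tx_message(sender: str, recipient: str, amount: int, nonce: int) -> bytes:
    return f"{sender}->{recipient}:{amount}#{nonce}".encode()  # hypothetical format

class Ledger:
    def __init__(self):
        self.balances = {}  # address -> amount: the only record of ownership
        self.nonces = {}    # address -> next transaction number (blocks replay)
    def transfer(self, sender_pub, recipient: str, amount: int, sig) -> bool:
        sender = address(sender_pub)
        msg = tx_message(sender, recipient, amount, self.nonces.get(sender, 0))
        if amount <= 0 or self.balances.get(sender, 0) < amount or not verify(sender_pub, msg, sig):
            return False  # without a valid signature from the private key, nothing moves
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        self.nonces[sender] = self.nonces.get(sender, 0) + 1
        return True

def demo():
    (owner_priv, owner_pub), (_, payee_pub), (other_priv, _) = keygen(), keygen(), keygen()
    ledger, src, dst = Ledger(), address(owner_pub), address(payee_pub)
    ledger.balances[src] = 10  # constructed starting balance
    msg = tx_message(src, dst, 4, 0)
    forged = ledger.transfer(owner_pub, dst, 4, sign(other_priv, msg))    # wrong key
    signed = ledger.transfer(owner_pub, dst, 4, sign(owner_priv, msg))    # owner's key
    replayed = ledger.transfer(owner_pub, dst, 4, sign(owner_priv, msg))  # stale nonce
    return forged, signed, replayed, ledger.balances[src], ledger.balances[dst]
```

The ledger never consults anything but the signature, which is why a copied private key gives full control of the funds and a lost one leaves them unspendable.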

Recommendations

  • Consult with your legal department prior to accepting or purchasing cryptocurrencies as laws and regulations may make it difficult for government entities to own cryptocurrency.
  • When buying cryptocurrency, pay close attention to the market price and fees, as prices vary from exchange to exchange.
  • Be wary of scams – some online tutorials are ploys to steal cryptocurrency.
  • When purchasing cryptocurrency, it is important to consider how you will keep it secure. If using a third party, perform a review of the provider to verify that they are reputable.
  • Never store your private key on a shared network, such as those at your organization or other public venues, and secure wallets and private keys with unique, complex passwords.

The MS-ISAC is the focal point for cyber threat prevention, protection, response, and recovery for the nation’s state, local, tribal, and territorial (SLTT) governments. More information about this topic, as well as 24x7 cybersecurity assistance, is available at 866-787-4722, SOC@cisecurity.org. The MS-ISAC is interested in your comments - an anonymous feedback survey is available.