SOC2 Audit Planning

Apr28
by Shahid Sharif on April 28, 2018 at 3:45 pm
Posted In: Audit, Compliance, Risk Management

 SOC2AuditPlanningTitleGraphic

Introduction

When planning a SOC2 audit you have to ensure that all stakeholders are in agreement with participating in this audit.  Then you can start planning the audit.  You have two choices:

  • Hire the audit firm to create the control framework and also conduct the audit.
  • Your internal team creates the control framework and the audit firm conducts the audit against those controls.

In my eyes, the second option saves a lot of money and control owner fatigue, provided you have internal staff capable of undertaking these activities.

Planning

It is highly recommended that SOC2 Audit Planning team considers following areas below.

Trust Services Criteria

Previously called Trust Services Principles & Criteria, the new name is Trust Services Criteria.

Decide on which Trust Services Criteria to include

  • Security: The system is protected against unauthorized access, use, or modification
  • Availability: The system is available for operation and use as committed or agreed
  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized
  • Confidentiality: Information designated as confidential is protected as committed or agreed
  • Privacy: The system’s collection, use, retention, disclosure, and disposal of personal information are in conformity with the commitments in the service organization’s privacy notice and with criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA

Key Business Areas

To ensure the success of this audit, ensure following stakeholders are in agreement with participating in this audit.

  • Business line VP
  • Product managers
  • Human resources
  • Change management
  • Corporate security
  • Incident Management(both technical and security)
  • Network Support
  • Server Support
  • Database Support
  • Storage Support

 

Audit Artifacts

Once you have identified all the stakeholders and you have their buying following items should be completed.

  • System description should be created by the product managers as it should outline what the system being audited does. The information should be enough to describe the system to the external party who is consuming the service and aligns with whatever service you are offering.
  • Control framework should be designed with input from the control owners. Controls owners must be informed that this audit focus is on Design and Operating effectiveness of the controls.  Hence the controls must be designed in such a manner that they can also be operated without any issues addressing the requirement. Once the controls are designed, the operational documentation will need to be created and team members trained to operate the control as documented.  This whole activity of control design and implementation can take upwards of six months in a large organization.

 

Conclusion

It is crucial that the control framework and system description are key to the success of your audit if you can ensure these are done correctly, half of the battle is already been won. Since this is going to be the year one of the audit, a SOC2 Type 1 will be conducted, where design effectiveness of the controls is required. To avoid year two becoming a challenge ensure that the teams start operating the controls as soon as they are designed.

└ Tags: , , , , , , ,
Comments Off on SOC2 Audit Planning

Blockchain Security Tools

Apr22
by Shahid Sharif on April 22, 2018 at 9:22 pm
Posted In: Blockchain, Security, Smartcontracts

Season 2 Episode 4: Blockhain Security Tools

Introduction

Basic blockchain architecture as it pertains to block creation and consensus mechanisms is very sound.  The algorithms used to accomplish the cryptographic functions might be questionable. Hence special consideration should be given to key management, key length, hashing algorithms, and the environment that activity is conducted in.  To date, none of the block chains have been hacked or maliciously modified, hence from that aspect we are safe. If you consider blockchain mechanisms to be the foundation, which is unhackable at this point, the next few layers above is where the problems start. In this show, I talk about various blockchain security tools currently available.

 

Basic Blockchain Ecosystem

The illustration below depicts the different layers that in my opinion comprise a blockchain ecosystem.

Blockchain Security Depicted in Layers

 

Layer 1: Consensus and Cryptographic functions.

Layer 2: Virtual processor executing code that executes smart contracts.  For Ethereum this would be Ethereum Virtual Machine(EVM) executing compiled solidity code. For bitcoin blockchain, this would be Virtual Processor executing script code.

Layer 3: Application Programming Interface(API) this performs multiple functions such as:

  • Converting smart contract code to bytecode
  • Wallet requests for transaction processing
  • Exposing blockchain explorer capability

Layer4: This is where outside world interacts with Layers 3, 2, and 1.

Weakest Link

The weakest link is Layer 4.  This is where all the problems start.

First, the wallets, if the owner does not protect the private key and passphrase or they are exposed, all the crypto held in that wallet can be lost.

Second, the smart contracts, if the smart contract code is not written properly then the inherent compiled bytecode that lives on the blockchain will have vulnerabilities.  If someone is able to exploit this particular vulnerability the impacts can be very damaging.  Just like the DAO hack which leads to over $60m getting stolen.

Some solutions

Since a smart contract is just code, it has to follow secure coding practices.  Although there are a lot of secure coding methodologies, and tools available for conventional programming languages such as C, C++, C#, Java, JavaScript, etc., there was nothing available for newly created smart contract languages such as solidity and script.  With the lack of secure coding practices & tools, coupled with inexperienced programmers in these new languages, it was a disaster waiting to happen.

Tools

Various organizations are now bringing out blockchain security tools to address this void.  Here is the list:

  • A platform should support conventional programming languages to ensure existing secure coding practices can be leveraged.
  • OpenZeppelin has created an open framework of reusable and secure smart contracts in the Solidity language.
  • Trailofbits has created following tools:
    • A repository that contains examples of common Ethereum smart contract vulnerabilities, including real code.
    • “Slither combines a set of proprietary static analyses on Solidity that detect common mistakes such as bugs in reentrancy, constructors, method access, and more. Run Slither as you develop, on every new check-in of code.”
    • Echidna applies next-generation smart fuzzing to EVM bytecode. Write Echidna tests for your code after you complete new features. It provides simple, high coverage unit tests that discover security bugs. Until your app has 80+% coverage with Echidna, don’t consider it complete”.
    • Manticore uses symbolic execution to simulate complex multi-contract and multi-transaction attacks against EVM bytecode. Once your app is functional, write Manticore tests to discover hidden, unexpected, or dangerous states that it can enter. Manticore enumerates the execution states of your contract and verifies critical functionality”.
    • They have also created some reversing tools just like Porosity below which converts bytecode to solidity code.
  • NCC Group had compiled a DASP (Decentralized Application Security Project) Top10 list
  • Porosity, a decompiler and smart contract auditing tool for Ethereum smart-contracts.

Other approaches

These are some of the attempts to address security in blockchains.

  • Ivy is a declarative language to provide Bitcoin Script developers “a high-level language that adds instructions to support additional functionality, including loops, state transitions (through transaction introspection), and program evaluation”.
  • Simplicity has been released by Blockstream. It is a “typed, combinator-based, functional language without loops and recursion, designed to be used for crypto-currencies and blockchain applications. It aims to improve upon existing crypto-currency languages, such as Bitcoin Script and Ethereum’s EVM, while avoiding some of the problems they face. Simplicity comes with formal denotational semantics defined in Coq, a popular, general purpose software proof assistant. Simplicity also includes operational semantics that are defined with an abstract machine that we call the Bit Machine. The Bit Machine is used as a tool for measuring the computational space and time resources needed to evaluate Simplicity programs. Owing to its Turing incompleteness, Simplicity is amenable to static analysis that can be used to derive upper bounds on the computational resources needed, prior to execution. While Turing incomplete, Simplicity can express any finitary function, which we believe is enough to build useful “smart contracts” for blockchain applications.”
  • DAML(Digital Asset Modeling Language) by Elevence, is a financial service industry focused smart contract language.
  • Microsoft Coco is a framework which allows “arbitrary blockchain networks to be integrated with it to achieve its benefits”.
└ Tags: , , , , , , , , , , , , , ,
Comments Off on Blockchain Security Tools

What is a stable coin?

Apr15
by Shahid Sharif on April 15, 2018 at 3:34 pm
Posted In: Anonimity, Stable coins

WhatIsAStableCoinIntroduction

Although crypto currencies are all the rage these days, one of the issues they all share is the stability.   Where fiat currencies vary by a few percentage, the price variations in crypto currencies can be quite large, this makes them very unstable from monetary perspective.  Just like the issue of privacy & fungibility is being addressed by privacy coins, stable coins are trying to address the issue of stability.

Fiat currencies usually vary 2% or so, but crypto currencies are totally unpredictable. Hence one cannot rely on existing crypto currencies to use them for every day purchases and transfers like they do with fiat.

This article will answer the question What is a stable coin?

History

The first concept of stable coins was introduced in Second Life in 2003, it was called Linden Dollars. It is currently a $600 to $700 million economy.  The current conversion rate is 265 Linden Dollars to USD

Then in 2014 Bitshares introduced the concept of cryptocurrency and what we see now is its evolution, where multiple parties are proposing their solutions in terms of implementation.

Basic Ingredients

A stable coin should be:

  • Fungible: Untraceable, and value remains the same no matter who has used it.
  • Decentralized: Not controlled by a central body
  • Stable value: Value does not fluctuate more than 1-2%
  • Scalable: Transfer between parties is instant

 

Categories

Collateral can be of following types:

  • Fiat: Tether, USDT which is pegged to USD
  • Cryptocurrency: Dai which is pegged to Ether
  • Other assets: Petro which is pegged to oil

Implementations

  • Collateralized Centralized, for example Tether from Tether Limited. Collateral is stored with one single entity, which is risky.
  • Collateralized De-centralized – Dai from MakerDAO. Collateral is stored in a smart contract with master nodes having ability to vote on outcome of decisions.
  • Non collateralized de-centralized – Basecoin

 

Some stable coins

  • Basecoin
  • Digix
  • Dai
  • Havven
  • Nubits
  • Petro
  • Tether
  • Truecoin
  • WorldFree
└ Tags: , , , , , , , , , ,
Comments Off on What is a stable coin?

Blockchain Security

Apr07
by Shahid Sharif on April 7, 2018 at 5:27 pm
Posted In: Blockchain, Cryptocurrencies, Distributed Ledgers, Encryption, Hacking, ICO, Security

Introduction

Blockchain has been the most searched term in 2017 and to date it still is.  In spite of the fact that blockchain technology has been around since 2009, with the first implementation being Bitcoin, there have not been any corporate-wide deployments yet.  There are three blockchain deployment models:

  • Public
  • Private
  • Hybrid

All the major deployments have been public, such as Bitcoin, Ethereum, Litecoin, etc.

There has not been a major uptake of the private deployment by the enterprises.

Use cases

The blockchain is not a solution to every problem.  In the current hype cycle, blockchain is being touted a solution to every problem on earth.

Before anyone embraces blockchain technology they should be clear on the requirements first and then look for solutions, and blockchain might well be the solution.  It should not be the other way around where we have a hammer in form of a blockchain, hence everything looks like a nail, thereby a solution looking for a problem.

Blockchain x.0

Of all the blockchains solutions currently available today, they are trying to address a specific vertical.  Now we are in blockchain 3.0 phase.  The evolution of Blockchain technology as I see it is as shown below(This is not an exhaustive list):

Blockchain 1.0 Blockchain  1.5 Blockhain 2.0 Blockchain 3.0 Blockchain 4.0
Bitcoin Monero Ethereum EoS Polkadot
Litecoin Zcash Corda NEO DFINITY
Dogecoin Zcoin HyperLedger Tezos

 

Smart Contracts

In 2015, Ethereum was released and it introduced the idea of smart contracts, which have nothing to do with legal contracts, hence smart contract ? legal contract. The term smart contract got coined when Ethereum Founder, Vitalik Buterin, was working on a project and that needed a level of automation, and they decided to call it smart contract. A smart contract is just an ability to programmatically execute decisions based on certain inputs. Blockchain 2.0 platforms introduced the concept of smart contracts and a distributed world computer where you could deploy a conditional code that would execute as soon as it was called on the nearest full node.

 

The Weakest Link

To date, all blockchains have been resilient to hack attacks due to the cryptographic mechanisms that have been implemented.

The most vulnerable are the public blockchains, which operate unprotected on the internet and the respective Proof of Work(PoW) and/or Proof of Stake(PoS) algorithms have provided that security.

All the hacks have been in the following areas:

  • Key management for the crypto wallets
  • Smart contract code being buggy, which allowed a threat actor to exploit the threat vector, a vulnerability in smart contract code, which caused the DAO hack in 2016. The hacker stole about $150M worth of Ether.

 

Security Considerations

As the blockchain platforms get more complex the number of threat vectors also increases exponentially.  For instance, following areas need special attention when building a blockchain platform and surprisingly most threat vectors are very similar to any application stack.

  • Cryptography: Key management, Encryption, Hashing
  • Consensus algorithm
  • Identity
  • Authentication
  • Authorization
  • Code review and testing development practices
  • Data integrity
  • Encryption mechanisms
  • Incident Response
└ Tags: , , , , , , , ,
Comments Off on Blockchain Security

Privacy By Design

Apr01
by Shahid Sharif on April 1, 2018 at 3:51 pm
Posted In: Compliance, Encryption, Passwords, Privacy, Security

 

Privacy by Design

The idea of “Privacy by Design” was first introduced in 1990’s by Ann Cavoukian the Information and Privacy Commissioner of Ontario from 1997 to 2014.

GDPR also has adopted it.

This is taking first principles approach.

Foundational Principles

The approach is based on seven foundational principles [http://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/report-12/page-36#5] :

  • Proactive, not Reactive; Preventative not Remedial: The goal of privacy by design is to take preventative action by implementing measures to reduce the risk of privacy infractions.[198]
  • Privacy as the Default Setting: The default setting for all products and services should be to protect personal information so that an individual’s privacy is automatically protected without any action being required by the individual.[199]
  • Privacy Embedded into Design: The protection of personal information should be an integral part of information systems and business practices; it should not be an add?on.[200]
  • Full Functionality – Positive-Sum, not Zero-Sum: Privacy by design should be considered a benefit; there should be no trade?offs with other features to achieve this goal.[201]
  • End-to-End Security – Full Lifecycle Protection: The protection of personal information must extend throughout the system’s entire lifecycle.[202]
  • Visibility and Transparency – Keep it Open: Transparency is important to ensure that systems and practices are truly able to protect user privacy; independent verification must always be possible.[203]
  • Respect for User Privacy – Keep it User-Centric: Above all, privacy by design entails putting individuals’ interests first.[204]

Personal Data Types

  • IP Address
  • Email addresS
  • Address
  • Date of birth
  • Religion
  • Gender
  • Personal lifestyle/affiliations
  • Genetic
    • Race
    • Ethnicity
    • Health information
    • Etc.

Implementing “Privacy by Design”

The best way to implement “Privacy by Design” is to embed privacy requirements into your project delivery methodology. There are five phases of project delivery:

  • Initiation
  • Planning
  • Execution
  • Monitoring and Control
  • Closure

Initiation Phase

  • Identify soft and hard requirements
  • Identify teams to engage

Planning Phase

  • Purpose of data collection
  • Which data elements need to be captured?
  • Data classification
  • Data retention
  • Privacy Impact Assessment
  • Ensure a Configuration Management Database is updated to ensure inventory is accurate

Execution Phase

  • The inclusion of Data classification and Data retention into your data model
  • How is consent being collected, it should be explicit
  • Private data should be stored encrypted in transit and at rest
  • Data subjects must be able to request following actions on their data, update, delete, move( ability to export data in a readable format)
  • Data integrity is maintained all times
  • Strict authentication & authorization controls are implemented
  • In development code analysis is done to ensure code is secure
  • Before system goes live, ensure penetration testing of the application is completed and any issues remediated.
└ Tags: , , , , , , , , , , , ,
Comments Off on Privacy By Design