This is a work in progress and not a release. We're looking for volunteers. See Issues to know how to collaborate.

Introduction to the Frameworks

tag: [SEAL/Initiative]

Welcome to the Security Frameworks by Security Alliance (SEAL), a curated resource for those seeking knowledge in the realm of blockchain security. Our organization, a collective of dedicated security specialists, is on a mission to spread awareness and educate the community about best practices and potential pitfalls in Web3 security.

Why We Created This Resource

We have noticed a growing need to address the various challenges and issues facing our field, some of which include security threats not specifically aimed at Web3 infrastructure. Recognizing that information is abundant but not always easily accessible, we've compiled and organized existing resources from around the internet and generated new content specifically with this purpose in mind.

Who Can Benefit

Regardless of your background—whether in Web2, Web3, or beyond—these guidelines are open to all who seek to learn and contribute. We aim to establish a comprehensive, high-level security framework for Web3 projects, providing best practices to development teams throughout the lifecycle of their projects. Consider this a one-stop shop for everything related to Web3 security.

How to Contribute

Read our Contribution Guide to learn how you can contribute to this project.

Who We Are

SEAL is a not-for-profit organization committed to enhancing security awareness, education, and specialized work as a public good for the Web3 ecosystem, its supporting technologies, and communities. Our efforts are driven by a shared desire to foster a safer, more informed digital landscape. We do this by designing innovative projects, engaging elite technologists, and coordinating on the social layer to ensure meaningful adoption.

What Is It

This resource is a collection of best practices written in an abstract or general fashion to be applicable regardless of the specific technology. It serves as a comprehensive guide to help you secure various aspects of your Web3 projects and build resilience against potential threats.

This guide aims to centralize existing information, so you might not see novel features but rather a well-organized compilation of security-related topics, from simpler ones to more complex ones. The goal is to provide a comprehensive resource that brings together diverse security insights and practices into one accessible place.

Our hope is that these resources will help expand your security skill set.

What It Isn't

This resource isn't just a compilation of existing information. While it may initially seem like a collection of curated content, its primary focus is on providing in-depth, practical guidance.

Unlike other curations, compilations, or blog posts that often focus on the latest technologies, this guide delves into underlying concepts and technical aspects essential for securing Web3 projects. It’s not meant to be read like a "story" but rather used as a reference to enhance your understanding and application of security practices.

The content may not always follow the latest state-of-the-art technologies, as its focus is on fundamental security principles that are broadly applicable. Our aim is to provide valuable insights and practical advice to help you secure your projects effectively.

This guide is not intended to be offensive, though it might include strong examples to illustrate particular points. Our goal is to ensure clarity and effectiveness in conveying security best practices.

How to Navigate the Website

Navigation of the Security Frameworks by SEAL is intended to be intuitive and user-friendly. We plan to let users filter content by role, but we're not quite there yet. Any feedback on how to improve the usability of the frameworks in the future is appreciated.

Categories

The content is organized into different categories, each focusing on a specific aspect of security. Currently, we are under the introduction section, but you can explore the broader category of "Frameworks" below. Each framework is categorized to help you find relevant information quickly.

Filtering by Profile

This is being implemented, and we're looking for volunteers and collaborators for this specific task. The main objective is to allow users to filter the content by profile so they can focus on information relevant to their role within the organization, bypass unnecessary reading, and concentrate on what matters most.

Example roles:

  • Developer
  • Executive
  • Security
  • Finance
  • Crypto
  • Management
  • Community
  • Non-Technical

This targeted approach will ensure you get the most relevant information efficiently.

Overview of Each Framework

This document provides an overview of the various frameworks covered in the Security Frameworks by SEAL. Each framework addresses a specific aspect of Web3 security, providing best practices and guidelines to help secure your projects.

Infrastructure

This section covers the fundamental aspects of securing the underlying infrastructure of Web3 projects, including protection against attacks, system security, and network management.

Monitoring

This framework discusses the importance of continuous monitoring in Web3 projects, focusing on setting up effective monitoring systems and defining appropriate thresholds for alerts.

Front-End/Web App

This section addresses security considerations specific to the user-facing components of Web3 projects, including both web and mobile application security.

Community Management

This framework explores best practices for securing and managing online communities associated with Web3 projects, particularly on platforms like Discord and Twitter.

Key Management

This section delves into the crucial aspect of managing cryptographic keys in Web3 projects, discussing various wallet types and signing schemes.

Encryption

This framework covers various encryption methods and their applications in protecting data at rest and in transit for Web3 projects.

Incident Management

This section outlines protocols for handling security incidents, including detection, response, and post-incident analysis.

Operational Security

This framework addresses day-to-day security practices for Web3 teams, covering a wide range of topics from personal device security to insider threat mitigation.

DevSecOps

This section focuses on integrating security practices into the development and operations processes of Web3 projects.

Privacy

This framework explores tools and practices for maintaining privacy in the Web3 ecosystem, both for projects and individuals.

Vulnerability Disclosure

This section discusses best practices for handling and disclosing vulnerabilities in Web3 projects.

Supply Chain

This framework addresses the security implications of dependencies and third-party components in Web3 projects.

Awareness

This section covers strategies for fostering security awareness among team members and users of Web3 projects.

External Security Reviews

This framework provides guidance on conducting and preparing for external security audits and reviews.

Governance

This section addresses risk management, regulatory compliance, and security metrics for Web3 projects.

Security Automation

This framework explores ways to automate security processes in Web3 projects, including threat detection and compliance checks.

Threat Modeling

This section provides guidance on identifying and mitigating potential threats to Web3 projects.

IAM (Identity and Access Management)

This framework covers best practices for managing user identities and access control in Web3 projects.

Secure Software Development

This section focuses on integrating security practices throughout the software development lifecycle for Web3 projects.

Security Testing

This framework explores various methods of testing Web3 projects for security vulnerabilities.

User (Team) Security

This section addresses security practices and awareness for the team members working on Web3 projects.

tag: [Operations & Strategy, Security Specialist]

Infrastructure

tag: [Engineer/Developer, Security Specialist, Devops, Cloud, SRE]

Infrastructure is often overlooked in web3, but it is a very important area given that most front-end web applications run on centralized infrastructure. This section focuses on Infrastructure Security, encompassing critical aspects such as cloud infrastructure, DNS providers, domain registrars, and DDoS (Distributed Denial of Service) protection.

When designing your architecture, it may be worth considering how many different providers you rely on. Are you going to use different providers for infrastructure, DDoS protection, domain registration, and DNS, or will you choose a provider that provides all of these? On one hand, putting all your eggs in one basket means a failure of that service would cause downtime. On the other hand, using a single service and ensuring it follows all security best practices means a lower risk surface.

Contents

  1. Asset Inventory
  2. Cloud Infrastructure
  3. DDoS Protection
  4. DNS and Domain Registration
  5. Network Security
  6. Operating System Security
  7. Zero-Trust Principles

Cloud Infrastructure

tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, Cloud, SRE]

Securing your cloud infrastructure could be considered as important as securing your decentralized application, as a lot of users will be interacting with your dapp through the cloud provider. Some best practices to consider are:

  1. Implement strict access controls and identity management to ensure that only authorized individuals can interact with cloud resources. Use role-based access control (RBAC) and multi-factor authentication (MFA).
  2. Encrypt data both in transit and at rest. Use managed encryption keys or bring your own keys (BYOK) for enhanced security.
  3. Configure virtual private clouds (VPCs), implement firewalls, and monitor network traffic to protect against unauthorized access and threats.
  4. Set up comprehensive logging, monitoring, and threat detection systems to identify and respond to security incidents in real-time. Use services like AWS CloudTrail, Azure Monitor, and Google Cloud Logging.
  5. Implement high availability, data backup, and disaster recovery plans to protect against service disruptions. Use automated fail-over and replication strategies.
  6. Ensure compliance with regulatory requirements (e.g., GDPR, MiCA).

Cloud Provider Hardening Guides

All cloud providers have hardening guides that provide step-by-step instructions and best practices for securing cloud infrastructure:

Open Source Tools

To aid with vulnerability detection and compliance, you could consider using the following open-source tools:

DDoS Protection

tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, Cloud, SRE]

Distributed Denial of Service (DDoS) attacks are a pervasive threat that can disrupt your services by overwhelming them with excessive traffic.

Best Practices

  • Use Cloud Provider Solutions: Utilize DDoS protection services offered by your cloud provider:

    AWS

    • AWS Shield Standard and Advanced:
      • Shield Standard: Basic DDoS protection at no extra cost.
      • Shield Advanced: Enhanced protection with real-time visibility and access to AWS DDoS Response Team (DRT).
    • Amazon CloudFront and AWS WAF:
      • CloudFront: Distributes traffic globally to mitigate DDoS attacks.
      • AWS WAF: Protects against application layer attacks.

    Azure

    • Azure DDoS Protection Basic and Standard:
      • DDoS Protection Basic: Automatic protection against common attacks.
      • DDoS Protection Standard: Advanced protection with real-time monitoring.
    • Azure Front Door and Azure Application Gateway with WAF:
      • Front Door: Global application delivery with DDoS mitigation.
      • Application Gateway with WAF: Protects against various attacks.

    GCP

    • Google Cloud Armor: Provides DDoS protection and WAF capabilities.
    • Load Balancing: Distributes traffic to mitigate DDoS attacks.
    • VPC Flow Logs and Stackdriver Logging: Monitors and logs traffic patterns for effective response.

External DDoS Protection Providers

In addition to cloud provider solutions, consider external DDoS protection services:

  • Cloudflare: Offers comprehensive DDoS protection and mitigation services.
  • Akamai: Provides scalable DDoS protection solutions.
  • Imperva: Specializes in DDoS protection and mitigation.

DNS and Domain Registration

tag: [Engineer/Developer, Security Specialist, Operations & Strategy]

DNS (Domain Name System) is the backbone of the internet, translating domain names into IP addresses. Choosing a secure and trusted domain registrar is important: anyone who obtains access to your domain registrar account could change your DNS servers and more.

DNS Security

  1. Implement DNSSEC to digitally sign DNS records, ensuring data integrity and authenticity.
  2. Evaluate and choose DNS hosting providers based on their performance, security, and reliability.

Domain Registrar Security

  1. Select a registrar with a strong security posture and a history of reliability.
  2. Follow best practices for securing your domain registrar account, including strong authentication methods.
  3. Enable domain transfer locks and two-factor authentication to prevent unauthorized domain transfers.
  4. Use WHOIS privacy services to protect your domain registration information from public exposure.
  5. Implement processes to ensure your domains do not inadvertently expire, potentially causing disruptions.

DNS Monitoring and Incident Response

  1. Create alerts to be notified of DNS route changes and ensure those changes are expected and authorized.
  2. Develop an incident response plan specific to DNS and Domain Registrar security breaches, including steps for investigation and mitigation.
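The monitoring step above, combined with the transfer-lock, DNSSEC and expiry items from the two preceding lists, can be run as a periodic comparison against an approved baseline. This is an added example, not part of the original framework; the record values, the `audit_domain` function and the 30-day renewal window are assumptions, and the observed data is expected to come from your own resolver queries and registrar (RDAP/WHOIS) lookups.

```python
from datetime import date

CRITICAL_TYPES = {"NS", "DS"}            # delegation and DNSSEC chain of trust
HOSTNAME_TYPES = {"NS", "CNAME", "MX"}   # values that are case-insensitive names
LOCK_STATUS = "clienttransferprohibited"  # EPP status set by a registrar transfer lock


def _norm(rtype, values):
    """Normalise hostnames (case, trailing dot); leave other record data as-is."""
    if rtype in HOSTNAME_TYPES:
        return {v.strip().rstrip(".").lower() for v in values}
    return {v.strip() for v in values}


def audit_domain(approved, observed, today, renew_within_days=30):
    """Return (severity, check, detail) for every deviation from the baseline."""
    findings = []
    for rtype in sorted(set(approved["records"]) | set(observed["records"])):
        want = _norm(rtype, approved["records"].get(rtype, []))
        got = _norm(rtype, observed["records"].get(rtype, []))
        if want == got:
            continue
        severity = "critical" if rtype in CRITICAL_TYPES else "warning"
        detail = f"added {sorted(got - want)}, removed {sorted(want - got)}"
        findings.append((severity, rtype, detail))
    if LOCK_STATUS not in {s.lower() for s in observed["status"]}:
        findings.append(("critical", "transfer-lock", "domain transfer lock is off"))
    days_left = (observed["expires"] - today).days
    if days_left <= renew_within_days:
        findings.append(("warning", "expiry", f"registration expires in {days_left} days"))
    return findings


# Constructed sample data: documentation-range IPs and reserved example names.
APPROVED = {"records": {
    "NS": ["ns1.dns-host.example.", "ns2.dns-host.example."],
    "A": ["192.0.2.10"],
    "DS": ["12345 13 2 <constructed-digest>"],
}}
OBSERVED_OK = {
    "records": {
        "NS": ["NS2.DNS-HOST.EXAMPLE", "ns1.dns-host.example"],  # same set, other spelling
        "A": ["192.0.2.10"],
        "DS": ["12345 13 2 <constructed-digest>"],
    },
    "status": ["clientTransferProhibited", "clientUpdateProhibited"],
    "expires": date(2026, 3, 1),
}
OBSERVED_BAD = {
    "records": {
        "NS": ["ns1.other-host.example.", "ns2.other-host.example."],
        "A": ["198.51.100.7"],
        # DS missing: the zone is no longer covered by DNSSEC
    },
    "status": ["ok"],
    "expires": date(2025, 6, 20),
}

if __name__ == "__main__":
    for finding in audit_domain(APPROVED, OBSERVED_BAD, date(2025, 6, 1)):
        print(*finding, sep=" | ")
```

Update the approved baseline only as part of an authorized change, so that any other difference raises an alert.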

Operating System Security

tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, SRE]

This document outlines some general best practices for operating system security. If you're interested in a much more comprehensive guide, see NIST 800-123.

Best Practices

  1. Keep your operating systems updated with the latest security patches and updates.
  2. Block the remote shell port from all but required IPs.
  3. Block all ports except absolutely required ones from public.
  4. Use tools such as fail2ban to protect against attacks.
  5. Enforce personal account and SSH key login.
  6. Enable multi-factor authentication.
  7. Implement strict access controls to limit administrative privileges and use role-based access control (RBAC).
  8. Use antivirus and anti-malware software to detect and prevent malicious activities on systems where relevant.
  9. Configure host-based firewalls to control incoming and outgoing network traffic.
  10. Implement host-based intrusion detection and prevention systems (HIDS/HIPS).
  11. Follow secure configuration guides, such as the NIST 800-123 guidelines, to harden your operating systems.

Asset Inventory

tag: [Engineer/Developer, Security Specialist, Devops, SRE]

An asset inventory means having information about everything related to your project, for example contracts, hardware, software, cloud providers, dependencies, and network components. This is important because you cannot protect assets you are not aware of.

You should at the very least document as much as you can with regards to your assets, and update this on a regular basis. It is highly recommended to also assign ownership of each asset, so that someone ensures the safety of this asset. Classifying them based on their criticality and sensitivity also helps you prioritize them with regards to security measures.

Identity and Access Management

tag: [Engineer/Developer, Security Specialist]

Right now, this subsection has an entire category of its own. Please refer to Identity and Access Management (IAM).

Zero-Trust Principles

tag: [Engineer/Developer, Security Specialist, Operations & Strategy]

The Zero-Trust security model assumes that threats can exist both inside and outside the network. It requires strict verification for every user and device attempting to access resources, regardless of their location.

Key Principles

  1. Always authenticate and authorize based on all available data points, including user identity, location, device health, and service or workload.
  2. Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection.
  3. Segment networks and use encryption to limit the potential impact of a breach.

Implementation Strategies

  1. Implement strong IAM practices, including multi-factor authentication (MFA) and conditional access policies.
  2. Use micro-segmentation to create secure zones in data centers and cloud environments.
  3. Ensure all endpoints (e.g., devices, servers) comply with security policies before granting access.
  4. Implement continuous monitoring and analytics to detect and respond to anomalies in real-time.
  5. Use automation to enforce security policies consistently across the network.

Network Security

tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, Cloud, SRE]

Network security is a very wide subject, and the steps you take depend significantly on whether you're managing your own network, utilizing a cloud provider, or using a service provider. With that said, there are some general best practices to consider:

Best Practices

  1. Infrastructure should deny all incoming traffic by default. When opening ports, consideration should be made as to which ports and incoming IPs are needed. SSH, RDP, and Database ports should not be open to the entire Internet.
  2. Divide your network into segments to limit the impact of a potential breach.
  3. Implement firewalls to control and monitor incoming and outgoing network traffic based on predetermined security rules.
  4. Use IDPS to detect and prevent potential security breaches.
  5. Use VPNs to provide secure remote access to your network.
  6. Encrypt sensitive data in transit using secure protocols.
  7. Use ACLs to define and control which systems or users can access network resources.
  8. Conduct regular network security audits to identify and address vulnerabilities.
  9. Keep any potential network devices and software updated with the latest security patches.
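The first practice above, together with items 2 and 3 of the Operating System Security list, can be checked mechanically against an exported rule set. The following is an added example, not part of the original framework: the `IngressRule` shape, the sample rules and the database port list are assumptions, and rules are treated as an unordered allow-list in the style of cloud security groups rather than an ordered first-match firewall.

```python
import ipaddress
from dataclasses import dataclass

# SSH and RDP use their standard ports; the database ports are an assumed
# starting list for "Database ports" and should match what you actually run.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL",
                   5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}


@dataclass(frozen=True)
class IngressRule:
    name: str
    action: str      # "allow" or "deny"
    source: str      # CIDR, IPv4 or IPv6
    port_from: int
    port_to: int


def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. the entire Internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_ingress(default_action, rules):
    """Return (rule name, detail) for every violation of the practices above."""
    findings = []
    if default_action != "deny":
        findings.append(("default-policy", "inbound traffic is not denied by default"))
    for rule in rules:
        if rule.action != "allow" or not is_world_open(rule.source):
            continue
        # A port range such as 0-65535 exposes every sensitive port inside it.
        exposed = [f"{port}/{label}" for port, label in sorted(SENSITIVE_PORTS.items())
                   if rule.port_from <= port <= rule.port_to]
        if exposed:
            findings.append((rule.name, f"{rule.source} can reach " + ", ".join(exposed)))
    return findings


# Constructed sample rule set (documentation-range addresses).
SAMPLE_RULES = [
    IngressRule("web-https", "allow", "0.0.0.0/0", 443, 443),       # public by design
    IngressRule("ssh-bastion", "allow", "203.0.113.10/32", 22, 22),  # one required IP
    IngressRule("db-internal", "allow", "10.0.0.0/8", 5432, 5432),   # private range
    IngressRule("legacy-ssh", "allow", "0.0.0.0/0", 22, 22),         # violation
    IngressRule("debug-any-v6", "allow", "::/0", 0, 65535),          # violation
]

if __name__ == "__main__":
    for name, detail in audit_ingress("deny", SAMPLE_RULES):
        print(f"{name}: {detail}")
```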

Monitoring

tag: [Engineer/Developer, Security Specialist]

Monitoring is a crucial aspect of maintaining the security and integrity of a blockchain project. Effective monitoring allows you to detect anomalies and potential security breaches in real-time, enabling prompt response and mitigation. This section focuses on monitoring the on-chain security of a project, including guidelines for setting up monitoring systems, defining thresholds for alerts, and utilizing existing on-chain monitoring tools.

Guidelines for On-Chain Monitoring

tag: [Engineer/Developer, Security Specialist]

Effective on-chain monitoring is complex, and involves setting up systems and processes to continuously observe blockchain activities and detect any anomalies.

Best Practices

Define Monitoring Objectives

  1. Determine the critical metrics to monitor, such as large fund transfers, token minting events, and changes in contract ownership.

Implement Monitoring Tools

  1. Use automated monitoring tools that can continuously track blockchain activities and generate alerts for anomalies.
  2. Supplement automated tools with periodic manual reviews.

Establish Alerting Mechanisms

  1. Set up real-time alerts to notify relevant project members of any suspicious activities or threshold breaches.
  2. Use multiple channels for alerts, such as email, SMS, and messaging apps where available, to ensure timely response.

Regular Reviews and Updates

  1. Conduct regular reviews of your monitoring systems to ensure they are functioning correctly and covering all necessary metrics.
  2. Regularly update thresholds and alert configurations to reflect your current needs.

Incident Response

  1. Develop and maintain an incident response plan to handle alerts and anomalies as soon as possible.

Defining Thresholds for On-Chain Monitoring

tag: [Engineer/Developer, Security Specialist]

Setting appropriate thresholds for on-chain monitoring is hard, because you want to detect unusual activities without generating excessive false positives. Here are some guidelines for defining and configuring thresholds.

Generic Guidelines

Understand Normal Activity Patterns

  1. Establish baseline metrics for normal activities, such as average transaction volumes and typical token minting rates (if any).
  2. Use historical data to understand activity patterns and identify deviations from the norm.

Set Thresholds for Alerts

  1. Define thresholds for large fund transfers from project wallets, considering both absolute amounts and relative percentages.
  2. Set thresholds for token minting events, including the number of tokens minted and the frequency of minting.
  3. Establish thresholds for changes in contract ownership or significant modifications to contract code.

Adjust Thresholds Over Time

  1. Implement adaptive thresholds that can adjust based on changing activity patterns and emerging threats.
  2. Periodically review and update thresholds to ensure they remain relevant and effective.

Multi-Layered Thresholds

  1. Use primary thresholds for critical alerts and secondary thresholds for less urgent notifications.
  2. Define thresholds based on a combination of metrics to reduce false positives and improve accuracy.

Anomaly Detection

It is hard, if not impossible, to predict every type of alert one should set up for their project. As such, implementing an anomaly detection system can be of great value, as it monitors the project and its transactions in real time and compares them to previous behavior. If, for example, it is common that 4% of tokens change owner each day and there's a day with 20% of tokens changing owner in the past 10 minutes, then that could be detected as an anomaly and cause for investigation.
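The threshold guidelines and the turnover example above can be combined into one small detector. This is an added example, not part of the original framework: the `Transfer`/`Policy`/`Monitor` names, the sample events and every threshold other than the 4% daily baseline and the 10-minute window are assumptions. It measures turnover as transferred volume divided by total supply, spreads the daily baseline evenly across the day (real activity is burstier), and expects events in time order.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int        # unix seconds
    sender: str
    amount: int    # token base units


@dataclass(frozen=True)
class Policy:
    total_supply: int
    project_wallets: dict               # address -> balance (static here, assumed)
    baseline_daily_share: float = 0.04  # from the text: 4% changes owner per day
    window_s: int = 600                 # from the text: 10 minutes
    warn_multiple: float = 10.0         # assumed: 10x the pro-rata baseline
    transfer_warn_share: float = 0.05   # assumed: 5% of a project wallet
    transfer_crit_share: float = 0.25   # assumed: 25% of a project wallet
    transfer_crit_abs: int = 10_000_000  # assumed absolute limit


class Monitor:
    def __init__(self, policy):
        self.policy = policy
        self.window = deque()
        self.window_total = 0

    def observe(self, t):
        """Return a list of (severity, alert) raised by this transfer."""
        p, alerts = self.policy, []
        # Layer 1: absolute and relative thresholds on project wallets.
        balance = p.project_wallets.get(t.sender)
        if balance:
            share = t.amount / balance
            if t.amount >= p.transfer_crit_abs or share >= p.transfer_crit_share:
                alerts.append(("critical", "large-transfer"))
            elif share >= p.transfer_warn_share:
                alerts.append(("warning", "large-transfer"))
        # Layer 2: turnover in the rolling window versus the historical baseline.
        self.window.append(t)
        self.window_total += t.amount
        while self.window[0].ts <= t.ts - p.window_s:
            self.window_total -= self.window.popleft().amount
        observed = self.window_total / p.total_supply
        expected = p.baseline_daily_share * p.window_s / 86_400
        if observed >= p.baseline_daily_share:      # a full day's turnover in one window
            alerts.append(("critical", "turnover-anomaly"))
        elif observed >= p.warn_multiple * expected:
            alerts.append(("warning", "turnover-anomaly"))
        return alerts


def adapt_baseline(current, observed_daily_share, alpha=0.1, max_jump=2.0):
    """Adaptive threshold: moving average, clamped so one extreme day cannot drag it."""
    clamped = min(observed_daily_share, current * max_jump)
    return (1 - alpha) * current + alpha * clamped


# Constructed sample stream for a token with a supply of 1,000,000,000 units.
POLICY = Policy(total_supply=1_000_000_000, project_wallets={"treasury": 50_000_000})
EVENTS = [
    Transfer(0, "alice", 100_000),
    Transfer(60, "treasury", 2_600_000),      # 5.2% of the treasury
    Transfer(700, "bob", 5_000_000),          # 0.5% of supply in the window
    Transfer(900, "mallory", 195_000_000),    # window now holds 20% of supply
    Transfer(2000, "treasury", 20_000_000),   # 40% of the treasury
]

if __name__ == "__main__":
    monitor = Monitor(POLICY)
    for event in EVENTS:
        print(event.ts, event.sender, monitor.observe(event))
```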

Front-End Web Application Security Best Practices

tag: [Engineer/Developer, Security Specialist, Devops]

Front-end security is often overlooked, but securing your front-end web and any mobile applications is crucial for protecting your users. If the front-end web application is compromised, it could have severe effects on your users; for example, they could start interacting with a malicious contract instead of your official contract.

Contents

  1. Web Application Security
  2. Mobile Application Security
  3. Common Vulnerabilities
  4. Security Tools and Resources

Web Application Security

tag: [Engineer/Developer, Security Specialist]

Providing a secure front-end (web application) for users to interact with your web3 protocol is often essential. Web application vulnerabilities have however been exploited in the past to steal user funds, and as such it's important to take web application security into consideration for your project.

Best Practices

  1. Utilize popular and well-maintained web application frameworks when developing your application.
  2. Familiarize yourself with common web application vulnerabilities that may affect your decentralized application such as Cross-Site Scripting (XSS). Refer to the OWASP Top 10 for a comprehensive list.
  3. Minimize the introduction of custom components in your framework. Ensure that any custom code undergoes thorough internal and external security testing.
  4. Refer to the Infrastructure/DDoS Protection section for insights on ensuring high availability of your protocol’s front-end.
  5. Lock down access to associated back-end services, such as S3 buckets, to prevent unauthorized access.
  6. Consider deploying additional versions of your front-end on IPFS to ensure availability and resilience.

Mobile Application Security

tag: [Engineer/Developer, Security Specialist]

Mobile applications are increasingly used as front-ends for web3 protocols. As more projects adopt mobile applications, they also become an increasingly attractive target for threat actors. Below, you can find some suggestions to help protect your mobile application:

Best Practices

  1. Follow secure coding practices to prevent common vulnerabilities such as:

    • Insecure Data Storage
    • Insufficient Transport Layer Protection
    • Insecure Authentication
    • Insecure Authorization
  2. Use the trusted execution environment available in the device for secret management.

  3. Ensure that APIs used by the mobile application are secure and follow best practices for authentication and authorization by implementing certificate pinning to help prevent man-in-the-middle attacks.

  4. Encrypt sensitive data stored on the device and during transmission.

  5. Keep the mobile application and its dependencies updated to protect against known vulnerabilities.

  6. Leverage security libraries and frameworks designed for mobile application security, such as OWASP Mobile Security Project.

Community Management

tag: [Community & Marketing]

Historically, there have been quite a few compromised communities that the threat actor then turned into a phishing platform, with users ending up losing funds as a consequence. In order to protect your users, as well as your own brand, you should ensure that you secure your communities. Each community platform has its own set of best practices, and below you can find some general approaches to securing your community:

  • Strong Passwords and Two-Factor Authentication (2FA):

    • Use unique, complex passwords for each service, managed through a password vault.
    • Enable 2FA. Avoid SMS-based 2FA due to its vulnerability to SIM-swapping attacks. Use hardware-based tokens like Yubikey or a mobile application. Do not use your password manager to generate 2FA codes; separate passwords and 2FA codes.
    • For 2FA apps like Authy, encrypt your passcodes with a password to prevent unauthorized access through SIM-swapping.
    • Secure the email account associated with your community accounts with unique passwords and 2FA (preferably hardware-based).
    • Encourage community members to adopt these security practices.
  • Phishing Awareness:

    • Inform community members about scams and how to recognize them.
    • Remind them that your team will never initiate a chat first, as that is a common tactic utilized by threat actors.
  • Operational Security:

    • Be aware of the risk of your computer or phone being compromised, which could lead to your community services being compromised. Take steps to minimize this risk.
  • Emergency Response Plan:

    • Prepare an emergency response plan for security breaches or unexpected incidents. Having a compromised community account could lead to severe consequences as many users could end up falling for scams.
    • Be prepared. Consider the saying: “It’s not a question of if you’ll have a breach, but when”. Planning ahead helps mitigate chaos.

Discord Security

tag: [Community & Marketing, Security Specialist]

Discord has a large set of security settings to take into consideration, as well as some potential pitfalls where a server moderator could for example fall victim to a phishing attempt by having their account hijacked through a QR code. Below, you can find some hardening suggestions when setting up a Discord server.

Discord Server Hardening

Server Settings

a) Enable 2FA Requirement for Moderation

  • Go to Server Settings > Safety Setup > Moderation
  • Toggle on "Require 2FA for moderation"
  • This ensures all moderators have an extra layer of security

b) Set Appropriate Verification Level

  • Go to Server Settings > Safety Setup > Verification Level
  • Choose from: None, Low, Medium, High, Highest
  • Recommended: "Moderate" for public servers (must be registered on Discord for longer than 5 minutes)
  • Higher levels protect against spammers and raids

c) Enable Explicit Content Filter

  • Go to Server Settings > Safety Setup > Content Filter
  • Set to "Scan messages from all members"
  • This automatically blocks messages containing explicit images in non-age-restricted channels
  • Age-restricted channels are exempt from this filter

d) Raid Protection and CAPTCHA

Discord’s Raid Protection system utilizes machine learning to detect and prevent join-raids, where bot armies attempt to overwhelm your server. Activate Raid Protection alerts to receive notifications when a raid is detected. Upon detection, automated actions are taken, including sending alerts to a designated channel and implementing CAPTCHA verification for new joiners within the following hour to deter raiders. To enable these features, navigate to Server Settings > Safety Setup > Raid Protection and Captcha, and activate all relevant settings to prompt users for CAPTCHA verification when performing actions as new users.

Roles and Permissions

a) Implement Role Hierarchy

  • Go to Server Settings > Roles
  • Create roles like: Cold Admin, Team, Moderator, & Verified
  • Drag to reorder; higher roles override lower roles
  • Restructure the role hierarchy by dragging roles higher or lower in the roles list: Cold Admin, Team, Moderator, Verified

b) Restrict Administrative Permissions

  • For each role, carefully review the 32 available permissions
  • Key permissions to restrict: Administrator, Manage Webhooks, Manage Server, Manage Roles, Manage Channels
  • Never give Admin or Kick permissions to anyone you don't fully trust
  • Good permissions for moderators: View Audit Log, Manage Messages, Kick Members, Timeout Members, & Ban Members
  • Good permissions for members: View Channels, Create Invite, Send Messages, Read Message History, Connect, Speak & Use Voice Activity

c) Use Channel-Specific Permissions

  • Right-click on a channel > Edit Channel > Permissions
  • Set custom permissions for roles or members in specific channels

d) Use the "View Server as Role" Feature

  • Go to Server Settings > Roles > Select a role > View Server as Role
  • This allows you to see what members with a certain role can see and access

Moderation

a) Set Up Auto-Moderation Rules

  • Go to Server Settings > AutoMod
  • Set up rules for: Spam, Harmful Links, Mention Spam, Inappropriate Words
  • Configure custom keyword filters and exempted roles
  • Customize the response to spam, like blocking the message, sending an alert, or timing out the member
  • Add keywords like Admin, Support, Bot, Tech, Helpdesk, etc. to the AutoMod rule to block them in a user's name
  • Allow certain roles to bypass the spam filter if needed

b) Configure Timeout Duration

  • Go to Server Settings > Safety Setup > Timeout
  • Set default duration (e.g., 60 minutes)
  • Educate moderators on using timeouts effectively

c) Establish Clear Server Rules

  • Create a #rules channel
  • Use Discord's built-in rules screening feature
  • Include sections on: Behavior, Content, Moderation Actions, Appeals Process

Bots

a) Audit Bot Permissions

  • Go to Server Settings > Integrations
  • Review each bot's permissions
  • Remove unnecessary permissions
  • Bots will typically suggest Admin or other permissions that aren't needed; apply least privilege at both the role level and the channel level
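The permission review described under "Restrict Administrative Permissions" and "Audit Bot Permissions" can be scripted against an export of role data, where each role's permissions arrive as a bitfield. This is an added example, not part of the original framework: the role names, tiers and the `audit_roles` function are assumptions, and the assumption that moderators also keep the member permissions is ours. Bit positions follow Discord's documented permission flags, limited to the permissions this page names.

```python
# UI label -> bit position in the permissions bitfield.
PERMISSION_BITS = {
    "Create Invite": 0, "Kick Members": 1, "Ban Members": 2, "Administrator": 3,
    "Manage Channels": 4, "Manage Server": 5, "View Audit Log": 7,
    "View Channels": 10, "Send Messages": 11, "Manage Messages": 13,
    "Read Message History": 16, "Connect": 20, "Speak": 21,
    "Use Voice Activity": 25, "Manage Roles": 28, "Manage Webhooks": 29,
    "Timeout Members": 40,
}
# "Key permissions to restrict" from the list above.
HIGH_RISK = {"Administrator", "Manage Webhooks", "Manage Server",
             "Manage Roles", "Manage Channels"}
MEMBER_OK = {"View Channels", "Create Invite", "Send Messages",
             "Read Message History", "Connect", "Speak", "Use Voice Activity"}
# Assumption: moderators keep the member permissions on top of their own.
MODERATOR_OK = MEMBER_OK | {"View Audit Log", "Manage Messages", "Kick Members",
                            "Timeout Members", "Ban Members"}
ALLOWED = {"member": MEMBER_OK, "moderator": MODERATOR_OK}


def pack(*names):
    """Build a bitfield in the decimal-string form the API uses."""
    value = 0
    for name in names:
        value |= 1 << PERMISSION_BITS[name]
    return str(value)


def decode(permissions):
    """Turn a permissions bitfield into the set of permission labels it grants."""
    by_bit = {bit: name for name, bit in PERMISSION_BITS.items()}
    value, bit, names = int(permissions), 0, set()
    while value:
        if value & 1:
            # Bits outside the table are still reported so nothing is hidden.
            names.add(by_bit.get(bit, f"unlisted bit {bit}"))
        value >>= 1
        bit += 1
    return names


def audit_roles(roles):
    """Return (role, severity, permission) for everything beyond the role's tier."""
    findings = []
    for role in roles:
        excess = decode(role["permissions"]) - ALLOWED[role["tier"]]
        for perm in sorted(excess):
            severity = "high" if perm in HIGH_RISK else "review"
            findings.append((role["name"], severity, perm))
    return findings


# Constructed sample roles; bots are held to the member tier here.
SAMPLE_ROLES = [
    {"name": "Verified", "tier": "member",
     "permissions": pack("View Channels", "Send Messages", "Read Message History")},
    {"name": "Moderator", "tier": "moderator",
     "permissions": pack("View Channels", "View Audit Log", "Manage Messages",
                         "Kick Members", "Timeout Members", "Ban Members")},
    {"name": "HelperBot", "tier": "member",
     "permissions": pack("View Channels", "Send Messages", "Administrator")},
    {"name": "Events", "tier": "member",
     "permissions": pack("View Channels", "Kick Members", "Manage Webhooks")},
    {"name": "Legacy", "tier": "member", "permissions": str(1 << 17)},
]

if __name__ == "__main__":
    for finding in audit_roles(SAMPLE_ROLES):
        print(*finding, sep=" | ")
```

A role holding Administrator has every permission and bypasses channel-specific overrides, so treat that finding as the first one to resolve.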

b) Remove Unnecessary Bots

  • Uninstall any bots that aren't actively used or needed

c) Implement Security/Moderation Bots

  • Set up security bots. Various third-party Discord bots offer valuable security and protection features, facilitating automated moderation for your server. In the sections below, we’ll explore different categories of security bots and highlight popular options for each category.

Anti-Impersonation Bots: Set up custom rules to prevent other users from joining using the same username and PFP to impersonate you or other important members of the server. A popular bot in this category is Wick Bot.

Anti-Raid Bots: To prevent spam bots from joining your server all at once, an attack known as raiding, you can set up bots with particular rules. Beemo is a good example of a bot in this category.

Anti-Nuke Bots: This is a monitoring system to observe and note any changes (spontaneous or planned) that take place in your Discord server. Some key observation markers are channel and role creation/deletion, banning or kicking members, and webhook creation/deletion.

Moderation & Link Whitelisting Bots: These only allow approved links to be used in the Discord server. A popular bot in this category is Goodknight Bot.

The bots above are not all-inclusive but rather a recommended list of bots to help protect your Discord server in these categories.

Channels

a) Organize Channels Logically

  • Use categories to group related channels
  • Suggested categories: Information, General, Voice Channels, Topic-Specific

b) Set Slow Mode Where Needed

  • Channel Settings > Overview > Slow Mode
  • Set appropriate cooldown (e.g., 5-30 seconds) for busy channels

c) Use Age-Restricted Channels Appropriately

  • Channel Settings > Overview > Age-Restricted Channel
  • Enable for channels with mature content

Invites

a) Disable Permanent Invites

  • Server Settings > Invites
  • Un-check "Allow anyone with administrative permissions to create invites"

b) Set Invite Expiration and Usage Limits

  • When creating an invite: Set "Expire After" and "Max Number of Uses"
  • Recommended: 24 hours expiration, 50-100 uses

c) Regularly Audit Active Invites

  • Server Settings > Invites
  • Review and delete unnecessary or old invites

Member Screening

a) Enable Membership Screening

  • Server Settings > Safety Setup > Membership Screening
  • Toggle on "Enable Membership Screening"

b) Set Up Screening Questionnaire

  • Add questions about server rules, age verification, etc.
  • Require members to agree to rules before joining

c) Set Up Membership Requirements

  • Require users to react to a message or post an introduction
  • This helps filter out bots and spam accounts from joining

d) Verification

  • Implement a verification bot like Wick
  • This verification bot should also screen users who join based on parameters such as account age, completing a captcha within a certain time period, etc.
  • When the captcha is completed, it should grant the user a "verified" role, which gives the user access to the server

Logging

a) Enable Audit Logs

  • Ensure admin/mod roles have "View Audit Log" permission

b) Set Up a Private Logging Channel

  • Create a private channel visible only to admins/mods
  • Use a logging bot like Logger or Dyno to send detailed logs

Regular Reviews

a) Conduct Periodic Permission Audits

  • Monthly: Review all role permissions
  • Use a spreadsheet to track changes and justifications
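One way to run the role and bot permission audits described in this guide, as an added example that is not part of the original guide: it decodes each role's permission bitfield (the string Discord returns in role objects) and reports anything beyond the member baseline listed under Roles and Permissions, as CSV rows for the tracking spreadsheet. The role names, the `APPROVED` justification table and the sample roles are constructed assumptions.

```python
"""Audit Discord role permission bitfields against a least-privilege baseline."""
import csv
import io

# Bit positions from Discord's documented permission flags (partial table).
PERMS = {
    "CREATE_INSTANT_INVITE": 1 << 0, "KICK_MEMBERS": 1 << 1,
    "BAN_MEMBERS": 1 << 2, "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4, "MANAGE_GUILD": 1 << 5,
    "VIEW_AUDIT_LOG": 1 << 7, "VIEW_CHANNEL": 1 << 10,
    "SEND_MESSAGES": 1 << 11, "MANAGE_MESSAGES": 1 << 13,
    "READ_MESSAGE_HISTORY": 1 << 16, "MENTION_EVERYONE": 1 << 17,
    "CONNECT": 1 << 20, "SPEAK": 1 << 21, "USE_VAD": 1 << 25,
    "MANAGE_ROLES": 1 << 28, "MANAGE_WEBHOOKS": 1 << 29,
}
KNOWN_MASK = sum(PERMS.values())

# Member baseline from this guide: View Channels, Create Invite, Send Messages,
# Read Message History, Connect, Speak and Use Voice Activity.
BASELINE = {"VIEW_CHANNEL", "CREATE_INSTANT_INVITE", "SEND_MESSAGES",
            "READ_MESSAGE_HISTORY", "CONNECT", "SPEAK", "USE_VAD"}
BASELINE_BITS = sum(PERMS[name] for name in BASELINE)
HIGH_RISK = {"ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES", "MANAGE_CHANNELS",
             "MANAGE_WEBHOOKS", "KICK_MEMBERS", "BAN_MEMBERS", "MENTION_EVERYONE"}


def bits(*names):
    """Build the string bitfield the API would return for these permissions."""
    value = 0
    for name in names:
        value |= PERMS[name]
    return str(value)


def audit_roles(roles, approved=None):
    """Return one finding per role that holds more than baseline + approved."""
    approved = approved or {}
    findings = []
    for role in roles:
        field = int(role["permissions"])  # the API sends the bitfield as a string
        granted = {name for name, flag in PERMS.items() if field & flag}
        excess = granted - BASELINE - approved.get(role["name"], set())
        unlisted = field & ~KNOWN_MASK  # bits missing from PERMS: report, never ignore
        if not excess and not unlisted:
            continue
        if "ADMINISTRATOR" in excess:
            severity = "critical"  # Administrator bypasses every other check
        elif excess & HIGH_RISK:
            severity = "high"
        else:
            severity = "review"
        labels = sorted(excess)
        if unlisted:
            labels.append(f"UNLISTED_BITS({unlisted:#x})")
        findings.append({"role": role["name"],
                         "kind": "bot" if role.get("managed") else "role",
                         "severity": severity, "excess": labels})
    return findings


def to_csv(findings):
    """Render findings as rows for the change/justification spreadsheet."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["role", "kind", "severity", "excess_permissions", "justification"])
    for f in findings:
        writer.writerow([f["role"], f["kind"], f["severity"], " ".join(f["excess"]), ""])
    return out.getvalue()


# Constructed sample data. "managed" is true for roles owned by a bot/integration.
SAMPLE_ROLES = [
    {"name": "@everyone", "managed": False, "permissions": bits(*BASELINE)},
    {"name": "Member+", "managed": False, "permissions": bits(*BASELINE, "MENTION_EVERYONE")},
    {"name": "Moderator", "managed": False,
     "permissions": bits(*BASELINE, "KICK_MEMBERS", "BAN_MEMBERS", "MANAGE_MESSAGES", "VIEW_AUDIT_LOG")},
    {"name": "Events", "managed": False, "permissions": bits(*BASELINE, "MANAGE_MESSAGES")},
    {"name": "TicketBot", "managed": True, "permissions": bits("ADMINISTRATOR")},
]
# Extra permissions with a recorded justification (hypothetical entries).
APPROVED = {"Moderator": {"KICK_MEMBERS", "BAN_MEMBERS", "MANAGE_MESSAGES", "VIEW_AUDIT_LOG"}}

if __name__ == "__main__":
    print(to_csv(audit_roles(SAMPLE_ROLES, APPROVED)))
```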

b) Review and Update Server Rules

  • Quarterly: Assess if rules need updating
  • Announce any changes in a dedicated announcements channel

c) Check for Unused Channels/Roles

  • Bi-annually: Delete or archive inactive channels
  • Remove roles that are no longer needed

Cold Admin Accounts

a) Set Up a "Cold" Admin Account

  • Create a new account on a separate device never used for chatting or clicking links
  • This account is highly resistant to phishing and provides an extra layer of security for the server owner

b) Secure the Cold Account

  • Create a new email account for the cold account
  • Factory reset the device used for this account

c) Use the Cold Account for Critical Actions

  • Manage bots, modify server settings, and respond to compromises
  • Never use this account for regular server activities

Additional Security Measures

a) Verification Systems

  • Implement a verification bot like Wick or Captcha.bot
  • Require users to complete a captcha or react to a message before accessing the server

b) Raid Protection

  • Use anti-raid bots like Wick or Dyno
  • Configure automatic lock-down settings for suspicious activity

c) Privacy Settings

  • Server Settings > Privacy Settings
  • Disable "Allow direct messages from server members"

d) Integration Whitelisting

  • Server Settings > Integrations > Allow new integrations to be added by:
  • Set to "Only Administrators" to prevent unauthorized bot additions

e) Server Insights

  • Enable Server Insights for detailed analytics
  • Use this data to inform moderation strategies and server improvements

f) Backup Systems

  • Use a bot like ServerBackup to regularly backup your server configuration
  • Store backups securely off-platform

Additional Resources

Twitter Security

tag: [Community & Marketing]

Having your Twitter account compromised can cause a lot of damage not only to you but to the entire ecosystem. Securing your Twitter account is not particularly hard or time consuming, so consider following the best practices below:

Remove your phone number

There are no good reasons to keep a phone number attached to your account, and it’s the easiest way for a hacker to get into your account after SIM swapping you. Getting verified requires you to add a phone number, but you can remove it afterward.

  1. Go to https://twitter.com/settings/phone
  2. If a phone number exists, remove it with “Delete phone number”
  3. After removing your phone number, it's crucial to navigate to Settings > Security and Account Access > Security > Two-Factor Authentication > Backup Codes. Store these codes offline, just like your seed phrase. Anyone with these codes can bypass your 2FA, so it's extremely important to write them down and keep them secure. Remember, when you change your password, new backup codes are generated.

Configure 2FA

Two-factor authentication is extremely useful to protect against hackers, but not if you’re using SMS 2FA and the hackers have access to your phone number. You should almost always prefer using an authenticator app or security key. Make sure you’ve stored your backup codes somewhere secure, preferably printed on paper rather than stored on your device.

  1. Go to https://twitter.com/settings/account/login_verification
  2. Make sure “Text message” is disabled
  3. Make sure either “Authentication app” or “Security key” is enabled
    1. If you choose an authentication app, you can store your TOTP secret in Authy or Google Authenticator (but make sure to disable sync)
    2. If you choose security keys, you’ll probably want two at minimum in case one of them stops functioning. Yubico provides multiple hardware keys which have stood the test of time.
  4. Select “Backup codes”, then generate a new backup code to store in a safe place, preferably printed rather than on your computer as compromising one device should not mean the threat actor has access to everything.

Revoke access from delegated accounts

Twitter allows you to delegate access to your account to other accounts. If your account was previously compromised, this is a sneaky way for attackers to maintain access to your account even after you recover control.

  1. Go to https://twitter.com/settings/delegate/members
  2. For every account, if you don’t recognize it, click “Remove from group”

Enable password reset protect

Twitter offers an option to require users to enter the email or phone number (or both) associated with an account before being able to request a password reset. This means hackers need to know your email instead of being given a hint.

  1. Go to https://twitter.com/settings/security
  2. Make sure “Password reset protect” is enabled

Additional Security Settings

  1. Go to Settings & Privacy > Privacy and Safety > Discoverability and Contacts. We recommend turning both email and phone discoverability off
  2. Go to Settings & Privacy > Security and Account Access > Security and set up your Security Key. Also enable (check the box for) ‘password reset protection’
  3. Go to Settings & Privacy > Security and Account Access > Apps and Sessions
    • Connected Apps: log out of apps
    • Sessions: log out of old sessions

Revoke access from unnecessary apps

You might’ve connected Twitter with various apps, and some of these apps may have too many permissions assigned to them. To verify what permissions these apps have, follow these steps:

  1. Go to https://twitter.com/settings/connected_apps
  2. For each app, check the permissions that it has. If it can act on your behalf, consider removing it with “Revoke app permissions”

De-authorize inactive or unrecognized sessions

You may have logged into Twitter from places outside your normal devices - perhaps you at some point used a friend’s phone to send a quick tweet. Check which sessions you have active, and consider logging out of the ones you don't need.

  1. Go to https://twitter.com/settings/sessions
  2. For every session under “Log out of other sessions”, see if you recognize the device and if it’s been active recently. If not, click the device and click “Log out of the device shown”

Ensure you’re using an up-to-date email

Did you change emails since you made your Twitter account? That old email could be an easy target for threat actors. Make sure you’re using your current email so you see any potential security alerts.

  1. Go to https://twitter.com/settings/email
  2. If the email being used is not an up-to-date email, update it

Update your password

If you are not using a unique password for Twitter, then it's time to create one.

  1. Go to https://twitter.com/settings/password
  2. Change your password

X Emails

  • Be cautious if you receive an email about any password, delegate, or content moderation matter. Always go to the source; do not click links in phishing emails or enter your X account login info through them.
  • Always check the "from" of the email and verify that it's from "@x.com"
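The "from" check above, automated for a saved message, as an added example that is not part of the original guide. It goes one step beyond the bullet: because the From header is set by the sender, it also requires a DMARC pass recorded by the receiving server. The authserv-id `mx.mailhost.example`, the addresses and the sample messages are constructed assumptions.

```python
"""Check that a message claiming to come from X really has an @x.com sender."""
import re
from email import message_from_string
from email.utils import parseaddr

EXPECTED_DOMAIN = "x.com"                 # sender domain named in this guide
TRUSTED_AUTHSERV = "mx.mailhost.example"  # assumption: your own provider's authserv-id


def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _display, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def check_sender(raw_message, trusted_authserv=TRUSTED_AUTHSERV):
    """Return a list of problems; an empty list means every check passed."""
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        return ["expected exactly one From header"]

    problems = []
    from_domain = domain_of(from_headers[0])
    # Exact match only: "x.com.something.example", "mail-x.example" and a display
    # name of "security@x.com" in front of another address all fail here.
    if from_domain != EXPECTED_DOMAIN:
        problems.append(f"From domain is {from_domain!r}")

    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != EXPECTED_DOMAIN:
        problems.append(f"Reply-To domain is {domain_of(reply_to)!r}")

    # Only the top-most Authentication-Results header stamped by your own
    # provider counts; anything below it may have been supplied by the sender.
    results = msg.get_all("Authentication-Results", [])
    top = results[0] if results else ""
    authserv_id = top.split(";", 1)[0].strip()
    dmarc = re.search(r"\bdmarc=(\w+)", top)
    header_from = re.search(r"\bheader\.from=([\w.-]+)", top)
    if authserv_id != trusted_authserv:
        problems.append("no Authentication-Results from the trusted server")
    elif not (dmarc and dmarc.group(1) == "pass" and header_from
              and header_from.group(1).lower() == EXPECTED_DOMAIN):
        problems.append("DMARC did not pass for " + EXPECTED_DOMAIN)
    return problems


def make_message(from_header, auth_results, reply_to=None):
    """Build a constructed sample message (not a real X email)."""
    lines = [f"Authentication-Results: {auth_results}", f"From: {from_header}"]
    if reply_to:
        lines.append(f"Reply-To: {reply_to}")
    lines += ["Subject: Your password was changed", "", "Constructed sample body."]
    return "\n".join(lines)


SAMPLES = {
    "genuine": make_message(
        "X <info@x.com>",
        "mx.mailhost.example; dkim=pass header.i=@x.com; dmarc=pass header.from=x.com"),
    "lookalike_domain": make_message(
        "X Support <verify@x.com.account-alerts.example>",
        "mx.mailhost.example; dmarc=pass header.from=x.com.account-alerts.example"),
    "display_name_spoof": make_message(
        '"security@x.com" <notice@mail-x.example>',
        "mx.mailhost.example; dmarc=pass header.from=mail-x.example"),
    "forged_from": make_message(
        "X <info@x.com>", "mx.mailhost.example; dmarc=fail header.from=x.com"),
    "reply_to_redirect": make_message(
        "X <info@x.com>", "mx.mailhost.example; dmarc=pass header.from=x.com",
        reply_to="help@x-appeals.example"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_sender(raw) or "ok")
```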

Telegram Security

tag: [Community & Marketing]

Telegram, in its default mode, does not actually provide end-to-end encryption between users. If end-to-end encryption is important to you, use a messenger such as Signal instead. With that said, Telegram is popular in the crypto ecosystem, and as such you can find some best practices below when it comes to securing Telegram.

Standard Security

Configure 2FA

Telegram might require you to sign up using a phone number, but you can also set up 2FA in the form of an additional password. This is probably the most important thing you could do, and is the only thing that will keep your Telegram account safe if you get SIM swapped. Just make sure you don’t reuse this password!

  1. Go to Settings > Privacy and Security > Two-Step Verification
  2. Select a password and recovery email (and save it in your password manager)

Hide your phone number

Don’t make it easy for threat actors to collect your personal information. Having your phone number publicly visible, or even to people you have added to your contacts, is often completely unnecessary. To disable this, change the following:

  1. Go to Settings > Privacy and Security > Phone Number
  2. Under “Who can see my phone number”, select “Nobody”
  3. Under “Who can find me by my number”, select “My contacts”

Disable P2P calling

Telegram allows for peer-to-peer calls, which means that calls will connect you directly with the other user instead of via Telegram’s servers. If you’re not using E2EE for your chats, you probably prefer hiding your IP over potential surveillance by Telegram.

  1. Go to Settings > Privacy and Security > Calls
  2. Under “Use peer-to-peer with”, select “Nobody”

Manage inactive sessions

Telegram allows you to automatically terminate inactive sessions, but you should also verify that all your active sessions are legitimate.

  1. Go to Settings > Privacy and Security > Active sessions
  2. Review your active sessions. Delete any sessions you don’t recognize
  3. Set Telegram to terminate inactive sessions after one month

Extended Security

Consider using a different phone number

If you’ve followed the guide above, you should be safe using your primary number for Telegram. However, there are some legitimate reasons why you might still want to use a different number, such as: not wanting your contacts to find out that you use Telegram, or not wanting to accidentally leak your number if you show your Telegram profile to someone. If this is the case, you have two options.

Using a VoIP number

Telegram doesn’t really like it when you do this and blocks a lot of VoIP providers, but there are services out there that you can use to purchase a burner number to use exclusively with Telegram. Google Voice or Burner might work here.

Using an anonymous number

As of December 2022, Telegram added support for anonymous numbers purchased on their blockchain. You can also use Fragment.

Turn on auto-delete messages

Remember that picture you sent your friend 8 months ago? You might not, but if an attacker manages to hijack your account, they’ll certainly appreciate all the breadcrumbs you’ve left behind for them.

  1. Go to Settings > Privacy and Security > Auto-Delete Messages
  2. Set to “After 1 week” or a time which matches your risk appetite.

Devices

Settings > Devices: The default for automatically terminating old sessions is set to 6 months. I highly recommend changing this setting to a shorter period—1 month or even 1 week—depending on how frequently you use TG.

Passcode Lock

Settings > Privacy and Security > Passcode Lock: This feature adds a passcode to access your Telegram app after a period of inactivity. The default setting is "away for 1 hour." Don't lose this passcode—store it offline if needed. However, ensure it's different from your phone's unlock passcode.

Privacy and Security

Settings > Privacy and Security > Two-Step Verification: Keep in mind that Telegram doesn't have a login by default. However, you can set up a password that acts as a "second" 2FA method when logging in from a new device. While they send a code via SMS (which is not secure) and offer email recovery (which is better), they don't provide options for authenticator apps or hardware keys. If you lose this password, you'll be in trouble, so make sure to write it down offline and don't lose it.

Privacy

Consider adjusting the following settings in this section based on your country, usage, and purpose for using Telegram:

Settings > Privacy and Security:

  • Phone Number: Nobody
  • Last Seen & Online: Nobody
  • Profile Picture: Everybody (stops scammers impersonating your PFP)
  • Bio: Nobody (Depending on use of TG)
  • Date of Birth: Nobody
  • Forwarded Messages: Nobody
  • Calls: Nobody or Contacts Only (Depending on use of TG)
  • Voice Messages: Contacts Only (Depending on use of TG)
  • Messages: Everybody or Contacts Only (Depending on use of TG)
  • Invites: Contacts Only or Nobody (I wouldn't put ‘Everyone’ so you don't get added to a random group that impersonates another group and ends up getting you scammed)

Settings > Privacy and Security > Data Settings:

  • Sync Contacts: Disable (Depending on use of TG)
  • Suggest Frequent Contacts: Disable (Depending on use of TG)

Tips to use Telegram safely:

  • Do you want to message someone? Create a 'secret' chat so the communication is encrypted (1:1 chats)
  • Triple-check all group invites, so it's not an imposter group sharing bad links
  • Never trust a DM from anyone sending links or acting as "support", "exchanges", or "team"
  • Use the block function: don't just delete chats; report and block spammers/scammers
  • This is an advanced tip, but you can set up a proxy (VPN) to hide your IP at all times via the TG app.
  • Do not use just any "mini app". Do not log in or enter any information if it redirects outside of Telegram, and triple-check the username of the mini app to ensure it's the real one, as Telegram does not use any bot verification system. Never download anything from Telegram or run any commands on your device that you received through it.
  • Be aware of Telegram ads in channels, as anyone can post an ad (99% scam ads).

Google Security

tag: [Community & Marketing, Security Specialist]

Google provides a wide range of services including email, file storage, search, and more. Protecting your Google account is one of the most crucial things to do, and Google offers multiple ways to enhance your account security. Here are five simple steps you can take right now to secure your Google account.

Standard Security

Configure 2FA

Properly configuring your two-factor authentication (2FA) settings is one of the most important steps you can take. Disable SMS 2FA and enable either an authenticator app or a hardware security key (preferred).

  1. Go to Google 2-Step Verification
  2. If “Voice or text message” is enabled, disable it
  3. If you don’t have an Android device, configure an “Authenticator app” or “Security Key”. If you do, you can continue to use “Google prompts”
  4. Store your backup codes in a safe place

Remove Recovery Methods

Google uses heuristics for account recovery, but having your phone number as a recovery method can make it easier for attackers to steal your account after cloning your phone number. Email can also be a weak point if it is not properly secured.

  1. Go to Google Recovery Phone
  2. If a recovery phone is present, remove it
  3. If this Google account is your primary account and you are confident you will not need to perform account recovery:
    1. Go to Google Recovery Email
    2. If a recovery email is present, remove it

Hide Personal Information

Ensure your personal information is not publicly visible, reducing the risk of attackers using it to impersonate you.

  1. Go to Google Profile
  2. For each item in your profile, check if it’s set to “Anyone”. Consider whether the information can be used by an attacker to impersonate you.
    • Set your birthday to private if it isn’t already

Manage Active Sessions

Review your active sessions to ensure you’re not logged in anywhere unexpectedly.

  1. Go to Google Device Activity
  2. If there are any sessions you don’t recognize, terminate them

Manage OAuth Applications

OAuth connections can sometimes request extensive permissions, such as full access to your inbox or files. Review and manage these applications.

  1. Go to Google Connections
  2. For each app or service, click on it to review its permissions. If you’re not using it or the permissions are excessive, remove its access to your Google account

Extended Security

Log in to Gmail, and in the top right click your account profile picture and go to "Manage Your Google Account":

  1. Go to the Security tab on the left-hand side and then scroll down until you see "Your connections to third-party apps & services". From here, revoke all applications that should not be connected.
  2. Go to Security on the left-hand side > scroll down > ‘Log out of all unknown devices’ and then right below that, turn off “skip password when possible”
  3. Still on Security, go to “How you sign in with Google” and set up your 2FA or Security Key in this section
  4. Ensure you do not have a recovery phone set up. No SMS 2FA or phone number on your account at all.

Once these steps are completed, please change your password. (remember to note down your backup codes)

If you use Google Authenticator as a 2FA authenticator app on your phone, disconnect it from the cloud, as backup codes are otherwise stored in the Google cloud associated with your email. Use it without an account and ensure backup codes are written down offline.

Advanced Protection Program

If you’re a public figure or influencer, you may want to enroll in the Advanced Protection Program for enhanced security measures. This program enforces the use of security keys, blocks unverified apps, and makes account recovery more difficult.

  1. Go to Google Advanced Protection Program
  2. Complete the steps to enroll in the program

Key Management

tag: [Engineer/Developer, Security Specialist]

Cryptocurrency relies on cryptographic keys to secure transactions and manage ownership of digital assets. Proper key management is essential to protect these assets from theft, loss, and unauthorized access. This guide covers the fundamental aspects of key management, offering insights into different types of wallets, signing schemes, and best practices to ensure a high level of security.

In this section you can:

  • Learn the differences between cold and hot wallets, their use cases, and how to choose the right one for your needs.
  • Understand the pros and cons of custodial and non-custodial wallets, and which type suits your security preferences.
  • Explore popular hardware wallets, their characteristics, and the importance of using them for secure key storage.
  • Get insights into different signing schemes such as EOAs, Multisig, Smart Contract Wallets, and more, including their use cases and security implications.
  • Discover various software wallets, their features, and how they can be used securely to manage cryptocurrency assets.

Effective key management is the cornerstone of cryptocurrency security, including taking physical attacks such as the wrench attack into consideration.

Custodial vs. Non-Custodial Wallets

tag: [Engineer/Developer, Security Specialist]

Custodial Wallets

What Are They?

Custodial wallets are managed by a third party, such as an exchange or a wallet service provider. The third party holds and manages the private keys on behalf of the user.

Characteristics

  • Managed Private Keys: The third party has control over the private keys.
  • Recovery Options: Easier to recover access if credentials are lost, as the third party can assist.
  • Security Dependence: Security depends on the third party’s practices and infrastructure.

Use Cases

  • New Users: Suitable for users who are new to cryptocurrency and prefer a simpler, managed solution.
  • Convenience: Ideal for users who prioritize convenience and ease of use over full control.

Non-Custodial Wallets

What Are They?

Non-custodial wallets are managed by the user, who has full control over their private keys. The user is responsible for the security and management of their keys.

Characteristics

  • User-Controlled Private Keys: The user has full control over their private keys.
  • Higher Security: Greater security and privacy, as only the user has access to the keys.
  • Responsibility: The user is solely responsible for backing up and securing their keys.

Use Cases

  • Experienced Users: Suitable for users who have a good understanding of cryptocurrency and key management.
  • Security Prioritization: Ideal for users who prioritize security and control over convenience.

Comparison

| Feature | Custodial Wallets | Non-Custodial Wallets |
|---|---|---|
| Private Key Control | Third Party | User |
| Security | Dependent on Third Party | High |
| Convenience | High | Moderate to Low |
| Recovery Options | Easy | User Responsibility |
| Use Case | New Users, Convenience | Experienced Users, Security |

Signing schemes

tag: [Engineer/Developer, Security Specialist]

Different signing schemes provide varying levels of security, control, and use cases for managing cryptocurrency assets. Here’s an overview of common signing schemes, their analogies, use cases, and security implications.

Externally Owned Accounts (EOA)

  • Analogy: Traditional bank account with a single owner.
  • Control: Single private key controls the account.
  • Use: Basic transactions and smart contract interactions.
  • Security: Single point of failure if the single key is compromised.

Multisignature (Multisig)

  • Analogy: Joint bank account requiring multiple signatures.
  • Control: Multiple private keys are needed to authorize transactions.
  • Use: Common in organizational settings for shared control.
  • Security: High security, reduces risk of single point of failure.

Smart Contract Wallets (Safes)

  • Analogy: Digital safe with programmable access controls.
  • Control: Controlled by smart contracts with defined rules.
  • Use: Advanced use cases, including DeFi and automated transactions.
  • Security: Generally seen as High, but depends on the smart contract’s security and configuration.

Threshold Signatures

  • Analogy: Similar to a multi-lock safe that requires a subset of keys from authorized staff.
  • Control: Requires a minimum number of signatures out of a predefined set.
  • Use: Efficient and private alternative to multisig.
  • Security: Reduces risk while maintaining group control.

Social Recovery Wallets

  • Analogy: Trusted friends helping to recover a lost key.
  • Control: Designated trusted contacts can help recover the account.
  • Use: Individual use with recovery options.
  • Security: High, balances security with ease of recovery from its community-based security model.

Delegated Signing/Proxy Contracts

  • Analogy: Authorized bank agent signing on behalf of the account owner.
  • Control: Transactions are signed by a proxy on behalf of the user.
  • Use: Delegating transaction signing to trusted services.
  • Security: Moderate, relies on the security of the proxy.

Account Abstraction (AA)

  • Analogy: Like a shape-shifting lock, where the way it opens can change over time.
  • Control: User accounts as smart contracts.
  • Use: User-friendly wallets, customizable security policies, complex rules and operations for transactions.
  • Security: High, but depends on implementation.

Comparison

| Scheme | Analogy | Control | Use Case | Security |
|---|---|---|---|---|
| Externally Owned Accounts | Traditional bank account | Single private key | Individual use | High risk if compromised |
| Multisignature | Joint bank account | Multiple private keys | Team/organization funds management | High security |
| Smart Contract Wallets | Digital safe | Smart contracts | DeFi, automated transactions | High, depends on contract |
| Threshold Signatures | Multi-lock safe | Subset of keys | Decentralized organizations | High security |
| Social Recovery Wallets | Trusted friends for recovery | Guardians | Individual use with recovery options | High security |
| Delegated Signing | Authorized agent | Proxy | Delegated transaction signing | Moderate security |
| Account Abstraction | Abstracting account management | Smart contracts | User-friendly wallets | High, depends on implementation |

Software Wallets

tag: [Engineer/Developer, Security Specialist]

Software wallets are applications designed to manage cryptocurrency assets. They are convenient and offer a range of features for different use cases: they often provide easy access to DeFi applications, support hardware wallets, and have built-in features such as token swapping, staking and more.

A list of wallets can be found on the ethereum.org website.

For a comprehensive comparison of different software wallets, you can visit walletcompare.xyz. This website provides detailed comparisons of various wallets based on features, security, user experience, and more.

Additionally, for in-depth scrutiny and reviews of software wallets, you can refer to Wallet Scrutiny. This platform evaluates wallets for transparency, security, and overall reliability, helping users make informed decisions about which wallet to use.

Hardware Wallets

tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Finance]

Hardware wallets are physical devices designed to securely store private keys offline. They are one of the most secure options for managing cryptocurrency. It is strongly advised to only purchase hardware wallets directly from the creator or one of their approved vendors, as there have been cases of people having assets stolen after purchasing hardware wallets on Amazon Marketplace, eBay, and other places.

Ledger Nano X

  • Description: A hardware wallet that supports multiple cryptocurrencies and features.
  • Features: Secure Element chip, mobile compatibility (certain versions), large storage capacity for apps.
  • Incidents: None reported for the device itself, but Ledger experienced a data breach affecting customer information.
  • Note: Ledger Nano X has Bluetooth, so depending on your security requirements you may want to look at their non-Bluetooth wallet options.

Trezor Model T

  • Description: A touch-screen hardware wallet supporting a wide range of cryptocurrencies.
  • Features: Open-source firmware, password manager, Shamir backup.
  • Incidents: Phishing attacks targeting Trezor users through fake websites.

KeepKey

  • Description: A hardware wallet with a large screen for easy transaction verification.
  • Features: Aimed to be user-friendly.
  • Incidents: None reported.

BitBox02

  • Description: A compact hardware wallet with a focus on security and privacy.
  • Features: Dual-chip architecture, native support for Bitcoin and Ethereum, microSD card backup.
  • Incidents: None reported.

Importance of Hardware Wallets

  • Offline Security: Private keys are stored offline, significantly reducing the risk of online attacks.
  • Physical Protection: Hardware wallets are designed to be tamper-resistant and provide a secure environment for key storage.
  • Backup and Recovery: Most hardware wallets offer robust backup and recovery options to protect against loss or theft.

Comparison

| Wallet | Features | Security Level | Supported Cryptocurrencies | Incident History |
|---|---|---|---|---|
| Ledger Nano X | Bluetooth, Secure Element | High | 1000+ | Customer data breach (2020) |
| Trezor Model T | Touch screen, Shamir backup | High | 1000+ | Phishing attacks |
| KeepKey | Large screen, ShapeShift integration | High | 40+ | None reported |
| BitBox02 | Dual-chip, microSD backup | High | Bitcoin, Ethereum | None reported |

Cold vs. Hot Wallets

tag: [Engineer/Developer, Security Specialist]

Cold Wallets

What Are They?

Cold wallets are offline storage solutions for cryptocurrencies. They are not connected to the internet, which makes them highly secure against online attacks.

Types of Cold Wallets

  • Hardware Wallets: Physical devices that store private keys offline.
  • Paper Wallets: Physical printouts or handwritten notes of private keys and QR codes.
  • Air-Gapped Computers: Computers that are never connected to the internet.

Use Cases

  • Long-Term Storage: Ideal for storing large amounts of cryptocurrency for extended periods.
  • High Security Needs: Suitable for users who prioritize security over convenience.

Hot Wallets

What Are They?

Hot wallets are online storage solutions for cryptocurrencies. They are connected to the internet, making them more convenient but less secure than cold wallets.

Types of Hot Wallets

  • Mobile Wallets: Apps installed on smartphones.
  • Desktop Wallets: Software installed on computers.
  • Web Wallets: Online services accessible via web browsers.

Use Cases

  • Daily Transactions: Ideal for users who need quick access to their funds for transactions.
  • Small Balances: Suitable for storing smaller amounts of cryptocurrency that are used regularly.

Comparison

| Feature | Cold Wallets | Hot Wallets |
|---|---|---|
| Security | High | Moderate to Low |
| Convenience | Low | High |
| Internet Exposure | None | Constant |
| Use Case | Long-term storage | Daily transactions |
1. https://www.gemini.com/cryptopedia/crypto-wallets-hot-cold

Encryption

tag: [Engineer/Developer, Security Specialist, Devops, Cloud]

Encryption is a fundamental aspect of securing data, ensuring that sensitive information remains confidential and protected from unauthorized access. This section covers various types of encryption and best practices for implementing them effectively.

Contents

  1. Cloud Data Encryption
  2. Communication Encryption
  3. Encryption in Transit
  4. Database Encryption
  5. Email Encryption
  6. File Encryption
  7. Full Disk Encryption
  8. Hardware Encryption

File Encryption

tag: [Engineer/Developer, Security Specialist]

File encryption protects sensitive information stored in files.

Use strong encryption algorithms to encrypt sensitive files stored on local and network drives. There are multiple tools available for file encryption; use one that is regarded as trusted.

Volume Encryption

tag: [Engineer/Developer, Security Specialist]

What is Volume Encryption?

Volume encryption is the process of encrypting a specific storage volume or partition to protect the data it contains. Unlike full disk encryption, which encrypts the entire disk, volume encryption allows for selective encryption of specific volumes, providing flexibility in managing encrypted and un-encrypted data on the same device.

Importance of Volume Encryption

Volume encryption is essential for protecting sensitive information from unauthorized access, especially in environments where different types of data coexist on the same device. It helps prevent data breaches in case of unauthorized access to specific volumes and ensures compliance with data protection regulations.

Uses of Volume Encryption

  • Protecting Sensitive Data: Ensures that sensitive information stored on specific volumes is secure.
  • Compliance: Helps organizations meet regulatory requirements for data protection.
  • Data Breach Prevention: Reduces the risk of data breaches in case of unauthorized access to specific volumes.
  • Secure Decommissioning: Ensures that data on encrypted volumes is not recoverable when storage devices are decommissioned or repurposed.

Examples of Volume Encryption

  • Partition Encryption: Encrypts specific partitions or volumes on a disk, allowing for selective encryption of sensitive data.
  • Virtual Encrypted Disks: Creates virtual encrypted disks within files, providing an additional layer of security for sensitive data.

Known Technologies for Volume Encryption

  • BitLocker: A volume encryption feature included with Microsoft Windows that provides encryption for specific volumes.
  • LUKS (Linux Unified Key Setup): A disk encryption specification for Linux that provides a standard for volume encryption.
  • VeraCrypt: An open-source disk encryption software that can create virtual encrypted disks within a file or encrypt specific partitions.

Best Practices for Volume Encryption

  1. Use Strong Encryption Algorithms: Ensure that the encryption algorithms used are strong and up-to-date, such as AES-256.
  2. Enable Encryption on Sensitive Volumes: Apply volume encryption to all volumes that store sensitive information.
  3. Regularly Update Encryption Software: Keep encryption software and tools updated to protect against vulnerabilities.
  4. Implement Access Controls: Use strong authentication methods, such as multi-factor authentication (MFA), to control access to encrypted volumes.
  5. Back Up Encryption Keys: Securely back up encryption keys to prevent data loss in case of key corruption or loss.
  6. Monitor and Audit: Regularly monitor and audit encryption settings and access logs to ensure compliance and detect any unauthorized access attempts.

By following these best practices and using reliable volume encryption technologies, organizations can significantly enhance the security of their data and protect against unauthorized access and data breaches.

Full Disk Encryption

tag: [Engineer/Developer, Security Specialist]

Full disk encryption protects all data stored on a device in the event that it's stolen or lost. Today, all major operating systems for workstations, servers and mobile phones have full disk encryption capabilities built in, and sometimes enabled by default. Check which full disk encryption is built into your operating system, and enable it if it is not enabled by default.

Best Practices

  1. Ensure that full disk encryption uses strong industry-standard algorithms.
  2. Enable full disk encryption by default on all devices, including laptops, desktops, and mobile devices.
  3. Implement secure boot to ensure that only trusted software can be loaded during the boot process.

Partition Encryption

tag: [Engineer/Developer, Security Specialist]

What is Partition Encryption?

Partition encryption is the process of encrypting specific partitions on a storage device. This allows for selective encryption of data, providing flexibility in managing encrypted and un-encrypted data on the same device. Unlike full disk encryption, which encrypts the entire disk, partition encryption targets specific areas, making it ideal for protecting sensitive data without impacting the entire storage system.

Importance of Partition Encryption

Partition encryption is crucial for protecting sensitive information from unauthorized access, especially in environments where different types of data coexist on the same device. It helps prevent data breaches in case of unauthorized access to specific partitions and ensures compliance with data protection regulations.

Uses of Partition Encryption

  • Protecting Sensitive Data: Ensures that sensitive information stored on specific partitions is secure.
  • Compliance: Helps organizations meet regulatory requirements for data protection.
  • Data Breach Prevention: Reduces the risk of data breaches in case of unauthorized access to specific partitions.
  • Secure Decommissioning: Ensures that data on encrypted partitions is not recoverable when storage devices are decommissioned or repurposed.

Examples of Partition Encryption

  • BitLocker: A partition encryption feature included with Microsoft Windows that provides encryption for specific partitions. Learn how to use BitLocker
  • LUKS (Linux Unified Key Setup): A disk encryption specification for Linux that provides a standard for partition encryption. Learn how to use LUKS
  • VeraCrypt: An open-source disk encryption software that can encrypt specific partitions. Learn how to use VeraCrypt

Best Practices for Partition Encryption

  1. Use Strong Encryption Algorithms: Ensure that the encryption algorithms used are strong and up-to-date, such as AES-256.
  2. Enable Encryption on Sensitive Partitions: Apply partition encryption to all partitions that store sensitive information.
  3. Regularly Update Encryption Software: Keep encryption software and tools updated to protect against vulnerabilities.
  4. Implement Access Controls: Use strong authentication methods, such as multi-factor authentication (MFA), to control access to encrypted partitions.
  5. Back Up Encryption Keys: Securely back up encryption keys to prevent data loss in case of key corruption or loss.
  6. Monitor and Audit: Regularly monitor and audit encryption settings and access logs to ensure compliance and detect any unauthorized access attempts.

By following these best practices and using reliable partition encryption technologies, organizations can significantly enhance the security of their data and protect against unauthorized access and data breaches.

Cloud Data Encryption

tag: [Engineer/Developer, Security Specialist, Devops, Cloud]

You should consider using the best practices below, in order to ensure that data stored in the cloud is protected from unauthorized access:

Best Practices

  1. Use strong encryption algorithms.

    • Example: Use AES-256 for data at rest and TLS 1.2 or higher for data in transit.
    • Ensure that encryption libraries and tools are up-to-date to avoid vulnerabilities.
  2. Ensure data is encrypted in transit and at rest.

    • Example: In AWS, enable S3 bucket encryption and use AWS KMS for key management.
    • Example: In Azure, use Azure Storage Service Encryption and Azure Key Vault for key management.
    • Example: In Google Cloud, enable encryption for Cloud Storage and use Cloud KMS for key management.
  3. Use cloud provider-managed keys or, even better, bring your own keys (BYOK) for enhanced control over encryption keys.

    • Example: In Google Cloud, use Cloud KMS for managing encryption keys and consider using Customer-Supplied Encryption Keys (CSEK) for BYOK.
    • Regularly rotate encryption keys to minimize the risk of key compromise.
  4. Implement strict access controls and monitoring to prevent unauthorized access to encrypted data.

    • Example: Use IAM roles and policies in AWS to restrict access to sensitive data.
    • Example: Enable Azure Security Center to monitor and alert on unauthorized access attempts.
    • Example: In Google Cloud, use IAM policies and Cloud Audit Logs to monitor access.
  5. Continually review that the encryption best practices are being followed everywhere they are relevant.

    • Example: Regularly audit your encryption settings and access controls using tools like AWS Config or Azure Policy.
    • Example: Use automated compliance checks in Google Cloud Security Command Center.
  6. Enable logging and monitoring for encryption activities.

    • Example: In AWS, enable CloudTrail to log all API calls related to encryption.
    • Example: In Azure, use Azure Monitor to track encryption-related activities.
    • Example: In Google Cloud, use Cloud Logging to monitor encryption key usage.
  7. Implement automated backups and ensure they are encrypted.

    • Example: In AWS, use AWS Backup to automate backups and ensure they are encrypted.
    • Example: In Azure, use Azure Backup to automate and encrypt backups.
    • Example: In Google Cloud, use Cloud Storage for backup and ensure encryption is enabled.
  8. Educate and train your team on encryption best practices.

    • Conduct regular training sessions on the importance of encryption and how to implement it correctly.
    • Provide documentation and resources for team members to reference.
  9. Use multi-factor authentication (MFA) for accessing encryption keys and management consoles.

    • Example: In AWS, enable MFA for IAM users and roles.
    • Example: In Azure, enable MFA for Azure AD users.
    • Example: In Google Cloud, enable MFA for Google Cloud accounts.
  10. Regularly update and patch your encryption tools and libraries.

    • Ensure that all encryption-related software is kept up-to-date with the latest security patches.
    • Monitor for vulnerabilities in encryption libraries and apply patches promptly.

By following these best practices and utilizing the recommended tools, you can significantly enhance the security of your data stored in the cloud.
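One way to automate the recurring review in items 2, 3 and 5 for AWS, added here as an example and not part of the original framework: the audit below runs over a constructed inventory shaped like the responses of the S3 GetBucketEncryption and GetBucketPolicy APIs and the KMS DescribeKey and GetKeyRotationStatus APIs. The bucket names, key ids, account number and finding labels are assumptions made for the example.

```python
import json

# Constructed inventory (not real resources). "encryption" mirrors the
# ServerSideEncryptionConfiguration object from GetBucketEncryption, "policy" a
# parsed bucket policy, and each key merges DescribeKey metadata with the
# KeyRotationEnabled flag from GetKeyRotationStatus.
SAMPLE_INVENTORY = json.loads("""
{
  "keys": {
    "key-rotated": {"KeyManager": "CUSTOMER", "KeyState": "Enabled", "KeyRotationEnabled": true},
    "key-stale":   {"KeyManager": "CUSTOMER", "KeyState": "Enabled", "KeyRotationEnabled": false}
  },
  "buckets": {
    "treasury-reports": {
      "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault":
          {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "key-rotated"}}]},
      "policy": {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
          "Resource": "arn:aws:s3:::treasury-reports/*",
          "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
    },
    "frontend-logs": {
      "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
      "policy": null
    },
    "db-backups": {
      "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault":
          {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "key-stale"}}]},
      "policy": {"Statement": {"Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup"},
          "Action": "s3:PutObject", "Resource": "arn:aws:s3:::db-backups/*"}}
    }
  }
}
""")


def enforces_tls(policy):
    """True if a Deny statement rejects requests where aws:SecureTransport is false.

    Simplification: the statement's Action, Principal and Resource scope is not checked.
    """
    if not policy:
        return False
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be an object, not a list
        statements = [statements]
    for st in statements:
        flag = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        # Policies may carry the value as the string "false" or as a JSON boolean.
        if st.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False


def audit_bucket(cfg, keys):
    """Return the list of finding labels for one bucket."""
    findings = []
    rules = (cfg.get("encryption") or {}).get("Rules", [])
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    algo = default.get("SSEAlgorithm")
    key_id = default.get("KMSMasterKeyID")
    if algo is None:
        findings.append("NO_DEFAULT_ENCRYPTION")
    elif not algo.startswith("aws:kms"):
        findings.append("SSE_S3_NOT_KMS")  # encrypted at rest, but keys are not in KMS
    elif key_id is not None:  # no key id means the AWS-managed aws/s3 key is used
        key = keys.get(key_id)
        if key is None:
            findings.append("KMS_KEY_NOT_IN_INVENTORY")
        else:
            if key.get("KeyState") != "Enabled":
                findings.append("KMS_KEY_NOT_ENABLED")
            if key.get("KeyManager") == "CUSTOMER" and not key.get("KeyRotationEnabled"):
                findings.append("KEY_ROTATION_DISABLED")
    if not enforces_tls(cfg.get("policy")):
        findings.append("TLS_NOT_ENFORCED")
    return findings


def audit_inventory(inventory):
    """Map every bucket name to its findings (an empty list means compliant)."""
    return {name: audit_bucket(cfg, inventory["keys"])
            for name, cfg in sorted(inventory["buckets"].items())}


if __name__ == "__main__":
    for bucket, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(bucket, "OK" if not findings else ", ".join(findings))
```
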

Email Encryption

tag: [Engineer/Developer, Security Specialist]

Email is insecure and un-encrypted by default, but can become more secure by following best practices:

Best Practices

  1. Implement S/MIME or PGP:

    • S/MIME: Secure/Multipurpose Internet Mail Extensions (S/MIME) is a widely accepted protocol for sending digitally signed and encrypted messages. It requires a certificate from a trusted Certificate Authority (CA). Popular email clients like Microsoft Outlook and Apple Mail support S/MIME.
      • Example:
        1. Obtain an S/MIME certificate from a trusted CA (e.g., Comodo, Symantec).
        2. Install the certificate in your email client:
          • Outlook: Go to File > Options > Trust Center > Trust Center Settings > Email Security > Import/Export to import your certificate.
          • Apple Mail: Open Mail > Preferences > Accounts > Advanced > Certificates to add your certificate.
        3. Compose a new email and select the option to sign/encrypt the email.
    • PGP: Pretty Good Privacy (PGP) is another method for encrypting emails. It uses a decentralized trust model and is supported by tools like GnuPG (GPG), which is an open-source implementation. Extensions like Enigmail for Thunderbird or FlowCrypt for Gmail can simplify the process.
      • Example:
        1. Install GnuPG (GPG) on your system.
        2. Generate a key pair using the command: gpg --gen-key.
        3. Share your public key with your contacts.
        4. Install an email client extension:
          • Thunderbird: Install Enigmail from the Thunderbird add-on store.
          • Gmail: Install FlowCrypt from the Chrome Web Store.
        5. Configure the extension with your GPG key.
        6. Compose a new email and use the extension to encrypt/sign the email.
  2. Train Project Members: Conduct regular training sessions to ensure all team members understand how to use email encryption tools effectively. Provide step-by-step guides and resources for troubleshooting common issues.

  3. Use Trusted Email Gateways: Ensure that your email service provider uses secure and trusted gateways to protect both incoming and outgoing communications. Verify that the provider complies with industry standards and regulations.

  4. Transmit Emails Over TLS: Ensure that all emails are transmitted over TLS-encrypted connections. This can be configured in your email server settings. TLS (Transport Layer Security) helps protect the data in transit from eavesdropping and tampering.

  5. Open Source Alternatives:

    • GnuPG (GPG): An open-source implementation of PGP, widely used for encrypting and signing data and communications.
    • Mailvelope: A browser extension that integrates PGP encryption into web-mail services like Gmail, Outlook, and Yahoo Mail.
    • ProtonMail: A secure email service that offers end-to-end encryption and is open-source. It provides an easy-to-use interface and strong privacy protections.

By following these best practices and utilizing the recommended tools, you can significantly enhance the security of your email communications.

Secure Messaging Systems

tag: [Engineer/Developer, Security Specialist]

Using secure messaging systems is crucial for protecting the privacy and integrity of your communications. Here are some popular messaging systems that offer end-to-end encryption and those that do not by default.

End-to-End Encrypted Messaging Systems

  1. Signal

    • Offers strong end-to-end encryption for messages, voice calls, and video calls.
    • Open source and highly recommended for secure communication.
    • Signal
  2. Matrix/Element

    • An open standard for decentralized communication with end-to-end encryption.
    • Element is a popular client for the Matrix protocol.
    • Matrix / Element
  3. WhatsApp

    • Provides end-to-end encryption for messages, voice calls, and video calls by default.
    • Owned by Meta (Facebook).
    • WhatsApp
  4. Wire

    • End-to-end encryption for messages and calls.
    • Open source with a strong focus on privacy.
    • Wire

Messaging Systems Without Default End-to-End Encryption

These messaging systems supposedly provide encryption for data in transit and at rest, but not end-to-end encryption for messages.

  1. Telegram

    • Offers end-to-end encryption only for "Secret Chats".
    • Telegram
  2. Discord

    • Does not offer end-to-end encryption for messages.
    • Discord
  3. Zoom

    • End-to-end encryption for calls, but must be manually enabled.
    • Zoom
  4. Slack

    • Does not offer end-to-end encryption for messages.
    • Slack
  5. Microsoft Teams

For secure communication, it is recommended to use messaging systems that offer end-to-end encryption by default.

Database Encryption

tag: [Engineer/Developer, Security Specialist]

Databases often contain information that should not be publicly available. To protect your database, consider implementing the following best practices:

Best Practices

  1. Use strong encryption algorithms to encrypt database files and backups.
  2. Encrypt sensitive columns within the database, such as those containing personally identifiable information (PII).
  3. Use Transparent Data Encryption (TDE) to automatically encrypt and decrypt data stored in the database.
  4. Implement robust key management practices, including the use of HSMs and regular key rotation depending on your use case.
  5. Enforce strict access controls to prevent unauthorized access to encrypted data.

Hardware Encryption

tag: [Engineer/Developer, Security Specialist]

Hardware encryption, such as a hardware security module (HSM), uses dedicated hardware to encrypt data, providing robust security. Using an HSM is fairly specialized, but consumers often use a Trusted Platform Module (TPM), for example.

Best Practices

  1. Enable TPM when available on your computer to enhance the security of hardware-based encryption.
  2. Consider using self-encrypting drives (SEDs) for storage to ensure data is encrypted at the hardware level.
  3. If relevant for your use case, use HSMs to securely generate, store, and manage encryption keys.

Incident Management

tag: [Security Specialist, Operations & Strategy, Devops, SRE]

Incident management involves preparing for, detecting, responding to, and recovering from security incidents. By thinking about incident management prior to actually experiencing an incident, you can help increase the likelihood of a timely recovery.

Contents

  1. Communication Strategies
  2. Incident Detection and Response
  3. Lessons Learned
  4. Playbooks
  5. SEAL 911 War Room Guidelines

SEAL 911

tag: [Security Specialist, Operations & Strategy]

SEAL 911 is a project designed to give users, developers, and even other security researchers an accessible method to contact a small group of highly trusted security researchers. The group can be reached via the Telegram bot.

Members of SEAL 911 follow a strict CODE OF CONDUCT.

When interacting with SEAL 911, give as much information as possible to avoid duplicated work by the security researchers.


Crisis Handbook - Smart Contract Hack | Google Doc

Actions Checklist

Perform Immediately

  • Notify SEAL 911 Bot of the incident. Use this message template to get started.
  • Create a War Room with audio and share the invite link with trusted individuals.
  • Duplicate this document to allow collaboration and share the link in the War Room.
  • Review the Advice to Keep in Mind section.

Perform in Parallel by Role

  1. Assign Key Roles to War Room Members:

    • Assign members to specific roles.
  2. Analysis:

    • Scope the impact of the attack.
    • Gather Transactions Involved.
    • Gather Affected Addresses.
    • Record Funds Movement.
    • Gather Attacker Information.
    • Investigate the issue and update the Issue Description.
    • Propose workable solutions.
  3. Protocol actions:

    • Take immediate corrective/preventative actions to prevent further loss of funds.
    • Pause contracts if possible.
    • Execute pre-made defensive scripts.
    • Prioritize proposed solutions.
    • Validate and execute the solution.
    • Prepare monitoring alerts for situations that require future actions.
  4. Web actions:

    • Disable deposits and/or withdrawals as needed in the web UI.
    • Enable front-end IP or Address blacklisting.
    • Create front-end for any user actions necessary (approval revoking, fund migrating, etc.).
  5. Communications:

    • Identify social platforms that communications on the incident must be sent to.
    • Prepare messages for incident communication internally and externally.
    • Gather security contacts for any potentially affected downstream protocols (bridges, lending protocols).
    • Notify block explorers (like Etherscan) for attacker address labeling.
    • Continuously monitor social media for users providing additional information that aids whitehat efforts.
    • Monitor War Room efforts and maintain the Event Timeline.

After all of the above is complete, consider Post Incident Actions.

Information Gathering

Information will primarily be shared and acted upon in the War Room. As time allows, consolidate intel in the below section to achieve the following:

  • Accurately scope the incident impact.
  • Inform new War Room members and third parties efficiently.
  • Aid external communication.

This is the chief duty of the Scribe.

Issue Description

The issue involves an unauthorized transfer of funds from the protocol's treasury contract due to a vulnerability in the contract's access control mechanism. The attacker exploited this vulnerability to initiate multiple transfers, siphoning funds to an external wallet.

Events Timeline

Record events to construct an overall timeline of the incident. Events worth recording:

  • First notice of the incident
  • War room creation
  • External communications
  • Attack transactions
  • Transactions performed by the team

Record times in UTC. Use a UTC Time Converter.

| Date-Time (UTC) | Event Description | Notes |
| --- | --- | --- |
| 2024-08-23 12:45 | First notice of the unauthorized transfer | Alert received via monitoring system |
| 2024-08-23 12:50 | War room created | Initial members invited |
| 2024-08-23 13:05 | Notified SEAL 911 Bot | Incident report submitted |
| 2024-08-23 13:15 | Attack transaction identified | Transaction hash: 0x123456789abc |
| 2024-08-23 13:20 | Contracts paused | Prevented further fund transfers |
| 2024-08-23 13:30 | External communication initiated | First update sent via Twitter |

Transactions Involved

Record all transactions related to the incident.

| Transaction Link | Notes |
| --- | --- |
| 0x123456789abcdef... | Initial exploit transaction |
| 0xabcdef123456789... | Attacker moving funds to mixer |
| 0xfedcba987654321... | Defensive move by the team |

Affected Addresses

Record affected addresses related to the incident (protocol contracts, bridges, users, etc.).

| Address Link | Status | Notes |
| --- | --- | --- |
| 0x1111222233334444... | At Risk | User wallet, interacted with exploit |
| 0x5555666677778888... | Impacted | Protocol treasury address |
| 0x99990000aaaabbbb... | Paused | Lending protocol contract |
| 0xaaaabbbbccccdddd... | Saved | Bridge contract, funds secured |
| 0xddddeeeeffff0000... | Needs Review | User wallet, unusual activity noted |
| 0x2222333344445555... | Uncertain | User wallet, pending analysis |

Funds Movement

Record funds movement to gather the impact of the incident and organize recovery efforts.

  • Original address that held the funds
  • Transaction that moved the funds
  • Assets and amounts the funds are comprised of
  • Destination the funds moved to (Contract, CEX, Bridge, Mixer)
  • Recovery Status of the funds

Use Phalcon Tx Explorer to aid in recording funds movement.

| Origin | Transaction Link | Amount / Asset | Destination | Recovery Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 0x5555666677778888... | 0xabcdef123456789... | 1000 ETH | Mixer address | Needs Review | Funds moved to Tornado Cash |
| 0x99990000aaaabbbb... | 0x9876543210fedcba... | 500,000 DAI | CEX address | In Progress | Funds transferred to centralized exchange |
| 0xaaaabbbbccccdddd... | 0x123456789abcdef... | 200 BTC | Contract address | Recovered | Funds recovered via multisig |
| 0xddddeeeeffff0000... | 0xfedcba987654321... | 50,000 USDC | Bridge address | Uncertain | Funds possibly moved cross-chain |

Attacker Information

Gather attacker information to aid legal efforts and fund recovery.

| Address Link | Funded By | Notes |
| --- | --- | --- |
| 0xabcdefabcdefabcd... | Tornado Cash | Initial funding from Tornado Cash mixer |
| 0x123456789abcdef... | CEX | Received funds from centralized exchange |
| 0xfedcba987654321... | Unknown | No prior activity, potentially new wallet |

Post Incident Actions

  1. Confirm the incident has been resolved.
  2. Create monitoring alerts for situations requiring future actions.
  3. Prepare scripts to perform any actions related to monitoring events in the future.
  4. Consider creating additional defensive scripts (pause/upgrade) to use for future situations.
  5. Schedule a Post Mortem write-up.
  6. Post the write-up to relevant social media.

Appendix

Advice to Keep in Mind

  • Limit the War Room occupancy. Be careful not to invite too many people during the early stages. Sensitive information is being shared; be wary.
  • Make it clear to War Room members not to publicize information without the protocol’s consent.
  • Do not speak to the press/news/publications.

Key Roles

  • Operations: Initiates War Room, assigns roles, distributes tasks, herds multisig participants.
    • Person Responsible
  • Scribe: Consolidates gathered information for efficiency in knowledge-sharing.
    • Person Responsible
  • Strategy Lead: Prioritizes actions, considers trade-offs of decisions.
    • Person Responsible
  • Protocol Lead: Responsible for smart-contract actions (pausing, upgrading, etc.).
    • Person Responsible
  • Web/Infrastructure Lead: Responsible for updating the front-end, managing servers.
    • Person Responsible
  • External Communicator: Social media and user communications.
    • Person Responsible

Suggested Tools and Platforms

| Name | Type | Notes |
| --- | --- | --- |
| Discord | Platform | A familiar platform for web3 collaboration. Spin up a server quickly using our recommended template. Tips: New users must be granted the approved role before they can view chats. Upon creation, grant yourself the approved role and share an invite link with trusted members. |
| Telegram | Platform | A familiar platform for web3 collaboration. Tips: Upon New Group creation, enable chat history as visible to new members. To do this: Info -> Edit -> Chat History For New Members -> Visible |
| Google Hangouts | Platform | |
| Phalcon Tx Explorer | Tx Analysis | |
| Openchain Trace Explorer | Tx Analysis | |
| Tenderly Tx Explorer | Tx Analysis, Debugging | Some features require login. |
| Tenderly Alerts | Monitoring | Monitor addresses, on-chain actions, etc. Requires login. |
| MetaSleuth | Monitoring | Monitor fund movement. 50 address limit. Requires login (premium feature). |
| Github / Gist | Code Sharing | Create a private repo or secret gists and share the link with War Room participants only. |
| CodeShare | Code Sharing | Sessions expire after 24 hours. |
| HackMD | Code Sharing | Private notes become published after ~48 hours. Be very careful with sensitive information! |

SEAL Message Template

Fill out with relevant information and send to SEAL 911 Bot.

Protocol: [Protocol Name]
Attack Tx(s): [Transaction Hash(es)]
Funds at Risk: [Estimated Amount in USD or Token]

[Brief Description of the incident]

Incident Detection and Response

tag: [Security Specialist, Operations & Strategy]

You don't want to be the project that has funds stolen and then doesn't notice for multiple days. Early detection and effective response to security incidents will help minimize damage.

Key Components of Incident Detection

  • Monitoring and Logging: Implement continuous monitoring and logging of on-chain activity for your project so that you can tell when something is behaving out of the ordinary. Also monitor system events and user behavior to detect anomalies and potential security incidents in off-chain systems such as web applications or cloud environments.
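The on-chain monitoring described above, as an added example that is not part of the original framework: a detector run over constructed token-transfer records that alerts when a monitored treasury address sends funds to a destination outside an allowlist, or when its outflow within a sliding window exceeds a limit. The addresses, transaction hashes, thresholds and alert names are assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Transfer:
    timestamp: int  # block time, Unix seconds
    tx_hash: str
    sender: str
    recipient: str
    amount: int     # whole token units


@dataclass(frozen=True)
class Alert:
    when_utc: str
    kind: str
    tx_hash: str
    detail: str


def utc(ts):
    """Format a Unix timestamp in UTC, ready to paste into an incident timeline."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M")


def detect_outflows(transfers, monitored, allowlist, window_s, limit):
    """Flag outflows from `monitored` to unknown destinations or above `limit` per window."""
    monitored = monitored.lower()
    allowed = {a.lower() for a in allowlist}
    recent = deque()  # (timestamp, amount) of outflows still inside the window
    total = 0
    alerts = []
    for t in sorted(transfers, key=lambda t: t.timestamp):
        if t.sender.lower() != monitored:
            continue  # inflows and unrelated transfers are ignored
        # Drop outflows that have aged out of the sliding window.
        while recent and t.timestamp - recent[0][0] > window_s:
            total -= recent.popleft()[1]
        recent.append((t.timestamp, t.amount))
        total += t.amount
        if t.recipient.lower() not in allowed:
            alerts.append(Alert(utc(t.timestamp), "UNKNOWN_DESTINATION", t.tx_hash,
                                f"{t.amount} sent to {t.recipient}"))
        if total > limit:
            alerts.append(Alert(utc(t.timestamp), "OUTFLOW_LIMIT", t.tx_hash,
                                f"{total} moved within {window_s}s (limit {limit})"))
    return alerts


def at(hour, minute):
    """Unix time for a constructed event on 2024-08-23 (UTC)."""
    return int(datetime(2024, 8, 23, hour, minute, tzinfo=timezone.utc).timestamp())


# Constructed addresses and transfers, for illustration only.
TREASURY = "0x" + "55" * 20
PAYROLL = "0x" + "aa" * 20
UNKNOWN = "0x" + "ee" * 20
DEPOSITOR = "0x" + "11" * 20

SAMPLE_TRANSFERS = [
    Transfer(at(12, 0), "0x" + "01" * 32, TREASURY, PAYROLL, 50),
    Transfer(at(12, 30), "0x" + "02" * 32, DEPOSITOR, TREASURY, 1000),
    Transfer(at(12, 40), "0x" + "03" * 32, TREASURY, UNKNOWN, 300),
    Transfer(at(12, 45), "0x" + "04" * 32, TREASURY, UNKNOWN, 300),
    Transfer(at(14, 30), "0x" + "05" * 32, TREASURY, PAYROLL, 100),
]


def run_sample():
    """Run the detector with a one-hour window and a 500-unit outflow limit."""
    return detect_outflows(SAMPLE_TRANSFERS, TREASURY, [PAYROLL], window_s=3600, limit=500)


if __name__ == "__main__":
    for a in run_sample():
        print(a.when_utc, a.kind, a.tx_hash[:10], a.detail)
```
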

Key Components of Incident Response

  • Incident Response Team (IRT): Establish a dedicated IRT with clearly defined roles and responsibilities.
  • Incident Response Plan (IRP): Develop and maintain an IRP that outlines the procedures for detecting, responding to, and recovering from security incidents.
  • Containment: Implement strategies to contain the incident.
  • Recovery and Remediation: Ensure that everything is restored to normal operation and take steps to prevent future incidents.
  • Post-Incident Review: Conduct a thorough review of the incident to identify lessons learned and improve future response efforts.

Playbooks

tag: [Security Specialist, Operations & Strategy]

Generally speaking, incident response playbooks aim to provide detailed, step-by-step procedures for handling specific types of security incidents. Obviously, it's not possible to have thought about every possible scenario ahead of time, but one could create documentation for the most likely or devastating scenarios.

Best Practices

  1. Define the type of incident the playbook addresses (e.g., stolen funds, data breach, DDoS attack).
  2. Outline the steps for detecting and analyzing the incident, including key indicators of compromise (IOCs) and tools to use.
  3. Describe immediate actions to contain the incident and prevent further damage.
  4. Provide detailed steps for eradicating the root cause of the incident.
  5. Outline procedures for restoring everything affected to normal operation.
  6. Detail the steps for conducting a lessons learned review.

Communication Strategies

tag: [Security Specialist, Operations & Strategy]

Communication during an incident can be very hard, as people are often scrambling to fix the issue at hand. Nonetheless, from a team member's, outsider's or observer's point of view, communication is very important for understanding what is happening, and it also provides some time to reflect and think about what is going on. That said, sharing information before confirming that it is accurate can be very damaging and cause uncertainty. It is recommended to designate one person for communication during an incident and to send updates on a fixed schedule, even when the update is only that no new information is currently available.

Best Practices

  1. Define and establish secure communication channels for incident response teams. Use encrypted messaging apps.
  2. Appoint primary and backup spokespersons to handle internal and external communications during an incident.
  3. Develop pre-approved templates for incident notifications, updates, and press releases to ensure consistency and speed.
  4. Provide regular updates to all stakeholders, including employees, customers, partners, and regulatory authorities, to keep them informed of the situation and response efforts.
  5. Maintain clear communication within the incident response team to ensure that everyone is aware of their roles and responsibilities.
  6. Be transparent with external stakeholders about the incident, the impact, and the steps being taken to address it. Avoid speculation and provide factual information.

Lessons Learned

tag: [Security Specialist, Operations & Strategy, Devops, SRE]

Conducting a post-incident review and identifying lessons learned will improve your project's incident response capabilities. By analyzing what went well and what could be improved, you can enhance your readiness for future incidents.

Best Practices

  1. Review the incident together with everybody involved in handling it shortly after the incident is resolved.
  2. Record details about the incident, including the timeline, root cause, impact, and response efforts.
  3. Assess the effectiveness of the incident response, highlighting areas where the team performed well and areas needing improvement.
  4. Create action plans to address identified weaknesses and enhance strengths. Assign responsibilities and deadlines for implementing improvements.
  5. Share the lessons learned with the ecosystem to promote awareness and improve overall security practices.
  6. Revise incident response policies and procedures based on the lessons learned to ensure continuous improvement.

Operational Security

tag: [Security Specialist, Operations & Strategy, Devops, SRE]

Operational security, often abbreviated as OpSec, provides a range of practices and measures designed to safeguard an organization's sensitive information, assets, and operations from unauthorized access, espionage, disruption, or compromise.

Operational security is not just a concern for large corporations or government agencies; it is relevant to any project that handles sensitive information, including personal data or digital assets. The consequences of failing to implement robust OpSec measures can be severe, ranging from financial losses to reputational damage, and legal liabilities.

The level of Operational Security to apply will differ greatly depending on the risk appetite the team is willing to accept.

SIM Swapping

tag: [Security Specialist, Operations & Strategy]

SIM swapping occurs when threat actors trick a mobile phone provider into transferring a victim's phone number to a SIM card that they control. This allows the criminals to intercept the victim's text messages and phone calls, including any two-factor authentication codes. With access to the victim's phone number, the criminals can then gain unauthorized access to the victim's accounts.

Stop Using SMS-Based 2FA

This is by far the most important thing you can do to protect yourself against SIM swaps. Think about your most important online accounts and how valuable they are to an attacker:

  • They can read all the information available on that account. This includes emails, photos, private messages, or embarrassing details from years ago that you forgot you sent.
  • They can steal everything of value in that account, like money, crypto, important documents, or other personal information.
  • They can use it to impersonate you while scamming people you know, putting them at risk and putting you in a really tough spot.

If this thought scares you, you should go and make sure SMS 2FA is disabled for any account that you care about. Instead, consider using either an app like Google Authenticator (make sure to disable cloud sync!) or a security key (e.g., Yubico). Avoid using Authy, as it is tied to your phone number too.

Not sure where to start? Here’s a brief list of services to inspire you:

  • Email: Gmail, Yahoo
  • Social Media: Facebook, Twitter
  • Instant Messaging: Telegram, Discord
  • Crypto Exchanges: Coinbase, Gemini, Binance
  • Domain Registrars: GoDaddy, Squarespace
  • Banking: PayPal, Revolut

Switch to a High-Security Carrier

The next best thing you can do is to simply switch to a new carrier entirely. Generally speaking, there are two ways that an attacker can compromise your phone number:

  • Social engineer a support agent (easier)
  • Compromise an insider (harder)

By switching to a high-security carrier, you reduce or eliminate the risk from social engineering, but you’re still at risk of an insider attack. Unfortunately, there’s almost nothing you can do to defend against that.

USA

If you live in the USA, you get the option of one of the big three Mobile Network Operators: AT&T, Verizon, and T-Mobile. None is perfect, but AT&T and Verizon are slightly ahead in terms of security reputation, while T-Mobile has been compromised a handful of times.

Google Fi

Google Fi is an MVNO using T-Mobile’s network and only offers online support via your Google account. Given how seriously Google approaches security, Google Fi is one of the most secure self-service carriers you can choose in the USA. This is even more so if you enable Advanced Protection on your Google account.

For an added bonus, you might consider creating a new Google account under a fake name and purchasing Google Fi from there. This will ensure that an insider at T-Mobile won’t be able to find your phone number by name.

Efani

Efani is an MVNO using AT&T’s and Verizon’s networks and is designed for high-risk individuals. Efani has negotiated agreements in which they are responsible for manually approving requests to modify subscriber accounts instead of allowing agents at AT&T or Verizon to make those changes. Efani also masks your information before submitting it to the MNOs, making it harder for an insider to locate your account.

Place a Note on Your Carrier Account

If you can’t switch carriers or no secure carriers are available in your area, your next option is to mitigate the likelihood of a support agent being social engineered. Some carriers will offer this explicitly (for example, some sort of account lock that you can opt into). If there is no option, you may need to either call or go in-store and ask for a note to be placed on your account.

Keep in mind that some support agents may not know about SIM swapping, and that’s not their fault. If this happens, you might need to politely ask to speak to a manager or just come back another day. Also, keep in mind that while you may be able to add an internal note to your account, there’s no guarantee that the support agent communicating with a scammer will actually read the note. The scammer may also be able to convince the agent that they desperately need to regain access quickly and that the note should be ignored entirely. As such, placing a note on your account is a nice additional measure but not nearly as effective as simply disabling SMS 2FA on your accounts.

Telegram

tag: [Security Specialist, Operations & Strategy]

1. Use Two-Step Verification

  • Enable Two-Step Verification: Protect your account with an additional password to ensure that even if someone has your phone number, they cannot access your account without the additional password.
    • Go to Settings > Privacy and Security > Two-Step Verification and set up a password.

2. Enable End-to-End Encryption for Secret Chats

  • Use Secret Chats: For sensitive conversations, use Telegram's Secret Chats, which are end-to-end encrypted and not stored on Telegram’s servers.
    • Start a new secret chat by selecting a contact, tapping on their name at the top, and choosing Start Secret Chat.

3. Set Self-Destruct Timers for Messages

  • Self-Destruct Timers: In Secret Chats, set a self-destruct timer for messages, which automatically deletes messages after a set period of time.
    • Tap the clock icon in the message input bar within a secret chat to set the timer.

4. Control Your Online Presence

  • Manage Last Seen and Online Status: Control who can see your last seen and online status by adjusting your privacy settings.
    • Go to Settings > Privacy and Security > Last Seen & Online and select who can see your status.

5. Limit Who Can Add You to Groups

  • Group and Channel Privacy: Restrict who can add you to groups or channels to prevent being added to unwanted or potentially malicious groups.
    • Go to Settings > Privacy and Security > Groups & Channels and select your preferences.

6. Use a Strong Passcode Lock

  • Enable Passcode Lock: Set a passcode to lock the Telegram app, adding an extra layer of security.
    • Go to Settings > Privacy and Security > Passcode Lock and set up a passcode.

7. Review Active Sessions Regularly

  • Active Sessions: Monitor and terminate any unauthorized active sessions to ensure no one else is accessing your account.
    • Go to Settings > Privacy and Security > Active Sessions to review and manage your sessions.
  • Beware of Phishing: Do not click on suspicious links sent by unknown contacts. These could lead to phishing attempts or malware.

9. Control Data Sharing

  • Manage Contact Syncing: Disable contact syncing if you want to prevent Telegram from accessing your contact list.
    • Go to Settings > Privacy and Security > Data Settings > Contacts and toggle off Sync Contacts.

10. Be Cautious with Public Channels and Bots

  • Join Public Channels Wisely: Only join public channels and interact with bots from trusted sources, as they can collect your data.
  • Review Bot Permissions: Be cautious about giving bots access to your account information.

11. Regularly Update the App

  • Keep Telegram Updated: Ensure you are using the latest version of Telegram to benefit from the latest security patches and features.
    • Check your app store regularly for updates or enable automatic updates.

12. Avoid Using Third-Party Telegram Apps

  • Use the Official App: Stick to the official Telegram app for the best security and privacy protections.
    • Download from the official Telegram website or your device's official app store.

13. Backup Your Two-Step Verification Password

  • Store Your Password Safely: Ensure you store your two-step verification password in a secure password manager to avoid being locked out of your account.

14. Disable Automatic Media Download

  • Control Media Download: Disable or limit automatic media downloads to prevent unwanted files from being stored on your device.
    • Go to Settings > Data and Storage > Automatic Media Download and adjust your preferences.

Standard Operating Environment

tag: [Engineer/Developer, Security Specialist, Devops, SRE]

A Standard Operating Environment (SOE) refers to a standardized and controlled computing environment used across a project. It ensures that all devices and systems adhere to the same security policies, configurations, and software versions, thereby reducing vulnerabilities and simplifying management.

Key Components of an SOE

Device Configuration

  1. Ensure all workstations and mobile devices use full-disk encryption to protect data at rest.
  2. Configure devices to automatically apply critical security patches and updates.
  3. Ensure all installed applications are regularly updated to their latest versions to mitigate vulnerabilities.
  4. Never leave workstations unlocked and unattended.
  5. Operating Systems commonly affected by malicious software should have anti-malware software installed and running.
  6. Ensure the plugins you use for your browser are secure.
  7. Avoid using an Administrator account for day-to-day activities.
  8. Disable macros on Office products.
  9. If a device has been left unlocked where a third party had access to it and you could not see what they did (e.g., at an airport security check), treat it as having been compromised.

User Access Controls

  1. Grant users the minimum level of access required to perform their job functions. Avoid using administrative accounts for day-to-day activities.
  2. Implement RBAC to manage permissions and access based on user roles within the organization.
  3. Require MFA for accessing sensitive systems and data. Use hardware tokens (e.g., Yubikeys) for the highest level of security.

Security Software

  1. Install and maintain anti-malware software on all devices where relevant. Ensure it is configured to automatically update and scan regularly.
  2. Enable and configure local firewalls on all devices where applicable to control inbound and outbound network traffic.

Data Management

  1. Encrypt sensitive data both in transit and at rest. Use strong encryption standards and manage encryption keys securely.
  2. Implement regular backup procedures for all critical data. Ensure backups are encrypted and stored securely offsite or in the cloud. Regularly test recovery processes to ensure data integrity.
  3. Classify data based on sensitivity and implement appropriate handling and storage procedures for each classification level.

Network Security

  1. Segment networks to limit access to sensitive systems where applicable. Use virtual LANs (VLANs) and firewalls to enforce segmentation.
  2. Require the use of VPNs for remote access to the organization's network. Ensure VPNs use strong encryption protocols.
  3. Secure wireless networks using WPA3 or WPA2 with AES encryption. Regularly update Wi-Fi passwords and manage access to authorized devices only.

Wireless Security

tag: [Security Specialist, Operations & Strategy]

Wireless networks offer convenience and flexibility. However, they also present unique security challenges.

Key Components of Wireless Security

Secure Network Configuration

  1. Use WPA3 (Wi-Fi Protected Access 3) for the highest level of security. If WPA3 is not available, use WPA2 with AES encryption.
  2. Disable SSID broadcasting to hide the network from casual discovery, although it is still visible to scanners. Use a non-identifiable SSID that does not reveal the project’s name or purpose.
  3. Segment the wireless network from the wired network if critical devices on the wired network do not need to be reachable from the wireless network. Use VLANs to separate different types of traffic and limit access to sensitive resources.

Access Control

  1. Use strong, unique passwords for network access. Never use default passwords provided by the manufacturer.
  2. Consider implementing MAC address filtering to restrict network access to authorized devices only. Regularly update the list of allowed devices.
  3. Consider using enterprise-grade authentication methods, such as 802.1X with RADIUS, to authenticate users before granting network access.

Monitoring and Intrusion Detection

  1. Deploy WIDS to monitor for suspicious activities, unauthorized devices, and rogue access points, especially if built into the wireless network system of your choice.
  2. Monitor network traffic for unusual patterns that may indicate a security breach or attack, which can be enabled on some wireless network devices.

Device Security

  1. Regularly update the firmware of wireless access points and routers to patch security vulnerabilities.
  2. Disable unnecessary services and features on wireless devices to reduce the attack surface. Implement strong access controls and change default settings.
  3. Secure wireless access points in locked enclosures to prevent tampering and unauthorized access.

Best Practices for Wireless Security

Network Security

  1. If inbound VPN must be enabled, consider the security implications of someone gaining access to your network through an active inbound VPN connection, and configure the network to prevent a disaster should this happen.
  2. Create a secure wireless network for your work, and use a separate, less trusted wireless network on a restricted network segment for other devices such as IoT devices, TVs, and other non-work-related devices.

Guest Networks

  1. Set up a separate guest network for friends and temporary users. Ensure it is isolated from the main corporate network.
  2. Restrict guest network access to the internet only. Implement bandwidth limits and usage policies to prevent abuse.

Password/Secrets Management

tag: [Security Specialist, Operations & Strategy]

Effective management of passwords and cryptographic keys helps maintain the security and integrity of digital assets and sensitive information.

Best Practices

  1. Do not reuse passwords across services, as it increases the risk of multiple accounts being compromised when one service is breached. Instead, use a password vault that can generate complex, random, and unique passwords for each service.
    • While browsers provide built-in password vaults, it is recommended to use an external password vault with improved security features.
  2. Check if your email has been in any breach on Have I Been Pwned and set up notifications for future breaches. Change passwords on the services where you may have been breached.
  3. If you suspect a breach of your password, change it as soon as possible.
  4. Use MFA whenever possible. It is a key measure in preventing account breaches. It is highly recommended to use a hardware token such as Yubikey to protect your accounts. If you use a mobile authenticator such as Authy to store your MFA tokens, ensure that you also set an encryption password to mitigate the risk of SIM swapping. Avoid using SMS for MFA unless there is no other option, as there are multiple cases where people have been SIM swapped and their accounts taken over. If SMS is the only option, it is still better than having no MFA enabled at all. It is recommended to not use the password manager/vault used for your passwords to store your MFA codes.
  5. Reminder: Do not derive wallets from self-generated passwords, even if they look random. It is very easy to make mistakes in the derivation process and end up with a wallet that is easy to compromise. It is always better to use an appropriate wallet software to generate your seed phrases.

Password and Key Security

Passphrases

Utilizing long, memorable phrases as passwords. They are easier to remember than complex passwords and can be equally secure. For example, "CorrectHorseBatteryStaple" is more secure and memorable than a shorter, complex password.

XKCD Password Strength

Password Cards (e.g., Qwertycards)

Aids in generating and recalling complex passwords using a physical card as a mnemonic device. These can be particularly useful for creating strong, unique passwords without relying on digital tools.

Non-default BIP-44 Derivation Path

Using custom paths for key generation in crypto wallets to enhance security. For example, MyEtherWallet allows users to set custom derivation paths.

Password Managers

Digital solutions for securely storing and managing various passwords. They reduce the risk of password reuse and simplify password management by generating and storing complex, unique passwords for each service.

Key Storage and Recovery

Memory and Notebook

Relying on human memory or physical writing to store keys. It's highly secure against digital theft but vulnerable to forgetting or physical loss. Always have a secure backup plan.

Paper Wallets

Involves printing or writing down keys on paper. Offers protection from online hacks but can be lost, damaged, or deteriorate over time. Store paper wallets in secure, dry, and fireproof locations.

Encrypted Drives

Storing keys on encrypted drives balances digital convenience with security. However, it is vulnerable to physical theft and damage. Always have multiple backups in different locations.

Back-ups / Rotation / Recovery

Regular backup and update of key information to ensure recovery. This is critical for maintaining access in case of primary key loss. Use secure, redundant backup solutions and periodically test recovery procedures.

Shamir Backup

Shamir's Secret Sharing is a method to split a secret, such as a private key, into multiple parts, where a subset of these parts is required to reconstruct the secret. This enhances security and ensures recoverability.
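
The threshold property described above, as an added Python example that is not part of the original framework text: a secret is split into 5 shares, any 3 of which reconstruct it, while 2 do not. The field prime, the function names and the sample key are assumptions constructed for this illustration.

```python
import secrets

# Assumption for this example: all arithmetic is done modulo the Mersenne
# prime 2**521 - 1, which is larger than any 256-bit or 512-bit key.
PRIME = 2**521 - 1

# Constructed 32-byte sample secret (not a real key).
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def split_secret(secret: int, threshold: int, num_shares: int) -> list[tuple[int, int]]:
    """Return num_shares points (x, y); any `threshold` of them recover `secret`."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret does not fit in the field")
    if not 2 <= threshold <= num_shares:
        raise ValueError("need 2 <= threshold <= num_shares")
    # Random polynomial f of degree threshold-1 with f(0) = secret.
    # The other coefficients come from a CSPRNG; they are what hides the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, num_shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares: list[tuple[int, int]]) -> int:
    """Lagrange-interpolate the polynomial through `shares` and return f(0)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    value = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME      # factor (0 - xj)
                den = (den * (xi - xj)) % PRIME  # factor (xi - xj)
        # Division in the field is multiplication by the modular inverse.
        value = (value + yi * num * pow(den, -1, PRIME)) % PRIME
    return value


if __name__ == "__main__":
    secret = int.from_bytes(SAMPLE_KEY, "big")
    shares = split_secret(secret, threshold=3, num_shares=5)
    print("any 3 shares recover:", recover_secret(shares[1:4]) == secret)
    print("2 shares recover:   ", recover_secret(shares[:2]) == secret)
```

With fewer shares than the threshold, interpolation still returns a number, but it is unrelated to the secret, which is why each share can be stored with a different person or location.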

Authentication and Access Control

2FA / MFA (Multi-Factor Authentication)

Employs multiple verification methods, significantly increasing security by adding layers beyond just passwords. Use hardware tokens like Yubikeys for the highest level of security.

SSO (Single Sign-On)

Allows using one set of credentials to access multiple services. Convenient but necessitates strong security for the primary credentials. Ensure SSO solutions are configured with strong security measures and regularly audited.

Trusted Key Management System (KMS)

Systems designed to manage and protect digital keys, critical for securing cryptographic operations and sensitive data. Use a reputable KMS to handle key generation, storage, and rotation securely.

Hardware Security Keys

Physical devices used for authentication, offering a high level of security against remote attacks. They are particularly effective when combined with MFA.

Biometric Security

Fingerprint Scanners

Uses fingerprints, unique to every individual, as a means of secure and convenient authentication. They are widely used in mobile devices and some laptops.

Facial Recognition

Employs facial characteristics for verification, increasingly popular in mobile and personal devices.

Physical Security

tag: [Security Specialist, Operations & Strategy]

Physical security is an often overlooked but crucial aspect of operational security, especially for individuals and organizations involved in cryptocurrency. This section provides guidelines on how to protect yourself, your digital assets, and your organization from physical threats and attacks.

Best Practices

  1. Random USB storage devices should not be plugged into your devices. Dropping malicious USB sticks and hoping for someone to pick them up and insert them into their computer is a real threat. On the subject of USB, do not plug your device into an untrusted charger (e.g., on a bus or airplane) without a data blocker.
  2. Do not click on links from untrusted sources, as they may lead to malicious websites or legitimate websites that have been compromised. In the event that you’re asked to take action on a website through, for example, email, visit the website manually (e.g., discord.com) rather than clicking the link.
  3. Avoid scanning QR codes as they could potentially contain exploits.
  4. Be wary of websites pushing pop-ups that make it seem that you need to install software to upgrade or secure your computer; these are often malware.
  5. If you receive a suspicious message, try reaching out to the person via a different channel.

Secure Traveling

Preparation

  1. Travel with the minimum number of devices necessary. Leave non-essential devices at home.
  2. Backup all important data before traveling. Store backups in secure, separate locations.
  3. Remove sensitive data from devices before traveling. Consider using travel-specific devices with minimal data depending on the country you're visiting.

During Travel

  1. Keep your devices with you at all times. Use secure storage options when necessary.
  2. Avoid using public Wi-Fi networks. If necessary, use a VPN to secure your connection.
  3. Avoid using untrusted charging stations. Use a USB data blocker or carry a portable charger.

Border Security

  1. Encrypt your devices to protect data in case they are inspected or seized.
  2. Carry minimal data across borders. Be aware that some countries may require decryption of devices.
  3. Be prepared for device inspections. Consider using travel-specific accounts and removing sensitive information.

Preventing "Wrench Attacks"

A "wrench attack" refers to the scenario where an attacker uses physical force or coercion to gain access to your assets.

Mitigation Strategies

  1. Use multi-signature wallets that require multiple parties to authorize transactions.
  2. Distribute parts of cryptographic keys among trusted individuals or locations.
  3. Use decoy wallets with small amounts of cryptocurrency to satisfy attackers without compromising significant assets.
  4. Establish clear policies for responding to physical threats in your project, including non-compliance and emergency contacts.

Home Security

  1. Use strong locks, security doors, and window bars to prevent unauthorized entry.
  2. Install security cameras and alarm systems. Monitor the premises regularly.
  3. Use safes or locked cabinets to store devices and sensitive documents.

Device Protection

Hardware Security

  1. Use laptop locks and secure your devices to immovable objects when in public or shared spaces.
  2. Use tamper-evident seals on devices to detect unauthorized access attempts.
  3. Regularly check devices for signs of tampering or unauthorized access.

Environmental Considerations

  1. Protect hardware wallets or other devices from extreme temperatures, humidity, and physical shocks.
  2. Store hardware wallets or other important devices in fire-resistant safes and ensure that your environment has appropriate fire detection and suppression systems.

Emergency Contacts

Maintain a list of emergency contacts, including law enforcement, cybersecurity experts, and team contacts.

Detecting and Mitigating Insider Threats

tag: [Security Specialist, Operations & Strategy]

Insider threats, whether intentional or unintentional, pose a significant risk to any project. These threats can come from current or former employees, contractors, or business associates who have inside information concerning the project's security practices, data, and computer systems. Effective detection and mitigation strategies are crucial for safeguarding your project against these risks.

What Are Insider Threats?

Insider threats can be categorized into three main types:

  1. Malicious Insiders: Individuals who intentionally cause harm to the project by stealing data, sabotaging systems, or leaking sensitive information.
  2. Negligent Insiders: Team members who unintentionally cause security breaches through careless actions, such as falling for phishing attacks or mishandling sensitive data.
  3. Compromised Insiders: Team members whose accounts or systems are compromised by external threat actors and used to gain access to the project's resources.

Detecting Insider Threats

Monitoring and Analytics

  1. Implement systems to monitor team members' activity and identify unusual behavior patterns. This includes tracking logins and on-chain transactions related to the project.
  2. Use anomaly detection to establish a baseline of normal user behavior and detect deviations that may indicate malicious activity.
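
A minimal version of the baseline-and-deviation approach from the list above, as an added Python example rather than code from the framework: it learns each user's usual login countries and hours from history, then flags new countries, unusual hours, bursts of failed logins and users without a baseline. The event layout, thresholds and all sample events are constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (UTC timestamp, user, country, outcome).
HISTORY = [
    ("2024-05-01T08:10:00", "alice", "DE", "success"),
    ("2024-05-02T09:02:00", "alice", "DE", "success"),
    ("2024-05-03T10:15:00", "alice", "DE", "success"),
    ("2024-05-01T14:30:00", "bob", "US", "success"),
    ("2024-05-02T15:45:00", "bob", "US", "success"),
    ("2024-05-03T16:05:00", "bob", "US", "success"),
]
NEW_EVENTS = [
    ("2024-06-03T09:05:00", "alice", "DE", "success"),   # matches baseline
    ("2024-06-03T03:12:00", "alice", "BR", "success"),   # new country, odd hour
    ("2024-06-03T02:00:00", "bob", "US", "failure"),
    ("2024-06-03T02:01:00", "bob", "US", "failure"),
    ("2024-06-03T02:02:00", "bob", "US", "failure"),     # third failure in 10 min
    ("2024-06-03T17:30:00", "bob", "US", "success"),     # within hour tolerance
    ("2024-06-03T11:00:00", "carol", "FR", "success"),   # never seen before
]


def build_baseline(history):
    """Per user: countries and hours of day seen in successful logins."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for ts, user, country, outcome in history:
        if outcome == "success":
            baseline[user]["countries"].add(country)
            baseline[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(baseline)


def hour_distance(hour, known_hours):
    """Smallest distance on the 24-hour clock between `hour` and any known hour."""
    return min(min((hour - k) % 24, (k - hour) % 24) for k in known_hours)


def detect(events, baseline, hour_tolerance=2, fail_threshold=3,
           fail_window=timedelta(minutes=10)):
    """Return (timestamp, user, reason) alerts for deviations from the baseline."""
    alerts = []
    recent_failures = defaultdict(list)
    for ts, user, country, outcome in sorted(events):  # ISO strings sort by time
        when = datetime.fromisoformat(ts)
        if outcome == "failure":
            window = [t for t in recent_failures[user] if when - t <= fail_window]
            window.append(when)
            recent_failures[user] = window
            if len(window) == fail_threshold:  # alert once, when threshold is hit
                alerts.append((ts, user, "failed-login-burst"))
            continue
        known = baseline.get(user)
        if known is None:
            alerts.append((ts, user, "no-baseline"))
            continue
        if country not in known["countries"]:
            alerts.append((ts, user, "new-country"))
        if hour_distance(when.hour, known["hours"]) > hour_tolerance:
            alerts.append((ts, user, "unusual-hour"))
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_EVENTS, build_baseline(HISTORY)):
        print(alert)
```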

Access Controls

  1. Implement RBAC to ensure that employees have access only to the information and systems necessary for their job functions.
  2. Enforce the principle of least privilege, granting users the minimum level of access required to perform their duties.
  3. Conduct regular reviews of user access permissions to ensure they are still appropriate for their current roles.

Training and Awareness

  1. Conduct regular security training sessions to educate employees about the risks of insider threats and the importance of following security protocols.
  2. Run (spear) phishing simulations to test employees' awareness and response to potential (spear) phishing attacks.

Mitigating Insider Threats

Incident Response Plan

  1. Create a detailed incident response plan that outlines the steps to be taken in the event of an insider threat incident.
  2. Clearly define roles and responsibilities for the incident response team to ensure a coordinated and effective response.

Technical Controls

  1. Require MFA for access to critical systems and sensitive data to add an extra layer of security.
  2. Encrypt sensitive data both at rest and in transit to protect it from unauthorized access.

Project Policies

  1. Establish clear policies and procedures for handling sensitive information and responding to security incidents.
  2. Be aware that malicious organizations/countries may try to obtain access to your project for reasons of financial or technology theft. Conduct thorough background checks on new employees and contractors to identify potential risks.
  3. Implement strict exit procedures for departing employees, including revoking access to systems and multi-signature wallets.

Behavioral and Cultural Measures

  1. Foster a culture of security awareness where team members understand the importance of protecting sensitive information and reporting suspicious activities.

Google Workspace Security

tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, HR]

Google Workspace (formerly G Suite) is a powerful suite of productivity and collaboration tools widely used by projects. A lot of things may depend on Google Workspace, which makes its security important to consider.

Account Security

Multi-Factor Authentication (MFA)

  1. Require all users to enable multi-factor authentication for their Google Workspace accounts. This adds an extra layer of security by requiring a second form of verification in addition to the password.
  2. Encourage the use of hardware tokens (e.g., Yubikeys) for MFA instead of SMS, which is more vulnerable to SIM swapping attacks.

Strong Password Policies

  1. Implement policies requiring strong, complex passwords that are regularly updated.
  2. Encourage the use of password managers to generate and store unique passwords for each account.

Access Management

Role-Based Access Control (RBAC)

  1. Implement RBAC to ensure users have access only to the information and applications necessary for their job roles.
  2. Conduct regular reviews of user permissions to ensure access levels are appropriate and revoke access for users who no longer need it.

Least Privilege Principle

  1. Ensure users have the minimum level of access necessary to perform their duties.
  2. Use Just-In-Time (JIT) access controls to grant temporary access when needed and automatically revoke it after a specified period.

Data Protection

Data Loss Prevention (DLP)

  1. Set up DLP policies to monitor and protect sensitive information from being shared outside the organization or to unauthorized users.
  2. Use DLP to scan emails and documents for sensitive content and enforce policies to prevent data leakage.

Encryption

  1. Use Google Workspace's built-in encryption features to protect emails in transit.
  2. Ensure that files stored in Google Drive are encrypted both in transit and at rest.

Monitoring and Alerts

Activity Monitoring

  1. Enable and regularly review audit logs to track user activities, such as login attempts, file access, and administrative changes.
  2. Use the Google Workspace Security Center to monitor security metrics, detect potential threats, and receive alerts for suspicious activities.

Incident Response

  1. Set up alerts for unusual activities, such as multiple failed login attempts, suspicious file sharing, and changes to security settings.
  2. Develop and maintain an incident response plan specific to Google Workspace, detailing the steps to be taken in the event of a security breach.

Device Management

Mobile Device Management (MDM)

  1. Use Google Workspace's MDM features to enforce security policies on mobile devices, such as requiring screen locks, enabling encryption, and remotely wiping data if a device is lost or stolen.
  2. Maintain an inventory of all devices accessing Google Workspace and regularly audit to ensure compliance with security policies.

Communication and Collaboration

Secure Sharing

  1. Set policies to control sharing of files and documents within and outside the project. Use link sharing settings that restrict access to only specific people.
  2. Use shared drives for team collaboration with appropriate access controls and permissions.

Email Security

  1. Enable advanced spam and phishing protection features to filter out malicious emails.
  2. Encourage the use of secure communication channels for sensitive discussions, such as Google Chat with end-to-end encryption.

Compliance and Governance

Compliance Settings

  1. Configure Google Workspace to comply with relevant regulatory requirements (e.g., GDPR) by using compliance tools and settings.
  2. Use Google Workspace Admin Console to enforce security policies and ensure compliance with project and regulatory standards.

DevSecOps

tag: [Engineer/Developer, Security Specialist, Devops, SRE]

Traditionally, rapid development and deployment are often prioritized at the expense of security considerations. Web3 is generally no different, but it is important to take integrity, confidentiality, and availability into consideration too. To address this effectively without compromising on rapid development and deployment, it is essential to integrate security into the process, which is where DevSecOps comes into play. By implementing DevSecOps, projects can not only deploy faster, but also be more secure.

When operating with a DevSecOps mindset, projects prioritize automation and collaboration between the development, operations, and security teams.

Some of the key areas to consider are:

  1. Integrate security measures early in the development process, for example by running fuzzing and static and dynamic analysis tools in your CI/CD process, to identify and mitigate vulnerabilities before they turn into critical issues.
  2. Implement automated security testing and monitoring.
  3. Development, Operations and Security teams should be aligned and work closely together.

Repository Hardening

tag: [Engineer/Developer, Security Specialist, Devops]

If a threat actor obtains access to your repository, it could have very severe consequences. In order to help avoid this, you could consider implementing the following best practices:

  1. Require Multi-Factor Authentication (MFA) for all repository members.
  2. Enable protected branches to prevent unauthorized changes to critical branches. Learn more about protected branches.
  3. Follow the Security hardening for GitHub Actions to avoid token stealing and other vulnerabilities.
  4. Implement strict access controls to limit who can push to critical branches and repositories.
  5. Conduct regular security audits of the repository to identify and mitigate potential vulnerabilities.
  6. Require all commits to be signed to verify the identity of contributors and ensure the integrity of the code.
  7. Regularly update dependencies and use tools to check for and manage vulnerabilities in dependencies.

Code Signing

tag: [Engineer/Developer, Security Specialist, Devops]

Code signing ensures that the code has not been tampered with, and verifies the identity of the developer. Here are some best practices that could be followed:

  1. Ensure all Pull Requests (PRs) are signed with the user’s GPG key.
  2. Every PR must be reviewed by another core team member before being merged into the stable/main/master branch, with GitHub settings set to reflect this.
  3. Require Multi-Factor Authentication (MFA) for all users where applicable and available. Encourage the use of hardware MFA such as Yubikeys.
  4. Rotate GPG keys regularly to mitigate the risk of key compromise.
  5. Maintain clear documentation on the code signing procedures for your team members.
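
One way to enforce the commit-signing requirement in CI, shown as an added example (not code from SEAL or this framework). It reads git's `%G?` signature status for each commit in a range and rejects anything that is not a fully valid signature or that was signed by a key outside a team allowlist. The key IDs, names, and log lines are constructed sample data, and the "only status G passes" policy is an assumption.

```python
import subprocess
import sys

# Meaning of git's %G? placeholder (see "PRETTY FORMATS" in `git help log`).
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature with unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
    "N": "no signature",
}

# Tab-separated: commit hash, signature status, signing key, author name.
LOG_FORMAT = "%H%x09%G?%x09%GK%x09%an"


def parse_log(text):
    """Turn `git log --format=LOG_FORMAT` output into a list of records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        commit, status, key, author = line.split("\t", 3)
        records.append(
            {"commit": commit, "status": status, "key": key, "author": author}
        )
    return records


def rejected_commits(records, trusted_keys=None):
    """Return (commit, author, reason) for every commit that fails policy.

    Policy assumed for this example: only status "G" passes, and when an
    allowlist is supplied the signing key must be on it. Key rotation then
    means updating the allowlist, and commits signed with retired keys show
    up here instead of passing silently.
    """
    rejected = []
    for rec in records:
        if rec["status"] != "G":
            reason = SIGNATURE_STATUS.get(rec["status"], "unknown status")
        elif trusted_keys is not None and rec["key"] not in trusted_keys:
            reason = "signed by a key outside the team allowlist"
        else:
            continue
        rejected.append((rec["commit"], rec["author"], reason))
    return rejected


def check_range(rev_range, trusted_keys=None, repo="."):
    """Run git over a revision range such as 'origin/main..HEAD'."""
    out = subprocess.run(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return rejected_commits(parse_log(out), trusted_keys)


# Constructed sample output (hashes, key IDs and names are made up).
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("a" * 40, "G", "1111AAAA2222BBBB", "Alice"),
    ("b" * 40, "N", "", "Bob"),
    ("c" * 40, "Y", "3333CCCC4444DDDD", "Carol"),
    ("d" * 40, "G", "5555EEEE6666FFFF", "Dave"),
])

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_signatures.py <rev-range>")
    failures = check_range(sys.argv[1])
    for commit, author, reason in failures:
        print(f"{commit[:12]} ({author}): {reason}")
    sys.exit(1 if failures else 0)
```

The signature status is only meaningful if the CI runner's keyring contains the team's public keys; otherwise every signed commit reports `E`.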

Integrated Development Environments (IDEs)

tag: [Engineer/Developer, Security Specialist, Devops]

Integrated Development Environments (IDEs) are essential tools for developers, but they also need to be secured. Consider implementing the following best practices:

  1. Ensure IDEs are configured securely, with plugins and extensions only installed from trusted sources. Some IDEs have features that allow for automated execution of files in folders. Use restricted mode if you don't fully trust a project.
  2. Keep IDEs and their plugins/extensions up-to-date to protect against vulnerabilities.
  3. Integrate static code analysis tools within the IDE to catch security issues early in the development process.
  4. Configure IDEs to follow the principle of least privilege, limiting access to sensitive information and systems.
  5. Ensure that potential development environments are isolated from production environments.

Continuous Integration and Continuous Deployment (CI/CD)

tag: [Engineer/Developer, Security Specialist, Devops, SRE]

Continuous Integration and Continuous Deployment are there to ensure good code quality and create rapid and secure deployments. Some best practices are:

  1. Ensure every PR undergoes CI testing (e.g., GitHub Actions) that must pass before merging. CI tests should at least include unit tests, integration tests, and checks for known vulnerabilities in dependencies.
  2. The CI/CD pipeline should check for misconfigurations and leaked credentials.
  3. Produce deterministic builds with a strict set of dependencies and/or a build container that can reliably produce the same results on different machines.
  4. Integrate security scanning tools to detect vulnerabilities in code and dependencies during the CI process.
  5. Use isolated environments for building and testing to prevent contamination between different stages of the pipeline.
  6. Implement strict access controls for CI/CD pipelines to limit who can modify the pipeline configurations.
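
The GitHub Actions hardening and pipeline access-control points above can be checked mechanically. The following added example (not part of the SEAL framework or any GitHub tooling) lints a workflow file for three things: actions referenced by a mutable tag or branch instead of a full commit SHA, a missing top-level `permissions:` block, and use of the `pull_request_target` trigger. The workflow text, the `example-org` actions, and the SHA are constructed; the rule names and the strict "pin everything" policy are assumptions.

```python
import re

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
TRIGGER_RE = re.compile(r"\bpull_request_target\b")
TOP_LEVEL_PERMISSIONS_RE = re.compile(r"^permissions\s*:", re.MULTILINE)


def lint_workflow(text):
    """Return (line_number, rule, detail) findings for one workflow file.

    Line-based on purpose so it needs no YAML library; it does not resolve
    anchors or multi-line scalars. Line 0 marks a file-level finding.
    """
    findings = []
    if not TOP_LEVEL_PERMISSIONS_RE.search(text):
        findings.append((0, "no-top-level-permissions",
                         "workflow token falls back to the repository default scope"))
    for number, line in enumerate(text.splitlines(), 1):
        code = line.split(" #", 1)[0]          # drop trailing comments
        if not code.strip() or code.lstrip().startswith("#"):
            continue
        if TRIGGER_RE.search(code):
            findings.append((number, "pull-request-target",
                             "runs with base-repository secrets; review what code it checks out"))
        match = USES_RE.match(code)
        if not match:
            continue
        target = match.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue                           # local actions and images: out of scope here
        ref = target.rpartition("@")[2] if "@" in target else ""
        if not FULL_SHA_RE.fullmatch(ref):
            findings.append((number, "unpinned-action",
                             f"{target} is not pinned to a full commit SHA"))
    return findings


# Constructed workflow with the weak settings.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/example-action@main
      - uses: example-org/pinned-action@1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b  # constructed SHA
      - uses: ./.github/actions/local
      - run: npm test
"""

# The same pipeline with the corrected settings (constructed).
HARDENED_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/pinned-action@1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
      - run: npm test
"""

if __name__ == "__main__":
    for number, rule, detail in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {number}: {rule}: {detail}")
```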

Privacy

tag: [Engineer/Developer, Security Specialist, Devops]

Privacy is a fundamental aspect of security. Protecting your personal and team's information from unauthorized access and exposure is crucial. This section provides guidelines and resources for maintaining privacy, managing your digital footprint, and utilizing privacy-focused tools and services.

Digital Footprint

tag: [Engineer/Developer, Security Specialist]

Your digital footprint is the trail of data you leave behind while using the internet.

Understanding Your Digital Footprint

  1. Active Footprint

    • Information you intentionally share online, such as social media posts, blog comments, and online profiles.
  2. Passive Footprint

    • Information collected without your explicit consent, such as tracking cookies, IP addresses, and browsing history.

Managing Your Digital Footprint

  1. Audit Your Online Presence

    • Regularly search your name and personal information on search engines.
    • Review your social media profiles and privacy settings.
  2. Limit Information Sharing

    • Be cautious about the personal information you share online.
    • Avoid sharing sensitive information such as your home address, phone number, and financial details.
  3. Use Privacy Settings

    • Adjust privacy settings on social media platforms to control who can see your information.
    • Enable two-factor authentication for added security.
  4. Delete Unused Accounts

    • Remove accounts you no longer use to minimize the amount of personal information available online.
  5. Opt-Out of Data Collection

    • Use tools and browser extensions to block tracking cookies and ads.
    • Opt out of data collection by data brokers and online advertisers.

Tools for Managing Your Digital Footprint

  1. Privacy Badger

    • A browser extension that blocks tracking cookies and ads.
    • Pros: Free, easy to use.
    • Cons: May block some legitimate content.
  2. Ghostery

    • A browser extension that blocks trackers and enhances privacy.
    • Pros: Detailed tracker information, customizable.
    • Cons: Some features require a subscription.
  3. Deseat.me

    • A tool to find and delete your old accounts.
    • Pros: Simple interface, effective.
    • Cons: Requires access to your email.

Best Practices

  1. Conduct regular audits of your online presence to identify and remove unwanted information.
  2. Protect your accounts with strong, unique passwords.
  3. Keep up-to-date with privacy news and updates to stay informed about new threats and tools.

Secure Browsing

tag: [Engineer/Developer, Security Specialist]

Secure browsing is essential to protect your privacy and personal information while using the internet.

Best Practices for Secure Browsing

  1. Use HTTPS

    • Always use HTTPS to ensure that your connection to websites is encrypted. Look for the padlock icon in the browser address bar.
    • Most browsers now enforce HTTPS by default; otherwise, use browser extensions like HTTPS Everywhere to enforce HTTPS connections.
  2. Avoid Public Wi-Fi

    • Avoid using public Wi-Fi for sensitive activities. If you must use it, ensure you connect through a VPN to encrypt your internet traffic.
  3. Disable Third-Party Cookies

    • Disable third-party cookies in your browser settings to prevent tracking by advertisers and other third parties.
  4. Use Private Browsing Mode

    • Use private browsing mode to prevent your browser from storing your browsing history, cookies, and temporary files.
  5. Keep Your Browser Updated

    • Regularly update your browser to ensure you have the latest security patches and features.

Tools for Secure Browsing

  1. Tor Browser

    • A browser designed for anonymous browsing using the Tor network.
    • Pros: Strong anonymity, easy to use.
    • Cons: Slower browsing speeds, some websites block Tor traffic.
  2. Brave Browser

    • A privacy-focused browser that blocks ads and trackers by default.
    • Pros: Fast, blocks ads and trackers, built-in Tor support.
    • Cons: Limited extensions compared to other browsers.
  3. uBlock Origin

    • A browser extension that blocks ads, trackers, and malware.
    • Pros: Highly configurable, efficient.
    • Cons: Requires setup for optimal use.
  4. Privacy Badger

    • A browser extension that blocks tracking cookies and ads.
    • Pros: Easy to use, protects privacy.
    • Cons: May block some legitimate content.

Secure Search Engines

  1. DuckDuckGo

    • A search engine that does not track your searches or store your personal information.
    • Pros: Strong privacy, no tracking.
    • Cons: Less personalized search results.
  2. Startpage

    • A search engine that uses Google’s search results but protects your privacy.
    • Pros: Google search results, strong privacy.
    • Cons: Slower than Google.

Best Practices

  1. Regularly clear your browsing history, cookies, and cache to remove any stored data.
  2. Only install trusted browser extensions and regularly review their permissions.
  3. Use a password manager to create and store strong, unique passwords for each website.

Privacy-Focused Operating Systems and Tools

tag: [Engineer/Developer, Security Specialist]

Using privacy-focused operating systems and tools can significantly enhance your digital privacy. These systems and tools are designed to protect your data and minimize your digital footprint.

Privacy-Focused Operating Systems

  1. Tails

    • A live operating system that you can start on any computer from a USB stick or DVD.
    • Pros: Leaves no trace on the computer, comes with built-in privacy tools.
    • Cons: Requires a USB stick or DVD, limited software availability.
  2. Qubes OS

    • An open-source operating system designed for security through isolation.
    • Pros: Strong isolation, supports running multiple virtual machines.
    • Cons: Requires fairly powerful hardware, steep learning curve.
  3. Whonix

    • A security-focused operating system that runs in a virtual machine and uses Tor to anonymize internet traffic.
    • Pros: Strong anonymity, easy to use.
    • Cons: Slower internet speeds due to Tor, requires a virtual machine.

Privacy-Focused Tools

  1. Tor Browser

    • A web browser designed for anonymous browsing using the Tor network.
    • Pros: Strong anonymity, easy to use.
    • Cons: Slower browsing speeds, some websites block Tor traffic.
  2. Signal

    • An encrypted messaging app for secure communication.
    • Pros: End-to-end encryption, open source.
    • Cons: Requires a phone number for registration.
  3. KeePass

    • An open-source password manager for securely storing and managing passwords.
    • Pros: Strong encryption, no cloud storage.
    • Cons: Requires manual setup, less user-friendly than some alternatives.
  4. VeraCrypt

    • A disk encryption software for creating secure, encrypted volumes.
    • Pros: Strong encryption, supports hidden volumes.

Financial Privacy Services

tag: [Engineer/Developer, Security Specialist]

Maintaining financial privacy is often seen as important by people in the Web3 ecosystem, and it can help protect personal and financial information from unauthorized access and fraud.

Tools for Financial Privacy

  1. Cash

    • Using cash for transactions can help maintain privacy by avoiding digital records.
    • Pros: Anonymous, widely accepted.
    • Cons: Not practical for online transactions, physical security risks.
  2. Prepaid Cards

    • Use prepaid debit cards for purchases to avoid linking transactions to your bank account.
    • Pros: Anonymity, control over spending.
    • Cons: Fees, limited acceptance.
  3. Privacy.com

    • A service that allows you to create virtual credit cards for online purchases.
    • Pros: Protects your real credit card information, easy to use.
    • Cons: Limited to US users.

Strategies for Financial Privacy

  1. Limit Data Sharing

    • Be cautious about sharing financial information online.
    • Use secure methods for sharing sensitive information, such as encrypted emails.
  2. Monitor Your Accounts

    • Regularly review your cryptocurrency wallets, bank and credit card statements for unauthorized transactions.
    • Set up alerts for suspicious activity.
  3. Use Secure Connections

    • Ensure that your internet connection is secure when conducting financial transactions.
    • Use a VPN to encrypt your internet traffic.
  4. Shred Financial Documents

    • Shred any physical documents containing financial information before disposing of them.
    • Store important documents in a secure location.

Encrypted Communication Tools

tag: [Engineer/Developer, Security Specialist]

Encrypted communication tools are essential for maintaining privacy and security in digital communications. These tools ensure that your messages and calls are protected from eavesdropping and unauthorized access.

  1. Signal

    • An encrypted messaging app that provides end-to-end encryption for messages, calls, and video chats.
    • Pros: Strong encryption, open source, user-friendly.
    • Cons: Requires a phone number for registration.
  2. WhatsApp

    • A widely-used messaging app that offers end-to-end encryption for messages, calls, and media.
    • Pros: Easy to use, large user base, supports various media types.
    • Cons: Owned by Facebook, requires a phone number.
  3. Telegram

    • A messaging app that offers optional end-to-end encryption through its "Secret Chats" feature.
    • Pros: Cloud-based, supports large groups and channels, feature-rich.
    • Cons: End-to-end encryption is not enabled by default, requires a phone number.
  4. Wire

    • A secure messaging app that provides end-to-end encryption for messages, calls, and file sharing.
    • Pros: Strong encryption, open source, supports multiple devices.
    • Cons: Requires an email or phone number for registration.
  5. Threema

    • A privacy-focused messaging app that offers end-to-end encryption for messages, calls, and media.
    • Pros: No phone number or email required, strong encryption, anonymous usage.
    • Cons: Paid app, smaller user base.

Best Practices for Encrypted Communication

  1. Verify Contacts

    • Always verify the identity of your contacts through security codes or other verification methods to ensure you are communicating with the intended person.
  2. Keep Apps Updated

    • Regularly update your encrypted communication apps to ensure you have the latest security patches and features.
  3. Use Strong Passwords

    • Protect your accounts with strong, unique passwords and enable two-factor authentication where possible.
  4. Be Cautious with Metadata

    • Be aware that while the content of your messages may be encrypted, metadata such as timestamps and contact information may still be accessible.
  5. Educate Yourself and Others

    • Stay informed about the latest security practices and educate your contacts on the importance of using encrypted communication tools.

Additional Resources

  1. Electronic Frontier Foundation (EFF)

    • Provides guides and resources on secure communication and privacy tools.
  2. PrivacyTools.io

    • Offers recommendations and reviews of privacy-focused tools and services.
  3. ProtonMail Blog

    • Features articles on privacy, security, and encrypted communication.

By using encrypted communication tools and following best practices, you can significantly enhance the privacy and security of your digital communications.

VPN Services

tag: [Engineer/Developer, Security Specialist]

Virtual Private Networks (VPNs) can help increase online privacy. They encrypt your internet traffic and hide your IP address, which increases the protection of your data from eavesdroppers and provides you with additional anonymity online.

Choosing a VPN Service

When selecting a VPN service, consider the following factors:

  1. Privacy Policy

    • Ensure the VPN provider has a strict no-logs policy, meaning they do not store any information about your online activities.
  2. Encryption Standards

    • Look for VPNs that use strong encryption standards, such as AES-256, to protect your data.
  3. Server Locations

    • A wide range of server locations allows you to access content from different regions and improves connection speeds.
  4. Speed and Performance

    • Choose a VPN that offers high-speed connections and minimal impact on your browsing and streaming experience.
  5. Security Features

    • Look for additional security features such as kill switch, DNS leak protection, and multi-hop connections.

  1. MullvadVPN

    • Pros: Strong privacy policy, fast speeds, wide range of server locations, robust security features.
    • Cons: More expensive than some competitors.
  2. ProtonVPN

    • Pros: Strong focus on privacy, no-logs policy, free tier available, high security standards.
    • Cons: Fewer servers compared to competitors, can be slower on free tier.
  3. NordVPN

    • Pros: No-logs policy, strong encryption, numerous servers, additional security features (e.g., Double VPN, CyberSec).
    • Cons: Some servers can be slow, interface can be cluttered.
  4. Surfshark

    • Pros: Affordable, no-logs policy, unlimited simultaneous connections, strong security features.
    • Cons: Relatively new, smaller network of servers.
  5. ExpressVPN

    • Pros: Strong privacy policy, fast speeds, wide range of server locations, robust security features.
    • Cons: More expensive than some competitors.

Best Practices for Using a VPN

  1. Always Connect to a VPN on Public Wi-Fi

    • Public Wi-Fi networks are often unsecured, making them prime targets for attackers. Always use a VPN when connected to public Wi-Fi.
  2. Enable the Kill Switch

    • A kill switch ensures that your internet connection is cut off if the VPN connection drops, preventing your data from being exposed.
  3. Regularly Update Your VPN Software

    • Ensure that you are using the latest version of your VPN software to benefit from the latest security updates and features.
  4. Use Multi-Hop Connections for Extra Security

    • Some VPNs offer multi-hop connections, which route your traffic through multiple servers for additional security.
  5. Avoid Free VPNs

    • Free VPNs often come with limitations, such as data caps and slower speeds, and may not offer the same level of privacy and security as paid services.

Data Removal Services

tag: [Engineer/Developer, Security Specialist]

Removing your personal data from online platforms can help protect your privacy and reduce the risk of identity theft. Here are some steps and services to help you remove your data from the internet.

Steps to Remove Your Data

  1. Identify Where Your Data Is

    • Conduct a search of your name and information on search engines to identify where your data is located.
    • Review your social media accounts, online forums, and public records for any personal information.
  2. Request Data Removal

    • Contact websites directly to request the removal of your data. Most sites have a contact form or email for privacy concerns.
    • Use online tools and forms provided by search engines like Google to remove specific results.
  3. Opt-Out of Data Brokers

    • Data brokers collect and sell personal information. Opt out of their databases using their online forms.
    • Some common data brokers include Spokeo, Whitepages, and PeopleFinder.

Data Removal Services

  1. DeleteMe

    • A subscription service that removes your data from data brokers and online databases.
    • Pros: Comprehensive removal, regular monitoring.
    • Cons: Costly subscription model.
  2. PrivacyDuck

    • Offers manual removal services from various websites and databases.
    • Pros: Thorough and personalized service.
    • Cons: Expensive, manual process.
  3. OneRep

    • Automated removal service that targets over 100 data broker sites.
    • Pros: Automated process, extensive reach.
    • Cons: Subscription fee required.
  4. JustDeleteMe

    • A directory of direct links to delete your account from web services.
    • Pros: Free, easy to use.
    • Cons: Requires manual effort.

Best Practices

  1. Regularly check and update the privacy settings on your online accounts.
  2. Be mindful of the information you share online and with whom.
  3. Use pseudonyms for accounts that don't require your real name.

Vulnerability Disclosure

tag: [Engineer/Developer, Security Specialist, Devops]

Vulnerability disclosure is the step that follows the identification and fixing of a vulnerability: making the vulnerability known to the wider public. Often, a vulnerability disclosure comes after a bug bounty report has been filed and the vulnerability has been corrected, or after a team member noticed a vulnerability which was then fixed. In the event that responsible disclosure of the vulnerability is not possible because the vulnerable code is being actively exploited or will imminently be exploited, Safe Harbor may be applicable.

Security Contact

tag: [Engineer/Developer, Security Specialist]

Having a security contact provides a designated point of contact for security researchers to report vulnerabilities to.

SECURE.md File

Importance

A SECURE.md file in your GitHub repository provides clear instructions on how to report security vulnerabilities.

Example Content

# Security Policy

We take the security of our project seriously. If you discover any security vulnerabilities, please report them responsibly.

## Reporting a Vulnerability

Please email us at security@projectname.TLD with the details of the vulnerability. We will respond as soon as possible.

We appreciate your help in improving the security of our project.

Security Email Address

Importance

Having a dedicated security email address (e.g., security@projectname.TLD) ensures that vulnerability reports are directed to the appropriate team members.

Setup

  • Dedicated Team: Ensure that the security email is monitored by a team with the expertise to handle vulnerability reports.
  • Prompt Responses: Aim to acknowledge receipt of vulnerability reports within 24 hours.

.well-known/security.txt

Importance

The .well-known/security.txt file is a standardized way to provide security contact information on your website.

Example Content

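Contact: mailto:security@projectname.TLD
# Expires is a required field (RFC 9116); example value, keep it less than a year ahead
Expires: 2026-12-31T23:59:59Z
Encryption: https://projectname.TLD/pgp-key.txt
Acknowledgments: https://projectname.TLD/hall-of-fame.html
Policy: https://projectname.TLD/security-policy.html
Preferred-Languages: en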

Implementation

  • Standard Location: Place the security.txt file in the .well-known directory of your website (e.g., https://projectname.TLD/.well-known/security.txt).
  • Regular Updates: Keep the security.txt file updated with current contact information and policies.
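
Keeping the file current is easier when a check runs in CI or on a schedule. The validator below is an added example (not SEAL's or any project's own tooling) that applies the field rules of RFC 9116, the specification for security.txt: `Contact` and `Expires` are required, web URIs must use https, and `Expires` should be in the future but less than a year ahead. The sample files and `example.org` addresses are constructed, and PGP-signed files are not handled.

```python
from datetime import datetime, timedelta, timezone

# Field names defined in RFC 9116 itself (names are case-insensitive).
RFC9116_FIELDS = {
    "acknowledgments", "canonical", "contact", "encryption",
    "expires", "hiring", "policy", "preferred-languages",
}
URI_FIELDS = RFC9116_FIELDS - {"expires", "preferred-languages"}
AT_MOST_ONCE = ("expires", "preferred-languages")


def parse_fields(text):
    """Return (line_number, lowercased_name, value), skipping comments and blanks."""
    fields = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        fields.append((number, name.strip().lower(), value.strip()))
    return fields


def check_expires(value, now):
    """Return a problem string for the Expires value, or None if it is fine."""
    try:
        expires = datetime.fromisoformat(value.upper().replace("Z", "+00:00"))
    except ValueError:
        return "Expires is not an ISO 8601 date-time"
    if expires.tzinfo is None:
        return "Expires has no time zone"
    if expires <= now:
        return "Expires is in the past; the file must be treated as stale"
    if expires - now > timedelta(days=365):
        return "Expires is more than a year ahead (less than a year is recommended)"
    return None


def validate(text, now=None):
    """Return a list of human-readable problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_fields(text)
    names = [name for _, name, _ in fields]
    problems = []
    for number, name, value in fields:
        if name not in RFC9116_FIELDS:
            problems.append(f"line {number}: unrecognized field {name!r} (check spelling)")
        elif name in URI_FIELDS and value.lower().startswith("http://"):
            problems.append(f"line {number}: {name} web URI must use https")
        elif name in URI_FIELDS and ":" not in value:
            problems.append(f"line {number}: {name} value is not a URI (e.g. use mailto:)")
    if "contact" not in names:
        problems.append("missing required Contact field")
    for name in AT_MOST_ONCE:
        if names.count(name) > 1:
            problems.append(f"{name} appears more than once")
    expires_values = [value for _, name, value in fields if name == "expires"]
    if not expires_values:
        problems.append("missing required Expires field")
    else:
        problem = check_expires(expires_values[0], now)
        if problem:
            problems.append(problem)
    return problems


# Constructed samples (not taken from any real deployment).
BAD_SAMPLE = """\
# constructed sample with common mistakes
Contact: security@example.org
Encryption: http://example.org/pgp-key.txt
Acknowledgements: https://example.org/hall-of-fame.html
Preferred-Languages: en
"""

GOOD_SAMPLE = """\
Contact: mailto:security@example.org
Expires: 2030-01-01T00:00:00Z
Policy: https://example.org/security-policy.html
"""

if __name__ == "__main__":
    for problem in validate(BAD_SAMPLE):
        print(problem)
```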

Managing Security Contacts

Responsibilities

  • Triage: Assess and prioritize vulnerability reports based on severity and impact.
  • Communication: Maintain clear and respectful communication with reporters. Provide regular updates on the status of their reports.
  • Resolution: Work promptly to resolve reported vulnerabilities and update the reporter on the actions taken.

Best Practices

  • Confidentiality: Treat all vulnerability reports as confidential until a fix is implemented.
  • Acknowledgement: Consider publicly acknowledging researchers who report vulnerabilities, with their permission.
  • Transparency: Be transparent about your vulnerability disclosure process and timelines.

Bug Bounties

tag: [Engineer/Developer, Security Specialist]

Bug bounty programs incentivize security researchers to identify and report vulnerabilities in your project. They augment a security team and audits by allowing external security researchers to disclose vulnerabilities in your project in a way that should be a good experience for the security researcher. Depending on the scope of the bug bounty program, you may have a higher success rate placing different parts of it with different types of bug-bounty-as-a-service providers, as their platforms generally attract security researchers with different skill sets.

Bug Bounty as a Service

Web3

  • Immunefi
    • Pros: One of the largest bug bounty as a service platforms for web3
  • Hackenproof
    • Pros: Provides end-to-end encryption for reports, ensuring only a project's security team can decrypt it using their own private keys.

Web2

  • HackerOne
  • Bugcrowd

Pros and Cons of Running Your Own Bug Bounty Program

Pros

  1. Full control over the scope, rewards, and rules of the program.
  2. Potentially lower cost.
  3. Direct interaction with security researchers could build strong relationships.

Cons

  1. Requires significant time and resources to manage.
  2. Need for skilled triage abilities to handle and prioritize reports.
  3. Risk of being overwhelmed by reports, including false positives.

Key Elements of a Successful Bug Bounty Program

Scope

  1. Clearly define the scope of the program, including in-scope and out-of-scope assets.
  2. Regularly update the scope to include new features and exclude deprecated ones.

Rewards

  1. Offer competitive rewards based on the severity and impact of the vulnerabilities.
  2. Be transparent about the reward structure and criteria for evaluating reports.

Triage and Response

  1. Have skilled personnel to triage incoming reports, assess severity, and prioritize responses.
  2. Respond to reports promptly, acknowledging receipt and providing regular updates.

Communication

  1. Treat all reporters with respect and professionalism.
  2. Provide feedback to researchers on the status of their reports and any actions taken.

  1. Clearly state safe harbor provisions to protect researchers from legal action when acting in good faith.
  2. Define your policy on public disclosure of vulnerabilities, including timelines and conditions.

Whitehat Safe Harbor

tag: [SEAL/Initiative, Protocol, Whitehat, DAO]

SEAL’s Whitehat Safe Harbor agreement is a legal and technical framework which can be adopted by protocols and crypto communities to grant advance permission to whitehats and MEV bots for frontrunning exploits so long as:

  1. Funds are returned to a designated Asset Recovery Address determined by the protocol.
  2. Action is only taken in the event of an Active Exploit.

FAQ

How Does Safe Harbor Differ From Bug Bounty Programs?

In bug bounty programs, whitehats identify and report security vulnerabilities that are not yet publicly known. This allows for a more controlled response, as the information is initially shared with a limited audience, reducing immediate risk.

With the Safe Harbor Initiative, whitehat intervention is permitted only after an exploit has been attempted by a separate malicious actor. This scenario requires a more immediate and urgent response. The Safe Harbor agreement pre-emptively grants whitehats the authorization to act in these circumstances, ensuring that they can address immediate threats without the delay of communicating with the protocol.

Who Wrote Safe Harbor?

The current proposal was written by lawyers and security researchers specialized in cybersecurity incident response, web3, and global disclosure laws.

The legal contract was written by web3 law firm Piper Alderman, white shoe firm Debevoise & Plimpton, and LexPunk Community legal. In addition, general support was received from the in-house legal counsel at many of the world’s largest crypto funds and projects.

How Does Safe Harbor Work Legally?

The contract is triggered only when a blackhat attacks a protocol or a systemic breach is discovered. At that point, a separate whitehat (unaffiliated with the attacker) can attempt to save the assets being stolen by using similar hacking methods.

The contract activates through the action of the whitehat, but is not binding unless both of the following happen:

  1. The protocol community has given the whitehat authorization to attempt to hack the affected protocol in advance via adoption of Safe Harbor.
  2. The whitehat demonstrates via their actions and delivery of assets to the return address that they are competent.

The whitehat succeeds once they return any assets recovered to a safety address. In return, they receive a reward and protection against lawsuits from the other parties to the contract.

If the whitehat doesn’t succeed, they don’t receive a reward or legal protection because in this case, it’s impossible for the protocol community to distinguish between incompetence and malice.

How Can I Participate?

For protocols or DAOs to participate in Safe Harbor, they can adopt Safe Harbor and register all assets under scope. This involves adopting the Safe Harbor agreement, publicly announcing their adoption, and selecting adoption details such as bounty terms, assets under scope, and an asset recovery address. Once a protocol has adopted safe harbor, in the event of an active exploit, whitehats will be allowed to intervene and attempt to save protocol funds.

For whitehats to participate in Safe Harbor, they must have sufficient experience in blockchain security to perform the rescue competently. While there is no formal standard, they should have some background experience in software engineering, security, and/or blockchain auditing. They must also be free from OFAC sanctions and not involved in legal issues related to any other blockchain exploits.

For more details you can review Safe Harbor for Protocols and Safe Harbor for Whitehats.

Safe Harbor for Protocols

tag: [SEAL/Initiative, Protocol, DAO]

Why You Should Care

Currently, the process for fund recovery during an active exploit is a Wild West. There are no standards or protections for ethical Whitehats hoping to help prevent the next hack. Those who intervene do so without any legal protection or assurance of reward.

As of 2023, just 20% of stolen assets are recovered. With Safe Harbor we aim to approach 100%.

[Figure: 20% Assets Recovered. Hacken 2023 Security Report]

Safe Harbor defines clear guidelines for what a Whitehat can and cannot do to protect your protocol, as well as what happens after protection occurs.

  1. A higher chance of fund recovery: In the event of an attack on your protocol, whitehats will be more likely to step in and your funds are more likely to be returned.
  2. Guidance on how Whitehats operate: When adopting Safe Harbor, you can define certain adoption details. These details specify bounty terms for successful Whitehats, what assets should be protected, where recovered funds should be returned (asset recovery address), and KYC requirements prospective Whitehats must follow.
  3. Systematic & Financial Premonition: Safe Harbor helps answer the question “what next” after a hack targeting your protocol. The agreement specifies how Whitehats should return your funds and the maximum bounty they can receive, letting you better plan ahead.

Protocol Adoption

Safe Harbor adoption is easier than setting up a Bug Bounty. You can either do so manually, following SEAL’s adoption checklist, or you can use the tools provided by third parties like Skylock or Immunefi.

Safe Harbor was written explicitly with DAOs in mind. They can adopt safe harbor using their decentralized governance measures.

To get started, we recommend:

  1. If you already use Immunefi for bug bounties, sign up using their adoption portal.
  2. Otherwise, contact Dickson at “dickson@skylock.xyz” who can help kickstart your adoption.

Adoption will generally follow the following process:

  1. Decide on Adoption Details:

    • On-Chain Assets: List all smart contract and wallet addresses to protect.
    • Asset Recovery Address: Provide an address for Whitehats to return recovered funds.
    • Bounty Terms: Set bounty percentage and cap for successful Whitehats (recommended 10% and $1M USD, respectively).
    • KYC Requirements: Define Know Your Customer (KYC) requirements for Whitehats.
    • Emergency Contact Information: Provide contact details for use during an exploit.
  2. Adoption Process:

    • Create Agreement Fact Pages: Detail your adoption specifics.
    • DAO Procedures: For DAOs, follow standard procedures to push through adoption.
    • Public Disclosure: Publish adoption details in accessible locations such as the Safe Harbor Registry and your website’s Terms and Conditions.
    • Maintain Adoption: Ensure adoption details are updated whenever a new asset is deployed on-chain.

Collecting all this information ensures that, in the event of an attack against your protocol, whitehats have the knowledge and permission required to step in and minimize losses.

After You’ve Adopted

Once you've adopted Safe Harbor, maintaining it is crucial for ongoing protection of any new assets. If you publish a new asset, always update your Safe Harbor adoption so that everything remains protected.

If you want to make any changes to your adoption details, for example adjusting the bounty terms or KYC requirements, you must do so before an exploit occurs. Protocols are not permitted to retroactively change their adoption details after an exploit.

In the Event of a Hack

In the event of an exploit you’ll follow the below process.

  1. Asset Recovery: Whitehats will use your designated Asset Recovery Address to return any recovered funds and attempt to contact your designated emergency contact. In general this should happen within 6 hours of the event, though it may take as long as 48 hours.
  2. Post-recovery Procedure: Upon receiving your recovered assets, conduct any required KYC checks using the disclosed KYC provider. Then, distribute the agreed bounty to the Whitehat according to the bounty terms specified in your adoption details.

Safe Harbor for Whitehats

tag: [SEAL/Initiative, Whitehat]

Why You Should Care

Safe Harbor lets whitehats step in during active exploits to help secure protocol funds. It does so by providing a legal framework that outlines what whitehats can and can't do and how they ought to operate, and that protects whitehats in the event of legal action taken by the protocol.

In addition to the legal protections, Safe Harbor also helps whitehats by telling them, for every organization that adopts Safe Harbor:

  1. What assets are owned by the protocol
  2. What the protocol's asset recovery address is
  3. Who the security contact is
  4. What KYC requirements (if any) the protocol imposes on whitehats
  5. What bounty terms whitehats will be awarded under Safe Harbor

This information is all neatly cataloged in the Safe Harbor Registry - an on-chain registry cataloging all protocol adoptions and their adoption details. For more details, review the Safe Harbor for Protocols document.

Whitehat Adoption

If a whitehat reads and understands the entire legal framework, they may later be eligible to participate in a whitehat rescue. These rescues should only be taken in very specific circumstances, and it is important to reiterate the following:

  • The framework only applies to active exploits, and it is a violation of the agreement if the whitehat initiates an exploit themselves.
  • The protocol is not responsible for ensuring the whitehat follows the law, and the whitehat cannot be protected from criminal charges outside the agreement's scope.
  • There are nuances that can affect the agreement's enforceability, and whitehats will assume many legal risks by becoming involved.
  • If the whitehat decides to proceed with a whitehat rescue, they must follow the process specified in the agreement. This includes transferring rescued funds to the protocol's "Asset Recovery Address" and promptly notifying the protocol of the fund recovery. The whitehat may keep (or later receive) a reward, based on the terms of the agreement.

Safe Harbor may also apply to generalized frontrunner / arbitrage bots. The rules of conduct enforced by Safe Harbor for Prospective and Retrospective whitehats differ in a few key areas.

In the Event of a Hack

Pre-Intervention

In the event of a hack targeting a protocol that has adopted Safe Harbor, whitehats are permitted to take broad actions to secure the protocol's funds. Before taking action, review the following checklist (also present in the Safe Harbor Technical Summary):

  • Is this an active, urgent exploit?
  • Are you unable to responsibly disclose the exploit (e.g. via a bug bounty program) due to time constraints or other reasons?
  • Can you reasonably expect your intervention to be net beneficial, reducing total losses to the protocol and associated entities?
  • Are you experienced and confident in your ability to manage execution risk, avoiding unintentional loss of funds?
  • Will you avoid intentionally profiting from the exploit in any way other than through the reward granted by the protocol?
  • Are you and anyone with whom you directly cooperate during the funds rescue, as well as all funds and addresses used in said rescue, free from OFAC sanctions and/or other connections to sanctioned parties?
  • Have you confirmed the agreement has been duly adopted by the protocol community?
  • Are you fully aware of the risks associated with your actions, including but not limited to accidental loss of funds, claims and liabilities outside this agreement's scope, and the unclear extent of this agreement's enforceability?

In the event that all of the above applies, you may choose to take action to protect the protocol's assets.

Post-Intervention

After the funds have been recovered, it is your responsibility to ensure their safe return to the owner protocol. If possible, we recommend contacting SEAL911 immediately to advise on the fund recovery process and to assist with KYC, protocol communications, and bounty collection. Otherwise, you must contact the protocol's posted security contact and return all recovered funds to the protocol's asset recovery address within 6 hours of the event, or 48 hours if a reason is provided and the protocol has been made aware.

Key Terms

Active Exploit

Active Exploits (or, in the legal contract, an “Urgent Blackhat Exploit”), are defined in the Safe Harbor Agreement (2.3 Certain Defined Terms, Urgent Blackhat Exploits). Summarizing, an exploit is considered to be active when:

  1. The exploit has already been initiated against a Protocol and remains an active threat; or
  2. The exploit is highly likely to be imminently initiated against a Protocol.

In general, this means an active exploit is one that is already in progress, where pursuing regular reporting methods such as a bug bounty wouldn’t be fast enough to protect protocol funds.

Safe Harbor Registry

The Safe Harbor Registry is an on-chain smart contract that helps protocols adopt Safe Harbor. The smart contract allows protocols to register their adoption details and legally adopt Safe Harbor, publicly displaying the protocol's Agreement Details.

The contract’s source code and deployment details are stored in the security-alliance/safe-harbor GitHub repository.

Agreement Details

The Agreement Details are the set of options protocols may configure when adopting Safe Harbor. These options differ from protocol-to-protocol and should be reviewed by any prospective whitehats.

  • On-Chain Assets: List all smart contract and wallet addresses to protect.
  • Asset Recovery Address: Provide an address for Whitehats to return recovered funds.
  • Bounty Terms: Set bounty percentage and cap for successful Whitehats (recommended 10% and $1M USD, respectively).
  • KYC Requirements: Define Know Your Customer (KYC) requirements for Whitehats.
  • Emergency Contact Information: Provide contact details for use during an exploit.

Asset Recovery Address

An Asset Recovery Address is an on-chain address that is created by a protocol prior to their Safe Harbor adoption. This address is used by Whitehats to return funds to a protocol after successfully intervening during an active exploit under Safe Harbor. Protocols must create this address on every chain for which they have assets under scope. The address should be highly secure and able to handle large sums of assets.

Prospective & Retrospective Whitehats

Safe Harbor may also apply to generalized frontrunner / arbitrage bots, though the specifics may differ. In general, regular whitehats are considered prospective whitehats and are required to give notice to the protocol and return all funds immediately after the exploit, while bots are considered retrospective whitehats and are required to give notice and return all funds as soon as they become aware of the exploit. We recommend reviewing the full agreement to understand all differences between prospective and retrospective whitehats.

Supply Chain Security

tag: [Engineer/Developer, Security Specialist, Devops]

Supply chain security involves managing and securing all the components, dependencies, and processes involved in the development, deployment, and maintenance of software. In the context of blockchain and web3 projects, supply chain security could, for example, cover parts of the web application stack or external libraries used by the smart contract.

Dependency Awareness

tag: [Engineer/Developer, Security Specialist]

Dependency awareness is the practice of understanding and managing all the external libraries, frameworks, and components that a software project relies on. Dependencies can introduce vulnerabilities and risks, which means it's important to keep track of them and ensure they are secure.

Importance of Dependency Awareness

  1. Security Risks

    • Dependencies can contain vulnerabilities that may be exploited by threat actors.
  2. Compliance

    • Ensuring that dependencies comply with licensing and regulatory requirements is essential to avoid legal issues.
  3. Maintainability

    • Understanding dependencies and their impact on the project helps you determine whether it's possible to update a dependency used by your application.

Best Practices for Dependency Awareness

  1. Use Dependency Management Tools

    • Leverage tools that can automatically track and manage dependencies. Examples include:
      • Web2:
        • Snyk: Monitors and fixes vulnerabilities in dependencies.
        • Dependabot: Automatically updates dependencies in GitHub projects.
      • Solidity:
        • Ethlint: Analyzes and lints Solidity code, including dependencies.
        • MythX: Scans for vulnerabilities in smart contract dependencies.
  2. Regularly Update Dependencies

    • Regularly update dependencies to the latest secure versions after verifying them.
  3. Monitor for Vulnerabilities

    • Continuously monitor dependencies for known vulnerabilities using tools like Snyk, npm audit, and GitHub Security Alerts.
  4. Audit Dependencies

    • Perform regular audits of dependencies to ensure they are necessary and secure. Remove unused or outdated dependencies.
  5. Use Trusted Sources

    • Only use dependencies from trusted and reputable sources. Avoid using unverified or poorly maintained libraries.
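One way to carry out the Audit Dependencies and Use Trusted Sources steps for an npm project, as an added example (not code from the SEAL frameworks): the script reads a package-lock.json in the lockfileVersion 2/3 layout and flags entries fetched from outside an allow-listed registry, over plain HTTP or from git, or lacking a strong integrity hash. The package names, hosts and hashes in the sample lockfile are constructed, and the trusted-registry list is an assumption to adapt.

```python
import json
from urllib.parse import urlparse

# Assumption: only the public npm registry is trusted. Add a private mirror if you run one.
TRUSTED_REGISTRY_HOSTS = frozenset({"registry.npmjs.org"})
STRONG_HASH_PREFIXES = ("sha256-", "sha384-", "sha512-")

# Constructed sample in the npm lockfileVersion 3 layout (names, hosts, hashes are made up).
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-dapp", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-dapp", "version": "1.0.0"},
        "packages/app": {"name": "app", "version": "1.0.0"},
        "node_modules/app": {"resolved": "packages/app", "link": True},
        "node_modules/example-utils": {
            "version": "3.2.1",
            "resolved": "https://registry.npmjs.org/example-utils/-/example-utils-3.2.1.tgz",
            "integrity": "sha512-Q09OU1RSVUNURUQ="},
        "node_modules/example-utils/node_modules/example-nested": {
            "version": "1.0.2",
            "resolved": "https://registry.npmjs.org/example-nested/-/example-nested-1.0.2.tgz",
            "integrity": "sha512-Q09OU1RSVUNURUQ="},
        "node_modules/example-signer": {
            "version": "2.0.1",
            "resolved": "https://packages.example.net/example-signer/-/example-signer-2.0.1.tgz",
            "integrity": "sha512-Q09OU1RSVUNURUQ="},
        "node_modules/example-abi": {
            "version": "1.4.0",
            "resolved": "git+ssh://git@github.com/example-org/example-abi.git"
                        "#0000000000000000000000000000000000000000"},
        "node_modules/example-legacy": {
            "version": "0.3.0",
            "resolved": "http://registry.npmjs.org/example-legacy/-/example-legacy-0.3.0.tgz",
            "integrity": "sha1-Q09OU1RSVUNURUQ="},
    },
})


def _source_issues(resolved, trusted_hosts):
    """Classify where a package tarball comes from."""
    if not resolved:
        return ["unknown-source"]
    url = urlparse(resolved)
    if url.scheme.startswith("git"):      # git, git+ssh, git+https, github
        return ["git-source"]
    if url.scheme == "file":
        return ["local-file-source"]
    issues = []
    if url.scheme != "https":
        issues.append("insecure-transport")
    if url.hostname not in trusted_hosts:
        issues.append("untrusted-host")
    return issues


def _integrity_issues(integrity):
    """An SRI string may hold several space-separated hashes; one strong hash is enough."""
    if not integrity:
        return ["missing-integrity"]
    if not any(h.startswith(STRONG_HASH_PREFIXES) for h in integrity.split()):
        return ["weak-integrity"]
    return []


def audit_lockfile(lock_text, trusted_hosts=TRUSTED_REGISTRY_HOSTS):
    """Return sorted (package, version, issue) tuples for entries that need review."""
    packages = json.loads(lock_text).get("packages")
    if packages is None:
        raise ValueError("no 'packages' map: lockfileVersion 1 is not supported here")
    findings = []
    for path, meta in packages.items():
        # Skip the root project, workspace sources, symlinks to them, and bundled
        # dependencies (those ship inside their parent's tarball).
        if "node_modules/" not in path or meta.get("link") or meta.get("inBundle"):
            continue
        name = path.rsplit("node_modules/", 1)[1]   # handles nested installs
        version = meta.get("version", "?")
        issues = _source_issues(meta.get("resolved"), trusted_hosts)
        issues += _integrity_issues(meta.get("integrity"))
        findings.extend((name, version, issue) for issue in issues)
    return sorted(findings)


if __name__ == "__main__":
    for name, version, issue in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"{name}@{version}: {issue}")
```

A check like this complements, rather than replaces, vulnerability feeds such as npm audit: it looks at where each package comes from, not at whether a given version has known flaws.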

Supply Chain Levels for Software Artifacts

tag: [Engineer/Developer, Security Specialist]

Supply chain levels for software artifacts provide a framework for categorizing and securing software components based on their risk levels. This approach helps projects prioritize their security efforts towards software components with the highest risk levels.

Framework for Supply Chain Levels

  1. Level 1: Critical Artifacts

    • These artifacts are essential to the core functionality of the software and pose a high risk if compromised.
    • Examples: Core libraries.
  2. Level 2: High-Risk Artifacts

    • Artifacts that are important but not critical. Their compromise could lead to significant security issues.
    • Examples: Middleware, database connectors, oracles, authentication modules.
  3. Level 3: Moderate-Risk Artifacts

    • Artifacts that are used frequently but have a lower risk profile. Their compromise could cause inconvenience but not catastrophic failure.
    • Examples: User interface libraries, utility functions, data processing modules.
  4. Level 4: Low-Risk Artifacts

    • Artifacts that have minimal impact on security if compromised.
    • Examples: Logging libraries, test utilities.

Best Practices for Securing Supply Chain Levels

  1. Critical Artifacts

    • Implement strict access controls and require code reviews for all changes.
    • Use robust security testing, including static and dynamic analysis.
    • Monitor continuously for vulnerabilities and apply patches promptly.
  2. High-Risk Artifacts

    • Enforce strong access controls and conduct regular security assessments.
    • Perform regular updates and vulnerability scans.
    • Implement automated security testing in CI/CD pipelines.
  3. Moderate-Risk Artifacts

    • Apply standard security practices, including access controls and regular updates.
    • Use automated tools to scan for vulnerabilities periodically.
    • Ensure that dependencies are from trusted sources.
  4. Low-Risk Artifacts

    • Follow basic security hygiene, such as using trusted sources and applying updates.
    • Perform occasional security reviews and audits.

Security Awareness

tag: [Security Specialist, Operations & Strategy, Community & Marketing, HR]

Security Awareness aims to bring essential information that is relevant to each team. Each team has different security needs and faces different potential threat actors, and for security awareness to be successful it should be tailored to each team's unique threat landscape.

Contents

  1. Security Training
  2. Social Engineering
  3. Staying Up-to-Date

Social Engineering

tag: [Security Specialist, Operations & Strategy]

Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information. This is one of the easiest and most effective ways to obtain access to your project.

Common Social Engineering Techniques

1. Phishing

  • Email Phishing: Fraudulent emails that appear to be from reputable sources, often containing malicious links or attachments.
  • Spear Phishing: Targeted phishing attacks tailored to specific individuals or organizations.

2. Pretexting

  • False Pretenses: Attackers create a fabricated scenario to steal personal information.
  • Impersonation: Pretending to be someone in authority or a trusted individual to gain access to sensitive information.

3. Baiting

  • Physical Baiting: Leaving infected USB drives or other devices in public places to lure victims into using them.
  • Online Baiting: Offering free downloads or deals that contain malware or are used to obtain access to accounts.

4. Tailgating

  • Physical Security Breach: Following authorized personnel into restricted areas without proper credentials.

5. Shoulder Surfing

  • Information Leakage: A threat actor could be monitoring your screen in a shared co-working space, to understand what you're working on and use the information to gain unauthorized access.

Users should be particularly vigilant in co-working spaces, as well as be aware of the presence of cameras or other recording devices that could capture sensitive information. Always position your screen away from prying eyes and use privacy screens if necessary.

Preventive Measures

1. Education and Awareness

It could prove valuable to conduct regular training sessions on recognizing and responding to social engineering attacks, and to stay up to date on the current trends in web2 and web3. For example, right now it is increasingly common for threat actors to pretend to offer jobs and ask applicants to run malicious projects that create backdoors on the applicant's computer.

2. Verification

  • Double-Check Requests: Always verify the identity of individuals requesting sensitive information, especially if the request is unusual or urgent.
  • Use Secure Channels: Communicate through official channels and avoid sharing sensitive information over unsecured methods.

3. Security

  • Access Control: Implement strict access control measures, preferably requiring confirmations by multiple people before critical actions can be taken.
  • Report Suspicious Activity: Encourage team members to report any suspicious behavior or requests immediately.

Security Training

tag: [Security Specialist, Operations & Strategy, HR]

All team members should receive some type of security training; how in-depth this training is depends on their specific needs and what type of access they have. It is important not to do this only once, but to keep it as a recurring activity. A training session does not need to mean sitting down for 60 minutes to look at a PowerPoint presentation; it could instead be tiny nuggets of relevant information that take no more than a minute to consume each time.

Security Training Session

An introductory, overarching training session could cover the following:

1. Introduction to Security

  • Importance of Security: Explain why security is important for your project.
  • Common Threats: Cover the common threats targeting your platform and the types of attacks most likely to affect the team you're training.

2. Password Management

  • Strong Passwords: Explain the reason for using unique and complex passwords for accounts.
  • Password Managers: Show the value and time savings of using a password manager to securely store and manage passwords.

3. Two-Factor Authentication (2FA)

  • Enabling 2FA: Explain why it's important to enable 2FA.
  • Types of 2FA: Explain the different types of 2FA, including SMS, authenticator apps, and hardware tokens. Each of these has its strengths and weaknesses, which should be explained (and especially why nobody should be using SMS for 2FA).

4. Secure Communication

  • Email Security: Explain how phishing emails and fake jobs can be used by a threat actor to compromise a project.
  • Messaging Apps: Explain why messaging apps such as Telegram do not have end-to-end encryption, and why secure messaging apps like Signal should be used for sensitive communications.

5. Device Security

  • Software Updates: Explain why it's important to keep operating systems and software up to date.
  • Antivirus Software: Explain when it could be relevant to install and keep antivirus software up to date on relevant devices.

6. Data Protection

  • Backups: Discuss when it could be relevant to back up important data.
  • Encryption: Discuss when using encryption could be important to protect sensitive data both in transit and at rest.

7. Phishing Training

  • Phishing Test Campaigns: As a means to keep team members aware of the type of phishing emails that they may be receiving, it could be beneficial to run a phishing test campaign against the team members from time to time.
  • Effectiveness of Phishing Training: While phishing training can be beneficial, it's important to note that not all phishing tests are insightful. Poorly designed phishing tests can lead to frustration and a contrary effect, where team members become desensitized or overly cautious, impacting their productivity. It's crucial to design phishing tests that are realistic, educational, and provide constructive feedback to truly enhance security awareness.

8. Incident Response

  • Reporting Incidents: Discuss the need for everybody knowing how to react during security incidents, and how one should never be afraid to raise the alarm.
  • Response Plan: For teams where relevant, discuss the incident response plan.

Staying Up-to-Date

tag: [Security Specialist, Operations & Strategy]

It is often very valuable to have information on the latest security threats and trends, as you may be able to take preventive actions for attacks that are increasing, or security vulnerabilities that may be relevant to your project. Some things you could consider doing are:

1. Subscribe to Security Newsletters

  • Industry News: While most security newsletters are focused on web2, they could still be relevant to your project as a large part is actually likely to run on web2 services. You could subscribe to newsletters from sources such as FIRST.org.
  • Vendor Updates: If you have awareness of what software and hardware you're running in your project stack (which you should), you can follow updates from them for information on new vulnerabilities and patches.

2. Participate in Security Communities

  • Forums and Groups: Join online groups dedicated to security topics, such as the SEAL Discord.
  • Local Meetups: Attend local security meetups and conferences such as DeFi Security Summit to network with other professionals and learn about what's new in security.

3. Follow Security Blogs and Podcasts

  • Social Feeds: Follow blogs and listen to podcasts such as the Daily Stormcast from FIRST.org or Darknet Diaries to gain deeper insights into emerging threats and solutions.

External Security Reviews

tag: [Security Specialist, Operations & Strategy, Devops]

External security reviews are quite common in web3, most often in the form of smart contract audits, which are done to check whether the smart contracts are secure.

It's important to note, though, that smart contracts are not the only components that should be considered during security reviews. Any relevant off-chain software (Bridges, Oracles, Sequencers, etc.) should also be reviewed in conjunction with any on-chain application.

While external security reviews are good, they are certainly not foolproof and cannot guarantee absolute security. For that reason, this type of security testing is not a one-time event but an ongoing commitment to the safety and security of your web3 project.

Contents

  1. Expectation
  2. Preparation
  3. Vendor Selection
  4. Security Policies and Procedures

Expectation

tag: [Security Specialist, Operations & Strategy]

A security review is a time-boxed assessment, generally with a project's smart contracts being in scope.

Generally speaking, a security review will generate the following:

  • Identification of security vulnerabilities and potential proof of concept attacks.
  • Recommendations for mitigating identified risks.
  • A review of changes implemented for mitigating identified risks.
  • Comprehensive report detailing findings and suggested improvements, which in web3 is commonly publicly published.

Preparation

tag: [Security Specialist, Operations & Strategy, Devops]

A common misconception is that when doing a security review, you can just hand off the written code and let reviewers do their work. This could work in theory, but it means reviewers spend time on things you could easily have done yourself, which makes the review less cost-effective. Some of the steps you could consider taking before initiating a security review are:

Set a Goal for the Review

This is the most important step of a security review and often the most overlooked. By setting a scope that is not too large or undefined, you are more likely to have a successful audit. If the project is very large, you may want to focus on the most critical aspects of the project.

Internal Due Diligence

Conduct internal testing before engaging an external security provider. You can do this by creating and running test vectors for your code, and by leveraging automated tools to identify low-hanging fruit. Here’s a list of free/open-source tools your project could use:

  • Solidity: slither, mythril, semgrep-smart-contracts
  • Golang: golangci-lint, go-critic, gosec, gokart
  • Rust: cargo audit, cargo outdated, clippy, cargo geiger, cargo tarpaulin

Documentation

Documentation is critical for knowledge transfer and future-proofing projects. At a minimum, your documentation should include:

  • Project Overview: Describe your protocol in plain English—what it does and its components.
  • Flow Diagrams: Outline all possible interaction paths within your system.
  • Design Choices: Document design decisions and any known potential issues.
  • Known Restrictions / Limitations: Document centralization risks and known limitations (e.g., limited TVL, token support).
  • Dependencies: List all external dependencies.
  • Access Control / Privileged Roles: Record all roles and their privileges.

Vendor Selection

tag: [Security Specialist, Operations & Strategy]

There are a lot of security vendors in the web3 ecosystem, and also in the web2 ecosystem. Depending on what you want to have reviewed, for example a Solidity contract, it may be relevant to use a security vendor that focuses on web3, while if you're reviewing your infrastructure, for example, it may be more relevant to choose a vendor that focuses on web2.

  1. Make sure you evaluate potential vendors based on their track record, reputation, and experience in what you want to test.
  2. Look for vendors with a proven history of addressing security challenges similar to your project’s needs.
  3. Ensure the vendor has relevant experience in web3 security vulnerabilities, as these require specialized skills.
  4. For example, if you’re building an L2, it may be beneficial to choose a vendor with a track record of reviewing L2s.
  5. It could prove valuable to start with a crowd-sourced assessment which is likely to catch a lot of low hanging fruit, then move to a dedicated security vendor that will dig down into the code to potentially find remaining issues.

Security Policies and Procedures

tag: [Security Specialist, Legal & Compliance, Operations & Strategy, HR]

As part of the external security review, it could be beneficial to also review the internal security policies and procedures. Some of the things that could be relevant to review are:

  1. Ensure there is a developed and maintained plan for responding to security incidents.
  2. Ensure there are defined roles and responsibilities, and enforce the principle of least privilege.
  3. Ensure there are processes implemented for managing changes to the codebase and infrastructure.
  4. Ensure there are regular training sessions conducted for all team members on security best practices.
  5. Ensure adherence to any potentially relevant regulatory and industry standards for your project.

Governance

tag: [Operations & Strategy, Legal & Compliance]

Good governance practices involve setting clear policies, establishing accountability, and continuously monitoring and improving security measures. This section provides some best practices and guidelines for how you could implement governance in your project.

Contents

  1. Compliance with Regulatory Requirements
  2. Risk Management
  3. Security Metrics and KPIs

Risk Management

tag: [Operations & Strategy, Legal & Compliance]

If a project has effective risk management, it is also likely to be successful at identifying, assessing, and mitigating potential threats to the project. By utilizing risk management, you're likely to be able to prioritize security efforts and see where resources are needed. Risk management provides the capabilities to develop and implement strategies to mitigate identified risks by continuously monitoring the security landscape for new threats and vulnerabilities and then communicating risk findings and mitigation strategies to relevant people.

Best Practices for Risk Management

  1. Use established frameworks such as NIST, ISO 27001, or COBIT to help start your risk management efforts.
  2. Focus on the most critical risks first, using a risk matrix to prioritize based on likelihood and impact.
  3. Conduct regular risk assessments and reviews to keep up with the constantly evolving threat landscape.
  4. Use lessons learned from past incidents and risk assessments to continuously improve your risk management practices.

Compliance with Regulatory Requirements

tag: [Operations & Strategy, Legal & Compliance, Devops, HR]

Compliance with regulatory requirements may be essential for your project. Understanding the needs and ensuring the necessary compliance helps protect your project from potential legal penalties.

Key Regulatory Frameworks

Some examples of regulatory frameworks or standards for web3 are:

Best Practices for Compliance

Best Practices for Regulatory Compliance in Terms of Security

1. Understand Applicable Regulations

  • Identify Relevant Regulations: Clearly identify all regulatory frameworks that apply to your organization, such as GDPR, HIPAA, CCPA, or PCI DSS.
  • Regularly Review Legal Requirements: Stay updated on changes in regulations that impact your industry, ensuring compliance measures evolve accordingly.
  • Engage Legal Counsel: Work with legal experts to interpret regulations accurately and implement appropriate security controls.

2. Develop a Robust Security Policy Framework

  • Comprehensive Security Policies: Develop detailed security policies that align with regulatory requirements, covering areas like data protection, access control, and incident response.
  • Policy Documentation: Maintain thorough documentation of all security policies, procedures, and controls, ensuring they are easily accessible for audits and reviews.
  • Regular Policy Updates: Review and update security policies regularly to reflect changes in regulations and emerging threats.

3. Data Protection and Privacy

  • Data Classification: Classify data based on sensitivity and regulatory requirements, ensuring appropriate protection levels for each category.
  • Data Minimization: Collect and retain only the minimum amount of data necessary for business operations, reducing exposure to potential breaches.
  • Anonymization and Pseudonymization: Where possible, apply anonymization or pseudonymization techniques to protect personal data.

4. Access Management and Control

  • Role-Based Access Control (RBAC): Implement RBAC to ensure that employees have access only to the data and systems necessary for their roles.
  • Multi-Factor Authentication (MFA): Require MFA for access to sensitive systems and data, adding an extra layer of security.
  • Regular Access Audits: Conduct regular audits of user access rights to ensure compliance with the principle of least privilege.

5. Incident Response Planning

  • Comprehensive Incident Response Plan: Develop an incident response plan that aligns with regulatory requirements, detailing steps for identifying, responding to, and reporting security incidents.
  • Regulatory Reporting: Ensure the incident response plan includes protocols for reporting breaches to regulatory authorities within the required timeframes.
  • Regular Testing: Conduct regular simulations and tabletop exercises to test the effectiveness of the incident response plan.

6. Continuous Monitoring and Auditing

  • Automated Monitoring Tools: Implement automated tools to continuously monitor compliance with security regulations and detect potential vulnerabilities or breaches.
  • Internal Audits: Conduct regular internal audits to assess compliance with security policies and regulatory requirements.
  • External Audits: Engage third-party auditors to provide independent assessments of your security posture and compliance status.

7. Employee Training and Awareness

  • Regular Training Programs: Provide regular training on regulatory requirements, data protection, and security best practices for all employees.
  • Phishing and Social Engineering Awareness: Educate employees about phishing, social engineering, and other common attack vectors that could lead to compliance breaches.
  • Role-Specific Training: Tailor training programs to address the specific regulatory and security responsibilities of different roles within the organization.

8. Third-Party Risk Management

  • Vendor Due Diligence: Conduct thorough due diligence on third-party vendors to ensure they comply with relevant security regulations.
  • Contractual Obligations: Include specific security and compliance requirements in contracts with third-party vendors.
  • Continuous Monitoring: Monitor third-party vendors’ compliance with security requirements throughout the relationship.

9. Data Encryption and Secure Communication

  • Encryption Standards: Use strong encryption standards for protecting data both at rest and in transit, in line with regulatory requirements.
  • Secure Communication Channels: Ensure that all communication involving sensitive data is conducted over secure channels (e.g., TLS, VPN).
  • Key Management: Implement robust key management practices to protect encryption keys from unauthorized access.

10. Documentation and Record-Keeping

  • Compliance Documentation: Maintain detailed records of compliance efforts, including audit results, incident reports, and training logs.
  • Retention Policies: Establish data retention policies that comply with regulatory requirements, ensuring that records are kept for the required duration.
  • Audit Trails: Ensure that all access to sensitive data is logged, creating a clear audit trail for compliance verification.

Useful Resources

Here are some useful resources where you can follow and learn more about the best practices mentioned:

  1. National Institute of Standards and Technology (NIST)

    • NIST Cybersecurity Framework: A comprehensive resource for implementing cybersecurity best practices and complying with regulatory requirements.
    • URL: https://www.nist.gov/cyberframework
  2. International Organization for Standardization (ISO)

  3. Center for Internet Security (CIS)

    • CIS Controls: A prioritized set of actions that help organizations comply with regulatory requirements and improve their cybersecurity posture.
    • URL: https://www.cisecurity.org/controls/
  4. General Data Protection Regulation (GDPR)

    • Official GDPR Portal: Provides detailed information on GDPR requirements, including guidelines, tools, and resources for compliance.
    • URL: https://gdpr.eu/
  5. Health Insurance Portability and Accountability Act (HIPAA)

    • HIPAA Journal: Offers news, resources, and guidelines for ensuring compliance with HIPAA regulations, particularly in the healthcare sector.
    • URL: https://www.hipaajournal.com/
  6. Payment Card Industry Data Security Standard (PCI DSS)

    • Official PCI Security Standards Council: Provides comprehensive resources, including guidelines and tools for complying with PCI DSS requirements.
    • URL: https://www.pcisecuritystandards.org/
  7. Cybersecurity & Infrastructure Security Agency (CISA)

  8. Cloud Security Alliance (CSA)

  9. International Association of Privacy Professionals (IAPP)

    • IAPP Resource Center: Offers a wealth of resources, including whitepapers, research, and tools, to help organizations comply with data protection regulations.
    • URL: https://iapp.org/resources/
  10. SANS Institute

    • SANS Security Resources: Provides extensive resources, including guides, whitepapers, and training courses, for improving security and regulatory compliance.
    • URL: https://www.sans.org/security-resources/

Security Metrics and KPIs

tag: [Operations & Strategy, Legal & Compliance]

Measuring security performance through metrics and Key Performance Indicators (KPIs) is very useful for assessing the effectiveness of your security program, and lets you make informed decisions about which security actions to take.

Some examples of what could be worth recording are:

Key Security Metrics

  1. Measure the time taken to detect, respond to, and resolve security incidents.
  2. Track the total number of security incidents over a specified period.
  3. Measure the time taken to fix identified vulnerabilities.
  4. Monitor the rate of false positives generated by security tools to assess their accuracy and efficiency.

Key Performance Indicators (KPIs)

  • Mean Time to Detect (MTTD): The average time taken to detect a security incident.
  • Mean Time to Respond (MTTR): The average time taken to respond to a security incident.
  • Patch Management Effectiveness: Percentage of code/systems patched within a defined timeframe.
  • User Training Completion Rate: Percentage of project team members who have completed required security training.
  • Security Audit Findings: Number of findings from security audits and the percentage of findings resolved within a specified period.
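The KPIs above only become comparable over time once their start and end points are pinned down. The following is an added example, not part of the original framework; the record fields, the 14-day SLA and all sample data are assumptions constructed for illustration. It computes MTTD, MTTR, the false positive rate and the share of findings fixed within a timeframe, and handles incidents and findings that are still open.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Incident:
    occurred: datetime             # start of the activity (assumed known from forensics)
    detected: datetime             # first alert or report
    responded: Optional[datetime]  # containment started; None while nobody has acted


@dataclass
class Finding:                     # a vulnerability or audit finding
    opened: datetime
    fixed: Optional[datetime]      # None while it is still open


def mean(deltas):
    """Average a list of timedeltas; None when there is nothing to average."""
    return sum(deltas, timedelta()) / len(deltas) if deltas else None


def mttd(incidents):
    """Mean Time to Detect: occurrence to detection."""
    return mean([i.detected - i.occurred for i in incidents])


def mttr(incidents):
    """Mean Time to Respond (detection to response) and the number left out.

    Incidents with no response yet cannot be averaged, so they are reported
    separately instead of silently making the KPI look better.
    """
    done = [i.responded - i.detected for i in incidents if i.responded]
    return mean(done), len(incidents) - len(done)


def false_positive_rate(dispositions):
    """Share of triaged alerts that were closed as false positives."""
    if not dispositions:
        return None
    return dispositions.count("false_positive") / len(dispositions)


def fixed_within_sla(findings, sla, as_of):
    """Percentage of findings fixed within `sla`.

    An open finding counts as a miss only once its deadline has passed;
    open findings still inside the SLA are not yet measurable and are skipped.
    """
    met = missed = 0
    for f in findings:
        deadline = f.opened + sla
        if f.fixed is not None:
            if f.fixed <= deadline:
                met += 1
            else:
                missed += 1
        elif as_of > deadline:
            missed += 1
    total = met + missed
    return 100.0 * met / total if total else None


t = datetime.fromisoformat

# Constructed sample records.
INCIDENTS = [
    Incident(t("2024-03-01 08:00"), t("2024-03-01 10:00"), t("2024-03-01 10:30")),
    Incident(t("2024-03-10 00:00"), t("2024-03-10 06:00"), t("2024-03-10 07:30")),
    Incident(t("2024-03-20 12:00"), t("2024-03-20 13:00"), None),  # not yet handled
]
FINDINGS = [
    Finding(t("2024-03-01"), t("2024-03-10")),  # fixed in 9 days
    Finding(t("2024-03-01"), t("2024-03-20")),  # fixed late
    Finding(t("2024-03-05"), None),             # open, deadline passed
    Finding(t("2024-03-12"), t("2024-03-15")),  # fixed in 3 days
    Finding(t("2024-03-25"), None),             # open, still inside the SLA
]
ALERTS = ["false_positive"] * 6 + ["true_positive"] * 2

if __name__ == "__main__":
    print("MTTD:", mttd(INCIDENTS))
    print("MTTR, incidents without response:", mttr(INCIDENTS))
    print("False positive rate:", false_positive_rate(ALERTS))
    print("Fixed within SLA (%):",
          fixed_within_sla(FINDINGS, timedelta(days=14), t("2024-04-01")))
```
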

Security Automation

tag: [Engineer/Developer, Security Specialist, Devops, Cloud, SRE]

Security automation involves using technology to perform security tasks with minimal human intervention. By automating repetitive and complex security processes, teams can improve efficiency, reduce the risk of human error, and respond to threats more quickly. This section covers best practices and tools for automating various aspects of security, including compliance checks, infrastructure as code, and threat detection and response.

Threat Detection and Response

tag: [Engineer/Developer, Security Specialist, Devops, SRE]

Threat detection and response is a critical aspect of maintaining the security of your project. It involves identifying potential threats, monitoring for signs of malicious activity, and responding effectively to mitigate any identified risks. By implementing robust threat detection and response strategies, you can protect your project from security breaches and minimize the impact of any incidents that do occur.

Guidelines for Threat Detection and Response

  1. Implement Continuous Monitoring: Use automated tools to continuously monitor your systems for signs of suspicious activity. This can help you detect threats early and respond quickly.
  2. Establish Clear Response Protocols: Develop and document clear protocols for responding to different types of security incidents. Ensure that all team members are familiar with these protocols and know their roles in the response process.
  3. Conduct Regular Threat Assessments: Regularly assess your systems for potential vulnerabilities and update your threat detection and response strategies accordingly.
  4. Use Threat Intelligence: Leverage threat intelligence sources to stay informed about the latest threats and trends in the security landscape. This can help you anticipate and prepare for new types of attacks.
  5. Train Your Team: Provide regular training for your team on threat detection and response best practices. This can help ensure that everyone is prepared to act quickly and effectively in the event of a security incident.

Example Best Practice

One effective approach to threat detection and response is to use a Security Information and Event Management (SIEM) system. A SIEM system collects and analyzes data from various sources within your network, helping you to identify and respond to potential threats in real-time. By integrating a SIEM system into your security strategy, you can improve your ability to detect and respond to threats, ultimately enhancing the overall security of your project.

Incident Example

Imagine that your SIEM system detects unusual login activity from an IP address located in a different country than your usual operations. This could be an indication of a potential security breach.

Sample Process

  1. Detection: The SIEM system flags the unusual login activity and generates an alert.
  2. Analysis: A security analyst reviews the alert and examines the login activity to determine if it is indeed suspicious.
  3. Containment: If the activity is confirmed to be malicious, the analyst takes steps to contain the threat, such as blocking the IP address and disabling the compromised account.
  4. Eradication: The analyst investigates the extent of the breach and removes any malicious software or unauthorized access points.
  5. Recovery: The affected systems are restored to normal operation, and any necessary security patches or updates are applied.
  6. Lessons Learned: A post-incident review is conducted to identify any gaps in the threat detection and response process and to implement improvements for future incidents.

Infrastructure as Code

tag: [Engineer/Developer, Security Specialist, Devops, Cloud, SRE]

Infrastructure as Code (IaC) is the practice of managing and provisioning computing infrastructure through machine-readable definition files, rather than through manual configuration or interactive configuration tools. Automating security within IaC helps ensure that infrastructure is configured securely and consistently.

Benefits of Automating Security in IaC

  1. Consistency

    • Ensures that infrastructure is provisioned and configured consistently across environments.
    • Reduces the risk of configuration drift and security misconfigurations.
  2. Scalability

    • Enables scalable deployment of secure infrastructure.
    • Simplifies management of large-scale environments.
  3. Version Control

    • Treats infrastructure configurations as code, allowing version control and change tracking.
    • Facilitates rollback to previous configurations if issues arise.

Best Practices for Secure IaC

  1. Use Trusted Modules

    • Use trusted and verified modules or templates for infrastructure provisioning.
    • Avoid using unverified or outdated modules that may contain vulnerabilities.
  2. Implement Least Privilege

    • Ensure that infrastructure components have the minimum necessary permissions.
    • Use role-based access control (RBAC) to manage permissions.
  3. Automate Security Scans

    • Integrate security scanning tools into the IaC pipeline to automatically detect and remediate vulnerabilities.
    • Use tools like Checkov, tfsec, and Terrascan to scan Terraform configurations for security issues.
  4. Encrypt Sensitive Data

    • Encrypt sensitive data at rest and in transit within the infrastructure.
    • Use managed encryption services provided by cloud providers.
  5. Regularly Update IaC Templates

    • Keep IaC templates and modules up to date with the latest security patches and best practices.
    • Regularly review and update configurations to address new security threats.

Tools for Automating Security in IaC

  1. Terraform

    • A widely used IaC tool that allows for the automated provisioning of infrastructure across various cloud providers.
    • Supports integration with security scanning tools like tfsec and Checkov.
  2. AWS CloudFormation

    • An IaC service provided by AWS for modeling and setting up AWS resources.
    • Supports AWS Config rules for automated compliance checks.
  3. Azure Resource Manager (ARM) Templates

    • IaC templates for deploying and managing Azure resources.
    • Integrates with Azure Policy for enforcing security policies.
  4. Ansible

    • An open-source automation tool for configuration management and application deployment.
    • Supports security roles and playbooks for automating security configurations.

Compliance Checks

tag: [Engineer/Developer, Security Specialist, Devops, Cloud, SRE]

Automating compliance checks helps projects ensure that they adhere to security policies, standards, and potential regulatory requirements consistently. Automated compliance tools can continuously monitor, assess, and report on the compliance status of systems and applications.

Benefits of Automated Compliance Checks

  1. Continuous Monitoring

    • Automated tools provide continuous monitoring of systems to ensure ongoing compliance.
    • Reduces the risk of non-compliance due to configuration drift or changes.
  2. Efficiency

    • Automates repetitive compliance tasks, freeing up security teams to focus on more strategic activities.
    • Speeds up the compliance assessment process.
  3. Accuracy

    • Reduces human error in compliance assessments.
    • Provides consistent and repeatable compliance checks.

Tools for Automated Compliance Checks

  1. AWS Config

    • A service that continuously monitors and records AWS resource configurations and allows automated compliance checks based on predefined rules.
    • Pros: Deep integration with AWS services, customizable rules.
    • Cons: Limited to AWS environments.
  2. Azure Policy

    • A service that enables the creation, assignment, and management of policies to enforce organizational standards and assess compliance at-scale.
    • Pros: Integrated with Azure services, supports custom policies.
    • Cons: Limited to Azure environments.
  3. HashiCorp Sentinel

    • A policy-as-code framework for defining and enforcing policies across infrastructure as code and cloud environments.
    • Pros: Flexible and extensible, integrates with Terraform and other HashiCorp tools.
    • Cons: Requires knowledge of policy language.
  4. OpenSCAP

    • An open-source tool for implementing and enforcing security policies and compliance checks.
    • Pros: Supports various compliance frameworks (e.g., NIST, CIS), open-source.
    • Cons: Requires configuration and management.

Best Practices

  1. Integrate compliance checks into the CI/CD pipeline to ensure that code changes and deployments comply with security policies.
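A pipeline gate of the kind described here and under "Automate Security Scans" can be sketched as a check over the JSON form of a Terraform plan (the output of terraform show -json). This is an added example, not code from the original framework or from Checkov, tfsec or Terrascan, which cover far more rules; the three rules, the resource names and the embedded plan are constructed for illustration.

```python
import json

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_ACLS = {"public-read", "public-read-write"}


def check_security_group(after):
    for rule in after.get("ingress") or []:
        sources = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
        if not sources & PUBLIC_CIDRS:
            continue
        proto = str(rule.get("protocol"))
        lo, hi = rule.get("from_port"), rule.get("to_port")
        ssh_in_range = (proto in ("tcp", "6") and lo is not None
                        and hi is not None and lo <= 22 <= hi)
        if proto == "-1" or ssh_in_range:
            return "SSH (22/tcp) is reachable from any address"
    return None


def check_ebs_volume(after):
    # Fail closed: an absent value (unset, or unknown until apply) counts as
    # unencrypted, so the template has to state encryption explicitly.
    if after.get("encrypted") is not True:
        return "volume is not explicitly encrypted at rest"
    return None


def check_bucket_acl(after):
    if after.get("acl") in PUBLIC_ACLS:
        return "bucket ACL grants public access"
    return None


CHECKS = {
    "aws_security_group": check_security_group,
    "aws_ebs_volume": check_ebs_volume,
    "aws_s3_bucket_acl": check_bucket_acl,
}


def scan(plan):
    """Return (resource address, message) for every planned violation."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        if not {"create", "update"} & set(change.get("actions") or []):
            continue  # deletes and no-ops add no new exposure
        check = CHECKS.get(rc.get("type"))
        message = check(change.get("after") or {}) if check else None
        if message:
            findings.append((rc["address"], message))
    return findings


def gate(plan):
    """Exit status for a CI step: non-zero blocks the merge or deployment."""
    return 1 if scan(plan) else 0


# Constructed plan excerpt in the layout produced by `terraform show -json`.
PLAN = json.loads("""
{"format_version": "1.2", "resource_changes": [
  {"address": "aws_security_group.bastion", "type": "aws_security_group",
   "change": {"actions": ["create"], "after": {"ingress": [
     {"protocol": "tcp", "from_port": 22, "to_port": 22,
      "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}}},
  {"address": "aws_security_group.web", "type": "aws_security_group",
   "change": {"actions": ["create"], "after": {"ingress": [
     {"protocol": "tcp", "from_port": 443, "to_port": 443,
      "cidr_blocks": ["0.0.0.0/0"]}]}}},
  {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
   "change": {"actions": ["create"], "after": {"size": 100}}},
  {"address": "aws_ebs_volume.logs", "type": "aws_ebs_volume",
   "change": {"actions": ["update"], "after": {"size": 50, "encrypted": true}}},
  {"address": "aws_s3_bucket_acl.assets", "type": "aws_s3_bucket_acl",
   "change": {"actions": ["create"], "after": {"acl": "public-read"}}},
  {"address": "aws_s3_bucket_acl.old", "type": "aws_s3_bucket_acl",
   "change": {"actions": ["delete"], "after": null}}
]}
""")

if __name__ == "__main__":
    for address, message in scan(PLAN):
        print(f"FAIL {address}: {message}")
    raise SystemExit(gate(PLAN))
```

Running the gate on the plan rather than on the source templates means module defaults and variable values are already resolved when the rules are evaluated.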

Threat Modeling

tag: [Engineer/Developer, Security Specialist]

Threat modeling is a structured approach to identifying and mitigating security threats to a system. It involves understanding potential threats, vulnerabilities, and attack vectors, and developing strategies to mitigate them.

Standard Operating Environment

tag: [Engineer/Developer, Security Specialist, Devops]

Identifying and mitigating threats is a crucial part of the threat modeling process. By understanding potential threats and developing strategies to address them, projects can help protect their systems and data from security incidents.

Identifying Threats

  1. Threat Enumeration

    • Use frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to systematically identify potential threats.
    • Consider various threat actors, including insiders, external attackers, and automated threats.
  2. Attack Surface Analysis

    • Analyze the attack surface to identify all potential entry points for attackers.
    • Include smart contracts, wallets, external interfaces, APIs, third-party integrations, and user inputs in the analysis.
  3. Adversary Modeling

    • Develop profiles of potential adversaries, including their capabilities, goals, and motivations.
    • Consider different threat actors, such as black hats and nation-state actors.
  4. Historical Data

    • Review past security incidents and vulnerabilities to identify common attack patterns and weaknesses.
    • Use vulnerability databases and threat intelligence feeds to stay informed about emerging threats.

Mitigating Threats

  1. Security Controls

    • Implement security controls to mitigate identified threats. These can include technical controls, administrative controls (e.g., policies, procedures), and physical controls.
  2. Defense in Depth

    • Apply the principle of defense in depth by implementing multiple layers of security controls.
    • Ensure that if one control fails, additional controls are in place to provide protection.
  3. Least Privilege

    • Follow the principle of least privilege by granting users and systems the minimum level of access necessary to perform their functions.
    • Regularly review and adjust access permissions to reduce the risk of privilege escalation.
  4. Security by Design

    • Incorporate security into the design and development processes from the outset.
    • Use secure coding practices, perform regular code reviews, and conduct security testing throughout the development lifecycle.
  5. Monitoring and Detection

    • Implement continuous monitoring to detect and respond to security incidents in real time.
  6. Incident Response

    • Develop and maintain an incident response plan to quickly and effectively address security incidents.
    • Train team members on incident response procedures and conduct regular drills to ensure readiness.

Create and Maintain Threat Models

tag: [Engineer/Developer, Security Specialist]

Creating and maintaining threat models helps identify potential security risks and develop mitigation strategies to protect the project.

Steps to Create a Threat Model

  1. Define the Scope

    • Identify the contract, system, application, or component to be analyzed.
    • Determine its boundaries and interfaces.
  2. Identify Assets

    • List all critical assets that need protection, such as funds, data, credentials, and infrastructure components.
    • Prioritize assets based on their importance and sensitivity.
  3. Identify Threats

    • Use frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to identify potential threats.
    • Consider various attack vectors and threat actors that could target the system.
  4. Identify Vulnerabilities

    • Analyze the system for potential vulnerabilities that could be exploited by threats.
    • Use vulnerability databases, past incident reports, and security assessments to identify common weaknesses.
  5. Create Attack Scenarios

    • Develop detailed attack scenarios that describe how threats could exploit vulnerabilities to compromise assets.
    • Use diagrams and flowcharts to visualize the attack paths.
  6. Evaluate and Prioritize Risks

    • Assess the likelihood and impact of each identified threat.
    • Prioritize risks based on their potential impact on the system and organization.
  7. Develop Mitigation Strategies

    • Identify and implement controls to mitigate the identified risks.
    • Consider technical, administrative, and physical controls to reduce the risk.
  8. Document the Threat Model

    • Create detailed documentation of the threat model, including all identified threats, vulnerabilities, attack scenarios, and mitigation strategies.
    • Use templates and standardized formats to ensure consistency.

Maintaining Threat Models

  1. Regular Updates

    • Update the threat model regularly to reflect changes in the system, new threats, and emerging vulnerabilities.
    • Schedule periodic reviews to ensure the model remains current.
  2. Continuous Monitoring

    • Implement continuous monitoring to detect changes in the threat landscape and system environment.
    • Use automated tools to monitor for new vulnerabilities and threats.
  3. Collaboration

    • Foster collaboration between development, security, and operations teams to keep the threat model up to date.
    • Encourage feedback and contributions from all stakeholders.
  4. Training and Awareness

    • Provide training for team members on threat modeling concepts and techniques.
    • Raise awareness about the importance of threat modeling in maintaining security.

Tools for Threat Modeling

  1. Microsoft Threat Modeling Tool

    • A free tool that helps create threat models using the STRIDE framework.
    • Pros: Easy to use, integrates with Microsoft technologies.
    • Cons: Limited to Windows platforms.
  2. OWASP Threat Dragon

    • An open-source threat modeling tool for creating diagrams and identifying threats.
    • Pros: Free, web-based, supports multiple platforms.
    • Cons: Limited features compared to commercial tools.

Identity and Access Management (IAM)

tag: [Engineer/Developer, Security Specialist, Operations & Strategy]

Identity and Access Management (IAM) is defined as managing who has access to your systems and data, and ensuring that access is secure and appropriate. Effective IAM practices help prevent unauthorized access, reduce the risk of insider threats, and ensure that users have the necessary access to perform their roles efficiently.

Contents

  1. Role-Based Access Control (RBAC)
  2. Secure Authentication
  3. Access Management Best Practices

Role-Based Access Control (RBAC)

tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, HR]

Role-Based Access Control (RBAC) is a method of regulating access to systems and data based on the roles assigned to individual users within a project. RBAC ensures that users have the minimum access necessary to perform their job functions, reducing the risk of unauthorized access.

Key Principles of RBAC

  • Role Definition: Clearly define roles within the project based on each team member's job responsibilities. Each role should have a specific set of permissions. For example, a community manager may not require administrative permissions to the project's GitHub repository.
  • Role Assignment: Assign roles to team members based on their job responsibilities. Ensure that users only have access to the resources they need.
  • Permission Management: Regularly review and update role permissions to ensure they are aligned with current team functions and security requirements.
  • Separation of Duties: Implement separation of duties to prevent conflicts of interest and reduce the risk of threats.

Secure Authentication

tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, HR]

Secure authentication is essential for verifying the identity of team members and ensuring that only authorized individuals have access. By implementing strong authentication mechanisms, you can protect your project against unauthorized access and lower the risk of potential security breaches.

Key Authentication Methods

  • Multi-Factor Authentication (MFA): Require multiple forms of verification (e.g., something you know, something you have, something you are) to enhance security. It is strongly suggested not to use SMS as a form of multi-factor authentication, and to use hardware tokens such as YubiKeys instead.
  • Single Sign-On (SSO): Enable SSO in services you use to allow team members to authenticate once and gain access to multiple systems without re-entering credentials, but make sure that the account connected to SSO is secured by strong Multi-Factor Authentication.
  • Password Management: Enforce strong password policies and encourage the use of password managers to generate and store complex passwords.

Best Practices for Secure Authentication

  1. Require MFA for all team members, especially for accessing sensitive systems and data. Encourage the use of hardware tokens (e.g., YubiKeys) over SMS-based MFA.
  2. Implement monitoring and alerting for suspicious authentication attempts, such as repeated failed logins or logins from unusual locations.
  3. Provide training on secure authentication practices and the importance of protecting authentication credentials.
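The monitoring described in item 2, and the SIEM incident example in the Threat Detection and Response section (a login from a country outside the usual operations), can be expressed as detection logic over authentication events. This is an added example, not part of the original framework; the log format, the per-user country baseline, the thresholds and the sample lines are all constructed assumptions, and events are assumed to arrive in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example); "country" is GeoIP
# enrichment that a SIEM would normally add to the source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>ok|fail)$"
)

# Constructed sample events using documentation-only IP ranges.
SAMPLE_LOG = """\
2024-05-02T09:00:00Z user=alice src=192.0.2.10 country=DE result=ok
2024-05-02T09:01:00Z user=bob src=198.51.100.23 country=BR result=fail
2024-05-02T09:01:20Z user=bob src=198.51.100.23 country=BR result=fail
2024-05-02T09:01:40Z user=bob src=198.51.100.23 country=BR result=fail
2024-05-02T09:02:00Z user=bob src=198.51.100.23 country=BR result=fail
2024-05-02T09:02:20Z user=bob src=198.51.100.23 country=BR result=fail
2024-05-02T09:03:00Z user=bob src=198.51.100.23 country=BR result=ok
2024-05-02T09:30:00Z user=alice src=203.0.113.7 country=SG result=ok
2024-05-02T11:00:00Z user=carol src=192.0.2.44 country=US result=fail
2024-05-02T11:20:00Z user=carol src=192.0.2.44 country=US result=ok
""".splitlines()

# Countries each user normally signs in from (assumed, maintained by the team).
BASELINE = {"alice": {"DE"}, "bob": {"US"}, "carol": {"US"}}


def parse(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, baseline, max_failures=5, window=timedelta(minutes=10)):
    """Return alerts as (rule, user, source address, country) tuples."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    burst_at = {}                   # user -> time the failure threshold was hit
    for line in lines:
        ev = parse(line)
        if ev is None:
            # Lines the parser cannot read are surfaced, not dropped.
            alerts.append(("unparsed_line", None, None, None))
            continue
        user, ts = ev["user"], ev["ts"]
        where = (user, ev["src"], ev["country"])
        if ev["result"] == "fail":
            q = failures[user]
            q.append(ts)
            while ts - q[0] > window:      # keep only failures inside the window
                q.popleft()
            if len(q) >= max_failures:
                alerts.append(("repeated_failed_logins", *where))
                burst_at[user] = ts
                q.clear()                  # one alert per burst, not per failure
            continue
        # Successful login: highest priority if it follows a failure burst.
        if user in burst_at and ts - burst_at[user] <= window:
            alerts.append(("success_after_failed_burst", *where))
        # Users without a baseline are flagged on every login (fail closed).
        if ev["country"] not in baseline.get(user, set()):
            alerts.append(("login_from_unusual_country", *where))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, BASELINE):
        print(alert)
```

Each alert here corresponds to the Detection step of the sample process; the Analysis step still decides whether a flagged login is travel, a VPN exit or a compromised account.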

Secure Software Development

tag: [Engineer/Developer, Security Specialist, Devops]

Secure software development is the practice of integrating security measures throughout the entire software development lifecycle (SDLC). This approach ensures that software is designed, developed, and maintained with security in mind, protecting against vulnerabilities and threats. This section provides guidelines and best practices for secure software development, including code reviews, secure coding standards, version control, and threat modeling.

Secure Coding Standards and Guidelines

tag: [Engineer/Developer, Security Specialist]

Using secure coding standards and guidelines increases the likelihood that your project is resilient to security threats. These types of standards can help developers avoid common vulnerabilities, and help ensure that security is considered at every stage of development.

Secure Coding Standards

  1. Input Validation

    • Validate all inputs to ensure they conform to expected formats and ranges.
    • Use whitelisting (allowing only known good inputs) rather than blacklisting.
  2. Output Encoding

    • Encode output data.
    • Use libraries and frameworks that provide built-in encoding functions.
  3. Authentication and Authorization

    • Implement strong authentication mechanisms to verify user identities.
    • Ensure proper authorization checks are in place to control access to resources based on user roles.
  4. Error Handling

    • Handle errors gracefully without revealing sensitive information.
    • Log errors securely and provide generic error messages to users.

Guidelines for Secure Coding

  1. Use Secure Libraries and Frameworks

    • Use libraries and frameworks that have been vetted for security and are regularly updated.
    • Avoid using deprecated or unmaintained libraries.
  2. Follow Principle of Least Privilege

    • Grant the minimum level of access necessary for code to function.
    • Avoid running code with high privileges.
  3. Secure Data Storage

    • Encrypt sensitive data both at rest and in transit.
    • Use secure storage mechanisms for credentials and secrets.
  4. Regular Code Reviews

    • Conduct regular code reviews to identify and fix security vulnerabilities.
    • Use automated tools to complement manual code reviews.
  5. Continuous Security Training

    • Provide ongoing security training for developers to keep them informed about the latest threats and best practices.
    • Encourage participation in security communities and events.

Threat Modeling and Secure Design Principles

tag: [Engineer/Developer, Security Specialist]

Threat modeling and secure design principles help identify and mitigate potential security threats during the design phase of software development.

Threat Modeling

  1. Identify Assets

    • Determine the valuable assets that need protection, such as user funds, sensitive data, user credentials, and intellectual property.
  2. Identify Threats

    • Identify potential threats to the assets using models like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege).
  3. Assess Risks

    • Evaluate the risks associated with each identified threat based on its likelihood and potential impact.
  4. Develop Mitigations

    • Design and implement security controls to mitigate the identified threats. Prioritize mitigations based on the assessed risks.
  5. Validate and Iterate

    • Regularly validate the threat model and update it as the application evolves. Continuously assess and improve security measures.

Secure Design Principles

  1. Principle of Least Privilege

    • Grant users and systems the minimum level of access necessary to perform their functions. Reduce the attack surface by limiting permissions.
  2. Defense in Depth

    • Implement multiple layers of security controls to protect against different types of threats. Ensure that security is not reliant on a single control.
  3. Fail Securely

    • Design systems to fail in a secure manner. Ensure that errors and failures do not expose sensitive information or create security vulnerabilities.
  4. Secure Defaults

    • Configure systems with secure default settings. Require users to opt into less secure configurations rather than opting into secure ones.
  5. Separation of Duties

    • Separate critical functions to prevent a single individual or system from having excessive control. Implement checks and balances.
  6. Secure by Design

    • Integrate security into the design and architecture of the application. Consider security implications during every stage of the design process.

Code Reviews and Peer Audits

tag: [Engineer/Developer, Security Specialist]

Code reviews and peer audits help identify and mitigate security vulnerabilities in software. They involve systematically examining code to ensure it adheres to the security standards and best practices of the project.

Best Practices for Code Reviews

  1. Regular Reviews

    • Conduct code reviews regularly to identify and fix security vulnerabilities early in the development process.
    • Integrate code reviews into the development workflow to make them a routine part of the process.
  2. Review Checklists

    • Use review checklists to ensure that all security aspects are covered during the review.
    • Checklists should include common security issues such as input validation, error handling, and authentication.
  3. Automated Tools

    • Use automated code analysis tools to assist in identifying potential security vulnerabilities.
    • Tools like SonarQube, Checkmarx, and Snyk can help in detecting issues that might be missed during manual reviews.
  4. Peer Audits

    • Encourage peer audits where team members review each other's code.
    • Peer audits provide a fresh perspective and can help identify issues that the original developer might overlook.

Conducting Effective Code Reviews

  1. Focus on Security

    • Prioritize security issues during code reviews.
    • Ensure that code follows secure coding standards and guidelines.
  2. Collaborative Approach

    • Foster a collaborative environment where reviewers and developers work together to improve code quality.
    • Provide constructive feedback and encourage open communication.
  3. Document Findings

    • Document all findings from code reviews and track their resolution.
    • Use issue tracking systems to manage identified vulnerabilities and ensure they are addressed.
  4. Continuous Improvement

    • Continuously improve the code review process based on feedback and lessons learned.
    • Regularly update review checklists and practices to keep up with evolving security threats.

Secure Code Repositories and Version Control

tag: [Engineer/Developer, Security Specialist, Devops]

Managing secure code repositories and having version control practices helps protect your project from unauthorized access and ensures the integrity of your project.

Best Practices for Secure Code Repositories

  1. Access Control

    • Implement strict access controls to limit who can view, modify, and commit code.
    • Use role-based access control (RBAC) to grant permissions based on the user's role within the organization.
  2. Multi-Factor Authentication (MFA)

    • Require MFA for all users accessing the code repository to add an extra layer of security.
    • Use hardware tokens or authentication apps for stronger security.
  3. Branch Protection

    • Enable branch protection rules to prevent unauthorized changes to critical branches such as main/master.
    • Require code reviews and approvals by another person before changes can be merged into the main/master branch.
  4. Audit Logs

    • Enable audit logging to track all activities within the repository.
    • Regularly review logs to detect any suspicious activities or unauthorized access attempts.

Secure Version Control Practices

  1. Commit Signing

    • Require developers to sign their commits with GPG keys to verify the authenticity of the code changes.
    • Enforce commit signing policies in the version control system.
  2. Regular Backups

    • Regularly back up the code repository to prevent data loss.
    • Store backups in a secure, offsite location.
  3. Continuous Integration/Continuous Deployment (CI/CD)

    • Integrate security checks into the CI/CD pipeline to automatically scan code for vulnerabilities.
    • Ensure that only tested and approved code is deployed to production.

Security Testing

tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, SRE]

The objective of security testing, while most likely impossible to achieve, is to ensure that applications and systems are resilient to attacks and free from vulnerabilities. This section covers various security testing methodologies, including dynamic and static application security testing, fuzz testing, and security regression testing.

Dynamic Application Security Testing (DAST)

tag: [Engineer/Developer, Security Specialist]

Dynamic Application Security Testing (DAST) is a security testing method that involves evaluating applications in their running state. DAST tools simulate attacks against the application to identify vulnerabilities that could be exploited.

Benefits of DAST

  1. Real-World Testing

    • Tests applications in their real-world operational state, identifying vulnerabilities that static analysis might miss.
  2. Broad Coverage

    • Detects a wide range of vulnerabilities.
  3. No Access to Source Code Required

    • Can be performed without access to the application's source code.

Best Practices for DAST

  1. Automate Scanning

    • Integrate DAST tools into the CI/CD pipeline to automatically scan applications during development and deployment.
  2. Regular Testing

    • Perform regular security testing on running applications to identify new vulnerabilities introduced by code changes.
  3. Comprehensive Coverage

    • Ensure that all parts of the application, including APIs and web services, are tested.
  4. Use Multiple Tools

    • Use multiple DAST tools to increase coverage and improve detection accuracy.

Web2 DAST Tools

  1. OWASP ZAP (Zed Attack Proxy)

    • Open-source web application security scanner.
    • Pros: Free, extensive community support, powerful features.
    • Cons: Can be complex to configure for advanced use cases.
  2. Burp Suite

    • Comprehensive web application security testing tool.
    • Pros: Powerful, extensive features, active development.
    • Cons: Commercial tool with a significant cost.
  3. Acunetix

    • Automated web application security scanner.
    • Pros: Easy to use, wide range of vulnerability checks, detailed reports.
    • Cons: Commercial tool with a significant cost.
  4. Veracode Dynamic Analysis

    • Cloud-based DAST solution.
    • Pros: Integrates with CI/CD pipelines, detailed reporting.
    • Cons: Requires a subscription.

Solidity DAST Tools

  1. MythX

    • A security analysis service for Ethereum smart contracts.
    • Pros: Detects common vulnerabilities such as reentrancy, integer overflows, and underflows.
    • Cons: Commercial tool with a subscription fee.
  2. Echidna

    • A DAST tool specifically designed for Ethereum smart contracts.
    • Pros: Effective for finding vulnerabilities in Solidity code, integrates with other Ethereum testing tools.
    • Cons: Can be complex to use.

Static Application Security Testing (SAST)

tag: [Security Specialist]

Static Application Security Testing (SAST) is a method of analyzing source code for security vulnerabilities without executing the program. SAST tools examine the codebase to identify potential security issues, enabling developers to address vulnerabilities early in the development lifecycle.

Benefits of SAST

  1. Early Detection

    • Identifies security vulnerabilities early in the development process, reducing the cost and effort required to fix them.
  2. Comprehensive Analysis

    • Provides a detailed analysis of the codebase, uncovering vulnerabilities that might be missed during manual reviews.
  3. Automated Scanning

    • Automates the process of security analysis, providing consistent and repeatable results.

Best Practices for SAST

  1. Integrate into CI/CD Pipeline

    • Integrate SAST tools into the CI/CD pipeline to automatically scan code changes for vulnerabilities.
    • Ensure that all code is scanned before it is merged into the main branch.
  2. Regular Scanning

    • Perform regular security scans on the codebase to identify new vulnerabilities introduced by code changes.
  3. Prioritize Findings

    • Prioritize vulnerabilities based on their severity and potential impact.
    • Focus on fixing critical and high-severity issues first.
  4. Provide Developer Training

    • Provide training for developers on how to interpret SAST results and fix identified vulnerabilities.
    • Encourage secure coding practices to prevent vulnerabilities from being introduced.
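
One way to implement the pre-merge scan and the severity-first triage described above, as an added example that is not part of the framework's own material. It assumes the SAST tool can export its findings as SARIF 2.1.0; the sample report, rule names, file paths and the `gate` helper are constructed for illustration.

```python
import json

# SARIF result levels, most severe first.
LEVEL_RANK = {"error": 0, "warning": 1, "note": 2, "none": 3}


def _sample_result(rule, level, uri, line, text):
    """Build one SARIF result object for the constructed sample below."""
    result = {"ruleId": rule, "message": {"text": text}, "locations": [{
        "physicalLocation": {"artifactLocation": {"uri": uri},
                             "region": {"startLine": line}}}]}
    if level is not None:
        result["level"] = level
    return result


# Constructed sample report, not output from a real scan.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [
        _sample_result("unused-variable", "note", "src/Vault.sol", 12, "Variable is never read"),
        _sample_result("reentrancy", "error", "src/Vault.sol", 48, "External call before state update"),
        _sample_result("unchecked-return", None, "src/Router.sol", 7, "Return value ignored"),
    ],
}]})


def load_findings(sarif_text):
    """Flatten all runs of a SARIF document into findings, most severe first."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            place = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId", "unknown"),
                # A result without an explicit level is treated as "warning".
                "level": result.get("level", "warning"),
                "file": place.get("artifactLocation", {}).get("uri", "?"),
                "line": place.get("region", {}).get("startLine", 0),
                "message": result.get("message", {}).get("text", ""),
            })
    return sorted(findings, key=lambda f: (LEVEL_RANK.get(f["level"], 1), f["file"], f["line"]))


def gate(sarif_text, block_at="error", accepted=frozenset()):
    """Pre-merge decision: returns (exit_code, blocking, deferred).

    `accepted` holds (rule, file) pairs already triaged and accepted, so a
    reviewed finding does not block every later merge.
    """
    threshold = LEVEL_RANK[block_at]
    blocking, deferred = [], []
    for finding in load_findings(sarif_text):
        severe = LEVEL_RANK.get(finding["level"], 1) <= threshold
        if severe and (finding["rule"], finding["file"]) not in accepted:
            blocking.append(finding)
        else:
            deferred.append(finding)
    return (1 if blocking else 0), blocking, deferred


if __name__ == "__main__":
    code, blocking, deferred = gate(SAMPLE_SARIF)
    for tag, group in (("BLOCK", blocking), ("LATER", deferred)):
        for f in group:
            print(f"{tag} {f['level']:8}{f['file']}:{f['line']} {f['rule']}: {f['message']}")
    raise SystemExit(code)
```

A non-zero exit code fails the pipeline step, so the merge is held until the blocking findings are fixed or explicitly accepted.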

SAST Tools

Web2 SAST Tools

  1. SonarQube

    • An open-source platform for continuous inspection of code quality.
    • Pros: Supports multiple programming languages, integrates with CI/CD pipelines.
    • Cons: Requires configuration and management.
  2. Checkmarx

    • A commercial SAST tool for identifying security vulnerabilities in source code.
    • Pros: Comprehensive analysis, supports multiple programming languages, detailed reports.
    • Cons: Commercial tool with a significant cost.
  3. Veracode Static Analysis

    • A cloud-based SAST solution for analyzing source code.
    • Pros: Easy to use, integrates with CI/CD pipelines, detailed reporting.
    • Cons: Requires a subscription.
  4. Bandit

    • An open-source tool for static analysis of Python code.
    • Pros: Free, easy to use, integrates with CI/CD pipelines.
    • Cons: Limited to Python applications.

Solidity SAST Tools

  1. MythX

    • A security analysis service for Ethereum smart contracts that includes static analysis capabilities.
    • Pros: Comprehensive analysis, integrates with other Ethereum tools.
    • Cons: Commercial tool with a subscription fee.
  2. Slither

    • A static analysis tool for Solidity code.
    • Pros: Provides detailed analysis of potential security issues and code quality, integrates with CI/CD pipelines.
    • Cons: Limited to Solidity code.
  3. Solhint

    • An open-source project for linting Solidity code.
    • Pros: Helps enforce coding standards and detect potential issues early, integrates with CI/CD pipelines.
    • Cons: Limited to Solidity code.

Fuzz Testing

tag: [Engineer/Developer, Security Specialist]

Fuzz testing, or fuzzing, is a software testing technique that involves providing invalid, unexpected, or random data to the inputs of a program to discover vulnerabilities. Fuzzing helps identify security issues such as buffer overflows, memory leaks, and input validation errors.

Benefits of Fuzz Testing

  1. Automated Vulnerability Discovery

    • Automates the process of finding vulnerabilities, reducing the need for manual testing.
  2. Uncovers Edge Cases

    • Identifies edge cases and unexpected behavior that may not be detected through other testing methods.
  3. Enhances Security

    • Helps improve the overall security and robustness of applications by identifying and fixing vulnerabilities.

Best Practices for Fuzz Testing

  1. Use Multiple Fuzzers

    • Employ multiple fuzz testing tools to increase coverage and improve the likelihood of discovering vulnerabilities.
  2. Integrate into CI/CD

    • Integrate fuzz testing into the CI/CD pipeline to continuously test code changes for vulnerabilities.
  3. Monitor and Analyze

    • Monitor the application's behavior during fuzz testing and analyze the results to identify and fix vulnerabilities.
  4. Start with Known Vulnerabilities

    • Begin fuzz testing with inputs that target known vulnerabilities to verify the effectiveness of the fuzzing process.

Web2 Fuzz Testing Tools

  1. AFL (American Fuzzy Lop)

    • A popular fuzzing tool for discovering vulnerabilities in binary executables.
    • Pros: Highly effective, widely used, supports various file formats.
    • Cons: Requires manual setup and configuration.
  2. LibFuzzer

    • A library for in-process, coverage-guided fuzz testing.
    • Pros: Integrates with LLVM, efficient, supports sanitizers.
    • Cons: Requires source code instrumentation.
  3. Peach Fuzzer

    • A commercial fuzzing platform for testing software, hardware, and IoT devices.
    • Pros: Extensive features, supports various protocols and formats.
    • Cons: Commercial tool with a significant cost.

Solidity Fuzz Testing Tools

  1. Echidna

    • A fuzz testing tool for Ethereum smart contracts.
    • Pros: Specifically designed for Solidity, integrates with other Ethereum testing tools.
  2. Mythril

    • A security analysis tool for Ethereum smart contracts that includes fuzzing capabilities.
    • Pros: Comprehensive analysis, integrates with other Ethereum tools.
  3. Foundry

    • A fast, portable, and modular testing framework for Solidity.
    • Pros: Integrates fuzz testing, easy to use, and supports a wide range of test cases.

Security Regression Testing

tag: [Security Specialist]

Security regression testing involves retesting previously fixed vulnerabilities to ensure that they remain fixed and that new code changes do not introduce new vulnerabilities.

Benefits of Security Regression Testing

  1. Ensures Consistency

    • Verifies that security fixes remain effective and are not inadvertently undone by subsequent code changes.
  2. Maintains Security Posture

    • Helps maintain the overall security posture of the application by continuously monitoring for regressions.
  3. Automates Verification

    • Automates the process of verifying security fixes, reducing the need for manual retesting.

Best Practices for Security Regression Testing

  1. Automate Testing

    • Integrate security regression testing into the CI/CD pipeline to automatically test code changes for regressions.
  2. Maintain Test Cases

    • Maintain a comprehensive set of test cases that cover known vulnerabilities and common security issues.
    • Regularly update test cases to reflect new vulnerabilities and changes in the codebase.
  3. Use Version Control

    • Use version control systems to track changes to test cases and ensure that they are up to date.
    • Implement automated checks to verify that changes to the codebase do not introduce regressions.
  4. Continuous Monitoring

    • Continuously monitor the results of security regression tests to identify and address regressions promptly.
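
The "Start with Known Vulnerabilities" practice from the fuzz testing section and the regression replay described above, combined in one added example that is not part of the framework's own material. The record format, both parser versions and the planted defect are constructed, and an unhandled exception stands in for a crash.

```python
def parse_record_v1(data):
    """Pre-fix parser with the known defect: it trusts the length byte."""
    if not data:
        raise ValueError("empty input")
    out = bytearray()
    for i in range(data[0]):
        out.append(data[1 + i])  # IndexError when the length byte overstates the payload
    return bytes(out)


def parse_record_v2(data):
    """Fixed parser: a length byte that disagrees with the payload is rejected."""
    if not data:
        raise ValueError("empty input")
    if data[0] != len(data) - 1:
        raise ValueError("length mismatch")
    return data[1:]


BOUNDARY_BYTES = (0x00, 0x01, 0x7F, 0x80, 0xFF)


def mutations(seed):
    """Deterministic mutations: boundary-value byte replacement, then truncation."""
    for pos in range(len(seed)):
        for value in BOUNDARY_BYTES:
            if seed[pos] != value:
                yield seed[:pos] + bytes([value]) + seed[pos + 1:]
    for cut in range(len(seed)):
        yield seed[:cut]


def run_one(target, case):
    """Oracle: ValueError is a clean rejection; any other exception is a finding."""
    try:
        target(case)
    except ValueError:
        return None
    except Exception as exc:
        return type(exc).__name__
    return None


def fuzz(target, seeds):
    """Return [(input, exception name)] for every mutation that produced a finding."""
    findings = []
    for seed in seeds:
        for case in mutations(seed):
            outcome = run_one(target, case)
            if outcome is not None:
                findings.append((case, outcome))
    return findings


def replay(target, corpus):
    """Security regression test: stored inputs that still produce a finding."""
    return [case for case, _ in corpus if run_one(target, case) is not None]


SEEDS = [b"\x03abc"]  # one valid record: length byte 3, payload "abc"

if __name__ == "__main__":
    corpus = fuzz(parse_record_v1, SEEDS)
    # Calibration: a fuzzer that cannot rediscover the known defect is not trusted.
    assert corpus, "fuzzer failed to rediscover the known defect"
    print(f"{len(corpus)} findings in v1, kept as the regression corpus")
    print("new findings in v2:", fuzz(parse_record_v2, SEEDS))
    print("regressions in v2:", replay(parse_record_v2, corpus))
```

Keeping the corpus under version control and running `replay` in CI turns every past finding into a permanent check: a change that reintroduces the defect makes `replay` return a non-empty list.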

User (Team) Security

tag: [Security Specialist, Operations & Strategy]

User (team) security involves educating and empowering team members to recognize and prevent security threats, fostering a security-aware culture, and providing regular security training.

Security Training

tag: [Security Specialist, Operations & Strategy, HR]

Regular security training helps keep security top-of-mind and reinforces its importance. It helps build the skills necessary to recognize and mitigate security threats to your project.

Best Practices for Security Training

  1. Regular Training Sessions

    • Conduct regular security training sessions to keep team members informed about the latest threats and best practices.
    • Schedule training sessions at least quarterly or bi-annually.
    • Don't make the training sessions too long; shorter, more frequent sessions are better than a single three-hour session each year.
  2. Interactive Training

    • Use interactive training methods, such as SEAL Wargames or workshops, to engage team members and enhance learning.
  3. Role-Based Training

    • Tailor training content to the specific roles and responsibilities of team members.
    • Provide specialized training for high-risk roles, such as developers and community managers.
  4. Real-World Scenarios

    • Incorporate real-world scenarios and case studies to illustrate the impact of security breaches and the importance of preventive measures.
  5. Assessments and Quizzes

    • Use assessments and quizzes to evaluate the effectiveness of training and identify areas where additional training may be needed.
  6. Security Awareness Campaigns

    • Implement security awareness campaigns to reinforce key messages and promote a culture of security throughout the organization.

Topics to Cover in Security Training

  1. Phishing and Social Engineering

    • Educate team members on recognizing and responding to phishing attacks and social engineering tactics.
  2. Password Management

    • Provide best practices for creating and managing strong passwords and using password managers.
  3. Data Protection

    • Teach methods for protecting sensitive data, including encryption, access controls, and secure data handling practices.
  4. Incident Reporting

    • Instruct team members on how to report security incidents and suspicious activities promptly.
  5. Secure Coding Practices

    • For developers, provide training on secure coding practices and common vulnerabilities.

Security-Aware Culture

tag: [Security Specialist, Operations & Strategy, HR]

Fostering a security-aware culture within your project helps mitigate security risks and helps team members understand the importance of security.

Strategies for Fostering a Security-Aware Culture

  1. Leadership Commitment

    • Ensure that leadership demonstrates a strong commitment to security by prioritizing and investing in security initiatives.
  2. Regular Communication

    • Communicate the importance of security regularly through your communications with the team.
  3. Security Policies and Procedures

    • Develop and enforce clear security policies and procedures that outline expectations and responsibilities for all team members.
  4. Encourage Reporting

    • Encourage team members to report security incidents, suspicious activities, and potential vulnerabilities without fear of retribution.
  5. Recognition and Rewards

    • Recognize and reward employees who demonstrate exemplary security practices and contribute to the organization's security efforts.
  6. Continuous Improvement

    • Continuously assess and improve the project's security culture through feedback, assessments, and audits.
  7. Awareness

    • Ensure that all team members are aware of common security threats and best practices for preventing them.
  8. Responsibility

    • Instill a sense of responsibility for security at all levels of the project.
  9. Collaboration

    • Promote collaboration and information sharing among team members to enhance overall security.
  10. Training

    • Provide ongoing security training to keep team members informed about the latest threats and security practices.

Phishing and Social Engineering

tag: [Engineer/Developer, Security Specialist]

In the dynamic and often nebulous realm of Web3 and cryptocurrencies, understanding scams and phishing is critical for anyone venturing into this space. Both terms describe deceptive practices but manifest in distinct ways and require different prevention strategies.

Scams

Scams or Rug-Pulls in the context of Web3 and cryptocurrencies typically involve fraudulent schemes designed to swindle individuals out of their digital assets. For example, an enticing new project may promise revolutionary technology and unprecedented returns. However, the project developers quickly vanish, leaving investors with worthless tokens and empty promises.

Phishing

Phishing involves masquerading as legitimate entities to deceive individuals. For example, Crypto Drainers are very common these days: a threat actor suggests to a user that they can take part in an airdrop by visiting a provided link. Unsuspecting users who click the link are directed to a counterfeit website, where they are asked to authenticate their wallet and sign a transaction in order to take part in the airdrop. Once the transaction is signed, the threat actor can steal funds from the wallet that signed it.

Recognizing and Preventing Phishing Attacks

  1. Scrutinize URLs

    • Always verify the authenticity of URLs before clicking on links.
  2. Be Skeptical

    • Be skeptical of offers that seem too good to be true. Never sign a transaction unless you are completely sure exactly what you are signing.
  3. Safeguard Information

    • Protect private keys, seed phrases, and sensitive information zealously.
  4. Two-Factor Authentication (2FA)

    • Employ two-factor authentication wherever possible to enhance security.

Check & Remove Token Approvals

There are services available that let you check which smart contracts have approvals to handle funds in your wallet. By regularly checking this and revoking unnecessary approvals, you can improve your security posture. Examples: Unrekt, Etherscan Token Approval Checker.
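
To make "know exactly what you are signing" and the approval review above concrete, the following added example (not part of the framework's own material) decodes transaction calldata and flags calls that grant spending rights. The addresses, the trusted-spender list and the `review` and `encode` helpers are constructed for illustration; the selectors are the standard ones for the three function signatures shown.

```python
MAX_UINT256 = 2**256 - 1

# 4-byte selectors of calls that hand spending rights to another address.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}


def decode_approval(calldata_hex):
    """Decode an approval-type call; return None if the calldata is something else."""
    raw = calldata_hex.lower()
    data = bytes.fromhex(raw[2:] if raw.startswith("0x") else raw)
    signature = APPROVAL_SELECTORS.get(data[:4].hex())
    if signature is None:
        return None
    args = data[4:]
    if len(args) != 64:
        raise ValueError(f"{signature}: expected two 32-byte words, got {len(args)} bytes")
    # ABI encoding: an address sits in the low 20 bytes of its 32-byte word.
    if any(args[:12]):
        raise ValueError("address word has non-zero padding")
    spender = "0x" + args[12:32].hex()
    value = int.from_bytes(args[32:], "big")
    is_operator_call = signature.startswith("setApprovalForAll")
    if is_operator_call and value > 1:
        raise ValueError("bool word must be 0 or 1")
    return {
        "function": signature,
        "spender": spender,
        "value": value,
        "grants": value != 0,  # a zero amount or a false flag grants nothing
        "unlimited": value == 1 if is_operator_call else value == MAX_UINT256,
    }


def review(calldata_hex, trusted_spenders=frozenset()):
    """Classify calldata before signing; trusted_spenders holds lowercase 0x addresses."""
    call = decode_approval(calldata_hex)
    if call is None:
        return "not_approval", None
    if not call["grants"]:
        return "no_grant", call
    if call["spender"] not in trusted_spenders:
        return "unknown_spender", call
    return ("unlimited_to_trusted" if call["unlimited"] else "limited_to_trusted"), call


# Constructed placeholder addresses, not real contracts.
UNKNOWN = "0x" + "11" * 20
ROUTER = "0x" + "22" * 20


def encode(selector, address, value):
    """Build sample calldata: selector + address word + value word."""
    return "0x" + selector + "00" * 12 + address[2:] + value.to_bytes(32, "big").hex()


if __name__ == "__main__":
    trusted = {ROUTER}
    for label, calldata in [
        ("unlimited approve, unknown spender", encode("095ea7b3", UNKNOWN, MAX_UINT256)),
        ("operator approval, unknown spender", encode("a22cb465", UNKNOWN, 1)),
        ("bounded approve, known router", encode("095ea7b3", ROUTER, 500)),
        ("plain transfer", encode("a9059cbb", ROUTER, 500)),
    ]:
        print(f"{review(calldata, trusted)[0]:22}{label}")
```

A `not_approval` verdict only means the call is not one of the three approval functions; it says nothing else about whether the transaction is safe to sign.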

Contribute to the Security Framework

The Security Framework is an open and collaborative project. Whether you are part of the Security Alliance or not, we welcome your contributions! Help us to build the documentation and improve security in the ecosystem.

This mdBook-style handbook is designed for easy collaboration and automatic deployment through continuous integration. If you'd like to join our effort, feel free to fix typos, contribute new sections, or propose enhancements.

To contribute you can either:

  • Fork this repository, switch to the develop branch, and submit a pull request.
  • On each page, you will find a "Suggest an edit" button at the top-right corner. Clicking it takes you to GitHub.com, where you can suggest edits using the web interface.

Contributing

Before you start editing, adding or removing content, please read the code of conduct (https://github.com/security-alliance/frameworks/CODE_OF_CONDUCT.md) and familiarize yourself with the overall structure.

The source is hosted in a GitHub repository at github.com/security-alliance/frameworks.

The content of the Frameworks comes from the main branch, and when contributing we would like you to open a PR into the development branch.

Once a new update is warranted, the content from development is merged into main.

You may explore existing issues or open a new one for missing content, although a PR is preferred. If you identify missing or unfinished content, feel free to open a PR. First, check existing PRs or branches to make sure your work is not redundant.

Structure and collaboration

The wiki is supposed to cover all important parts of security for Web3 projects. For contributors, we recommend focusing on specific topics contained in corresponding documents. It's best to own a single topic and work out all the details. Create a new document and add the topic to the sidebar if it's not there yet. Join the Discord server, let others know what you are working on in the group channel, and collaborate with other contributors writing about related topics. If you are working with multiple people on a significant piece of content, you can have a dedicated branch in the repo for easier coordination.

Style guide

Wiki pages follow standard Markdown with some extensions by mdBook.

The audience of this wiki is technical and the content should reflect that. There are many guides on technical and documentation writing you can learn from, for example you can check this lecture to get started.

Here are the main guidelines to follow when writing this wiki:

  • Write in an objective, clear and explanatory tone
  • Avoid unnecessary simplifications, describe the technical reality
  • Avoid overly long and complex sentences or paragraphs
    • Use concise and clear statements
    • Break down your text using block-quotes, bullet points or images
  • Always link your resources and verify them
  • Use bullet points or tables for topics which require enumerating
  • Highlight keywords to support scanning and skimming through the article
  • Provide visualizations to explain the topic better
  • When using acronyms or technical jargon, make sure to introduce them first
  • Web3 is changing fast, write the content to be as future-proof as possible
  • Don't use LLMs to generate the text
    • We don't accept texts fully generated by AI, however we recommend using it to fix grammar or phrasing
  • Consider creating tutorials and hands-on guides documenting technical steps
  • Add recommended reading at the top, point to topics which are dependencies of yours
  • You can use mermaid diagrams for visualizations

The goal is to produce a credibly neutral text which is formal, well-structured, and maintains a clear progression of ideas. The content should be purely technical and shouldn't waste space on introducing high level/well known concepts. Introductory topics are necessary and can use comparisons, historical anecdotes, and concrete examples to make complex concepts more accessible.

Content standardization

The wiki uses American English over British spelling. Terminology, capitalization and nomenclature should match across all pages. Use the Ethereum.org guide for reference.

Usage of images and visualizations is encouraged. If you are using an image created by a third party, make sure its license allows it and provide a link to the original. For creating your own visualizations, we suggest excalidraw.com.

Feel free to use emojis or icons where it fits, for example in block-quotes.

Linking resources

When adding an external link, you can use it directly in the text or at the bottom of the page in the "Resources" section.

When linking resources, use descriptive names, such as inevitableeth.com, instead of generic phrases like this wiki.

Don't overwhelm the reader with too many resources within the text.

When linking a page within this framework, use a relative path, and if it references a specific topic within the page, link to the heading ID.

For other important links, add a section at the bottom of the page with a list of resources. Resources should have a name or short description with a link and an alternative link to its archived mirror. We strongly suggest adding a link to the latest snapshot from archive.org.

In-page notices

We use block-quote notices at the top of the page to provide readers with appropriate context regarding the content of the page.

Incomplete pages

Pages with minimal content which need more work to cover the topic need to include a notice:

> :warning: This article is a [stub](https://en.wikipedia.org/wiki/Wikipedia:Stub), help the framework by [contributing](/contribute/contributing.md) and expanding it.

Anything else?

This page is also open to contributors! Suggest improvements to our style and guidelines in the GitHub repo.

Attribution

A lot of the content of this page comes from the Ethereum Protocol Fellows.

Contributors

Contributors who made substantial contributions will be listed below.

Core team

  • Matías Aereal Aeón (@mattaereal)
  • Fredrik Svantes (@fredriksvantes)
  • Mehdi Zerouali (@zedt3ster)

Collaborations

  • Jorge de los Santos (@tebayoso)

Feedback

  • Patrick Collins (@patrickcollins)
  • Sebastián Fernández (@snf)