Case Studies for DLT Environments

Distributed ledger technology (DLT) is a digital system for recording the transaction of assets in which the transactions and their details are recorded in multiple places at the same time.

01

Organization:   Confidential Southern European Organization
Industry:   FinTech
Size:   175+ employees
Environment:   AWS
Summary:

A European-based early-stage blockchain technology firm that specializes in B2B and government services. This organization was building a blockchain ledger system for contact and possible government ID services. Even though traditional blockchain technologies, like Bitcoin, have good native security features there are still many threat vectors into a FinTech organization which can lead to compromise​.

The company’s key stakeholders had major concerns with AWS tenant security responsibilities, service security (architecture), and regulations (GDPR, etc.). The scope of the engagement was to review the current organization’s maturity level, AWS security posture, and all endpoints and connections within the blockchain service. Initial findings:

  • No high assurance of traditional best practices. Lack of modern admin controls for privilege accounts, endpoint security, and redundancy of controls you would typically expect in a high assurance design.
  • No cybersecurity program management and a low maturity in modern administrative controls (i.e., policies, standards, procedures, etc.).
Actions:
Throughout 6 months, we assessed, analyzed risk, built business cases, and led meetings with Sr. Mgmt. to lobby for improvements. We also led efforts to improve maturity and hardening of platforms and environments. Hand-selected internal subject matter expertise to build project teams. This led to:
  • A 200% increase in administrative controls which allowed the ability to enforce security enterprise architecture best practices and ensure compliance with GDPR data security requirements and ISO 2700X.
  • 25% improvement in the client’s AWS cloud tenant security posture. Implemented controls for SSH keys, monitoring and three-factor (MFA) for privilege access.
  • Performed assessments of 5+ FinTech service applications.
  • 100% upgrade of data-in-transit security via NSA best practice for end-to-end communications.
  • A 200% increase in administrative controls which allowed the ability to enforce security enterprise architecture best practices and ensure compliance with GDPR data security requirements and ISO 2700X.
  • Created endpoint baseline management processes and requirements for various OS versions. Implemented Endpoint Detection and Response (EDR), patching monitor, and other controls. Overall, there was a significant improvement in endpoint security, 300+%.

02

Organization:   Luxembourg-Based and French-Base Companies
Industry:   European FinTech

Environment:   Partner 1 - Hybrid Public Cloud | Partner 2 - 100% Cloud
Summary:

The two organizations were researching a joint service via blockchain technologies. The client wanted a review of the security best practices of applications and the partner environment the service would use. We used NIST CSF and CSA CCM as a guide for cloud security, virtualization, and program management best practices. Initial findings:

  • Low-security resources had led to a lack of cyber program management beyond basic regulatory compliance.
Actions:
We completed the assessment of the partner environment (i.e., security architecture and core partner service application) within 6 weeks
  • Reviewed over 200+ security requirements; discovering 5+ high risks which led to significant improvements..
  • Uncovered the use of outdated protocol version and led task to correct design.
  • We found a flaw in database location which could have led to a major compromise.
  • 25% improvement in the cyber risk management process.
  • Improved stakeholder communication and risk reporting notifications.
  • Devised an enhanced security architecture review process for improved risk capture

03

Organization:   Confidential U.S. Financial Organization (Digital Services Division)
Industry:   FinTech
Size:   5,000+ employees
Environment:   Google Cloud Platform (GCP)
Summary:

A U.S.-based early-stage division of a global bank was researching and developing multiple blockchain capabilities for B2B services. The organization was considering a centralized blockchain ledger system and other changes instead of the traditional decentralized style. Even though blockchain technologies have good native security features there are many data security concerns. These only increased due to the changes in blockchain methodology.

This division of the company’s IT Sr. Management responsible for development had multiple fears about public cloud, untraditional blockchain method security architecture, and regulations (CCPA, SOX, etc.). The scope of the commitment was to review, research, and provide recommendations.

Actions:
Throughout 3 weeks, we let meetings with interested parties in the R&D of this service to map out the business requirements and security architecture conceptual design. We documented planned security controls and requirements. This led to:
  • 8+ major recommendations related to transportation, API, and network-layer protocols usage.
  • Devised a plan for the use of 5+ new security solutions based on requirements discovery; a mix of both GCP native and third-party.
SOCIAL MEDIA
  • LinkedIn
  • Twitter
Copyrights  2020 by CyberSEC Geek, Inc. All Rights reserved