Guest Post By Vitor Jesus, (Cyber Security Expert) – 04-09-2016.
Originally posted @ vitorjesusicsnetwcybersec.blogspot.co.uk,
Shapeshift.io is a startup evolving around Bitcoin (one of my lateral interests and a movement I follow quite closely). Last week they reported a coins having been stolen. More than that, Eric Voorhees writes a fascinating report of how it happened. It is a story I will be using in many talks
My first reaction, shared in a reddit post, is that they actually didn’t do anything fundamentally wrong. They’re a startup so getting the business up and running is the goal. This means they have no cybersecurity office and, worst of all, they are all tech people which unfortunately gives a stronger sense of “we don’t need a cybersecurity programme because we have firewalls”.
I have been working with tech startups with an immensely skilled army of developers and managers; but that show quite an alarming unawareness of many basic concepts of cybersecurity.
As I often say, cybersecurity is 20% about firewalls and 80% about organisational processes. In this case, what failed was the human element:
- Do not leave computers unlocked
- Do extensive background checks on new starts
But who has never left a laptop open and logged in? I keep doing it even on public places. And how thorough and reassuring can background checks be?
There are, of course, many tactical improvements possible: secured critical operations, segregation and air gaps of critical assets, much clearer/crisper separation of duties, much much better auditing, much much much better accounting, etc. Beyond making the system harder to exploit, above all they would make it easier to understand what happened and much faster.
Sharing the story, with care not to reveal too much, was a good thing to do in my opinion. I do have a few unanswered questions but I also feel it was an honest report. It assured customers: everyone will be hacked at some point and cybersecurity is mostly about minimising damage to the least (reasonable) extent when it happens and not preventing it.
The fact that their source code is on the lose is alarming though. They should subject it to a thorough analysis (by a 3rd party!) and setup a bug bounty programme. They are a business that relies on exposure to the public internet and I can only imagine how many people are trying to exploit it.
Finally, in the words of Eric Vorhees, there is also this valuable lesson so well formulated:
“Though it sounds cliché, (…), do yourself a favor and bring in 3rd party professional help very early. We hadn’t needed it at first, because we were small. But growth creeps up on you, and before you know it you are securing significant assets with sub-standard methods”