Cyber Audit

CyberAudit (AUDIT) is a dedicated smart contract and cryptocurrency assessment and audit company that offers independent certification.

Welcome to CyberAudit (AUDIT)


CyberAudit (AUDIT) is allowing new stakeholders to purchase tokens now at pre-ICO prices. Tokens are being sold for $0.10 each (50M total/max supply), with tiered bonuses available. Inquire within to learn how you can acquire AUDIT tokens before they are made publicly available.

CyberAudit is different.

CyberAudit finds flawed code BEFORE it becomes an exploit.

The cryptocurrency vertical has been the victim of hackers and associated bad-actor activity since its inception. The problem is only getting worse, with losses from cryptocurrency crime surging to over $4.52 billion last year.

A primary issue is the insecurity of the smart contract code to begin with. Too many projects are guilty of simply cutting and pasting code from existing projects which are inherently vulnerable. This propagates the risks to new projects and leaves potential investors highly vulnerable to financial loss.

A handful of “auditing” companies exist in the space, but they have demonstrated an inability to protect investors' assets. The reason is simple: these companies have only a rudimentary understanding of cyber security and miss the lines of code that can be exploited, leading to millions of dollars of losses. In summary, these auditing firms use best practice guidelines which are basic at best and insufficient at worst.

CyberAudit is different.

We incorporate global developers who specialise in crypto development and reverse engineer their code to allow us to identify vulnerabilities proactively. In a nutshell, CyberAudit finds flawed code BEFORE it becomes an exploit. CyberAudit also incorporates our Smart Contract Documentation Tool (SCDT) to allow global collaboration to ensure that smart contracts are being written correctly.

CyberAudit creates markdown-based documentation for Solidity project(s) for the following platforms:

  • Ethereum
  • Ethereum Classic
  • Tron
  • Qtum
  • Wanchain
  • Aeternity
  • Counterparty
  • Rootstock
  • Ubiq
  • Monax

This is just the beginning, however.

CyberAudit

Incorporates manual and automated processes to assess the entire infrastructure of the crypto project and/or exchange.

Once a smart contract has been audited and approved, CyberAudit incorporates manual and automated processes to assess the entire infrastructure of the crypto project and/or exchange. Using Security Scorecard (a partner solution which raised $50M USD in its D Round of funding this year), CyberAudit constantly monitors the infrastructure for the following ten (10) critical areas:

  • Network Security - Detecting insecure network settings
  • DNS Health - Detecting DNS insecure configurations and vulnerabilities
  • Patching Cadence - Out of date company assets which may possess vulnerabilities or risks
  • Endpoint Security - Measuring security level of employee workstations
  • IP Reputation - Detecting suspicious activity such as malware, ransom or spam
  • Application Security - Detecting common website vulnerabilities
  • Cubic Score - Proprietary algorithms checking for implementation of common security best practices
  • Hacker Chatter - Monitoring hacker sites for chatter about a crypto project or exchange
  • Information Leak - Potentially confidential company information which may have been inadvertently leaked
  • Social Engineering - Measuring company awareness of a social engineering or phishing attack

Security Scorecard

One of AUDIT’s flagship VAR products is Security Scorecard. Security Scorecard is a world-class cyber security solution that has been funded to the tune of $50M via a D round in late 2019.

Specifically, Security Scorecard is designed to:

  • Understand and reduce risk with the world’s most expansive & scalable cybersecurity ratings platform.
  • Get a holistic view of any organisation’s security posture based on the collection, analysis, and attribution of millions of critical data points.
  • Discover and remediate your IT Infrastructure risk as well as cybersecurity risk in your vendor and business partner environment.
  • Identify and solve complex cybersecurity, compliance and risk management challenges.
  • Work collaboratively with third parties to reduce risk and improve security posture.

Security Scorecard is available via:

  1. Annual subscription based model
  2. ATLAS platform

Inquire for more information about how to obtain Security Scorecard: info@cyberaudit.io

Security Scorecard Dashboard Report

As impressive as this comprehensive assessment is, again, it is not the end of all of our capabilities. In fact, we are just getting started. CyberAudit uses Security Scorecard to classify discovered vulnerabilities into severity categories. This is a sample of a real client’s Severity Report:

The following figure provides an example of the dashboard graphic for a sample Telecommunications crypto company for which a Security Scorecard assessment was performed.

Now it should be starting to resonate.

We have found a problem that would never be discovered during a standard smart contract audit. But what does this mean?

What it means is that a simple certificate used to create an encrypted session has expired. The session (which may include the transmission of privacy information like a public key) is now happening in the clear. In other words, a hacker can see and steal EVERYTHING. This certificate expiration could quite possibly provide the “keys to the kingdom” and ultimately allow a hacker to steal all of the funds in a wallet…or on an exchange.

So how does a crypto entity use this information and FIX the problem? Our solutions provide simple remediation action details. For example:

Once a vulnerability has been fixed, the assessment continues in the background and a new score is generated.

Once this has been done for every vulnerability and associated risk, the entity has increased its security posture and can then be monitored 24/7 to ensure that as potential new vulnerabilities and threats emerge, they can be mitigated in real time.

So how does CyberAudit stay informed of new and emerging threats? We use a Threat Information Sharing Portal (T.I.S.P.) which provides real-time feeds of emerging threat data and intelligence. This data comes from numerous partner sources and provides our expert analysts with up-to-the-minute information that can be turned into actionable intelligence. It also feeds the assessment tools, which ensures that assessment scans contain the most current database of vulnerability and risk signatures so our clients' infrastructure can be assessed and audited in near real time.

There simply is no better or more comprehensive assessment and audit solution out there than CyberAudit.

The purpose of AUDIT Tokens

AUDIT is a holistic cyber security assessment and continuous monitoring solution for the blockchain which ensures smart contracts and associated transactions are secure. The AUDIT ecosystem incorporates a web portal where CYBR users (the community) submit smart contracts for auditing to ensure there are no vulnerabilities. The portal also offers additional capabilities including threat alert provisioning, application downloads and access to a global database of known and emerging threats. This portal provides real-time safeguards, countermeasures and ACTIONABLE threat intelligence to the AUDIT community as well as other blockchain entities.

The purpose of AUDIT Tokens is as follows:

  • To use as a unit of value exchange on Cyber Audit.
  • To use as a reward for people who report threats.
  • Coming soon: A smart contract to record the findings of an audit.
  • Coming soon: Cyber Audit portal provides a marketplace and connects clients with auditors to collaboratively audit smart contracts.
  • Coming soon: Cyber Audit portal also performs some basic automated static/dynamic code analysis in the background.

AUDIT’s holistic solutions suite

Provides the company with the capability to monitor any web based site for malicious code and bad actor activity.

Currently, AUDIT monitors over 1.5 MILLION clients. This massive amount of intelligence allows AUDIT to aggregate emerging threat data and share new and existing threats and vulnerabilities in near real time. AUDIT collects this information and makes it readily available to the general public via its Threat Intelligence Portal (TIP). Additionally, the TIP allows users to enter information and share anything they’ve discovered, such as crypto scams, phishing attempts, dark web activity and other information that the community benefits from being aware of. This is a free service offered by AUDIT.

How does AUDIT earn revenue? AUDIT provides cyber security solutions as a prime contractor and a subcontractor to numerous agencies and organizations. The company bills analysts' time and specialises in high and low level competencies. Some examples of our labor categories are:

  • Certified Information Systems Security Professional (CISSP): A professional possessing an independent information security certification granted by the International Information System Security Certification Consortium, also known as (ISC)².
  • Certified Information Security Auditor (CISA): A professional possessing advanced certification issued by the Information Systems Audit and Control Association (ISACA). The designation is the global standard for professionals who have a career in information systems, in particular, auditing, control, and security.
  • Certified Information Security Manager (CISM): A professional possessing advanced certification which indicates that an individual possesses the knowledge and experience required to develop and manage an enterprise information security (infosec) program.
  • Senior Cyber Security Analyst (SCSA): A professional possessing a college degree and 10 years of experience in cyber security and/or information assurance. This individual is highly knowledgeable of industry standards and best practices and leads the certification and accreditation (C&A) efforts.
  • Senior Cyber Security Engineer (SCSE): A professional possessing a college degree and 10 years of experience in cyber security and/or information assurance, along with expert knowledge of information technology (IT) infrastructure. This individual is highly knowledgeable of industry standards and best practices and leads the certification and accreditation (C&A) efforts.
  • Smart Contract Auditor (SCA): A niche expertise, this individual specializes in ERC and Solidity standards and best practices. He/she utilizes AUDIT's Smart Contract Auditing Suite to ensure that blockchain tokens are issued from a secure and trusted source. The SCA’s assessment and audit functions go far beyond other companies' capabilities.

Competition

Numerous companies claim to provide smart contract auditing and other cyber security capabilities.

The reality is that most possess a basic knowledge of Solidity and ERC, but have no experience with holistic and defence-in-depth methodologies.

Let’s look at a recent case study:

An existing project (bZx) retained PeckShield and CertiK to perform smart contract audits. They claimed to have spent over $200k on these assessments. From March 2020 to September 2020, bZx suffered three hacks directly related to smart contract vulnerabilities, totalling nearly $9M in losses. So what went wrong?

Sadly, in the world of blockchain, there aren’t enough standards established. Best practices are only applicable if the auditor not only understands the smart contract programming language, but also possesses the mindset of a hacker to consider all of the possibilities in which a threat might exploit a weakness. In the federal and commercial world, standards and best practices have existed for years, such as the National Institute of Standards and Technology (NIST) Special Publication 800-53 series. This comprehensive document series guides the auditor (assessor) through NIST guidelines, which adopt a multi-tiered approach to risk management through control compliance. SP 800-53 works alongside SP 800-37, which was developed to provide federal agencies and contractors with guidance on implementing risk management programs. SP 800-53 focuses on the controls which can be used along with the risk management framework outlined in 800-37.

The controls are broken into 3 classes based on impact – low, moderate, and high – and split into 18 different families. The NIST SP 800-53 security control families are:

  • Access Control
  • Audit and Accountability
  • Awareness and Training
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical and Environmental Protection
  • Planning
  • Program Management
  • Risk Assessment
  • Security Assessment and Authorization
  • System and Communications Protection
  • System and Information Integrity
  • System and Services Acquisition

NIST SP 800-53 COMPLIANCE BEST PRACTICES

  • Analyze: The first step in NIST compliance is understanding. Clients need to understand the threats facing their data and information systems as well as where they are currently at risk. Using solutions that can automate the monitoring of NIST 800 series compliance is a good place to start. The leading solutions in this space analyze and protect regulated data such as PII, PHI, and PCI.
  • Educate: Clients should educate their developers and employees about the steps they need to take to become NIST compliant. In particular, there are a number of management controls laid out in NIST 800-53 that the management team should be aware of. Similarly, operations leadership should be made aware of the operational controls listed. Elsewhere, there are software solutions that can help train employees in real time on the latest security requirements and best practices. These prompts can keep users on their toes and eliminate those careless actions that threaten organisational security.
  • Assess: Lots of companies talk about how seriously they take data and information security, but if they have no way to measure security policies and processes, how can they improve on them? Clients are shown how to deploy solutions and tools that provide a mechanism to measure and assess the security processes. Then, they are able to continuously iterate and improve security standards against the continuously evolving threats that exist.

After these assessments have been conducted, the next piece of the holistic cyber security puzzle is Continuous Monitoring. This is as important as the initial assessment because a company is a dynamic and fluid entity. Its infrastructure changes with every new laptop, storage device, application or external thumb drive that is introduced into the network environment. It is CRITICAL that an enterprise organization monitors its infrastructure 24/7 because hackers work around the clock.

About

Founder

Darron Tate

  • Certified Information Security Auditor
  • Retired United States Air Force
  • 20 years of experience in cyber security, information assurance and information security
  • Nominated for United States Civilian Medal of Honor Award

Partners

  • 21st Century Technologies, Inc.
  • CYBR International