Security

Regarding scientific developments and deep integration of various technologies in societies and people’s life, security has become an important factor in these innovations. One of the most novel of these technologies are cryptocurrencies of which a high level of global demand has led to their rapid growth and expansion. However, this level of adoption has opened new doors to fraudsters to deploy new scam plots.

In fact, crypto users can protect themselves to an extent; Hence, OMPFinex team with regard to this issue has decided to provide a secure platform to its users in which the security-management cycle runs by the security team so that users can engage trading with a peace of mind.

Security in OMFinex Vital Infrastructures

The infrastructure security framework which the company has decided to implement entails five major stages including data collection, protection, identification, response and recovery through which the system can be protected in the most standard condition.

The process explores and evaluates various sectors of which the most important are:

  • Security Analysis

    Through this, the system is able to gather a complete list of threats and analyses them to identify malfunctions.

  • Breach Detection

    The system begins to transfer data from sub-systems to the server for investigation (Agentless), so the malwares and suspicious activities are detected.

  • Log Data Analysis

    The system periodically submits all the log data to evaluate them if needed.

  • File Integrity Monitoring

    This system inspects changes on the operating system. In case of a change, addition or removal of a file, it must be reported to the server to be investigated by the security director.

  • Vulnerability Detection

    The system is designed to check and detect different vulnerabilities which is monitored by MITRE ATT&CK project.

  • Configuration Assessment

    Based on security standards, the system periodically checks for insecure OS configurations.

  • Acute Response (Incident Response)

    This section contains several scripts gathered by the security team to provide the correct response for the event that any bad behavior comes up.

  • Regulatory Compliance

    This system checks the compliance of required security controls with global standards and regulations.

  • Cloud Security

    The system tries to identify possible vulnerabilities through collecting various modules’ security data from cloud services such as Google, Microsoft and Amazon.

  • Containers Security

    The system provides the capability to identify threats, vulnerabilities and malfunctions based on Docker.

Infrastructure Security of Cryptocurrency Platform

Cryptocurrency Security Standard (CCSS) defines a set of requirements for information systems utilizing cryptography. It involves crypto exchanges, web applications and blockchain-based storage solutions.

This standard aims to protect cryptocurrency related data from unauthorized access, loss of sensitive data and data breaches. Currently, CCSS is a standard specified for every institution managing crypto wallets as part of their business logic and it considers 10 aspects in security which are categorized in three levels. The company has adjusted its security measures according to this standard to prevent various fraud schemes. It is worth noting that all the users’ assets are stored on “cold storage” in an isolated system of which backups are regularly collected; These backups are stored on a different location, so in case of a total breach to the system or natural causes such as fire and etc., users’ assets will not be exposed to the risks.

ارزیابی امنیتی دوره‌ای

Security Assessment involves stages of periodic tests on platform security and the sections which are exposed to threats. The process applies OWASP and OSSTMM standards. Also, different scenarios are taken into consideration, most of which are related to Cyber Kill Chain attacks.

Iran-Based Servers

All OMPFinex services containing users’ data and notably, financial and users’ digital assets confidential data are fully hosted by domestic servers. Hence, there is no risk to asset freezing or similar issues due to financial sanctions posed on the Iranian citizens.