Security Archives - Cuebiq

Data Security: The Key To Your Brand Safety
https://www.cuebiq.com/resource-center/resources/data-security-key-to-your-brand-safety/
Thu, 04 Mar 2021 19:12:14 +0000

If you’re evaluating a partner in the data space, there are many considerations. The topic of privacy is probably top of mind, with Apple’s IDFA opt-in enforcement. Yet while privacy is no doubt paramount, it goes hand in hand with a less sexy but equally important consideration: security. 

Data Protection Elements To Consider

In your evaluation, it’s critical to answer the question: How well is the partner equipped to protect their data? There are several key elements to consider. First, it’s important to identify whether the partner has its own internal security team, and thus places an emphasis on data protection. Next, you can assess the security team’s protocol. Finally, it’s essential to determine whether the security team routinely tests their security products to find any flaws — before hackers do! 

By assessing these criteria, you can better understand whether your data will be safe and secure when you select a given partner. You’ll also avoid the significant risk of a data breach that could come with working with a nonsecure partner. In this way, the conversation about security directly relates to that of brand safety — data breaches can be extremely detrimental to brand reputation and have lasting consequences. It follows that security is the key to protecting your brand.

Cuebiq’s Stance on Security

At Cuebiq, we exhibit a security-first mindset, born out of our respect for the value and sensitivity of the assets we manage. Cuebiq follows all security best practices and International Standards, such as NIST and CIS Critical Security Controls. Additionally, Cuebiq’s core systems are hosted on Amazon Web Services, ISO27001 certified, and are PCI DSS Level compliant.

Paired with our strong privacy framework, our security practices will ensure your data remains safe and secure. To learn more about our privacy practices and our outlook on data sharing, check out this blog from our Chief Privacy Officer.

The post Data Security: The Key To Your Brand Safety appeared first on Cuebiq.

Setting Industry Standards: An Inside Look at Cuebiq’s Security Team
https://www.cuebiq.com/resource-center/resources/setting-industry-standards-an-inside-look-at-cuebiqs-security-team/
Thu, 12 Sep 2019 17:47:09 +0000

As with any tech-driven company, here at Cuebiq, security and privacy are imperative to our everyday success. What sets us apart from the rest, though, is that privacy has been a core value we’ve embraced since day one. We truly believe it's our duty to keep all data secure and, in doing so, provide our clients with top-notch security and privacy practices.

But Cuebiq’s Security Team doesn't settle for merely following industry best practices — our goal is to set the bar higher.

One of the many ways we do this is by constantly testing our security framework and tools. We do this by routinely performing advanced red-teaming and evasion tests. We want to make sure that we aren’t just “checking a box” when it comes to security, but rather investing in the right kinds of security products and tactics that elevate Cuebiq’s security in the industry.

So, let’s talk about one of our tests… 

Specialized Testing Scenario  

One of the very first scenarios we tried to simulate was a typical endpoint protection evasion test. Simply, we wanted to test a current security product we use for protecting our endpoints.

In short, this test started by acquiring a basic malicious payload which we then embedded into a script. We did this to understand if our endpoint protection tool was able to flag it as malicious.  

We use one of the industry’s “top tools” for detecting in-memory and behavioral malicious artifacts. And we thought this would be an easy test, but we soon realized that even with the latest version of the anti-malware engine, the payload was not detected. 

In fact, after the execution of the payload (and the evasion of the product), we expected that the anti-malware engine would at least be able to detect the malicious behavior we were also testing on some other targets; unfortunately, none of the following actions were spotted:

  • remotely enabling the mic and recording the environmental audio
  • remote screenshot capture and data exfiltration

We were concerned by our findings, but also happy that our consistent security efforts worked. After the test, we reported this anomaly/vulnerability to the vendor and requested a technical call to reproduce the issue to better understand the situation. 

After identifying this vulnerability and working with the vendor, about a month later a new update was issued to the product that should have corrected the flaw we helped discover. After the analysis of this new version, the problem was still in place, so we contacted the vendor again to provide further information. Another version was then released, and here’s the great news: After performing another analysis, our Security Team realized that the vulnerability was not in place anymore, and the payload was correctly detected!

In response, we are working with the vendor to recognize our finding as a vulnerability, so that we can open the CVE (also as a recognition for our work and Security Team!)

Tying It All Together: What We Learned From This Analysis

So, what lesson did we learn from all this? Never take for granted the effectiveness of any product or security framework. It’s imperative that all security teams routinely test their security products to find any flaws (before hackers do!)

Putting our security tools and framework through our rigorous testing not only enhanced overall security at Cuebiq but also contributed to helping the industry build better security products — setting the bar higher for security teams around the world!

Does this sound like a company you want to work for? 

Check out Cuebiq’s career page.

The post Setting Industry Standards: An Inside Look at Cuebiq’s Security Team appeared first on Cuebiq.

5 Security Questions You Need to Ask in Your Next RFI
https://www.cuebiq.com/resource-center/resources/5-security-questions-you-need-to-ask-in-your-next-rfi/
Thu, 11 Apr 2019 17:49:40 +0000

As consumers, we’re all on the lookout for the newest product and/or service that can make our lives easier — and that same sentiment is true for brands. As the advertising ecosystem continues to evolve, brands have raced to keep up with new technology and trends by enhancing their tech stacks with new data sets and partners. In today’s data-driven landscape, media success and ROI depend on how well your tech stack is built and how well you can use it to not only measure ROI but improve it with your next campaign.

However, brand safety is not just tied to the environments where your ads may run but also to the data behind your advertising decisions. Because most brands are running frequent media campaigns, it’s vital that brands and their agencies be aware of and screen their partners’ data collection practices to ensure that they themselves are in a safe position.

As you evaluate new and current partners on privacy, it is also important to understand how well they are equipped to protect their data. When choosing a new data provider, it’s fundamental to ask the right questions. Lucky for you, we’ve developed a set of questions for you to ask as you RFI new partners and audit current ones.

Below please see the five security questions to ask in your next RFI. Happy reading!

1. Do you have an internal security team?

This is a question a lot of us may simply forget. While it’s important to ask about security when evaluating new partners, it's even more important to find out if there is an actual team in place. If so, the next thing to know is the size of the team and how it compares to the size of the company as a whole. If data partners have a good-sized security team in place, it means they take security very seriously (which is a very good sign!)

2. Cloud vs in-house data centers — which one do you use?

The main difference between the cloud and a data center is that a data center refers to on-premises hardware, while the cloud refers to off-premises computing. When it comes to security, this question is pretty important. While some companies leverage in-house data centers, it can be argued that cloud partners have better security solutions and technology. Because of this, it's imperative to ask this question so you can understand what they use and why.

3. Can you share a vulnerability analysis/penetration testing executive summary?

Vulnerability analysis/penetration testing (VA/PT) is an active process of identifying existing vulnerabilities and available exploits in a security implementation, to penetrate susceptible systems on the basis of this information. A penetration test is useless unless paired with a well-drafted technical report. By asking partners to share these summaries, you will see whether or not they perform these routine assessments. You will also get a chance to review the findings to see if their efforts meet your criteria.

4. Does your security team perform routine red/blue teaming exercises?

Red team/blue team exercises take their name from their military antecedents. The idea is simple: one group of security pros — a red team — attacks something, and an opposing group — the blue team — defends it. Originally, the exercises were used to test force-readiness. In security, these kinds of exercises are fundamental, as they help reduce risk and enhance a company’s ability to detect breaches.

5. Can I speak directly with your security team?

There's no better way to understand how a provider approaches security than speaking directly with the team. There is no checklist big enough or certification high enough that could provide better insight into a company’s approach to security.

To learn more about how to evaluate a potential offline partner, check out our blog.

The post 5 Security Questions You Need to Ask in Your Next RFI appeared first on Cuebiq.
