What's New | Cenzic Security Blog

Amidst the Mobile Pickpockets, Don’t Forget to Guard the Vault

Wed, 22 Feb 2012 19:37:17 -0500

Unfortunately, the industry’s current mobile security focus is like guarding against pickpockets while the bank vaults go unprotected.

Much has been written recently about mobile security: mobile apps surreptitiously uploading users’ contacts, the increase in Android malware, pirated apps adding bogus sms charges, and of course everything Apple is doing to secure their platform – sandboxing, MDM, application access control and security certificates. There are public cries for one-click kill commands that would enable VIPs to delete their contact list in an emergency, insistence for greater control of the distribution of Android applications, and calls for oversight of app developers who may help themselves to more information than their users realize.

Unfortunately, the industry’s current mobile security focus is like guarding against pickpockets while the bank vaults go unprotected. The attention is riveted on device-centric hacks; hacks that, for the most part rely on many individuals being infected or duped to succeed. And while as a consumer and the head of a security company, I applaud all security measures, I’d like to point out that the pot of gold for any motivated hacker is not mobile devices but the backend data and systems they connect to.

If you were a profiteering hacker, where would you aim your sights? Do you want Joe User’s address book, or the backup database with everyone’s address book? Would you make more hijacking mobile credit card transactions one at a time, or hacking a mobile payments authentication and verification database? Sure, it’s a more complex hack, but the payoff is exponential. So while I agree that finding and fixing vulnerabilities in mobile devices is important, I want to make sure it’s clear that it’s all for naught unless the vulnerabilities in the mobile application and how they communicate with the backend are also found, fixed, and monitored for new vulnerabilities.

Most experts agree that over the course of 2011 the sophistication of mobile attacks and malware became more sophisticated. Even still, many of us agree that we’ve only seen the first act. As mobile apps proliferate and mobile hackers gain experience and sophistication, there will be an increase in attacks focused on the big vaults of data, not just the individual pockets.

Cenzic actually has put its money where my mouth is on this. We’ve released our new application security intelligence service mobile offering that focuses on finding mobile app and backend vulnerabilities. More about our product here.

John Weinschenk, President and CEO of Cenzic

Cenzic + WAF = Intelligent Blocking

Mon, 06 Feb 2012 15:27:00 -0500

We have been getting a lot of questions about how to automate online application protection

We have been getting a lot of questions about how to automate online app protection. There are a number of ways to do this, but an easy one is integrating Cezic with your Web application firewall (WAF).

By integrating Cenzic’s continuous online application testing capabilities into a WAF, online app scans can be automatically run through the WAF using Cenzic’s cloud solution. Integrated WAF/Cenzic solutions (like Barracuda, Citrix, F5, Imperva and Trustwave) ensure that vulnerabilities are immediately blocked as they are identified. This means that your organization remains protected and in compliance without interruption to business, and code can be fixed in a resource-efficient manner.

John Weinschenk, President and CEO of Cenzic

Security as Customer Service: The Zappos Hack Starts the Conversation

Tue, 24 Jan 2012 12:39:42 -0500

If you know there is more you should be doing to protect against hacking, you're never going to get a better reason to bring this up than Zappos, the reigning customer service monarch, just gave you.

When was the last time you, or anyone handling digital security at your company, was invited to a meeting about customer service? How many times have you been asked how you can improve the customer experience? How often are your anti-hacking efforts cited as one of the ways your company is customer-first?

If your company isn't truly customer-centric, the answers are likely never, zero and not ever. Even companies who live and breathe customer service don't always equate anti-hacking measures with happy, returning customers.

But that might have changed after online shoe store Zappos' was hacked last week, resulting in a data breach affecting 23 million of its customers. The CEO sums it up well. "We've spent over 12 years building our reputation, brand and trust with our customers," CEO Tony Hsieh said in a blog statement. "It's painful to see us take so many steps back due to a single incident."

Could they have prevented it? Were they lax? Was security part of their culture, just not publicly discussed so as not to become a target? I don't know. We may never know. But if your company hasn't asked your security team these questions, they should. And if you know there is more you should be doing to protect against hacking, you're never going to get a better reason to bring this up than Zappos, the reigning customer service monarch, just gave you.

Sure, they'll survive; after a more than a decade of fabulous customer service – purportedly 75%+ of their sales are from returning customers – they should have enough goodwill to not lose much for long. But what about your company? How many of your sales are from returning customers? What would a customer data breach do to their loyalty?

How we treat customer data is part of how we treat the customer. It isn't the first thing your CEO might ordinarily think of, or the CMO or the head of the call center. But it might be in their top 10 for the next few days. Take advantage of it.

John Weinschenk, President and CEO of Cenzic