Malvertising – injecting online advertising with malware – has become one of the most popular types of drive-by attack for cyber criminals. Criminal hackers can easily infect the legitimate ad supply chain, targeting consumers directly and infecting their machines with malware. You don’t even need to click on the ads to get infected.
As security firm Cyphort Labs’ new report The Rise of Malvertising explains:
“Ad networks, which are not under the control of the host website, decide which ad to send you, but often do not actually deliver the ads. Instead, the ad networks instruct your browser to call a server designated by the advertiser.”
Cyphort reports that malvertising campaigns increased 325% in the past year, and “found examples of malvertising on highly-visited sites like Gopego.com and The Huffington Post.” The Association of National Advertisers predicts that ad fraud will cost the industry $6.3 billion in 2015.
Ultimately, combating malvertising threats can only be achieved with the assent of the advertising companies themselves. Organizations that want to take action themselves to address malvertising – and countless other cybersecurity threats – should implement an information security management system (ISMS), as set out in the international standard ISO 27001.
An ISMS provides a risk-based approach to information security, enabling organizations of all sizes, sectors, and locations to mitigate the risks they face with appropriate controls. An ISMS addresses people, processes, and technology, providing an enterprise-wide approach to protecting information – in whatever form it is held – based on the specific threats the organization actually faces, thereby limiting the inadvertent threats posed by untrained staff, inadequate procedures and out-of-date software solutions. In the case of malvertising, for example, technological solutions such as ad blockers and security monitoring systems will reduce the organization’s exposure to malvertising campaigns, a rigorous patch management program will ensure software is kept up to date, and staff training will ensure employees don’t subvert these preventive measures by clicking on dubious ads.
IT Governance’s ISO 27001 Packaged Solutions provide unique information security implementation resources for all organizations, whatever their size, budget or preferred project approach. Combining standards, tools, books, training, and online consultancy and support, they allow all organizations to implement an ISMS with the minimum of disruption and difficulty.