Ad industry body issues first certificates for anti-malware best practices
The digital advertising industry’s cybersecurity assessment and information-sharing organization has issued its first set of anti-malware certifications, signing off on measures against cyberattacks taken by nine companies who represent as much as half of the digital advertising market.
The Trustworthy Accountability Group, or TAG, issued “Certified Against Malware” seals Monday to AppNexus, DataXu, Google, LKQD, OpenX, Publishers Clearing House, Rocket Fuel, Sovrn, and The Media Trust, TAG CEO Mike Zaneis told CyberScoop in an interview.
Zaneis estimated the nine companies between them probably touched up to half of digital advertising impressions on any given day. “I don’t have an exact percentage,” he added, “but there are major players here … A big chunk of the [digital advertising] supply chain.”
The seal means that the companies have “implemented TAG’s rigorous anti-malware standards,” according to a statement from the group.
Traditionally, ads have been a favorite way for hackers to serve malware and other malicious content, largely because of the complex, interconnected character of the digital advertising ecosystem. Ads from different companies are bundled together by automated platforms (demand side platforms, or DSPs) and sold to other automated platforms (supply side platforms, or SSPs) which in turn distribute them to publishers.
“Half a dozen or more entities … companies of various kinds, might touch an ad” before any consumer sees it, explained Zaneis. As a result, advertisements and the clicks on them may pass through many systems and companies on their way from the advertiser to the viewer and back again. That sprawling, open ecosystem creates a broad attack surface and many opportunities for cybercriminals to inject malicious software.
“When it comes to malware, protecting our supply chain and protecting our customers go hand-in-hand,” said Zaneis. “It’s everybody’s responsibility to harden the ecosystem.”
He said networks like Rocket Fuel, exchanges like AppNexus and DSPs like DataXu represented “bottlenecks in the ecosystem” — single companies that touch millions of ads every day — and were therefore “an opportunity to reach scale.”
The particular anti-malware measures the companies have to implement to qualify for the TAG seal depend on their exact role in the ecosystem, but all of them have to fulfill certain guideline requirements, including:
- Designating an anti-malware contact in their company.
- Documenting appropriate points of contact at partner companies.
- Assigning and documenting malware scanning responsibilities.
- Scanning a reasonable percentage of total advertising inventory.
- Establishing a procedure for defining and handling both standard and “Red Flag” malware incidents.
- Establishing a formal post-mortem process for Red Flag malware incidents and reviewing it semi-annually.
Companies that want to get certified can either self-attest their adoption of the guidelines or have it certified for them by a third party — usually an accounting firm or other auditor. The nine companies certified Monday are a mix of both self-attestation and audited certifications, Zaneis said.
TAG, which is the first and, so far, the only online advertising business registered as a cyberthreat Information Sharing and Analysis Organization, or ISAO, was set up and is run by the titans of the sector, including the top three ad industry associations: the American Association of Advertising Agencies, the Association of National Advertisers, and the Interactive Advertising Bureau.
TAG also already certifies ad companies for their anti-piracy, anti-click fraud and transparency standards.