Spectre in the Advertising Ecosystem
By Chris Olson, CEO and Cofounder of The Media Trust
Communicated to the world on January 3, Spectre is a troublesome, potentially damaging vulnerability discovered in microprocessors that allows the surreptitious capture of passwords and sensitive data. To put the severity of this problem into perspective, almost every networked device made in the past 20 years is vulnerable to Spectre(1), including those that run the global digital ecosystem, from brands and advertising/marketing technologies to websites and consumer browsers.
Reality of advertising ecosystem compromise
Should bad actors determine how to leverage this vulnerability, they will most likely execute on a large-scale basis, affecting a vast network of hosts as opposed to targeting individual machines. Digital industry participants should adopt a defensive posture and pay close attention to all code flowing through or executing in their digital environments. Upon detection of anomalous code, publishers and their upstream partners need to immediately terminate it. To broaden communication and mitigate an emerging attack, these groups should share all relevant data with their entire digital ecosystem.
Ad blocking: False Security
To defend against a device infection, some researchers have advised users to implement ad-blocking tools(2). However, while these tools may stop the creative from rendering, they don't stop all ad-related code from executing in the background. In addition, some ad-blocking tools still serve ads, albeit at a less frequent rate.
Antivirus and server-side blocking solutions are almost completely defenseless against Spectre as they rely on blacklists or known malware strings. In the highly dynamic digital environment, a Spectre-related attack can develop and transform within seconds, causing irreparable harm to both the website operator's brand and the consumer's device.
When defense is an offense
While a Spectre attack has not been detected in the digital advertising ecosystem, the ammunition exists, and it can be loaded and fired at any moment. Now, more than ever, organizations need a firm grasp of their website environment, a complex task that is difficult to master. Not only do traditional security products fall flat, but also the security capabilities of various digital providers like tag managers, ecosystem mappers and consent platforms are lacking.
The best digital defense against Spectre and other web-based malware attacks is to prohibit the execution of all unknown code on the corporate website. This means identifying all code and the vendors that bring it, including functionality provided by third parties in the form of content recommendation engines, commenting services, data management platforms, social media widgets, video platforms and more.
Every domain, along with its activity and its relevance to overall functionality, must be analyzed closely. Terminate anything not germane to serving the requested content or advertisement. In addition, if unwanted code is served from a fourth- or fifth-party provider, that provider should also be made aware of the situation, with a request to have the code removed from its environment as well. Otherwise, the malicious code will continue to propagate in the broader ecosystem and wreak havoc for others.
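One way to carry out the inventory described in the two paragraphs above, as an added example that is not from the original article: it traces which vendor brought each script host onto the page, flags hosts missing from the approved inventory with their upstream chain, and builds an allowlist header. The site name, vendor hosts and load records are constructed, and enforcing the result with a Content-Security-Policy header is an assumption of this example, not something the article specifies.

```python
from urllib.parse import urlparse

FIRST_PARTY = "www.publisher.example"          # constructed site name
APPROVED = {                                   # constructed vendor inventory
    "ads.adserver.example": "ad serving",
    "cdn.recs-vendor.example": "content recommendation",
    "widgets.social.example": "social media widget",
}
# Constructed load records: (script URL, URL of the page or script that requested it)
LOADS = [
    ("https://www.publisher.example/app.js", "https://www.publisher.example/"),
    ("https://ads.adserver.example/tag.js", "https://www.publisher.example/"),
    ("https://cdn.recs-vendor.example/r.js", "https://www.publisher.example/app.js"),
    ("https://sync.dsp-partner.example/s.js", "https://ads.adserver.example/tag.js"),
    ("https://px.unknown-tracker.example/p.js", "https://sync.dsp-partner.example/s.js"),
]

def host(url):
    return urlparse(url).hostname

def vendor_chains(loads, first_party=FIRST_PARTY):
    """Map each external host to the chain of hosts that brought it onto the page."""
    parent = {}
    for url, initiator in loads:
        child, loader = host(url), host(initiator)
        if child != first_party and child != loader:
            parent.setdefault(child, loader)   # keep the first loader seen
    chains = {}
    for h in parent:
        chain = [h]
        while chain[-1] in parent and parent[chain[-1]] not in chain:
            chain.append(parent[chain[-1]])    # walk upstream; 'not in' stops on cycles
        chains[h] = chain[::-1]                # first party first
    return chains

def audit(loads, approved=APPROVED):
    """Return (host, party number, upstream chain) for each host not in the inventory."""
    findings = []
    for h, chain in sorted(vendor_chains(loads).items()):
        if h not in approved:
            # Assumes chain[0] is the first party: chain[1] is a third party,
            # chain[2] a fourth party, and so on, hence len(chain) + 1.
            findings.append((h, len(chain) + 1, chain[:-1]))
    return findings

def csp_header(loads, approved=APPROVED):
    """Allow scripts only from the site itself and approved hosts actually in use."""
    used = sorted(h for h in vendor_chains(loads) if h in approved)
    return "Content-Security-Policy: script-src 'self' " + " ".join("https://" + h for h in used)
```

The upstream chain in each finding names the approved vendor to contact about the unapproved host it introduced.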
Defensive strategies require control of the corporate digital environment, which can reduce liability while ensuring the integrity of a corporation's brand reputation and customer satisfaction. It also means the Spectre of today won't lead to an even bigger specter tomorrow.