Why We Must Block Advertisements

Blocking advertisements specifically and by category can save your computer from getting infected or otherwise hacked. I have been talking about this fact for years and have been actively blocking advertisement sources since 1997. In 2014, Yahoo advertisements infected an estimated 27,000 computers PER HOUR.

There are many things to learn from this incident that can be summed up into two major categories.

  1. You have no security strategy unless you have multiple modes of filtering protection that is dynamically updated.
  2. You must use every reasonable method, regardless of how redundant it might seem, to block malicious content from getting to your computer.
Category 1 - multiple modes of protection

Here are some examples of multiple modes of protection that dynamically update.

  • Use OpenDNS. They might just have caught something as malicious and in the wild and will just flat out disallow the bad stuff from getting to your computer.
  • Use a custom hosts file on all your systems.
  • Use perimeter filtering defenses such as WatchGuard full security suite bundle properly configured on an XTM firebox. A properly configured firebox is exceptionally effective at preventing the garbage from getting to your computer.
  • Use a properly configured host-based security client.
  • Block ads by category and by explicit domain name
  • Use Trend to search for malicious cookies and delete them
  • Use proxy policies with a custom cookie block to block known ad-related cookies.
  • Use web content filtering in your host-based security client
  • Don't browse the internet or do email as an administrator account
  • Use your edge perimeter defense product to AV scan any downloads
  • Use IDS and IPS signature detection at the perimeter
  • Your host-based security product AND the heuristic defenses associated with perimeter security must dynamically update at least every few hours.
Category 2 - use every reasonable method

The list for category 1 may look to have some redundant protections in it. The AV scan engine that exists in the perimeter defenses may catch something that the host-based security product does not, and vice versa. The same rule applies for web content filtering or application behavior issues. The type of application control that exists via the host based security client is not the same functionality that exists at the perimeter firewall layer. You need both because they do different things.

Since no single method is 100% effective against all threats and in all situations, the more layers of non-conflicting protection that can be used is beneficial. Note the term non-conflicting here means that each layer uses a distinct technology. This means that there is only one perimeter security appliance. This means that there is only one host-based security software.

When all of the layers of security protection are employed together and with correct configurations, the probability of being hacked diminishes dramatically. The largest risk that then would need to be mitigated is physical access.

One additional method that can be used by Firefox users is to use AdBlock Plus, a free plugin for Firefox.

Mobile devices

One big consideration for mobile devices is to not use apps that are paid for by advertisement delivery. Not only does the delivery of those advertisements cost you more in data plan consumption (assuming cellular),  but these ads are another attack vector. Subscribers to Trend Worry Free Business Security Services can install the Trend client on their Android mobile device.

Share this post
Understanding Security Appliances