In fact, some ad networks do screen for that and prohibit ads containing questionable content. But the bad guys have an answer for that, too. They pay for a set number of ad impressions and initially submit ads that link to legitimate products. The ad network approves the link, and after a while the originator swaps the approved link for the rogue one. And if the ad network does respond to a report of a bad page, the reviewer is simply redirected to the original, legitimate ad, so the complaint appears unfounded. It's a classic game of cat and mouse in the digital age.
The real problem is not just compromised ad networks -- it's potentially any link on a Web page. Popular websites often load dozens or hundreds of objects, and a large proportion of those reference objects and code hosted outside your organization: scripts, images, iframes, style sheets and ordinary hyperlinks. External linkage is an area of potential abuse you must evaluate.
In general, the concept is known as transitive trust. If you trust A and A trusts B, then you implicitly end up trusting B, even if you don't know anything about B. On a Web page, A is your site and B is every third party it pulls content or code from; your visitors' browsers extend that trust automatically, without asking either of you.
Map your transitive trusts
All your Web developers and managers should be familiar with the risk of ad network compromise -- and the risk of malicious links in general. Education is key. They must understand that each indirectly managed link is an area for potential abuse. But awareness is not enough. Here are four best practices to keep you out of trouble:
1. Create a trust map. Require that all websites under your control have transitive trust maps. That is, every website linking to external content should have that linkage documented and managed: which page references which external host, what kind of object it is (script, iframe, image, hyperlink), and who on your side owns the relationship. This documentation is best kept in a database or spreadsheet so that managers can easily pivot between particular websites and the sites to which they link. Keep it current and compare it against what the page actually serves today; a link whose destination quietly changes after approval is exactly the swap trick described above.
2. Screen your suppliers. Make sure every external link comes from a site or company known to use good security practices. Some companies go so far as to require external security audits or at least send the external party a security checklist to which they must respond.
3. Know your emergency contacts. Establish a contact at the ad agency or external link provider who you can call if malicious behavior is reported. You don't want to scramble for that phone number in the middle of the compromise. You want a person or department you can contact for investigation and remediation 24/7. This one step can be a lifesaver.
4. Seal it with a contract. Add appropriate legal language to contracts with external linkers. Make sure those parties understand what security measures you require and set expectations as precisely as feasible. If possible, include penalties for noncompliance, and for damage to your own customers or employees resulting from a malicious compromise that should have been foreseen.
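As an added example of step 1 (not code from the original column), the script below builds a transitive trust map from a page's HTML: it resolves every fetch or navigation target against the page URL, keeps only those on a different host, and groups them by host and object type. A second function diffs two snapshots so that an origin that appears after the map was approved, the way a swapped ad link would, is flagged. The page URL, host names and HTML are constructed for the demo; treating your own subdomains as external is deliberate, since a subdomain you do not operate is still a third party.

```python
"""Transitive trust map for a Web page (added example, not from the column).

Parses the HTML, resolves every external reference, groups them by host and
tag, and reports hosts that appear in a new snapshot but were not in the
approved one.  All URLs and HTML below are constructed sample data.
"""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes that make the browser fetch from or navigate to a URL.
FETCH_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "a": ("href",),
    "object": ("data",),
    "embed": ("src",),
    "source": ("src",),
}


class _LinkCollector(HTMLParser):
    """Collects (tag, absolute URL) pairs for every fetch/navigation attribute."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                # Resolves relative paths and scheme-less "//cdn/..." forms.
                self.refs.append((tag, urljoin(self.base_url, value.strip())))


def trust_map(page_url, html):
    """Return {external_host: {tag: count}} for everything the page pulls
    from a host other than its own.  Non-HTTP schemes (mailto:, data:,
    javascript:) are not external fetches and are skipped."""
    own_host = urlsplit(page_url).hostname or ""
    collector = _LinkCollector(page_url)
    collector.feed(html)
    result = defaultdict(lambda: defaultdict(int))
    for tag, url in collector.refs:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue
        host = parts.hostname or ""
        if host and host != own_host:
            result[host][tag] += 1
    return {host: dict(tags) for host, tags in result.items()}


def new_origins(approved, current):
    """Hosts present in the current map that the approved map never listed."""
    return sorted(set(current) - set(approved))


# Constructed sample page: own assets, one analytics script, one ad slot.
SAMPLE_PAGE = "https://www.example.com/news/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
<script src="//cdn.analytics-example.net/tag.js"></script>
</head><body>
<img src="https://www.example.com/logo.png">
<iframe src="https://ads.adnetwork-example.com/slot?id=42"></iframe>
<a href="https://ads.adnetwork-example.com/click?id=42"><img src="https://ads.adnetwork-example.com/creative.png"></a>
<a href="mailto:editor@example.com">Contact</a>
</body></html>
"""

# Same page after the ad's click target was swapped to a host nobody approved.
SWAPPED_HTML = SAMPLE_HTML.replace(
    "https://ads.adnetwork-example.com/click?id=42",
    "https://promo-example.org/deal",
)

if __name__ == "__main__":
    approved = trust_map(SAMPLE_PAGE, SAMPLE_HTML)
    for host, tags in sorted(approved.items()):
        print(f"{host}: {tags}")
    print("new since approval:", new_origins(approved, trust_map(SAMPLE_PAGE, SWAPPED_HTML)))
```

Run it against a saved copy of each page on a schedule and store the result per page; the stored maps are the spreadsheet rows the step calls for, and any non-empty output from new_origins is a reason to call the emergency contact from step 3 before a customer does.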
The truth is that nearly all, if not all, ad networks have been compromised and will likely endure compromises in the future. Simply saying you won't do business with them if they suffer a single compromise is like saying you won't use the Internet if your computer gets a virus. The likelihood of compromise is a fact of life. But if you take a few sensible steps, you can reduce the risk to you and your customers substantially.
This story, "Don't fall prey to ad networks peddling dicey links," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.