CISA tells agencies to consider ad blockers to fend off ‘malvertising’

The U.S. Cybersecurity and Infrastructure Security Agency urged federal agencies on Thursday to deploy ad-blocking software and standardize web browser usage across their workforces in order to fend off advertisements implanted with malware.

“With many agencies greatly expanding telework options, agencies should increase attention on securing federal endpoints, including associated web browsing capabilities,” the Department of Homeland Security’s cyber arm said in a guide for agencies.

With the alert, CISA joins the National Security Agency, which in 2018 likewise urged agencies to adopt ad blockers in response to the threat from “malvertising” that can spread malware.

However, CISA cautioned that ad blockers aren’t a cure-all for malicious advertising, which in recent months has plagued TikTok and a slew of industries during the coronavirus pandemic.

“Some browser extensions are known to accept payment from advertisers to ensure their ads are allowlisted from blocking,” the agency said, citing concerns that Sen. Ron Wyden, D-Ore., raised last year to the Federal Trade Commission.

Wyden nonetheless had urged the White House to use ad blockers, citing at least one media report of Russia using seemingly innocuous advertisements to target a state election agency.

Additionally, CISA said that agencies can safeguard their networks from malvertising by standardizing web browser usage, since multiple web browsers and browser versions give attackers more targets.

Furthermore, CISA said agencies should consider isolating web browsers from operating systems, as the Department of Defense does.

While expensive to implement at the start, “over its lifecycle, browser isolation may have a lower cost, based on reduced costs for maintaining ad blocking software, lower incident response and recovery costs, and bandwidth efficiencies,” the guide said.

Another possible step is using Domain Name System technologies that can protect against malvertising, CISA said.