Supply chain data hacks rose 42 per cent in the first quarter of 2021, according to new analysis from the Identity Theft Resource Center. However, most attacks go unreported, especially when it comes to ransomware.
Why is retail a significant target? A lot of this is due to the significant chaos that has engulfed many physical retailers with an online presence that exploded during the pandemic. However, it also goes back further to a time when digital retail changed the purchasing pattern for consumers. Many retail organisations with multiple outlets and branches have been forced to constrict those operations due to a lack of IT in-field resources, putting even more pressure on their digital properties.
But retail has a far more challenging issue, and that is the supply chain. Several factors have stressed supply chains over the past 18 months, including Covid-19, trade wars and goods shortages. To make things worse, few, if any, supply chains are ‘single-country’, so a lot of the components that go into making goods come from other countries, often on other continents. The logistics of this alone is a considerable burden.
Cyberattacks focus on the weaker links in an organisation’s supply chain. Since the supply chain encompasses everything from the delivery of materials from the supplier to the manufacturer, all the way through to the delivery of the product to the end user, it’s a diffuse network of everything and everyone involved in the creation and sale of that product.
When supply chains get disrupted, attempts to fix the disruptions put even more pressure on the weakest link. If the primary supplier of a manufacturer providing goods for a major retailer has a shortage of materials, the manufacturer will look to other suppliers to keep the chain going. Often, the new supplier is vetted quickly – and sometimes not at all. This creates a weak point in the supply chain.
Attackers take advantage of the trust that organisations may have in third-party vendors and target this weak point in the supply chain. The objective is to use the weak link as an entry point because supply chain attacks are a type of island-hopping attack – hackers are ultimately after the retailer.
Supply chain attacks are difficult to detect, as they rely on software that has already been trusted and can be widely distributed. In addition, there is not one dedicated part of an organisation that manages third-party vendors, so risks will get pushed from one team to another.
There is a caveat, however, and that is something called client-side protection. This new form of cybersecurity aims to catch these attacks as they move laterally through the chain and stop them before they compromise the intended victim. So, what is client-side protection? In essence, it is software that stops unauthorised scripts from being loaded and run in the browser, which is the primary way malware is delivered to the ultimate victim.
Cybercriminals have long understood that the retailer will have security routines, sandboxing and anti-malware detection that will look for malicious scripts and harmful content. Attacks are built to elude these defences. But client-side protection is different. First, companies can leverage solutions that automate Content Security Policy (CSP) and Subresource Integrity (SRI) configurations, which will trap many such attacks – instead of gaining the keys to the network, the attackers find themselves locked in an empty vault.
SRI is a security feature that allows the browser to verify that the files it retrieves have not been altered in transit or at their source. While methods such as HTTP Strict Transport Security or Transport Layer Security help keep the connection to the server secure, they do nothing to vouch for the content itself. A content security policy improves security by defining which content sources are approved and may be loaded by the browser.
SRI differs from CSP, however, in that it pins a cryptographic hash that the fetched file is required to match. This is useful if an attacker gains access to web files delivered through a third-party service and injects arbitrary content: the injected file is still trapped, because its hash no longer matches the one the page is expecting.
Not all web application firewalls include client-side protection, so it may be time for retail organisations to examine their web app security posture to determine whether they have the right tools in place to deter attacks. With a growing number of successful cyberattacks, the assumption should always be when, not if, an attack will occur – and preparedness is the best remedy.
Chris Hill is regional vice president of public cloud and strategic partners international at Barracuda Networks
This article was originally published in the Winter 21/22 issue of Technology Record. To get future issues delivered directly to your inbox, sign up for a free subscription.