Technology Record - Issue 23: Winter 21/22

essence, it is software that prevents scripts being loaded directly from the browser, which is the primary way malware is delivered to the ultimate victim. Cybercriminals have long understood that the retailer will have security routines, sandboxing and anti-malware detection that will look for malicious scripts and harmful content. Attacks are built to elude these defences. But client-side protection is different.

First, companies can leverage solutions that automate Content Security Policy (CSP) and Subresource Integrity (SRI) configurations, which will trap many such attacks – instead of gaining the keys to the network, the attackers find themselves locked in an empty vault.

SRI is a security feature that allows a browser to detect whether the files it retrieves have been maliciously altered. While methods such as HTTP Strict Transport Security or Transport Layer Security help keep the server secure, they don’t do the same for content. A content security policy helps improve security by defining which content sources are approved and can be loaded by the browser. SRI differs from CSP in that it provides a cryptographic hash that the fetched file is required to match. This can be useful if an attacker gains access to web files delivered through a third-party service and injects arbitrary content. That injection will still be trapped: the altered file no longer matches the cryptographic hash the page is expecting, so the browser refuses to run it.

Not all web application firewalls include client-side protection, so it may be time for retail organisations to examine their web app security posture to determine if they have the right tools in place to deter attacks. With a growing number of successful cyberattackers, the assumption should always be when, not if, an attack will occur – and preparedness is the best remedy.

Chris Hill is regional vice president of public cloud and strategic partners international at Barracuda Networks