Top 6 Reasons to More Carefully Consider Client-side Security

November 19th, 2019


Your customers' browser sessions are at significant risk today. Nearly 80% of consumers transact commerce online. They readily share personal details and financial information on enterprise websites and reasonably expect a secure experience. Attackers target this data, and increasingly they target the client side: the page as it is assembled and executed in the visitor's browser, where server-side controls cannot see what runs.

Although many standards-based security capabilities that protect websites on the client side are available, they are infrequently deployed. One of the best known is Content Security Policy (CSP), which lets a site declare, per page, which sources of scripts, styles, frames and other resources the browser may load, and which behaviors (inline scripts, plugins, framing) are permitted for the applications and integrations that power the site. CSP mitigates malicious code injection attacks such as cross-site scripting (XSS), one of the most common client-side attack techniques: injected script that does not match the policy is simply not executed.

Standards-based capabilities such as CSP, SRI (Subresource Integrity), Referrer-Policy and Trusted Types use the browser as the enforcement agent: the site ships the policy, typically as HTTP response headers or HTML attributes, and the browser applies it. Nearly every modern desktop and mobile browser has these capabilities built in. Because enforcement runs in native browser code, it adds near-zero performance overhead; no additional component is needed to power client-side security. A few further points, often overlooked in client-side security, are worth spelling out.

1. Client-Side Website Attacks are Rapidly Accelerating

Website hacking is increasing. According to Symantec, over 6,800 websites are targeted each month. The majority of these are client-side attacks, which existing website security controls such as WAFs and DDoS prevention solutions do not protect against: those controls inspect traffic to the server, and never see a script the browser loads directly from a third-party host or the code that executes in the visitor's browser.

2. Hackers Are Opportunistic

Many attackers, recognizing how widespread client-side vulnerability is, use JavaScript compromise kits readily available on the Dark Web for surprisingly low prices. It doesn't matter how small or large an enterprise is; all that matters is whether there is a vulnerability to exploit. Since that vulnerability is most often on the client side, preventative measures like CSP are critical. Website owners who are diligent about securing the experience stand the best chance of not suffering an attack.

3. Consumer Trust is at Stake

Attackers target client-side vulnerabilities to steal customer data such as credit card information and contact details, and having your customers' personal or financial data stolen from your website is a recipe for disaster. Client-side compromises frequently run undetected for weeks or months: the website owner keeps getting paid and the visitor receives the goods or experience requested, so nothing looks wrong, while the attacker quietly makes off with the targeted data, including PII, financial data and credit card details. The increasing volume of attacks and the surprising lack of effective security are worrisome.

4. Ensure Rich Website Experience

A lot of investment goes into enhancing the website experience. Third-party integrations provide much of this richness and capability, but they also introduce client-side risk, because their scripts run in the visitor's browser with the same privileges as the site's own code. These vendors are increasingly targeted by attackers, since compromising a single website supply-chain vendor lets the attacker insert malicious code into every website that is a customer of that now-compromised vendor. From an economies-of-scale perspective, this is an exceptional opportunity for the attacker to massively scale the attack.

5. Defend Against #Magecart

Magecart is the name given to a set of attacker groups that target website vulnerabilities, most often client-side ones, to skim payment data. Magecart groups are responsible for the attacks on British Airways, Newegg, Ticketmaster and many, many other website breaches. In fact, Dark Reading recently (Oct 6) published an article reporting that 2 million sites are infected today with online skimmers seeking PII and financial data.

6. Remediation, Resolution, and Recovery are Expensive

Enterprises spend a great deal of money repairing the damage caused by a website breach. The process is lengthy and often requires the expertise of external professionals. On top of that, businesses incur regulatory fines, reparations for affected consumers and incalculable brand damage. Despite attacks becoming somewhat commonplace, the client side remains largely unguarded.

Deploy Standards-Based Security

Significant client-side website vulnerability exists. CSP and the other standards-based capabilities described above offer highly effective, browser-enforced protection against this rapidly accelerating attack type, and they are already available in the browsers your customers use.