Phishing and credential theft associated with cloud-based mail accounts have risen as the prominent attack types.

Frequency: 670 incidents, 157 with confirmed data disclosure
Top 3 patterns: Web Applications, Everything Else, and Miscellaneous Errors represent 81% of breaches within Professional Services
Threat actors: External (77%), Internal (21%), Partner (5%), Multiple parties
Actor motives: Financial (88%), Espionage (14%), Convenience (2%) (breaches)
Data compromised: Credentials (50%), Internal (50%), Personal (46%) (breaches)

Wide range of services, narrower range of threats
Professional Services is a broad category even by NAICS standards, and the members of its ranks include law offices, advertising agencies, and engineering and design firms to name only a few. Starting with a focus on the data lost in the 157 Professional Services breaches, Figure 56 gives us an idea of the types of data most commonly involved in these cases.
We see an overall increase in Personal data and Credentials breached. A lot of this comes from breaches now compromising multiple data types at the same time. Often, credentials are the key that opens the door for other actions. Figure 57 shows that most of the time, it’s on the way to compromise Internal and/or Personal data. This is indicative of gaining access to a user’s inbox via webmail login using stolen credentials.
Sometimes you just have to ask
Credentials compromising email... sounds a lot like Business Email Compromise, doesn't it? Figure 58 provides ample evidence that BECs are an issue for Professional Services. Financial staff were the most likely to be compromised in incidents involving fraudulent transactions, but it should be noted that executives were compromised in 20 percent of the incidents and are 6x more likely to be the asset compromised in Professional Services breaches than in the median industry. You have to hand it to the attackers. At some point one must have thought, “why don’t we skip all the hard hacking and just, you know, ask for the money?”
Paths of the unrighteous
To wrap up, Figure 59 illustrates the single-step Misuse and Error breaches, but also shows us the Social and Hacking breaches that take slightly longer to develop. All of it provides excellent immediate teaching moments for any organization.
Things to consider
One is the loneliest number
We don’t like saying it any more than you like hearing it, but static credentials are the keys. Password managers and two-factor authentication are the spool pins in the lock. Don’t forget to audit where all your doors are. It doesn’t help to put XO-9’s on most of your entrances if you’ve got one in the back rocking a screen door.
You know a great way to capture credentials? A social attack. At least we know where it’s coming from. Monitor email for links and executables (including macro-enabled Office docs). Give your team a way to report potential phishing or pretexting.
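The monitoring the report recommends (links, executables, macro-enabled Office documents in inbound mail) can be expressed as a small triage pass over each message. The following is an added example, not code from the report or from Verizon, written with Python's standard `email` module; the extension lists, the Reply-To domain check (a common BEC tell where the reply goes somewhere other than the apparent sender) and the two constructed sample messages are assumptions for illustration.

```python
"""Triage an inbound message for the indicators the report says to watch:
links, executable attachments, macro-enabled Office documents, and a
Reply-To domain that does not match the From domain (added example)."""
import email
import os
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment extensions worth a second look (constructed lists, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar"}
MACRO_OFFICE_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _domain(header_value) -> str:
    """Return the lower-cased domain of an address header, or '' if none."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message and report the phishing/BEC indicators found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"links": [], "executables": [], "macro_docs": []}

    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        filename = part.get_filename()
        if filename:
            # Use the last extension so "invoice.pdf.exe" is judged as ".exe".
            ext = os.path.splitext(filename.lower())[1]
            if ext in EXECUTABLE_EXTS:
                findings["executables"].append(filename)
            elif ext in MACRO_OFFICE_EXTS:
                findings["macro_docs"].append(filename)
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            findings["links"].extend(URL_RE.findall(part.get_content()))

    # A Reply-To on a different domain than From is a classic BEC indicator.
    reply_to = msg["Reply-To"]
    findings["reply_to_mismatch"] = bool(reply_to) and _domain(reply_to) != _domain(msg["From"])

    findings["review"] = bool(
        findings["links"]
        or findings["executables"]
        or findings["macro_docs"]
        or findings["reply_to_mismatch"]
    )
    return findings


def sample_messages() -> dict:
    """Two constructed messages: a wire-fraud style lure and a benign note."""
    lure = EmailMessage()
    lure["From"] = "Accounts <ap@example-partner.test>"
    lure["To"] = "finance@example-firm.test"
    lure["Subject"] = "Updated wire instructions"
    lure["Reply-To"] = "ap@example-partner-billing.test"  # domain differs from From
    lure.set_content("Use the new bank details at https://example-partner-billing.test/wire")
    lure.add_attachment(
        b"not a real spreadsheet",  # constructed placeholder bytes
        maintype="application",
        subtype="octet-stream",
        filename="wire-details.xlsm",
    )

    benign = EmailMessage()
    benign["From"] = "Colleague <jo@example-firm.test>"
    benign["To"] = "finance@example-firm.test"
    benign["Subject"] = "Meeting notes"
    benign.set_content("Thanks for the meeting notes, see you Thursday.")

    return {"wire_fraud": lure.as_bytes(), "benign": benign.as_bytes()}


if __name__ == "__main__":
    for name, raw in sample_messages().items():
        print(name, triage_message(raw))
```

The function returns indicators rather than a verdict so the result can feed a reporting path: mail flagged `review` is what staff should be able to hand to the security team through the reporting channel the report asks you to provide.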
To err is human
Set your staff up for success. Monitor what processes access personal data and add in redundant controls so that a single mistake doesn’t result in a breach.