This vertical suffers from Web App attacks and social engineering, and the use of stolen credentials remains a problem. However, it boasts a better-than-average click rate and exhibits a surprisingly low number of employee errors.
Frequency: 37 incidents, 25 with confirmed data disclosure
Top Patterns: Everything Else, Web Applications and Crimeware represent 95% of all incidents.
Threat Actors: External (95%), Internal (5%) (incidents)
Actor Motives: Financial (84% - 100%), Grudge (0% - 16%) (incidents)
Data Compromised: Personal and Credentials
Top Controls: Secure Configurations (CSC 5, CSC 11), Boundary Defense (CSC 12), Account Monitoring and Control (CSC 16)
Data Analysis Notes: Actor Motives are represented by percentage ranges, as only 10 breaches had a known motive. We are also unable to provide percentages for Data Compromised.
Rob the builder
Having delved a bit deeper into our data, we were able to build sections on several new industries this year, and construction is among them. Although the construction industry may not be the first thing that comes to mind when you think of data breaches, it is a critical industry that generates a great deal of economic growth and helps to sustain the nation’s infrastructure. When viewed from that perspective, one question that may come to mind is, “What motivates the attacks in this industry?” Most cases were financially motivated and were typically carried out by organized criminal groups. The majority of these attacks were opportunistic in nature, which means that the actors who perpetrated them had a very well-calibrated hammer they knew how to make work, and were just looking for some unprotected nails.
Since this is the first time we’ve all sat down together at the Construction industry table, we should take a moment to talk about the top attack patterns from the Summary table on the left. The Everything Else pattern is basically our bucket for attacks that do not fit within the other patterns. There are quite a few social engineering attacks in it, and they frequently come in the form of either a pretext attack (an invented scenario that supports the attacker’s hope that the victim will do what they are asking) or general phishing, for the less industrious criminal who doesn’t want to expend all that effort. Web Application attacks are what they sound like: people hacking into websites to get to the data. Crimeware is your basic malware attack; ransomware falls in here and is increasingly popular. While a ransomware attack usually doesn’t result in a data breach, threat actors have been moving towards taking a copy of the data before triggering the encryption, and then threatening to disclose it to pressure the victims into paying up.
How they do that voodoo they do
We mentioned social engineering as a common approach in this industry (and in the dataset as a whole). The bad guys use this approach simply because it works. Whether the adversary is trying to convince the victims to enter credentials into a web page, download some variety of malware or simply wire them some cash, a certain percentage of your employees will do just that (Figure 61). What is a proactive security person to do? We’ve talked about how important it is to know you’re a target—and while the click rate shows that people in this industry fall for the bait slightly more often than the average Joe, it is important for them to report that they’ve been targeted. While the submission rate after clicking is quite low for the sector, so is the reporting rate. You can tell by all the stacked companies at 0% in the Figure 62 dot plot.
For the Web Applications attacks, the most common hacking variety was the use of stolen credentials. Sometimes these were obtained from a phishing attack, and sometimes they were just part of the debris field from other breaches. Employees who reuse the same credentials across multiple accounts (both professional and personal) increase the risk to their organizations: when one of those accounts is breached, the stolen credentials are then used for credential stuffing against the others. The key to reducing this risk is to ensure that stolen credentials are worthless against your infrastructure by implementing multifactor authentication methods.
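Credential stuffing has a recognizable shape in authentication logs: one source tries many distinct usernames, mostly failing, with the occasional success where a reused password happened to match. The following detector is an added example and is not part of the DBIR or Verizon’s tooling; the log format (timestamp, source IP, username, SUCCESS/FAILURE), the sample lines and the thresholds are all constructed assumptions. A successful login inside a flagged burst is exactly the account whose reused password MFA would have rendered worthless.

```python
"""Credential-stuffing detection over constructed authentication log lines.

Added example, not from the DBIR. The log format is an assumed toy format:
    <timestamp> <src_ip> <username> <SUCCESS|FAILURE>
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample telemetry (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = """\
2020-03-01T09:00:01 203.0.113.10 alice FAILURE
2020-03-01T09:00:02 203.0.113.10 bob FAILURE
2020-03-01T09:00:03 203.0.113.10 carol FAILURE
2020-03-01T09:00:04 203.0.113.10 dave SUCCESS
2020-03-01T09:00:05 203.0.113.10 erin FAILURE
2020-03-01T09:00:06 203.0.113.10 frank FAILURE
2020-03-01T09:00:07 203.0.113.10 grace FAILURE
2020-03-01T09:00:08 203.0.113.10 heidi FAILURE
2020-03-01T09:00:09 203.0.113.10 ivan FAILURE
2020-03-01T09:00:10 203.0.113.10 judy FAILURE
2020-03-01T09:05:00 198.51.100.7 alice FAILURE
2020-03-01T09:05:30 198.51.100.7 alice FAILURE
2020-03-01T09:06:00 198.51.100.7 alice SUCCESS
"""


@dataclass
class AuthEvent:
    timestamp: str
    source_ip: str
    username: str
    success: bool


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    successful_users: List[str] = field(default_factory=list)


@dataclass
class Finding:
    source_ip: str
    distinct_users: int
    attempts: int
    failure_ratio: float
    compromised_accounts: List[str]  # logins that succeeded inside the burst


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the toy log format; malformed lines are skipped rather than crashing."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("SUCCESS", "FAILURE"):
            continue
        ts, ip, user, result = parts
        events.append(AuthEvent(ts, ip, user, result == "SUCCESS"))
    return events


def summarize_by_source(events: List[AuthEvent]) -> Dict[str, SourceStats]:
    """Aggregate per source IP: attempt count, failures, and the set of usernames tried."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for ev in events:
        s = stats[ev.source_ip]
        s.attempts += 1
        s.usernames.add(ev.username)
        if ev.success:
            s.successful_users.append(ev.username)
        else:
            s.failures += 1
    return dict(stats)


def detect_credential_stuffing(events: List[AuthEvent],
                               min_distinct_users: int = 5,
                               min_failure_ratio: float = 0.7) -> List[Finding]:
    """Flag sources that spray many usernames with a high failure rate.

    A single user fumbling their own password (one username, a few failures)
    does not trip the distinct-user threshold, so it is not reported.
    """
    findings = []
    for ip, s in summarize_by_source(events).items():
        ratio = s.failures / s.attempts
        if len(s.usernames) >= min_distinct_users and ratio >= min_failure_ratio:
            findings.append(Finding(ip, len(s.usernames), s.attempts,
                                    round(ratio, 2), sorted(s.successful_users)))
    return findings


if __name__ == "__main__":
    for f in detect_credential_stuffing(parse_log(SAMPLE_LOG)):
        print(f"{f.source_ip}: {f.distinct_users} users, {f.attempts} attempts, "
              f"failure ratio {f.failure_ratio}, succeeded as {f.compromised_accounts}")
```

The accounts listed in `compromised_accounts` are the ones to force a password reset and an MFA enrollment on; the source IP is what feeds a rate-limit or block at the boundary. The thresholds are starting points to tune against your own baseline of legitimate shared egress addresses (NAT gateways, VPN concentrators), which can also show many usernames from one IP but without the high failure ratio.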
We love our employees
One thing that really stood out when we looked at this sector was how low the Internal actor breaches were. Internal actor breaches come in two flavors: Misuse (malicious intent) and Error (accidental). This sector had very few breaches involving either, as shown in Figure 63.