Financially motivated attackers continue to steal credentials and leverage them against web application infrastructure. Social engineering in the form of phishing and pretexting is a common tactic used to gain access. This industry also suffers from Denial of Service attacks regularly.
Frequency: 7,463 incidents, 326 with confirmed data disclosure
Top patterns: Web Applications, Everything Else, and Miscellaneous Errors represent 79% of breaches
Threat actors: External (75%), Internal (22%), Partner (3%), Multiple (1%) (breaches)
Actor motives: Financial (93%), Espionage (8%), Ideology (1%) (breaches)
Data compromised: Personal (75%), Credentials (45%), Other (32%), Internal (27%) (breaches)
Top controls: Secure Configuration (CSC 5, CSC 11), Implement a Security Awareness and Training Program (CSC 17), Boundary Defense (CSC 12)
This industry is made up of a wide range of companies primarily offering services directly to customers. They range from lawyers, accountants and architects to research labs and consulting firms. They share some common traits: their Internet presence is very important to the livelihood of the organization, and their employees are human and make mistakes.
We mentioned the importance of their Internet presence to the members of this industry. This is why the Web Application attack pattern was seen so frequently this year (Figure 85). These attacks are driven by the use of stolen credentials (frequently obtained in phishing attacks, but also possibly lying around on the web from another company’s breach, just waiting for some enterprising hacker to find). These attacks drive the theft of personal data in the sector, and given that there are always people willing to try their luck at using stolen credentials against whatever web infrastructure they encounter, they are unlikely to end anytime in the near future.
2020 DBIR
I Feel Attacked
Why would organizations in this sector be targets of attacks? You have heard the term “Location, location, location”? This sector is the location of lots of useful personal data (in fact, apart from Credentials, Personal information is the most targeted data type in these breaches). This isn’t necessarily an industry full of financial information or payment card records, but personal information can be quite lucrative for a number of different kinds of financial fraud, hence the attraction. Figure 86 shows the continued growth of Financially motivated breaches at the expense of Espionage (and even Errors).
The Everything Else pattern is our scrap bin of unwanted attacks—if they do not fit the criteria of the other patterns, they end up here. They are largely low-detail phishing attacks, but sometimes the social engineering perpetrator puts a bit of actual effort into their work and invents a likely scenario to entice their prey. If you’re familiar with business email compromise, this is where that lives. Professional Services is middle of the road when it comes to being on the receiving end of phishing attacks. But phishing isn’t just about receiving the email—it is about whether the victim clicks, and whether they submit their data. It is also about whether they raise a flag with their internal security people to let them know “what they done did.”
The news about phishing in this sector is a bit of a mixed bag. In Figure 87, we see that the click rate is right on the overall median. You can also see in Figure 88 that submit rates are low (notice the large stack of companies at 0% in the right-hand chart, Submit rate), which is the good news: you want the number of people giving out their credentials to be low. Sadly, the bad news is that the reporting rate is low as well (there is also a large stack of companies at 0% for Report rate): your people are not telling you they have fallen victim to a phish. That second measure, the Report rate, is critical, because it is what allows the organization’s security response team to mitigate the effects of the breach.
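The three measures in Figures 87 and 88 (click rate, submit rate, report rate) are easy to compute from a phishing simulation export, and the "stack of companies at 0%" is just the share of organizations whose submit or report count is zero. The script below is an added example with constructed data, not DBIR code or data; it assumes one record per organization and uses recipients as the denominator for every rate (vendors differ on this). The last function picks out the combination the section worries about: people clicked, but nobody told security.

```python
"""Phishing-simulation metrics: click, submit and report rates per
organization, the median click rate across the population, and the share of
organizations sitting at 0% submit and 0% report rate.
Added example with constructed data; not part of the DBIR."""
from statistics import median

# Constructed campaign results, one record per organization (hypothetical).
# All rates below use recipients as the denominator (an assumption).
CAMPAIGNS = {
    "org-a": {"recipients": 200, "clicked": 10, "submitted": 0, "reported": 0},
    "org-b": {"recipients": 500, "clicked": 40, "submitted": 5, "reported": 20},
    "org-c": {"recipients": 100, "clicked": 5, "submitted": 0, "reported": 0},
    "org-d": {"recipients": 250, "clicked": 0, "submitted": 0, "reported": 25},
}


def rates(record):
    """Return click, submit and report rates for one organization."""
    n = record["recipients"]
    if n <= 0:
        raise ValueError("recipients must be positive")
    return {
        "click_rate": record["clicked"] / n,
        "submit_rate": record["submitted"] / n,
        "report_rate": record["reported"] / n,
    }


def population_summary(campaigns):
    """Median click rate plus the share of organizations at 0% submit rate
    and at 0% report rate (the 'stack at 0%' in Figure 88)."""
    per_org = {name: rates(rec) for name, rec in campaigns.items()}
    n = len(per_org)
    return {
        "median_click_rate": median(r["click_rate"] for r in per_org.values()),
        "share_zero_submit": sum(1 for r in per_org.values() if r["submit_rate"] == 0) / n,
        "share_zero_report": sum(1 for r in per_org.values() if r["report_rate"] == 0) / n,
    }


def silent_clickers(campaigns):
    """Organizations where someone clicked but nobody reported: the worst
    combination for the response team, since the incident is invisible."""
    return sorted(
        name for name, rec in campaigns.items()
        if rec["clicked"] > 0 and rec["reported"] == 0
    )


if __name__ == "__main__":
    print(population_summary(CAMPAIGNS))
    print("clicked but never reported:", silent_clickers(CAMPAIGNS))
```

With the constructed data, three of four organizations have a 0% submit rate (good) but two of four have a 0% report rate, and both of those had clicks; that is the "mixed bag" the text describes, expressed as numbers a security team can track campaign over campaign.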
I Should Not Have Done That
Miscellaneous Errors figure prominently in this industry, but really any industry is susceptible to their employees' mishaps causing a breach. Figure 89 shows the errors that are on top in this industry—namely Misconfiguration, Misdelivery and Loss. Misconfiguration has become increasingly reported, primarily because there are people out there actively looking for this type of breach. This happens when someone drops some of their data into a cloud database instance but fails to put any protective measures in place. We mentioned people are actively searching for this, right? Yeah, then hilarity ensues—not really.
Misdelivery is frequently via paper documents in the mail, when person A gets person B’s paperwork, but it can also happen via email when people are careless about addressing emails and what they attach. Loss is a bit of a different animal. When the item lost is electronic, like a laptop, this would not be counted as a breach in our dataset. For it to be counted, there must be a confirmed compromise of the confidentiality aspect of the data—and confirming access is difficult when you don’t have the asset anymore. While the Loss error appears in our dataset, it is most frequently an incident, not a breach. However, here it is a breach, so what gives? Well, it would have to be an asset that is in human-readable format, like paper documents. We count them as a breach since there are no protections at all on printed matter. This is why people put caution signs on printers to give people an extra heads-up that, once printed, documents need to be treated carefully if they contain sensitive information.
Left out of the breach patterns is Denial of Service, since it also does not typically result in an actual confidentiality breach. DDoS was over 90% of incidents in Professional Services, and Figure 90 shows us that this sector has slightly above average DDoS bits per second.
To wrap up with some good news, Figure 91 shows that Professional Services has a better-than-average patch rate, completing 67% of patches within the first quarter after the manufacturer first makes them available. If you’ve read the Results and Analysis – Action – Hacking section, you know that it’s not the slow patching that’s the problem; it’s the systems in the remaining third that never get patched that are likely to come back to haunt you.
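The patch-rate figure is worth reproducing from your own vulnerability-management data, because the number that matters is not the 67% but the tail. The script below is an added example with constructed findings, not DBIR code or data; it assumes "first quarter" means 90 days and that each finding carries the date the fix was released and the date it was applied (or none). It reports the within-window share and, separately, the findings still open past the window.

```python
"""Patch timeliness: the share of patches applied within the first quarter
after release, the slow-but-done share, and the tail of findings that are
still unpatched long after the fix became available.
Added example with constructed data; not part of the DBIR."""
from datetime import date

WINDOW_DAYS = 90  # "first quarter" approximated as 90 days (assumption)

# Constructed findings: (id, date the vendor released the fix, date the fix
# was applied, or None if still open). Hypothetical, for illustration only.
FINDINGS = [
    ("VULN-1", date(2020, 1, 10), date(2020, 2, 1)),
    ("VULN-2", date(2020, 1, 15), date(2020, 3, 20)),
    ("VULN-3", date(2020, 2, 1), date(2020, 6, 15)),
    ("VULN-4", date(2020, 2, 20), None),
    ("VULN-5", date(2020, 3, 5), date(2020, 4, 1)),
    ("VULN-6", date(2020, 3, 10), None),
]
AS_OF = date(2020, 10, 1)  # constructed reporting date


def days_open(released, patched, as_of):
    """Days from patch availability to application (or to as_of if unpatched)."""
    end = patched if patched is not None else as_of
    if end < released:
        raise ValueError("patch applied before it was released")
    return (end - released).days


def patch_summary(findings, as_of=AS_OF, window=WINDOW_DAYS):
    """Count findings patched within the window, patched late, and still open,
    and return the within-window share that corresponds to Figure 91's rate."""
    within = late = open_ = 0
    for _, released, patched in findings:
        if patched is None:
            open_ += 1
        elif days_open(released, patched, as_of) <= window:
            within += 1
        else:
            late += 1
    total = within + late + open_
    return {
        "within_window": within,
        "late": late,
        "open": open_,
        "within_window_rate": within / total if total else 0.0,
    }


def stale_open(findings, as_of=AS_OF, window=WINDOW_DAYS):
    """Findings with no patch applied that have already outlived the window:
    the 'remaining third that never get patched' the section warns about."""
    return [
        fid for fid, released, patched in findings
        if patched is None and days_open(released, None, as_of) > window
    ]


if __name__ == "__main__":
    print(patch_summary(FINDINGS))
    print("open beyond window:", stale_open(FINDINGS))
```

The split into "within window", "late" and "open" is deliberate: a single patch-rate percentage hides whether the remainder is merely slow or never happening, and it is the second group that the section says comes back to haunt you.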