Web Applications attacks utilizing stolen credentials are rife in this vertical. Social engineering attacks in which adversaries insert themselves into the property transfer process and attempt to direct fund transfers to attacker-owned bank accounts are also prevalent. Like many other industries, Misconfigurations are impacting this sector.
37 incidents, 33 with confirmed data disclosure
Web Application, Everything Else and Miscellaneous Errors represent 88% of data breaches
External (73%), Internal (27%) (breaches)
Financial (45%—97%), Convenience/Espionage (0%—40% each), Fear/Fun/Grudge/Ideology/Other/Secondary (0%—21% each) (breaches)
Personal (83%), Internal (43%), Other (43%), Credentials (40%) (breaches)
Top Controls: Secure Configuration (CSC 5, CSC 11), Implement a Security Awareness and Training Program (CSC 17), Boundary Defense (CSC 12)
Data Analysis Notes
Actor Motives are represented by percentage ranges, as only eight breaches had a known motive. Some charts also do not have enough observations to have their expected value shown.
There is nothing quite like that feeling of owning your first home. Moving in, enjoying the smell of fresh paint, and reflecting on all the memories you’ll make. Our data for this vertical indicates that cyber criminals are also being allowed to move right in and make themselves at home. Whether they are attending a showing of your data via Web Applications attacks, utilizing social engineering in the Everything Else pattern or simply being asked to drop in by your employees through an assortment of Miscellaneous Errors, they are certainly being made welcome. As you can see in Figure 95, it is difficult to state conclusively which of these three patters is the statistical leader but we can assert that they are all in the running.
Don’t leave the key under the welcome mat
Although we saw a rather small number of breaches in this sector over the last year, there are some interesting high-level findings to discuss. As in many other sectors, criminals have been actively leveraging stolen credentials to access users' inboxes and conduct nefarious activities. In fact, across all industries, credential theft is so ubiquitous perhaps it would be more accurate to consider them time shares rather than owned. Meanwhile, other external actors are relying on social engineering to get the job done. Some of these activities are simply aimed at stealing your data, but in other cases these attacks can be used to tee up a separate assault, as seen in many of the attacks that leverage pretexting.
- 2020 DBIR
- DBIR Cheat sheet
- Summary of findings
- Results and analysis
- Incident classification patterns and subsets
- Industry analysis
- Accommodation and Food Services
- Arts, Entertainment and Recreation
- Educational Services
- Financial and Insurance
- Mining, Quarrying, Oil & Gas Extraction + Utilities
- Other Services
- Professional, Scientific and Technical Services
- Public Administration
- Real Estate and Rental and Leasing
- Transportation and Warehousing
- Does size matter? A deep dive into SMB Breaches
- Regional analysis
- CIS Control recommendations
- Year in review
- Appendices (PDF)
- Download the full report (PDF)
Figure 96 shows how Bad GuysTM 43 exploit the milk of human kindness to dupe well-meaning employees into assisting them to achieve their objectives. They use pretexts to alter someone’s behavior in such a manner that the employee divulges sensitive information, or otherwise unwittingly helps them to commit fraud. One example of this type of social engineering is when the attacker inserts themselves into an email thread regarding the sale or purchase of a new home and convinces the victim organization to transfer funds to attacker-owned bank accounts. It’s worthwhile to make a phone call to confirm details before making this type of significant transaction.
You sent that to who?!
Even though this is the first time we have written an industry section for Real Estate, we have been collecting data on this vertical industry for a number of years. This enables us to analyze how the patterns have evolved over time in this vertical . This year, one of the more interesting findings was the continuity in volume of Errors. These Error-related breaches involve Misconfigurations (forgetting to turn those restrictive permissions on), Misdeliveries (email and/or paper documents sent to the incorrect recipient) and Programming errors (mistakes in code) as seen in Figure (97). These Error actions accounted for 18% of data breaches in the Real Estate vertical. If you do business in this industry we urge you to take time for security awareness training and the implementation of sound policies and procedures.
43 Surely someone has trademarked this, right?