Construction

Summary

This vertical suffers from Web App attacks and social engineering, and the use of stolen credentials remains a problem. However, it boasts a better-than-average click rate and exhibits a surprisingly low number of employee errors.

Frequency

37 incidents, 25 with confirmed data disclosure

Top Patterns

Everything Else, Web Applications and Crimeware represent 95% of all incidents.

Threat Actors

External (95%), Internal (5%) (incidents)

Actor Motives

Financial (84% - 100%), Grudge (0% - 16%) (incidents)

Data Compromised 

Personal and Credentials

Top Controls

Secure Configurations (CSC 5, CSC 11), Boundary Defense (CSC 12), Account Monitoring and Control (CSC 16)

Data Analysis Notes

Actor Motives are represented by percentage ranges, as only 10 breaches had a known motive. We are also unable to provide percentages for Data Compromised.

Rob the builder

Having delved a bit deeper into our data, we were able to build sections on several new industries this year, and construction is among them. Although the construction industry may not be the first thing that comes to mind when you think of data breaches, it is a critical industry that generates a great deal of economic growth and helps to sustain the nation’s infrastructure. When viewed from that perspective, one question that may come to mind is, “What motivates the attacks in this industry?” Most cases were financially motivated and were typically carried out by organized criminal groups. The majority of these attacks were opportunistic in nature, which means that the actors who perpetrated them had a very well-calibrated hammer they knew how to make work, and were just looking for some unprotected nails.

Since this is the first time we’ve all sat down together at the Construction industry table, we should take a moment to talk about the top attack patterns from the Summary table on the left. The Everything Else pattern is basically our bucket for attacks that do not fit within the other patterns. There are quite a bit of social engineering attacks in it, and they frequently come in the form of either a pretext attack (invented scenarios to support the attacker’s hope that the victim will do what they are asking them to do) or general phishing, for the less industrious criminal who doesn’t want to expend all that effort. Web Application attacks are what they sound like: people hacking into websites to get to the data. Crimeware is your basic malware attack; ransomware falls in here and is increasingly popular. While a ransomware attack usually doesn’t result in a data breach, threat actors have been moving towards taking a copy of the data before triggering the encryption, and then threatening a breach to try to pressure the victims into paying up.

How they do that voodoo they do

We mentioned social engineering as a common approach in this industry (and in the dataset as a whole). The bad guys use this approach simply because it works. Whether the adversary is trying to convince the victims to enter credentials into a web page, download some variety of malware or simply wire them some cash, a certain percentage of your employees will do just that (Figure 61). What is a proactive security person to do? We’ve talked about how important it is to know you’re a target—and while the click rate shows that people in this industry fall for the bait slightly more often than the average Joe, it is important for them to report that they’ve been targeted. While the submission rate after clicking is quite low for the sector, so is the reporting rate. You can tell by all the stacked companies at 0% in the Figure 62 dot plot.

For the Web Applications attacks, the most common hacking variety was the use of stolen credentials. Sometimes these were obtained from a phishing attack, and sometimes they were just part of the debris field from other breaches. Employees reusing their credentials for multiple accounts (both professional and personal) increases risk for organizations when there are breaches and the stolen credentials are then used for credential stuffing. The key to reducing this risk is to ensure that the stolen credentials are worthless against your infrastructure by implementing multifactor authentication methods.