Social Media as an OSINT tool

It is that time of the year again, the one that is particularly annoying for people who have lots of friends with small children.

It is the ‘back to school’ or ‘stand by the front door’ week. Many parents do this, I have been guilty of it myself and this year it will be even more prominent as due to Covid the majority of children ended the summer term without meeting the annual leaving milestone as expected, which was especially hard for those reaching the end of their primary schooling or even completing their first year in reception. This year going back to school is a bigger deal for most than ever before and this will be accurately reported on social media and with various versions of #backtoschool and #firstdayatschool

So what? you might ask. What is wrong with uploading a photo of my child looking super cute in their new school uniform?

For many people, nothing at all. I don’t aim to scaremonger with this post, many people have a Facebook or Instagram account with locked down privacy settings and they only share this sort of picture with their close friends and family.

However, in times where employees are manipulated via social engineering to give away confidential information or access such as was initially suspected in the recent twitter hacking breach, people need to be aware of what they are posting on social media and to have a good awareness of what could be compromised if they were manipulated.

Sloane Risk Group specialise in identifying and preventing vulnerability’s which enable malicious access to information security, this is both the physical security of buildings, offices and systems and the access which is obtained through hacking people, by manipulating them to give away vital information leading to data loss or physical breach.

We have worked with clients in businesses that specialise in software development, pharmaceuticals, and research all with their own reasons to be targets of malicious attackers, some of which have experienced campaigns against them including threats of direct violence towards the family members of their staff.
When we look at an organisations staff and their attitude towards security, we frequently find links between accounts such as linked-in and various social media platforms which inadvertently give away far more personal information than can be recommended from a security aspect. We find that people often take measures not to show their address but then they miss other exploitable personal identifiers. This is especially prevalent in spouses who do not realise the access to information or development that their partners may have.

If a malicious attacker is able to trace your children to a local primary school it would not take long to identify them being dropped off, your vehicle and from there your home address. This could be to place you under further surveillance, plant audio devices at your address, search through your rubbish, place tracking devices on your vehicle or even to directly threaten you.

If you are not in the category of people who could be exploited for criminal or competitor gain, the general security of your children should always be a cause for concern. In many child abduction incidents, the perpetrator has conducted some sort of research around that child first especially in kidnap for ransom cases.

What steps should I take to stay safe?

Before you or your spouse post anything with details such as school jumpers with emblems stating exactly where that school is, consider the following:

• Am I in a position where I could be bribed, blackmailed or tricked into giving away company secrets?

• Could the organisation that I work for be a target for hackers, scammers, criminals or protestors?

• Is the company information so valuable that someone could even threaten me or my family to get it?

• Am I giving away too much information about my family and our routines?

This is extreme but unfortunately not unheard of. If you feel that you should maintain the freedom to post about your family life, consider blacking out emblems or logos on uniform, think about the wording you use when you make your posts, and what other information you may be giving away in the picture such as door numbers or car number plates.

If you would like more information regarding counter espionage, a company security assessment, security audit, black team/physical penetration test, staff security awareness training or an employee security profiling test then please contact us.

Applying the Consultancy Cycle to a Black Team Assessment

Security consultancy

A UK tech company requested our services to review their current security strategy, they stipulated a focus on improving staff attitudes towards physical security.

The client was satisfied that their outward facing cyber security was very strong but they were concerned about the damage which could be achieved by insider threat or by an attacker who might gain internal physical access

Stage 1 - Entry and Primary Analysis

We visited the client at their London HQ and ascertained that their main threat was commercial espionage by competitors.

Their need was to develop long term security resilience rather than to see a quantitative regain on their investment. Our pitch focused on the fact that as a black teaming specialist we provide a unique service involving accessing the buildings using the resources of a hostile attacker. This quickly detects the grass roots vulnerabilities faced by the client and creates the starting place for an advanced security strategy to be developed.

Stage 2 – Contracting

Our proposal stated the set times we would allow for each step such as the black team deployment, use of gap analysis and how we planned to work across the spectrum of people within the business, tackling policy and procedure problems as well as identifying the staff shortcuts.

We explained how we would identify the range of security threats and vulnerabilities to the business and use existing framework to strategize ways to reduce them.

Stage 3 – Gathering Data

The first step was the specialist activity of the black team, this enabled us to rapidly ascertain the main human based problems facing the business. For instance, the staff were extremely polite and held access-controlled doors open for each other, by fumbling with a similarly looking badge or by holding multiple cups of coffee our testers found entry was easily obtained. Once inside they were accepted as people who should be there. This stage also enabled us to assess the security hardware of the buildings and the perimeter defence zones.

The next step was to create an asset register and to place a value to the things that were important to the business. We reviewed the policy and processes and interviewed staff informally to establish the security-based strengths and weaknesses throughout the organisation.

Stage 4 – Diagnostics

We identified the majority of the client’s problems during the first stage of the assessment. Our Black Team are experts at finding the holes in physical security and identifying how human nature can be exploited to gain access or to encourage staff to perform an action such as clicking on a phishing link.

We assessed that the physical security was generally to a high standard except for an RFID weakness, however due to us managing to breach the building and remain inside for prolonged periods on five separate occasions the human element needed improvement. There were also some policy and contract points which we considered to require amendment.

Stage 5 – Generate Options

For the outlay of the cost, the client expected to see the implementation of a tougher security strategy and a clear improvement in their security culture.

Our shared vision was to achieve this by investing in the organisations people, showing them why security is important and teaching them to recognise and avoid the manipulation tactics used by hostile attackers such as impersonation, phishing, pharming, vishing and smishing.

We presented the client with a range of options which addressed both the quick fixes and long-term goals needed to improve their security resilience which included;

a, doing nothing
b, developing the security strategy by investing in all business departments with business wide initiatives, improvement of the RFID issue, advice regarding contract and policy changes and using our results to deliver an informal staff security awareness session.
c, the additional option of a more in-depth training feature and ongoing staff security culture testing program with measurable results.

Stage 6. – Implement Actions

The client chose the most in-depth option which involved ongoing staff training and subsequent testing. Our consultant led the project with a team of our training consultants and an external partner organisation who implemented an RFID frequency upgrade.

Stage 7- Disengagement

The scope of the work that we conducted was clearly defined and easily measurable. The client was extremely happy with our service and asked us to re-contract to provide quarterly security spot checks and annual training for new staff members.

For black team/physical penetration testing assessments, security awareness training packages for staff and executives and for corporate surveillance investigations contact us:
0203 897 22 72

71-75 Shelton St, Covent Garden, London, WC2H 9JQ