Selcouth Cyber Security Services Private Limited

Social Engineering & OSINT

Background

What is Social Engineering?

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data.


What is OSINT?

Open Source Intelligence (OSINT) refers to all information that is publicly available on the internet. Under this definition, a wide array of sources can be considered part of OSINT: for instance, information posted publicly on social media websites, posts on discussion forums and in group chats, unprotected website directories, and any other piece of information that can be found publicly.


The Need for Social Engineering & OSINT Assessments

Social Engineering

A social engineering assessment allows you to see where your employees are weakest, while simultaneously giving them the opportunity to gain real-life experience with threats such as phishing emails or pretext phone calls. It also:

Demonstrates how well employees are complying with organizational security procedures and processes.

Tests incident detection, reporting, and response mechanisms at your organization.

Provides valuable data that can be incorporated into ongoing security awareness programs.

OSINT

Accidental leaks of sensitive information on social media sites. For example, an unaware employee may post a personal photo taken in the server room, revealing the type of security devices used to protect the corporate network.

Open ports and insecure running services, which can be discovered when the subject network is scanned for vulnerabilities using specialized tools.

Outdated versions of operating systems, software and any content management systems in use.

Leaked information found in data leak repositories or across the darknet.


Approach to Social Engineering & OSINT Assessments

Social Engineering

Security awareness training.

Ensure that you have a comprehensive security awareness training program in place that is regularly updated to address both general phishing threats and new targeted cyberthreats. Remember, this is not just about clicking on links.

Provide a detailed briefing on the latest online fraud techniques to key staff.

Remember that many real fraud cases involve lower-level staff who are tricked into believing that an executive is asking them to carry out an urgent task or action, usually one that bypasses standard organizational procedures and/or controls.

Review, refine and test your incident management and phishing reporting systems.

Run a tabletop exercise with management and with key personnel on a regular basis. Test controls and reverse-engineer potential areas of vulnerability.

OSINT

Discovering public-facing assets

The most common function of an OSINT assessment is helping IT teams discover public-facing assets and map what information each of them exposes that could contribute to a potential attack surface. The main job is recording what information someone could publicly find on or about company assets.

Discover relevant information outside the organization

A secondary function that some OSINT assessments include is looking for relevant information outside of the organization, such as in social media posts or at domains and locations that fall outside a tightly defined network. Organizations that have made many acquisitions, bringing along the IT assets of the companies they are merging with, could find this function very useful. Given the extreme growth and popularity of social media, looking outside the company perimeter for sensitive information is a key point.