This is one of the more common types of projects that you will see while working with private clients and security consultancies alike. As the title suggests, the vulnerability assessment is an analysis through which the client aims to develop detailed, tailored knowledge of the vulnerabilities of a person, campaign, organization or series of assets – usually (but not always) their own. While there are many steps that can be taken to make your life and the lives of your family or team more private, this type of analysis seeks to answer the question “what am I (or ‘are they’) specifically vulnerable to?”, thus allowing for more efficient allocation of your resources towards your project goals.
The scope of work can (and usually does) vary in many ways, from running assessments on incoming senior executives to an almost pure red team style analysis (though without interaction with the target), where the analysts may be asked to identify a number of attack vectors through which any vulnerability can be found.
Generally, the scope of the project defines what a vulnerability could be and narrows the analyst's search significantly. However, here are some that are fairly common across many privacy-oriented investigations:
- Online exposure of personal information or credentials
- Information or data which may serve to develop “habits of life” models
- Public records and filings
- Posts to social media which could be misinterpreted
Additionally, this type of assessment will likely serve as the basis for other efforts by privacy or security consultants, as well as Threat Assessments, which are usually generated to develop tailored knowledge of the capabilities of specific organizations or groups.
Through one of my more recent projects, the client was planning to transition from a privately funded entity to being publicly listed on the NYSE. With this, their head of security had recognized the potential for an increase in each executive’s threat profile, and solicited a vulnerability assessment.
At this point, the reader can probably list a handful of common risks which virtually everyone is subject to, and you’re probably right; though vulnerabilities can take many forms and are sometimes not at all what you would think. One of the executives lived on a major creek with a forest preserve and a running trail wrapping around 2/3 of their back yard. I would normally classify this as a physical risk, and their proximity to the trail would make it easy for war-driving on a bicycle or with a drone, or for physical surveillance to take place. What is worse is that both the executive and their spouse were constantly publishing their location (unbeknownst to them) through their various mobile social media applications.
To illustrate another category, I was able to uncover another executive’s signature, passwords, DOB, driver’s license number, all license plate numbers, birth certificate, home IP address, all email addresses, a number of social media accounts which were still active but not in use, email passwords and much, much more. In all cases, I was also able to document habitual variables for the executives and their families which may initially seem benign, but could be utilized without much creativity to adversely impact the stability of the target.
Ultimately, I was able to learn quite a lot about the end client as well as make some recommendations for mitigating these vulnerabilities – though in the end, I made two professional referrals: one to a group which specializes in privacy consulting and another for penetration testing, both of which used my report to expedite their efforts. I was also invited back by the end client to run a secondary analysis and, while I found a few additional issues, I was happy to find that all vulnerabilities from the initial report had been completely removed.
What to Expect
Depending on the scope, this could take quite a bit of time but as a point of reference, you may be looking at roughly 20 work hours for a single family with multiple homes and businesses, or 100+ work hours for an executive team as used in the example above. This includes only the reconnaissance phases of an investigation, and not penetration testing (recommended), Threat Assessment or privacy consulting, but represents a large portion of the initial workload.
Regardless, when you hire an OSINT Analyst to perform a vulnerability analysis, you can expect the following deliverables at a minimum, all consolidated within a few-dozen-page report:
- Executive summary for the analysis as a whole
- A short overview for each person examined
- A sorted list of findings in order from most to least serious – for each person
- Ranked exposure, from highest to lowest
- Recommended steps for remediation
- Recommendations for outside resources, if needed
- Appendix files, such as compiled findings, the analyst's notes, images, etc.
We can speculate quite a bit here, but the advantages are even more numerous than the use cases. Maybe you’re concerned in a general sense about the amount of information that is out there about you, given the times that we are heading into, where political activism and mass cyber-bullying are the norm – I know that this is a common concern for my clients and my own family. On the other side of the spectrum, maybe you are a private security contractor and would like to know which attack vectors pose the highest risk to your client, and seek to reduce the overhead of outside contractors. Maybe you are in the advanced phases of the M&A process and would like to know more about the risks posed to a series of real estate assets or a team.
In each of these cases, an experienced OSINT Analyst will be able to quickly bring enhanced definition to the vulnerabilities within your scope.
In the near future, I will dive into some of these use cases and attempt to add some context from my personal experiences. For now, I hope that this post served as food for thought, both for the concerned citizen and aspiring OSINT Analyst.
As always, feel free to reach out through the contact form here or on Twitter if you have any questions or want to bounce a specific use case off the wall. If you think that there may be some training value to others, please consider using the public domain.