The Monitoring and Enforcement Episode
Transcript
Introduction to the Guest and Topic:
Host Allie Krings introduces Duncan Wooley, a penetration tester at Kirkpatrick Price. The conversation focuses on OSINT (Open Source Intelligence) and how it is used in penetration testing to identify vulnerabilities. Duncan shares his background, explaining that as an ethical hacker, his role is to simulate real-world attacks by identifying and exploiting weaknesses in systems to help organizations better understand their security risks.
What Is OSINT?:
OSINT, or Open Source Intelligence, refers to information that can be gathered from publicly available sources without needing authorized access to systems. This includes data found across the internet, such as social media, websites, and other public platforms.
Unlike traditional reconnaissance, which actively interacts with systems (like scanning networks), OSINT focuses on passively collecting information that can later be used to support an attack or security assessment.
What Does OSINT Look Like Up Close?:
For Individuals: OSINT often involves analyzing publicly shared content, such as social media posts, profile information, and online activity. Even small details—like photos, locations, or comments—can reveal sensitive information unintentionally.
For Companies: Organizations are exposed through employee activity, public-facing content, and digital footprints. Information like employee directories, company events, or partner relationships can be pieced together to create opportunities for attackers.
What Are the Biggest Gaps in Compliance?:
One major gap is the lack of oversight on publicly shared information. While many companies have social media policies, they often fail to actively monitor or enforce them.
Another gap is underestimating how much information is available online. Organizations may secure their internal systems but overlook the risks created by publicly accessible data that attackers can easily exploit.
How Is Social Media Used in OSINT?:
Social media is one of the most valuable tools in OSINT because of the volume of data and limited control over what is shared. Attackers can use posts, photos, and employee profiles to gather intelligence.
For example, a simple post showing an office environment can unintentionally expose sensitive information, such as credentials written on sticky notes in the background. Social media can also be used to build trust in social engineering attacks by referencing real details about individuals or organizations.
What Are Common OSINT-Based Attacks?:
Phishing: Attackers can gather employee information from platforms like LinkedIn, create email lists, and send targeted phishing campaigns designed to look legitimate.
Spear Phishing: More advanced attacks target specific individuals using detailed personal information. For example, attackers may impersonate trusted organizations or contacts to trick someone into opening malicious files.
Physical Social Engineering: OSINT can even be used to gain physical access. Attackers may impersonate vendors or service providers based on publicly available information and gain entry into secure facilities.
How Should Organizations Assess Their Exposure?:
Organizations should regularly evaluate what information is publicly available about them online. This includes reviewing employee social media activity, company profiles, and any publicly accessible systems or data.
They should also consider how attackers could combine small pieces of information—such as names, job roles, and email formats—to create larger risks.
What Are the Risks of Breach Data?:
Breach data significantly amplifies OSINT risks. When companies experience data breaches, exposed information—such as email addresses and passwords—can be reused in attacks.
Attackers often combine breach data with OSINT to identify employees, discover password patterns, and attempt access to corporate systems. This interconnected data can quickly build a detailed profile of an organization’s vulnerabilities.
What Are the Biggest Misconceptions About OSINT?:
A common misconception is that OSINT is the same as traditional reconnaissance. In reality, OSINT is much broader, pulling information from across the entire internet rather than just interacting with target systems.
Another misconception is that publicly available information is harmless. In practice, even small details can be combined to create highly effective attack strategies.
How Can Companies Protect Themselves?:
Monitor Public Information: Regularly review what employees and the organization are sharing online.
Enforce Policies: Ensure social media and data-sharing policies are not only written but actively followed and enforced.
Train Employees: Educate staff on how attackers use publicly available information and why seemingly harmless actions—like tagging locations—can introduce risk.
Strengthen Authentication: Use strong, unique passwords and avoid reuse, as breach data can be leveraged to gain access to systems.
How Can Companies Ensure Compliance?:
Compliance starts with understanding the full scope of exposure, including publicly available data. Organizations must integrate OSINT awareness into their security programs, ensuring policies, training, and monitoring all address this risk.
Penetration testing that includes OSINT provides valuable insight by showing not just what information exists, but how it can be used in real-world attacks. Ultimately, organizations must proactively identify and mitigate these risks before attackers exploit them.
Notes
In this episode, host Allie Krings sits down with Duncan Wooley, a penetration tester at KirkpatrickPrice, to dig into OSINT — open source intelligence. What can attackers really learn about your organization just from what’s already public? Duncan walks through how social media, employee directories, and even something as small as a background detail in a photo can become the foundation of an attack, including real stories of spear phishing an executive and physically talking his way into a building disguised as a delivery driver. They also dig into breach data, password reuse, and why staying on top of OSINT tools and techniques is practically a full-time job on its own. It’s a fascinating, slightly unsettling look at just how much information is out there — and how easily it can be used against you.
At KirkpatrickPrice, we’re on a mission to help 10,000 organizations raise the bar for cybersecurity and compliance. Join Our Cybersecurity Mission. If you’re going to invest in an audit, it should deliver real value. That’s why we partner with you from audit readiness to final report, ensuring you get the assurance you deserve.
Ready to strengthen your security and compliance posture? Connect with an expert today and learn how we can help you meet your toughest goals.
Monitoring Best Practices
• Monitoring Employee Records and Communicat…
Improper Disclosures
• Monitor and Provide Enforcement for Improp…
Tools and Techniques https://kirkpatrickprice.com/blog/5-n…
Internal Monitoring https://kirkpatrickprice.com/blog/web…
Send a Question
Do you have a question for our podcast? Send it to us here.