James Dale, cyber security expert at PA Consulting, discusses open source intelligence (OSINT) and why this is a valuable tool for raising security awareness.
What is OSINT?
OSINT is intelligence “drawn from publicly available material”, according to the CIA. Most intelligence experts extend that definition to mean information intended for public consumption.
OSINT is information that can be accessed without specialist skills or tools, although it can include sources only available to subscribers, such as newspaper content behind a paywall, or subscription journals.
The CIA says that OSINT includes information gathered from the internet, mass media, specialist journals and research, photos, and geospatial information. Most of these sources were used in the Bellingcat MH17 investigation.
OSINT does not require its exponents to hack into systems or use private credentials to access data. Viewing someone’s public profile on social media is OSINT; using their login details to unearth private information is not. In intelligence agency terms, OSINT is also information drawn from non-classified sources.
OSINT in the open – examples of open source intelligence
Pentest People’s Follin recalls an OSINT engagement that found floor plans of a sensitive location online, and another where an online photo contained enough information to copy a keycard. Both could compromise the physical security of an organization.
This shows why OSINT is a valuable tool for raising security awareness, as well as a technical tool for identifying security risks. James comments: “Organizations are potentially enabling cyber-attacks against themselves through the information they publish online.”
James continues: “OSINT is harvesting data from legitimate sources such as online search engines, websites, and professional social networks. But our cybersecurity experts have conducted client OSINT assessments and discovered information such as versions of software, names of devices used to print documents, and email addresses.
“Along with obvious sources, such as a company website and LinkedIn, this information can also be gathered through metadata stored within files created and published by an organization.”
However, even fairly trivial information can have big security consequences, warns James: “A pet’s name, or the version of Office used to create a document, may seem insignificant, but it can be used to inform a potential cyber-attack.”