OSINT Security Assessment
OSINT Security Assessments entail a number of different approaches to ensure that your company is not leaking sensitive information to the public. This could include API keys, personal information, passwords, email addresses and much more information that could leave your company or customers vulnerable to attack. We use publicly accessible information and a number of dark web sources to ensure that your company’s data is safe and that its private information remains private. The defining feature of an OSINT assessment is that the information is collected from public sources, meaning that anyone can find this information and use it against the company.
What do we test for?
We test for any information leaked online which would be protected by GDPR, as well as information that could be useful to an attacker if they were planning an attack. This can include software versions used, API keys and GitHub repositories; collecting information like this can build a profile of the organisation and its associates. Data is often collected without the knowledge of the company being attacked. We also create a footprint of any services or infrastructure that can be found for a company, allowing you to know the footprint of your organisation and better protect that information so that it cannot be used against you.
What are the risks?
APTs (Advanced Persistent Threats) often start by doing large amounts of public reconnaissance on organisations they mean to attack. This allows them to build out a footprint for an organisation and use that against them to compromise their security. This can take the form of spear-phishing with information that shouldn’t be public or learning about insecure resources which are more easily exploited. The information collected can lead to loss of customer data, doxxing of important shareholders and compromise of essential information and infrastructure in a way that could have been prevented.
How we can help
We work with organisations to secure their digital assets and footprint using an OSINT assessment. The removal of information and the hiding of confidential information can ensure that an attacker does not get the chance to use it against an organisation, preventing a vital part of the attacker’s attack chain and removing information that could be used by a hacker to compromise a company. Companies are often unaware of the information they are leaking online; our help and a comprehensive report allow our clients to ensure that they are aware and take steps to protect themselves and their customers.
What are the next steps?
Contact a member of our consulting team either by phone, email, or pigeon post. We will then discuss whether we can help you and arrange a scoping meeting to discuss your requirements.
In the scoping meeting, our expert consultants will discuss and finalise which digital assets you need testing. We will then put together a project proposal and quote based on the requirements and agree on a schedule for conducting the security assessment.
The testing starts. A member of our penetration testing team will liaise with a member of your company throughout the entire testing process. If we have any questions or concerns, you will be the first to know.
Report & Remediate
A penetration test is useless without a well-written report. Our reports are written in plain English, concise and thoroughly documented. Each report will detail an executive summary, risk ratings, a business risk summary and all of the issues we found throughout the engagement.
Book your retest.
Here at Sencode we offer free retesting with every penetration test we conduct.
You fix the issues, then we will verify they can no longer be exploited by an attacker.
Get a security certificate for your business.
Just a PDF document with a list of issues? No way.
Our clients receive a testing certificate that can be shared with partners and customers alike, showing that your company takes security seriously.
Frequently Asked Questions
If your company has an online presence, you should consider getting an OSINT assessment. The requirement for an assessment grows in proportion to the size of the company and the amount of data it collects.
Hackers will frequently automate the process of data collection, targeting large numbers of companies in the process.
Unfortunately, data leakage is a common occurrence, and even with safe data management policies in place, it can go undetected and have disastrous consequences.
OSINT (Open-source intelligence) is the term for the process of data collection and reconnaissance of publicly available data on a specific target. It often involves the use of social media and more technical searches.
OSINT falls into 3 different categories:
– Passive data collection, where the attacker has no contact with the organization.
– Semi-Passive, where an attacker disguises their activities within what is typical network traffic.
– Active data collection, where an attacker actively collects data from a target infrastructure with no regard for detection.
In penetration testing, reconnaissance is the process of gathering useful data about a target that can be used later in the attack. This usually entails retrieving the IP addresses of the servers that are being attacked, as well as understanding which software versions are installed on the host machines using a variety of techniques.
This stage is critical for an attacker since it provides a foundational understanding of a target’s infrastructure, which they may then attack and exploit.
Get a free, no-obligation quote from one of our expert staff.