Open source intelligence (OSINT) refers to any information that can be gathered from free, public sources about an individual or organization.That tends to mean information found on the internet, but technically any public information falls into the category of OSINT, whether its DNS sinkholes, pastebins, search engines or reports in a public library, articles in a newspaper or statements in a press release. OSINT also includes information that can be found in different types of media, such as information in images, videos, webinars, public speeches and conferences.
First generation cyber scoring tools acquire this publicly available information and use it to provide companies with “risk scores.” This is NOT the ideal representation of cyber risk, as it’s simply OSINT-based risk assessments. This is only a small part of a true measure of risk and can offer a false sense of security. There is much more taken into account with a combination of active, passive and security controls based assessments to achieve a comprehensive, accurate indicator of an organization’s risk posture.
The next generation of assessing risks consists of both active and passives assessment, OSINT-based, and manual assessments across various aspects; not limited to external facing and internal resources, web applications, malicious network traffic, data-driven patching cadence, standard security control status, and compromised data-sets published on the open and dark web. This provides comprehensive insight on exposed risks that is not captured using first generation scoring providers, allowing you to make better decisions on risk mitigation efforts for you and your third parties.
Infrastructure Security Assessments
Network and system layer vulnerability assessments of internet facing infrastructures are vital to accurately scoring your cyber risk. These would include non-intrusive assessments that send transmissions to your third party’s network’s nodes, uncovering weaknesses a potential hacker would spot. This assessment provides insight on your third party’s infrastructure security risks, allowing them to quickly and accurately identify, investigate, and prioritize vulnerabilities and misconfigurations.
Web Application Security Assessments
Web application attacks are a leading cause of data breaches. Web application specific assessments are critical in understanding the levels of threats your third party is exposed to, allowing them to safely manage and develop applications. Such assessments must include checks for cross-site scripting (XSS), misconfigurations, broken authentication and more.
Patching Cadence Assessments
All too often, recommended patches go ignored. At the same time, your third-party vendors may find it difficult to ensure all systems are adequately patched. But software patches and updates are of utmost importance, as they control the prevention of software and systems from being easily compromised. Patching outdated software is one of the quickest methods to begin securing an environment. Monitoring the process developed to patch in a timely manner is critical, because when done right, it can significantly reduce the exposure time of a security flaw.
Security Control Gap Assessments
Whether it is industry mandated or part of your traditional third-party due diligence process, there are numerous reasons why surveys, questionnaires and compliance reviews are critical to augmenting the technical assessments listed above. They provide visibility on administrative and process related controls needed to manage technology risks identified with the other assessments. Such assessments should leverage security standards such as PCI, SIG, HIPAA, SOC 2, ISO 27001, NIST, 23NYC500, etc. Factoring gaps with these controls validates the adequacy of administrative controls present to help your organization reduce inherent risks.
While OSINT-based data can help determine active threats, it should never be used to represent the risk profile of any organization. Only next generation scoring products, like FortifyData, leverage OSINT data as one data point to augment other data from automated active, passive and manual assessment methods, such as those listed above, to determine the true level of risk associated with any company.