Many moons ago I tried a brief change of career as a resourcer for a recruitment company. My role was essentially to compile contact lists of potential candidates for the senior recruiters' roles. I would gather as much information on a candidate as possible and develop profiles based on experience, tenure, professional networks, commendations, accreditation and social media activity.
My weapon of choice at the time was LinkedIn.
I would scour LinkedIn for hours, building complex profiles of potential candidates based on the data which they openly published on LinkedIn. It was incredibly easy. I had no formal training beyond my own social media presence, which at the time was limited to my own limited LinkedIn profile and a MySpace page where I mostly posted pictures of my cat and made fun of Emo music. That little bit of knowledge about how social networks can be used was enough for me to be a very skilled resourcer. But I found it boring and quickly jumped back into a technology role.
This extraction of data from public information is known as OSINT. It stands for open source intelligence, which refers to any information that can legally be gathered from free, public sources about an individual or organization. It’s the same method that malicious types use to build a list of targets for their attacks. With what is freely available they can build a profile on who to target, what their interests are, what their vulnerabilities might be. With one little thread of information a whole lot about you can be unraveled from LinkedIn, Facebook, Instagram and the like.
This is how malicious agents know that the new guy in accounts who has access to critical financial information just got out of a messy break-up and is going down the coast for three days without his laptop and won’t notice any suspicious activity until Monday morning, in which case he might not even say anything as he’s trying to make a good impression and doesn’t want to get in trouble. It was all out there for anybody to see.
Another attack vector comes in the form of the classic confidence game, where a malicious agent builds a rapport with a member of your staff, either as an industry peer or by impersonating someone within the organisation, and then asks for sensitive intellectual property or for assistance in accessing network credentials. Consider how a junior employee may feel after the branch manager from a different office, who they have had casual banter with over days/weeks/months, sends them a message saying “Tony from IT (whose name I looked up on LinkedIn) still hasn’t fixed my VPN access. Can you help me out with your VPN details for just a moment?”
In 2020 ASIO launched a Think Before You Link campaign to highlight the real threat of espionage and targeted attacks, and when Director-General of Security, Mike Burgess, makes this face you know it’s serious.
It is completely natural to want to be proud of accomplishments, boast about your achievements and build a professional network. Just remember that everything that’s out there can be used for any old random person in the world to know that little bit more about you than you might be comfortable with.
We run training campaigns on cyber security threats, and make available internal marketing and education pieces for our Managed Cyber Security clients. If you’re as serious about cyber security as Mr Burgess up there you should give us a call on 1300 520 364.