Rapid executive and personal exposure assessment

Written By fra juniper

Executive Summary

  • This brief summarises an anonymised case study of a rapid executive and personal exposure assessment conducted for an executive and their family.

  • This case underlines the importance of rapidly assessing exposure risk and hardening online presence. 

  • By identifying online exposure we enabled the executive, their family, and the company to adopt a more informed security posture.

Our Executive & Personal Exposure service provides rapid assessment and mitigation of digital, relational and reputational risk.

Contact us now to arrange a rapid triage and risk assessment. 

Case description

Executives are at a high risk of targeting by criminals and other threat actors. Family and friends can also be targeted as a means of gaining access to executives.

Despite the high risk of targeting, many executives have never conducted a review of their personal and professional exposure risk. This leaves executives, their associates, and companies carrying potentially serious unquantified security risk.  

This brief examines an anonymised engagement with a senior executive at a medium-sized enterprise in the communications sector. The executive had never previously conducted a review of their online presence. Accordingly, we conducted a rapid investigation of the executive’s professional and personal's exposure and assessed associated security risk.

The investigation identified that the executive and members of their family featured in a larger-than-usual number of online data breaches. Criminals and other threat actors can leverage this information to construct personal profiles, determine patterns of life, identify physical location, and conduct identity theft and impersonation.

Digital exposure evaluation approach

At the executive’s direction, we conducted a non-invasive investigation of their online exposure, to rapidly identify critical exposures and assess their overall level of risk. This investigation covered publicly available information across the open, deep, and dark web. Sources covered included official records, social media content, data brokers, and data breaches. 

Written reporting on the investigation provided the executive with a clear and concise assessment. We evaluated digital exposure risk across five areas: personal, family, professional, geolocation, and impersonation. An overall assessment was accompanied by more detailed analysis covering these five areas, including details of key findings and explanations of the risks that these exposures enable.

Significant breach data

The investigation rapidly identified a high level of exposure in breach data. This information can be used to assess the attractiveness of the executive as a target, with greater volumes of data readily available it makes it easier for an attacker to act.

The types of data associated with the executive that we identified online are set out below, along with associated risks. We provided immediate recommendations to mitigate these risks. 

Beyond personal exposure

In addition to personal risk, a high level of breach data presents threat to family members and people in close proximity to the client. This creates a wider attack surface for threat actors and introduces broader ethical considerations.

In this case, our online investigation identified the following information about family members:

  • Names and personal details

  • Email addresses and phone numbers

  • Social media accounts

  • Residential addresses

This information is significant because it can enable threat actors to indirectly gain access to information about executives, or to develop social engineering lures.

The readily available data enabled identification of the subject’s family and their relationship. Again, we took rapid action on critical exposures and provided guidance on account hardening and good digital hygiene.

Lessons identified

Personal online exposure risk scales exponentially

  • High levels of personal exposure enable threat actors to identify colleagues and family members, providing further insights and leads for investigation. 

  • Family members may present a softer target than executives, providing an easier route to compromising an executive’s security.

Rapid assessment is critical when risk is uncertain

  • If an executive’s online exposure has not been reviewed then a rapid investigation is critical.

  • The focus should be on rapidly identifying critical exposures affecting the executive, family members, and the company.

Assessment should be followed by risk mitigation. 

  • Executives should undertake a comprehensive executive exposure management exercise to harden their online presence.

  • Hardening measures should include personalised digital security recommendations, as well as takedown requests and targeted removal of publicly accessible information.

At Tyburn, we specialise at countering evolving threats to risk-sensitive organisations. Our experts bring experience in government, military, and academia to bear in delivering solutions to challenging problems.

fra juniper
Next

Subversion of security measures in Nexperia case highlights importance of resilient controls