Online Vulnerability Assessments for Protectors and Corporate Security | Sandra Stibbards
Episode 40, 23rd October 2022 • The Circuit Magazine Podcast • BBA Corporate Ltd
Duration: 00:34:09


Shownotes

Is your Principal leaking data? Not intentionally, but many EP teams could be unaware of the wealth of Open Source Intelligence (OSINT) they are emitting, even on covert operations.

This week we are delighted to welcome Sandra Stibbards, CEO of Camelot Investigations, recorded live at the Corporate Security Modernization Forum for DC, Maryland and Virginia to address:

  • How would a protector know why and when to investigate their online footprint?
  • What are the parameters of 'open source' intelligence?
  • How are the Principal's family causing potential problems for your operations and how can you help?
  • To what extent are online vulnerability assessments part of 'cyber' security or the wider 'corporate security' framework?
  • What is the extent of the details adversaries can find out about your clients?

More about Sandra:

LinkedIn

Website

More about the Circuit:

The Circuit Magazine is written and produced by volunteers, most of whom are operationally active, working full time in the security industry. The magazine is a product of their combined passion and desire to give something back to the industry. By subscribing to the magazine you are helping to keep it going into the future. Find out more >

If you liked this podcast, we have an accompanying weekly newsletter called 'On the Circuit' where we take a deeper dive into the wider industry. Opt in here >

The Circuit team is:

  • Elijah Shaw
  • Jon Moss
  • Shaun West
  • Phelim Rowe

Connect with Us: 

Circuit Magazine

BBA Connect

NABA Protector

British Bodyguard Association

Transcripts

[:

When you have executive protection, especially going out on detail, you want to make sure there's nothing out there that's going to give up their information, their locations, their family information.

[:

Welcome to the Circuit Magazine, the number one source of information on protection matters, the industry leading magazine for all security professionals who want to stay ahead of the game.

[:

Online Vulnerability Assessments and the Protector of Tomorrow. Today we are going to be speaking with Sandra Stibbards, Director and Founder of Camelot Investigations, a friend of the industry, particularly in the States, who looks at where principals, executives and operators, as well as the wider corporate security world, have left details or can be found online in various ways.

And this week we're trying something, again, a little bit new. We're going to be giving you a slice of a recording that we ran at the Corporate Security Modernization Forum for DC, Maryland, and Virginia. A very important place in the corporate and EP world, not least because of the ties to government, but the many details that go in and out of the city.

Sandra had recently given this particular talk in a different format, not dedicated to EP, at GSX. Beautiful that we can harness the power of this cross pollination format. We're going to be talking about where your principal leaves crumbs to be found. And we're not just talking their tailgate sign on one of those online media sites.

We're talking about areas where their family are vulnerable, where you're vulnerable, and where they're emitting a certain degree of data pollution about themselves. Now that's probably not a technical term, but we'll get into it. And I'm really happy to share with you this session that we did with Sandra live, because there's actually audience participation coming up with questions that no doubt you might ask live as we go through it.

So there's something magical about replaying a segment as part of our podcast. It just adds to the spice and flavour of our original format, I think. So we're really excited to explore how this applies to you, the protector, how you're going to look a lot better to your principal if you can get your head around this, and why this matters to the wider corporate security community.

Sandra is, of course, a friend of many of the listeners on this podcast but also previous speakers, in fact, specifically Scott Walker out in Arizona, who came onto the podcast just a few months ago. So this is going to be great to tie in, and she keeps a low profile, but this is gold dust to tomorrow's EP professional.

So let's get into it with Sandra Stibbards, CEO and founder of Camelot Investigations, and we're going to look at online vulnerability assessments for you, the EP specialist.

[:

And now, let's meet one of the contributors to the Circuit Magazine.

[:

We're live at the Corporate Security Modernisation Forum DMV, and we're delighted to welcome Sandra Stibbards, President, Camelot Investigations. And we're going to look at the angle of whether or not modernization can be found by looking at online vulnerability assessments. You're very much in demand, and I know Scott Walker directed me to chat to you because I think you did a session at GSX last week.

How did that go?

[:

Oh, it went absolutely amazing. Scott and I have such a good time doing our sessions together. It was on corporate due diligence investigations, and it was a little bit of a workshop. We offered a lot of links and tools that people could use. Scott and I always tend to play off each other and have so much fun.

It keeps the audience laughing and enjoying, and we always invite them to engage. The only thing was the room was way too small and we had people standing around the back, standing in the hallway that couldn't get in. So hopefully next year, if we do it again, we'll have a much bigger room, but we had an absolute marvellous time together as we always do.

[:

And fantastic. Scott is in the house. He says, standing room only. Standing room only. Yes. And Mike Gibbs says, hoarse voice is good for tradecraft, keeping in stealth mode.

[:

I love it. It is actually.

[:

What are you going to be talking to us about today? Because we're concerned about what is the modernization of corporate security, and part of that is convergence and part of that is making use of both sides of the house.

What are online vulnerability assessments and why should they pay attention?

[:

They're a high priority because in the corporate security world, you have very high profile people, but when you have executive protection, especially going out on detail, you want to make sure there's nothing out there that's going to give up their information, their locations, their family information, so they know that if the C-level person isn't home.

They know the family is vulnerable. So there's a lot of demand on making sure that if we do the online vulnerability assessment, I can actually determine what vulnerabilities are there, possibly social media, articles, calendars are sometimes posted, and they don't even realize it. So I do a really deep dive, not just the regular Google searches.

We dig deep, way down in the underbelly to make sure that any of those bad guys out there that might be targeting the CEO or the C level person, as well as the family, cannot get the information that could make them be placed in danger. So my recommendation is always have someone like myself that specializes in the online vulnerability assessments to do these first before they go out on details.

I also recommend just doing this in general for all management, all higher level, as well as their employees. And there's a reason for that, because a lot of times you don't realize you have employees that are in your system that are doing all the social media. They're posting things on Instagram or Reddit or TikTok even, which is really, it's scary stuff.

They might be doing little videos and you don't even realize they're talking about the CEO. Oh yeah, he's going to be over in Switzerland next week, and giving up all the details. So we have to not only look at the person that is being protected, but the team that's supposed to be protecting them, as well as all of the employees.

So this is something that, in my opinion, should be done on every single employee from the top to the bottom.

[:

Which is good because, traditionally, people say, ah, they are an executive member, therefore they get CP and they get EP and they get this and that, but actually there's other people like the system administrator.

Hang on, that person has probably more power than the CEO, if you really think about it. So, I like that. And so we can explore OSINT, we can explore deep dive into the dark web, maybe vetting and things like that. How did you get into all of this?

What's your background that you can share?

[:

Yeah, my background is 30 years as a private sector investigator. I have had my company Camelot Investigations for almost 27. I'm a financial fraud investigator, but I also do corporate due diligence for mergers and acquisitions, corporate online vulnerability assessments.

I do a lot of counterintelligence, business espionage cases, internet threats, and I also do online counterfeiting investigations. This all came about because I originally, being 30 years ago, was a gumshoe. We didn't have all these really cool tools that we've been developing over the last 20 years.

So over time, I learned how to use the internet as we got more access and more access. And basically took the road of getting my own education and understanding what I can do, what I shouldn't do. Took a friend's course in online security and configuration. And from there, I just kept learning and learning.

And so I started using OSINT as my tool for all my investigations, which has expanded things tremendously. And then from there, about 12 to 13 years ago, I had a company called Government Training Inc. approach me and ask me if I would put together a two day open source intelligence training for the federal government, for the U.S. federal government. And I did that for about a year, and then I thought, why am I not bringing it to the private sector? So I started doing it for everyone, doing open registration events. And the next thing it snowballed into conferences and shorter trainings. And I started doing financial crime conferences, AML, anti money laundering, threat management, like ATAP, that type of thing, corporate security, like ASIS.

And then I started doing all these cyber conferences, and I've been very fortunate to be able to teach people how to protect themselves online, as part of my trainings, and I've been able to teach on four continents, and it's been very good for me. I love teaching all public and private sectors. And it's been very fortunate because every industry can use this, no matter whether it's public or private.

[:

And I'd be interested in thinking, the physical security leader, the corporate security leader, is this a skill set they could master or they should master, or is it something they should palm off to, I don't know, financial fraud investigators, or something like that?

[:

They should, and they can, at all your questions being answered. Absolutely, every physical security person should be understanding what's out there when it comes to OSINT. Just even auditing your own company, setting up something on Google Alerts with your corporate name and then your personal name, and Google Alerts will then advise you if anything new comes up on the internet, and so through Google, and it's a great way to monitor yourself. But yes, these tools are something that every person, whether you're a physical security guard, a security company, a corporate office, they should all at least have an understanding of the capabilities out there, because I don't believe those people that don't really use a lot on the internet or don't get trained on how to use OSINT have a lack of understanding of how dangerous it can be and how useful it can be, because it goes both ways. It's like anything. There's the good part and there's also the bad part. So absolutely everybody should be using it. And on top of it, when they're covering things, they should be hiring somebody like myself to then make sure we're covering everything they need.

So you hit the head on all three categories.

[:

We can explore that then, because if it's then in their purview, and if they have the ability to master it, then we get on to the tools, which Scott has very kindly asked. But Carl has asked a question as well, and he said, Can you speak to what current trends you're seeing from your standpoint within the private sector?

And what differences you're finding in relation to high net worths and corporate clients versus local or state government? I suppose that's the type of projects that you're working on. Is that where you're going with it, Carl? But, either way, start. I wonder, what do you think, Sandra?

[:

In the big picture, the trends I'm seeing right now really stem from COVID. Because we have the situation where we're doing this type of thing, where we're doing virtual, which makes everybody a little more vulnerable, because if the hackers want it, they're going to get it. So the first trend I'm seeing is a lot more cyber fraud than we did before.

And so therefore, my concern is that companies are not realizing how vulnerable they are when it comes to their online security and having the proper tech set up. But the trends I'm really seeing are criminal. And that's, so for me, being able to educate them and let them understand that what's trending right now is their online security, and they really need to focus on that.

I'm hoping I'm answering his question. Is that kind of the focus he was looking for?

[:

Hopefully, but yeah, Carl, you can chime in here. Actually, do you know what? Do you know what? I've got an idea. What? Carl, I've activated your microphone. What, does that capture it, Carl?

Yes. Absolutely. Can you hear me? Yes. Yes. Okay,

[:

great. Sandra, great points, and yeah. Yes, you nailed it. I was also gonna ask, if you could, speak to how your work also relates to the threat profiles as it stands with executive protection on corporate level and a high net worth level as well, and the results of that.

[:

Yeah, depending on how high profile they are will depend on how far I have to take it. My whole world is based on making sure that they're protected, and the more net worth they have, the more vulnerable they're going to be, and the more work it's going to take to protect them, because unfortunately, and this is going to make sense to you guys.

Fortunately, the younger CEOs and the younger high corporate and high money people don't even realize that they're throwing themselves basically on the sword because they like to do Instagram, Facebook, they like to be on LinkedIn, which I teach people how to protect themselves if they can have a LinkedIn profile, but I show them how they're putting too much, and every little piece of information makes them vulnerable.

So as far as these higher profile and higher net worth companies and people, the bigger it is, the more we're going to have to dig, because they're the ones that are being focused on by the bad guys. So depending on the level that they are, it incorporates me into doing a lot more vulnerability assessment work, and I start getting into a lot more social media searches.

I can give you a few platforms that can help the bigger corporations monitor themselves and protect themselves, and I know that Phelim, you were asking about if I had slides. What I want to do is just, you're recording this so people can go back and look at or listen to this. One of the platforms that I think is very important for any of these very high profile people and corporations in general and corporate security companies, they need to be using something like TweetDeck.

And I can't, I don't, we don't have the time to actually educate you on it, but you can learn about TweetDeck. What it does is it monitors tweets that are going out there, and you can set it up by keywords, hashtags, usernames, location based, and you can use Boolean operators, advanced operators, all of these things.

You can set up different columns and constantly monitor what's being said about a certain person, about an activity, an event, a location. It is an amazing situation because the location itself can geofence a direct area. So TweetDeck, you can just go to tweetdeck.com and it will redirect you to tweetdeck.twitter.com. Now that's a free platform that Twitter owns. The other one I mentioned already was Google Alerts. You want to set up Google Alerts. It does the monitoring for you. You can go to YouTube and get any kind of tutorials for any of these platforms, by the way. So if you go to, I think you can, if you go to google.com slash alerts, it will take you right there. You do have to have a Google account, which is set up by Gmail. So make sure you set that up as well. So you're monitoring Google, you're monitoring Twitter. There's another platform that you can use. It's called Talkwalker. And if you do talkwalker.com slash alerts, it's another system that sets up alerts for Twitter.

So you can be running both TweetDeck and Twitter alerts. These are all free platforms. Another one that you can utilize, and I recommend this very highly, is ScopeNow.com. It is a pay platform, but I'm going to tell you what it does is it will compile a full social media account report on all the information you've entered in on your, say it's your CEO or whoever you're trying to protect.

Or maybe you're doing it on one of your employees because you're concerned and you've heard in chatter this might be a problem. You can run the reports every day, every week, however you want to do it, and it will monitor and you can set filters and date ranges and so forth. The other platform that I want to tell you about is another pay platform that can really help corporations and big security companies.

It's called EchoSec, and you can sign up for it. It's echosec.net. Reach out to them. Please tell these platforms that I sent you, because these are tools that I use regularly for all of my investigations. That's why I'm telling you about them, because I think they're magnificent. What EchoSec does is something completely different than any of the other platforms.

They do social media monitoring on 27 social media platforms that are location enabled. Any platform that allows location based searching. So say you're looking for your target and they're on Twitter and they have their location turned on. When you search in this platform, you can search anywhere in the world.

You can base it on a specific location. You can do it in an area, an address, you can do a city, a zip code, and then you can geofence those areas, and it will monitor those areas, so you might have a certain person of concern that you want to geofence a certain area to make sure that your CEO or your person that you're trying to protect isn't in danger, because you know what crazies are like out there.

This platform sends you alerts. You can set up any high alerts, you can set low alerts, like I said, the geofencing. The other thing that you can do on there is keyword searches and boolean searches. And the keyword searches, say you're looking for a filter over just the next, for a week gone by and then you have the author you're following, you have a geofenced area, then you put in the keyword gun, it will look for all.

posts that are location enabled and that involve the word gun, not just in text, but in image searching. So this platform is amazing. So if you contact them, let them know I told you about them. They're incredible. They also have a dark web search as well called Beacon. So you want to check that out.

Oh, and that's the other thing that ScopeNow has. They also have a Darknet search. Now, if you really want to dig deep for Darknet, the one that I recommend to you that's also a partner of mine, and it is an unbelievable platform, is called DarkOwl. DarkOwl actually collects from over 95,000 sites, as far, I think I have the number correct, and what they do is they monitor the dark net for all these sites every 60 to 90 seconds.

And they save it. They archive everything. So anybody that knows and deals with the dark net knows things come and go within 24 to 48 hours. All these, all the nefarious activity that's going on out there, they monitor all of it and they save the information. So when you're on their platform, it's a text based search and you have filters and marketplaces.

And so you can monitor. If there's any kind of nefarious activity going on against one of your CEOs or one of your important people or the company or email addresses or domain that's affiliated with the company, there are so many options. So all these platforms put together will help you protect everyone and also weed out the bad apples that may be in your company or that are out there looking at your people.

I'm hoping some of those platforms will help you.

[:

Wow. I've been writing the notes in the comments, helping people along. Let me see if I can catch up, 'cause a few comments came in as well and questions. Larry, hi, Larry, who spoke earlier, ditto to Scott's question. And how do you manage the volume of info on open source platforms?

Effectively, we have looked at companies that monitor because it seems that volume and time is required and is significant, and maybe can I add to that question? If you're getting a service, who does the prioritization? Because it seems that either you're paying them to do it, and then they're doing it, or not, because if you're paying and they're not doing it, do you know what I'm saying?

Who's responsible for that prioritization anyway?

[:

Whoever is going to be utilizing the platform itself is going to be the one that sets it up. The thing about these platforms is that they've set it up to make it easy for you to be the investigator, right? So what you're doing is, because they're not going to know what you're looking for.

They've set it up with all the filters and ways for you to search so that then you can save it, you can build reports, you have the alerts, and you gather those, you put 'em in your file. Then you can compile it for the monitoring and the concerns that you might have that you're searching for. So you're responsible, or I should say whoever is utilizing the platform.

But the purpose of these platforms is to make your job easier instead of just going out to all the open sources. It's really difficult if you have to do it one at a time. It's very time consuming. The kind of work I do, I'm meticulous and I'm digging every piece out of every little spot and every crevice.

But when I have these platforms, I then have reports that I can review, and it helps me build on to where else I want to search. So I'm responsible for that. Again, like when you have ScopeNow, they actually build an entire report for you. So if I have, maybe I want to see what's out there on a CEO. I'm going to put their name in there with their different cities and locations, up to three, that they're affiliated with.

I might know their usernames, put their cell phone number in there. I might have a spouse that I add to it, their age, the title of their job, and what their algorithms are going to do is utilize all of that. And they're going to create a report that gives you all the social media platforms that they need.

They spider out to all the websites that they find this information on. Then they're going to be giving you dark web hits as well. They're going to be giving you address history. Then they're going to give you chatter, and then they're going to give you documents. It's amazing. And you can go through the report, decide what items you want to keep, what you don't want to keep, save it as a PDF or a Word document.

And then you have that reference to then keep doing your work better. The platforms are great. DarkOwl is the same way. And everything is savable in report format on all of these platforms.

[:

I like that. And that, to be fair, it just sounds so handy. It's wonderful. But then what's this for?

Is this for you to expand the scope of your work, or is this actually for a whole new type of professional? Are you going to be tempted to hire analysts yourself when you realize just how much is available?

[:

For me, I'm not hiring analysts because I'm doing the work myself.

That's what the companies are hiring me to do. When I'm using these platforms, they are the ones that are getting me to the next level. Yes, the first part of your question was, is it expanding what you're doing, taking you to a deeper place, a further place? That's exactly what they're doing.

They're making sure I'm not missing anything, and they go to a length that we don't have access to in open sources, because they've developed a platform with their partners and they're gathering in other places. So they've created software and algorithms that are going to pull information that I wouldn't be able to get my hands on.

So with that in mind, then I can utilize that to take it to the next level.

[:

And that's an interesting segue because it combines a question that I had with a question that Ken has. Ken says, great platforms; however, are there legal issues in the future due to the amount of data you are collecting through such platforms and how you use it?

Now, my question was, obviously in the EP world and in the corporate security world, there are some people that provide other services like protest intelligence, or other types of intelligence. And that's not open source stuff. I guess the larger question is, how have you handled the data?

And what about the non-open source things?

[:

I should really correct myself, because pretty much everything is open source. It's just that I'm not finding it because their algorithms are picking it up. So the legality of it is, all of these platforms are making sure they're staying within the legal realm.

They don't do anything that they're not allowed to do. And any accesses that they have are partnered with them. So yeah, if there was something that would be not accessible, and they weren't given permission or partnered with the company, then they wouldn't be doing it. So everything in that aspect would become an open source, because they have permission to either access the material, access the information, and they're able to draw on it.

And when it comes to ScopeNow, they're all open source. When it comes to EchoSec, they're all open source, because they're using all these different platforms, but they've gotten permission from any platforms that they're partnered with to provide the information. So the partners know that they're providing information, so it's an open source as well.

They might have proprietary information that they like to keep within themselves, but when these platforms partner with them, it is all legal and it's within the same realm. Now, I sit in the United States, I know the laws in my country. Any of the other countries out there, I know there's the GDPR, there's limitations in certain places.

They're not going to be obtaining anything that would not be accessible and given permission. There are privacy concerns in certain places. We're not going to be picking up things that, say, in the UK, for example, I know there's limitations. We're not going to be picking up anything but social media and other things that are open in that area. We're not going to be getting criminal records and things like that. That's not available because that would be breaking the law. So they don't access anything that is not an open source and they've been given permission to utilize their platforms.

[:

Okay, that's good. That's a good clarification, because then that will make what you do and what they can do with these tools more appealing.

Yes. Which is good news.

[:

I can't promise you that I'll never break the law either. We always stay within the law. People that will ask, attorneys will even ask sometimes for things, and we have to look at them and go, no, we're not allowed to do that. So we will never, and any of us as investigators that have been in the business a long time have the understanding of what our limitations are.

So we will not do anything nefarious and we will always stay within the law.

[:

And that would be a good connector with our next session, in fact, because we look at public private partnerships, and maybe that's where we hand off to the public sector, where law enforcement and so on, which is perhaps a good thing.

So how can people get in touch with you? Are you doing courses? Are you doing more talks and offering services in that respect?

[:

I am. I'm so glad you asked. My website for the OSINT information is opensourceintelligentstraining.org, and that gives you all of my upcoming events. Or you can email me at sandra at camelotinvestigations.org. So hopefully I gave all the info, and I really appreciate you letting me tell people about this information, and I'm sure hoping that we get to do this again.

[:

Yeah, absolutely. This is very key, very interesting. It brings something new, and I think it helps with one of the key questions, which is, so I'm a corporate security specialist and I want to modernize.

Now what? And this is the what. This is, okay, this is a skill set or perhaps a collaboration that you can actually achieve.

[:

And yeah, just to finish off on that, I want to remind everybody that when it comes to security in general, I'm hoping that all the companies are hiring really good cyber security people to protect their online activity, their websites, their Zoom calls. Make sure you have the best of the best out there, because the investment, I promise you, you'll be happy you've done it.

The other thing you want to do is have someone like myself teach your people the human side of it to protect their digital footprint. Both go hand in hand. You can't have one without the other. So make sure you educate your team on how to protect your digital footprint and what not to do out there.

[:

Love it. Sandra, thanks for coming on. I'll give you a big virtual round of applause. Thank you. I hope you have a lovely time out in Texas and I look forward to seeing you in the audience.

[:

Thank you, Phelim. I appreciate it. I hope to see you again soon. See you soon.

[:

Thank you. Take care.

What a great pleasure to welcome Sandra to an event live and talk Open Source Intelligence for your Protector and your Protectee community. And what I really think is interesting is the way in which a lot of different physical security specialists have embraced the cyber element. Not become the cyber element, but said, okay, how does this apply to me and my principal?

Aha, this is who I will call. More the Ghostbusters strategy, the who you're going to call strategy, rather than spending hours in night school. Now, if you are spending hours in night school learning to code or learning the world of cyber, absolutely, hats off to you. That's definitely an amazing way forward.

However, if you are not going down that path, this is very important, and it's actually not very intimidating, is it? You know who to call, you know why you would call them, and you know the ramifications for not managing your digital footprint, especially in areas that you had not previously considered.

And also, it's a pleasure to just add something new to the Circuit Magazine podcast this week, which I think is really good fun. Coming up, I will see everybody, because on the 12th of November we have a stand at the EP World Conference. I'm looking forward to seeing you there with my Circuit Magazine hat on, and coming up even later than that, of course, is the IPSB in Vegas and the EP Forum, great events in December, and we very much hope to see you there.

And, of course, 26th of January, in London, is the 8th Annual Executive Security and Close Protection Technology Forum. Just some dates for your diary. We're very pleased if you could come to us with another suggestion for another article in this month's magazine. Obviously, it could be any topic, but maybe you've been inspired from what you've heard today.

Maybe you can help apply it to your work, and then maybe you could explain how that sort of reacted. That would be a great cause and effect from the latest episode of the podcast. Obviously, we know that we've had some great updates in the BBA Connect app and the NABA Protector app, so keep those coming, keep those updated, and we look forward to continuing the communication.

Obviously, thanks to all who've taken part in our D.C., Maryland, Virginia Forum, from which today's session was recorded, but a special thanks to Sandra Stibbards. I asked, could I share that for the wider audience, and she was very happy to do. Thinking of my fellow presenters, Elijah, Shaun and Jon, let's see everyone next week for another fantastic edition of the Circuit Magazine podcast.

[:

You have been listening to the Circuit Magazine podcast. Be sure to subscribe and be sure to not miss an episode.
