anonymisation

Differences

This shows you the differences between two versions of the page.

anonymisation [2019/02/26 13:32] – [Anonymisation of personal data within a campaign] lucy
anonymisation [2021/07/30 13:00] (current) – [Introduction] lucy
Line 1: Line 1:
-===== Background info =====+===== Introduction ===== 
 + 
 +Data anonymization is a type of information sanitization whose intent is privacy protection. It is the process of either encrypting or removing personally identifiable information from data sets so that the people whom the data describe remain anonymous. This is required by law in different countries. Before we explain the Anonymisation of data, we want to answer a few questions regarding data security & privacy: 
 + 
 + 
 +  * **Where is LUCY storing and processing data?** Lucy can be installed On-Site or on a cloud server. All data is stored within LUCY, no matter where it is installed. No LUCY employee has access to the client's data, unless it was approved in written by the client. 
 + 
 +  * **Where is data sent?** No personalized information that falls under GDPR ever gets transmitted outside of LUCY. As you can see in [[network_communication_-_lucy_--_internet|this chapter]], LUCY uses some connections to centralized servers (e.g. update server). This is only for maintenance reasons and to maintain the functionality. 
 + 
 +  * **Do we have a data processing agreement**: We do. Please visit this [[company_application_and_data_security|chapter]] 
 + 
 +  * **Protecting personal data**: Lucy encrypts the data and offers many possibilities to [[security_considerations|secure access to the data]].  
 + 
 +  * **Collecting personal data**: In certain countries, you are not allowed to collect personalized data (e.g. who failed a phishing simulation and who did not pass a training). In such a case you need to [[confidentiality_of_campaign_data|enable anonymous mode in LUCY]]. This will be described in the next chapter. 
 + 
 +===== What type of data can get logged in LUCY? ===== 
 + 
 +LUCY needs in minumum only email adresses (or in case of Smishing attacks phone numbers). In case of anonymization there is no personalized data logged at all.  The following (not complete) list shows all the information that can be collected within a phishing or awareness campaign. Please note that every client can decide what data gets logged within a campaign. 
 + 
 +  - **[[track_opened_mails|Emails Opened]]**: Recipients opened the email  
 +  - **Link Clicks**: Recipients clicked the link in the email  
 +  - **Successful Attacks**: Recipients submitted data in a form (e.g. login data that is submitted via a form based POST request), clicked on a link, executed a file etc.  
 +  - **Hourly Stats**: Page views, link clicks, successful attacks, invalid submits, etc. 
 +  - **Daily Stats**: Page views, link clicks, successful attacks, invalid submits, etc. 
 +  - **Recipient Criteria's**: Based on the usage of additional fields in the [[add_mail_recipients|recipients list]] you can sort and filter the statistics for each field 
 +  - **Operating System** Of recipient. This information is based on the user agent string 
 +  - **Browser type** of the recipient 
 +  - **Browser Plugins** of the recipient 
 +  - **[[tracking_downloads|File downloads]]** 
 +  - **IP**: Remote IP address of your recipient. 
 +  - **Vulnerable Browser | Vulnerable Client**: Based on the user agent, LUCY will tell you if there is any vulnerability.  
 +  - **Time based stats**: How long does the user stay on each landing page 
 +  - **User history**: Historical user statistics 
 +  - **Awareness stats**: Number of users trained, % correct questions, training results, users who did not start/finish training etc.
  
-Data anonymization is a type of information sanitization whose intent is privacy protection. It is the process of either encrypting or removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous. This is required by law in different countries. 
  
 ===== Anonymisation of personal data within a campaign ===== ===== Anonymisation of personal data within a campaign =====
  
-Within a campaign you can enable anonymous mode in the according scenario settings:+Within a campaign you can enable anonymous mode in the base settings:
  
-{{ anonymize.png?600 }}+{{ anonymous_mode.png?600 }}
  
 Please note that this operation cannot be undone! Please note that this operation cannot be undone!
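Review bot: The added sentence "In case of anonymization there is no personalized data logged at all" under "What type of data can get logged in LUCY?" is not reconciled with the list that follows it, which includes "IP", "User history" and "Recipient Criteria's"; mark per item which entries are suppressed or only aggregated in anonymous mode. The same paragraph calls the list "(not complete)" and then says it shows "all the information", so one of the two should go. The "Collecting personal data" bullet says anonymous mode "will be described in the next chapter", but the next heading is the data-logging list, not the anonymisation section. Spelling to fix in the added lines: "approved in written", "in minumum", "email adresses", "Recipient Criteria's", and the mix of "anonymization" with "Anonymisation".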
Line 22: Line 54:
  
 {{ add_anon_sett.jpg?600 }} {{ add_anon_sett.jpg?600 }}
 +
 +
 +Every campaign needs a recipient group to work. The recipient group are the users who receive the attack simulation or awareness content. You can create multiple groups for a single campaign. Groups can be used within LUCY to target users with specific phishing or training campaigns. Many organizations start by grouping users by department, location (if you have multiple office locations), or even domains (if there are multiple domains). The recipients can be in any number of groups and you can set up an unlimited number of groups.
 +
 +
 +===== How to Enter Your Recipients? =====
 +
 +Recipients and groups can be configured under Admin/Recipients. 
 +
 +{{ 45.jpg?direct&600 }}
 +
 +You can either add them manually (1), import them (2) or search the internet by using the "[[scan_for_mail_addresses|SCAN FEATURE]]" (3). The groups are always defined globally and you can re-use them among different campaigns.
 +
 +{{ 46.jpg?direct&600 }}
 +
 +We recommend importing them because it will enable you to create a custom text file with additional information about each target user (e.g. defining the division or location where they work). This information can later be used for automatic analysis and statistics. The more information you provide, the better. 
 +
 +**Note**: Searching the internet without a Bing or Google API won't get you the same results as if you searched directly with a search engine. 
 +
 +
 +===== Process of anonymization =====
 +
 +The recipients for the campaign can be imported via file or via [[ldap_integration|LDAP]]. The recipients can contain the following attributes:
 +
 +  * 1.Email - Recipient's e-mail address
 +  * 2.Name - Recipient's name
 +  * 3.Staff - Job position or related
 +  * 4.Location - Recipient's location
 +  * 5.Division - Company division
 +  * 6.Comment - Any custom comment
 +  * 7.Link - Unique link part for the Landing Page. 
 +  * 8.Phone - recipient phone number
 +  * 9.Language - recipient language
 +
 +
 +Once you imported the recipients, you have to associate the recipients with a specific campaign(attack simulation or awareness training):
 +
 +{{ recipient_association.png?600 }}
 +
 +After you start a campaign in anonymous mode you will only be able to see general statistics:
 +
 +{{::anonymous_view1.png?600|}}
 +
 +{{::anonymous_view2.png?600|}}
 +
 +{{::anonymous_view3.png?600|}}
 +
 +If you have less than 10 employees in a division, location etc, the marked stats will also not be visible:
 +
 +{{::anonymous_view5.png?600|}}
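Review bot: The new "Process of anonymization" section lists the nine importable attributes and then goes straight to screenshots without saying what happens to those values once a campaign runs in anonymous mode; state which of Email, Name, Phone, Comment and Link are removed or kept, since Link is described as a "Unique link part for the Landing Page". The advice under "How to Enter Your Recipients?" that "The more information you provide, the better" sits awkwardly on a page about limiting personal data and should at least point to the anonymous-mode limits, including the rule that stats are hidden for groups under 10 employees. Minor: the attribute list combines bullets with hand-typed numbers ("1.Email"), "campaign(attack simulation" is missing a space, and "less than 10 employees" should read "fewer than 10 employees".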
anonymisation.1551184333.txt.gz · Last modified: 2019/07/25 12:50 (external edit)