Yes. The benefits of a simulated attack training are:
For security awareness to be successful, it needs to be ingrained into the culture of your organization. The phishing test is just a small part of the whole awareness campaign. Without the appropriate context, the security messages from posters or presentations are lost. A blame-free culture should be created so that your employees will alert you when they suspect that a mistake has been made. Security education and awareness, successfully adopted throughout your organization, can have a measurably positive impact.
What are the best practices to ensure that you get the most out of your training program?
If you plan on conducting a phishing test, we recommend that you let people know about it ahead of time. Let them know what they should expect and why. Clear communication ahead of time is key for people to accept the program.
Phishing Assessment Announcement
Here is a sample email taken from the SANS Security Awareness Program:
As you know, we take information security extremely seriously. As part of our ongoing security awareness program, at different times, we will be testing your understanding of this training, including quizzes, awareness surveys and assessments. Starting next month, we will be kicking off phishing assessments. A phishing assessment is nothing more than when we send out an email pretending to be a hacker. These are the very same email attacks that the bad guys are sending. The only difference is that these emails will not harm you in any way. They are only designed to track how many people fall victim to them and to help you learn how to identify these scams and protect yourself.
A couple of key points:
• We will be sending out these emails once a month randomly. Each month will be different.
• If you fall victim to one of these phishing emails you will be notified immediately.
• If you fall victim your name will not be reported to management. It will not impact you in any way. This training is designed to help you learn.
• Twenty-four hours after each assessment, we will send an email out to everyone explaining the attack and how you could have figured out the email was a scam or attack.
If you have any questions about this program or suggestions on how to improve it, please contact [Your Contact Information Here]. They are responsible for our security awareness program and will be happy to hear from you.
Phishing Assessment Follow-up
Here is an example of an email, taken from the SANS Security Awareness Program, that is used to follow up after a phishing assessment.
As some of you may have noticed, we had our monthly phishing assessment this week. As always, the purpose of these assessments is to help you identify and protect yourself against common email-based attacks. I've attached, at the bottom of this email, a screenshot of the scam that went out. If this had been a real attack, simply clicking on the attachment could have infected your computer. There were some simple ways to determine that this was a scam.
1. The email was extremely generic in nature. Notice how it does not use your name but uses the introduction “Dear Customer” instead. The attack is designed to work against everyone. If your bank had sent you an email, it would have used your name.
2. Notice the poor grammar and misspellings. This is another indicator that the email is an attack.
3. Notice how the email comes from an @hotmail.com account. Your bank would never use such an email address.
As for the assessment, only 13 people fell victim. Great job, folks. Finally, be sure to download this month's security awareness newsletter, “Social Engineering”, from our internal company portal. As always, if you have any questions (or suggestions) about security, please contact the help desk.
NOTE: Be sure to include a screenshot of the attack in the email so that people can read it and learn from it.
| Topic | Questions to clarify with the client |
| --- | --- |
| SPAM Whitelist | Is it possible to whitelist LUCY's IP on the spam filter and firewall? |
| Recipients | How many users shall be tested? Is it possible to get a list of users including email, name and additional info (such as department, location, etc.)? |
| Recipients Allocation | Shall all recipients get the same scenario simulation, or is a simulation preferred in which user groups get different attack scenarios? |
| Test Mail | Which mail address can be used for testing the campaign? |
| Distribution method | Should the phishing simulation only be sent via mail, or also include SMS, USB or any other form of portable media? |
| Scenario Type | Should the scenario be hyperlink-only or include a landing page? Does it need a malware simulation as well? |
| Data Extraction | If a malware component shall be used: what should it extract (e.g. system info)? What format is desired (Word macro vs. executable)? |
| Template | Does it need a fully customized template for the mail and landing page, or is it possible to use and adjust one of LUCY's predefined templates? |
| Domain Details | Is it necessary to reserve one or multiple domains? Should the domain be similar to the client's domain name or completely different? |
| Encryption | Should the landing page be accessed over an encrypted channel, and does it require a trusted certificate? |
| Privacy | Is it possible to store usernames and passwords from the attack on the system (partially, in full, or not at all)? |
| eLearning | Should the campaign also include eLearning content? If yes: does it need to be customized? Is it required that individual eLearning statistics are also logged? |
| Running the campaign | Should all mails be sent simultaneously, or is it better to send the mails over a longer time period using the scheduler? |
| Organizational | When can the test start, and by when does it have to be finished? |
| View Only Access | Does the client wish to get view-only access to LUCY to monitor the campaign statistics? |
| Log & Success Level | What is considered a successful attack (link click, data submit, etc.)? Should LUCY also record opened mails? Can advanced client-side scripts (BeEF) be executed to gather more detailed information about the user? |
| Login Restrictions | If a landing page with a login is created: is it necessary to let the user submit the password, or shall LUCY redirect the user to a different page before the full password is entered? Is it necessary to apply regular expressions to the login fields in order to avoid false positives? |
| Server Location | Should LUCY run in the cloud or on the client's premises? |
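The "Log & Success Level", "Login Restrictions" and "Privacy" rows above decide how campaign results are counted. As an added illustration (not LUCY's code, and the event log format, stage names and `example.com` login pattern are constructed assumptions), this script evaluates a campaign log against a configurable success level, rejects form submissions whose login field fails a regular expression as false positives, and never handles passwords at all:

```python
import re
from typing import Dict, List
STAGES = ["sent", "opened", "clicked", "submitted"]  # in order of severity

# Constructed sample event log in a hypothetical format (not LUCY's real log);
# passwords are deliberately never written to it ("Privacy: none").
SAMPLE_LOG = """\
09:05 opened user=alice
09:06 clicked user=alice
09:07 submitted user=alice login=alice@example.com
09:10 clicked user=bob
09:11 submitted user=bob login=asdf
09:00 sent user=carol
09:20 opened user=carol
"""

# Login-field restriction: only a corporate-looking address counts as a real
# credential submission, so "asdf" typed into the form is a false positive.
CORPORATE_LOGIN = re.compile(r"^[a-z0-9._-]+@example\.com$", re.IGNORECASE)
EVENT_RE = re.compile(r"^\S+ (\w+) user=(\S+)(?: login=(\S+))?$")

def parse_log(text: str) -> List[tuple]:
    """Return (stage, user, login) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m and m.group(1) in STAGES:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events

def is_false_positive(stage: str, login) -> bool:
    """A 'submitted' event whose login field fails the regex does not count."""
    return stage == "submitted" and not (login and CORPORATE_LOGIN.match(login))

def furthest_stage(events: List[tuple]) -> Dict[str, str]:
    """Map each recipient to the furthest genuine stage reached."""
    result: Dict[str, str] = {}
    for stage, user, login in events:
        current = result.setdefault(user, "sent")
        if not is_false_positive(stage, login) and STAGES.index(stage) > STAGES.index(current):
            result[user] = stage
    return result

def campaign_summary(text: str, success_stage: str = "clicked") -> Dict[str, int]:
    """Recipients, victims at the configured success level, rejected submissions."""
    events = parse_log(text)
    reached = furthest_stage(events)
    return {"recipients": len(reached),
            "victims": sum(STAGES.index(s) >= STAGES.index(success_stage) for s in reached.values()),
            "false_positives": sum(is_false_positive(s, l) for s, _, l in events)}
```

Changing `success_stage` to `"submitted"` drops bob from the victim count, because his form submission was rejected by the login-field check and only his click remains.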