lucy_onboarding_checklist

lucy_onboarding_checklist [2019/10/15 15:32] lucy | lucy_onboarding_checklist [2021/09/29 10:28] (current) lucysecurity
Line 13: Line 13:
 ^ Name ^ Description ^ Questions ^ Link(s) ^  ^ Name ^ Description ^ Questions ^ Link(s) ^ 
 | Get approval | Similar to approaching any important project, the first step in running a successful internal phishing training campaign is to make sure all concerned parties are notified and ready to comply. This includes executives, board of directors, IT and HR team, and your legal department. This step is usually accomplished fast and easy as it requires only a mild investment in phishing education in exchange of employee knowledge that can protect your company data from hacker attacks. Don’t forget to consult your HR department to ensure your simulations comply with current company policies. It’s also wise to reach out to your IT and Helpdesk Departments and discuss the planned activities with them. |•Did you get approval from the relevant departments (legal, risk, HR, support etc.)? \\ \\ •Has anyone voiced concerns you didn’t consider? | No links | | Get approval | Similar to approaching any important project, the first step in running a successful internal phishing training campaign is to make sure all concerned parties are notified and ready to comply. This includes executives, board of directors, IT and HR team, and your legal department. This step is usually accomplished fast and easy as it requires only a mild investment in phishing education in exchange of employee knowledge that can protect your company data from hacker attacks. Don’t forget to consult your HR department to ensure your simulations comply with current company policies. It’s also wise to reach out to your IT and Helpdesk Departments and discuss the planned activities with them. |•Did you get approval from the relevant departments (legal, risk, HR, support etc.)? \\ \\ •Has anyone voiced concerns you didn’t consider? | No links |
-| Define goeals| Always make sure to state the goals of each activity, including information on what you want to be tested. Usually, phishing engagements are concerned with testing people and their reactions to phishing emails. The points of concern are: Will a user click on a suspicious link, fill in their credentials in a web form, install unknown software, or otherwise interact with the email contents? In many cases, however, phishing simulations test non-human defenses as well. These typically come in the form of spam and phishing filters that protect the company’s mail server. Knowing that your network defenses work is great, but it’s imperative that the phishing simulation reaches your employees. Additionally, make sure you warn your testers about any flooding protections set up on your mail server. Remember, running a phishing test has one main purpose: to educate your employees so they are aware of the hackers’ tactics and of the ways to avoid becoming their victim. In no way should you try to catch your employees in a mistake without prior training or warn them about the scenarios beforehand as that wouldn’t help either. The security of your company is your main goal, and your employees should be aware of that. Measure the behaviors: A common issue with many training programs and phishing simulations is that their behavior remains unchanged throughout the course of the test. Identify the goals that your phishing simulation should meet, then design a path that evaluates if, and to what extent, each goal is accomplished. |•Did you already perform phishing simulations in the past and if yes: what were the average click/data submit rates?\\ \\ •What is the expected click/data submit rate for the planed phishing simulation? 
\\ •What is the desired click and data submit rate after the simulation / training; after 1 year of simulation/training?| No links |+| Define goals| Always make sure to state the goals of each activity, including information on what you want to be tested. Usually, phishing engagements are concerned with testing people and their reactions to phishing emails. The points of concern are: Will a user click on a suspicious link, fill in their credentials in a web form, install unknown software, or otherwise interact with the email contents? In many cases, however, phishing simulations test non-human defenses as well. These typically come in the form of spam and phishing filters that protect the company’s mail server. Knowing that your network defenses work is great, but it’s imperative that the phishing simulation reaches your employees. Additionally, make sure you warn your testers about any flooding protections set up on your mail server. Remember, running a phishing test has one main purpose: to educate your employees so they are aware of the hackers’ tactics and of the ways to avoid becoming their victim. In no way should you try to catch your employees in a mistake without prior training or warn them about the scenarios beforehand as that wouldn’t help either. The security of your company is your main goal, and your employees should be aware of that. Measure the behaviors: A common issue with many training programs and phishing simulations is that their behavior remains unchanged throughout the course of the test. Identify the goals that your phishing simulation should meet, then design a path that evaluates if, and to what extent, each goal is accomplished. |•Did you already perform phishing simulations in the past and if yes: what were the average click/data submit rates?\\ \\ •What is the expected click/data submit rate for the planed phishing simulation? 
\\ •What is the desired click and data submit rate after the simulation / training; after 1 year of simulation/training?| No links |
 | Past Education | Don’t forget to consider prior simulations and trainings that you’ve conducted on the topic of phishing and scam detection. If your employees have already been trained to spot scams, you should probably consider more sophisticated attack simulations that will be more difficult to recognize. | • Have you already trained all users on phishing & social engineering? \\ • Do you keep the results from past trainings to compare with future attack simulations? \\ • How do trainings currently look like (length, interactivity, video, exam, design etc.)? | No links | | Past Education | Don’t forget to consider prior simulations and trainings that you’ve conducted on the topic of phishing and scam detection. If your employees have already been trained to spot scams, you should probably consider more sophisticated attack simulations that will be more difficult to recognize. | • Have you already trained all users on phishing & social engineering? \\ • Do you keep the results from past trainings to compare with future attack simulations? \\ • How do trainings currently look like (length, interactivity, video, exam, design etc.)? | No links |
 | Current exposure | One main tactic attackers use is ‘spoofing’, that is, creating emails that closely resemble those of trusted organizations. They can then use those spoofed emails to attack your customers or employees. \\ Any publicly available information about your company can be used by attackers to create convincing phishing messages aimed at your employees. Your website and social media pages often offer all the data scammers need to run an attack, so keep an eye on any information that your partners share online about your organization. \\ \\ LUCY offers an employee online footprint analysis service for the price of USD 500. Its aim is to help you understand which of your sensitive employee information can be viewed on the Internet as well as the kind of data your employees tend to share publicly via their company e-mail address. \\ \\ Once you have a better idea of your data exposure on public channels, you’ll be equipped to help your staff understand how sharing their personal information can affect them and your organization. You can use this to develop a clear digital footprint policy for all users. Of course, you should not expect your employees to remove all traces of themselves from the Internet. What you can do instead is help them to better manage their digital footprint, so they share information in a way that protects them and the organization. | • Do you request of your employees to not use business email addresses for private services? \\ • Do you want to perform an employee footprint analysis (the results can be used at a later point for specific eLearning)? | No links | | Current exposure | One main tactic attackers use is ‘spoofing’, that is, creating emails that closely resemble those of trusted organizations. They can then use those spoofed emails to attack your customers or employees. \\ Any publicly available information about your company can be used by attackers to create convincing phishing messages aimed at your employees. 
Your website and social media pages often offer all the data scammers need to run an attack, so keep an eye on any information that your partners share online about your organization. \\ \\ LUCY offers an employee online footprint analysis service for the price of USD 500. Its aim is to help you understand which of your sensitive employee information can be viewed on the Internet as well as the kind of data your employees tend to share publicly via their company e-mail address. \\ \\ Once you have a better idea of your data exposure on public channels, you’ll be equipped to help your staff understand how sharing their personal information can affect them and your organization. You can use this to develop a clear digital footprint policy for all users. Of course, you should not expect your employees to remove all traces of themselves from the Internet. What you can do instead is help them to better manage their digital footprint, so they share information in a way that protects them and the organization. | • Do you request of your employees to not use business email addresses for private services? \\ • Do you want to perform an employee footprint analysis (the results can be used at a later point for specific eLearning)? | No links |
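Review bot: the rename to "Define goals" fixes the row heading but leaves "planed phishing simulation" in the same row's Questions column; change it to "planned" in the same edit. In the description, "In no way should you try to catch your employees in a mistake without prior training or warn them about the scenarios beforehand as that wouldn’t help either" is ambiguous about whether warning staff in advance is recommended or discouraged; split it into two plain statements (train before you test; do not announce the specific scenarios) so the intended reading is clear. "Measure the behaviors: A common issue with many training programs and phishing simulations is that their behavior remains unchanged throughout the course of the test" does not say whose behaviour is meant; name it (the participants' click and data-submit rates) so the following sentence about evaluating each goal has something concrete to measure.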
Line 24: Line 24:
 ^ Name ^ Description ^ Questions ^ Link(s) ^  ^ Name ^ Description ^ Questions ^ Link(s) ^ 
 | Setup location | You can run the attack simulation from a cloud server or on-premise. \\ \\ Reasons for installing on an external server in the internet are: \\ ◾ Public IP address outside your network range: Prevents your infrastructure from being blacklisted. \\ ◾ Direct access: The server will not be blocked by any security products already in place within your own infrastructure. \\ ◾ Less possible conflicts with integration: A LUCY server placed directly in the internet will be setup very fast as it does not require a complex integration process with your mail, DNS and firewall infrastructure \\ ◾ Smaller attack surface: As the LUCY server requires a web based access for end users from the internet (e.g. accessing their mails from mobile devices), you might need to punch a hole in your firewall and allow inbound access to a LUCY server. If you place LUCY in the intranet (see this chapter), your might violate your zone concept. \\ \\ Reasons for installing LUCY on premises are:  \\ ◾ Legal: Some laws might not allow you to store sensitive data on an external server outside your network or outside your country. Especially with the new data protection law in Europe (GDPR) you need to make sure any personalized or sensitive data is secured. \\ ◾ Integration with certain features: LUCY comes with different API's such as the LDAP API, the REST API etc. which are common for backend applications that are usually not exposed to the internet. \\ ◾ Security: LUCY might store sensitive data like windows login, user names, emails etc. within the database. Integrating the LUCY server in the internal protection layers (IDS, FW etc.) will minimize the risks of successful attacks. | • Do you plan to integrate LUCY with your internal systems (LDAP, LMS etc.)? 
If yes: you might probably want to consider an on-premise installation or a VPC (virtual private cloud) | [[network_design_-_where_to_setup_lucy|Setup Guide]] |  | Setup location | You can run the attack simulation from a cloud server or on-premise. \\ \\ Reasons for installing on an external server in the internet are: \\ ◾ Public IP address outside your network range: Prevents your infrastructure from being blacklisted. \\ ◾ Direct access: The server will not be blocked by any security products already in place within your own infrastructure. \\ ◾ Less possible conflicts with integration: A LUCY server placed directly in the internet will be setup very fast as it does not require a complex integration process with your mail, DNS and firewall infrastructure \\ ◾ Smaller attack surface: As the LUCY server requires a web based access for end users from the internet (e.g. accessing their mails from mobile devices), you might need to punch a hole in your firewall and allow inbound access to a LUCY server. If you place LUCY in the intranet (see this chapter), your might violate your zone concept. \\ \\ Reasons for installing LUCY on premises are:  \\ ◾ Legal: Some laws might not allow you to store sensitive data on an external server outside your network or outside your country. Especially with the new data protection law in Europe (GDPR) you need to make sure any personalized or sensitive data is secured. \\ ◾ Integration with certain features: LUCY comes with different API's such as the LDAP API, the REST API etc. which are common for backend applications that are usually not exposed to the internet. \\ ◾ Security: LUCY might store sensitive data like windows login, user names, emails etc. within the database. Integrating the LUCY server in the internal protection layers (IDS, FW etc.) will minimize the risks of successful attacks. | • Do you plan to integrate LUCY with your internal systems (LDAP, LMS etc.)? 
If yes: you might probably want to consider an on-premise installation or a VPC (virtual private cloud) | [[network_design_-_where_to_setup_lucy|Setup Guide]] | 
-| Prepare Hardware | Please make sure you have the hardware ready with sufficient disk space (>200 GB) and memory (>4 GB). | - | [[hardware|Hardware Specs]] |+| Prepare Hardware | Please make sure you have the hardware ready with sufficient disk space (>100 GB) and memory (>4 GB). | - | [[hardware|Hardware Specs]] |
  
  
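Review bot: the only change in this hunk lowers the minimum disk space from >200 GB to >100 GB with no reason given; confirm that the linked [[hardware|Hardware Specs]] page states the same figure so the two pages do not disagree, and say whether 100 GB already covers the downloaded templates, since the Update row below tells readers to check disk space before installing all templates. Unchanged context in the Setup location row still reads "your might violate your zone concept" (should be "you might") and "will be setup very fast" ("set up"); worth fixing while this row is being touched.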
Line 40: Line 40:
 | Login | [[lucy_weblogin|Login]] to LUCY with the Webbrowser using the IP address of your server. Continue the setup in the browser using the credentials provided in the setup script. As an alternative you can also use a domain name for the administration. If you want to use a domain for your administration UI, Connect to your LUCY instance with the root or phishing account. If you connect as root, please execute the command  python /opt/phishing/current/tools/setup/setup.py (if you have a docker based installation, execute: docker exec -it lucy /bin/bash and then press enter and execute "python /opt/phishing/current/tools/setup/setup.py)". Within the setup script menu please choose menu item "domain configuration" and set the domain for your admin UI | • Did you think of reserving a domain for the administration frontend of LUCY?| [[domain_configuration|Domain configuration]] | | Login | [[lucy_weblogin|Login]] to LUCY with the Webbrowser using the IP address of your server. Continue the setup in the browser using the credentials provided in the setup script. As an alternative you can also use a domain name for the administration. If you want to use a domain for your administration UI, Connect to your LUCY instance with the root or phishing account. If you connect as root, please execute the command  python /opt/phishing/current/tools/setup/setup.py (if you have a docker based installation, execute: docker exec -it lucy /bin/bash and then press enter and execute "python /opt/phishing/current/tools/setup/setup.py)". Within the setup script menu please choose menu item "domain configuration" and set the domain for your admin UI | • Did you think of reserving a domain for the administration frontend of LUCY?| [[domain_configuration|Domain configuration]] |
 | Download License | Please send us the [[how_to_activate_lucy|workstation ID]] | - | [[https://lucysecurity.com/pricing/|LUCY Pricing]] | | Download License | Please send us the [[how_to_activate_lucy|workstation ID]] | - | [[https://lucysecurity.com/pricing/|LUCY Pricing]] |
-| Update | Please make sure that LUCY can connect to the internet via http/https to our update server (193.25.100.129 - update.phishing-server.com). If you are using a proxy, please go to “advanced settings” and define your proxy first. \\ • Please test the disk space before updating all templates. Show a warning, if disk space is not sufficient. Always install with “install + replace” \\ • System update: show this button greyed out while templates are downloaded. If all templates are downloaded, allow the user to check for updates. Display an error if the http connection cannot be established. | - | [[update_lucy|Update LUCY]] |+| Update | Please make sure that LUCY can connect to the internet via http/https to our update server (162.55.130.83 - update.phishing-server.com). If you are using a proxy, please go to “advanced settings” and define your proxy first. \\ • Please test the disk space before updating all templates. Show a warning, if disk space is not sufficient. Always install with “install + replace” \\ • System update: show this button greyed out while templates are downloaded. If all templates are downloaded, allow the user to check for updates. Display an error if the http connection cannot be established. | - | [[update_lucy|Update LUCY]] |
 | Mail Settings | Define your **[[mail_delivery_methods_in_lucy|default mail delivery method]]** in LUCY. If you plan a phishing siluation together with a training, you might want to consider using a different domain or een mail server for the awareness training. In case you use the build in mail server: set the [[set_hostname_for_smtp_communication|hostname]] for the mail server. | • Do you want to perform a phishing simulation bundled with awareness training? | - | | Mail Settings | Define your **[[mail_delivery_methods_in_lucy|default mail delivery method]]** in LUCY. If you plan a phishing siluation together with a training, you might want to consider using a different domain or een mail server for the awareness training. In case you use the build in mail server: set the [[set_hostname_for_smtp_communication|hostname]] for the mail server. | • Do you want to perform a phishing simulation bundled with awareness training? | - |
-| Domain Setup | You will need two domain types in LUCY:  \\ \\ **Attack simulation domains** \\ \\ This is the domain you could use for your phishing website in your attack simulation. We recommend reserving first a generic domain like "cloud-services625.com". If you create a wildcard A-record for that domain, you can then use a matching subdomain. Let’s say you prepare a phishing simulation with some web-based email service. Using the subdomain "webmail" would give you the domain "webmail.cloud-services625.com" for the landing page. If you ask the user to download a file, you could use "download.cloud-services625.com" etc. \\ If you want to do more sophisticated attacks you can reserve a typo squatted version of your own domain name. Typo squatting is a technique of registering domain names which look similar to some legitimate domain name. For instance, given google.com, one example of typo squatting domain might be g00gle.com. You can use https://spoofing.lucysecurity.com  to verify what variations of a domain name are available.You can use the domain from your landing page also for the email sender (like sender@cloud-services625.com). But as the sender email domain is a free text field that can be used with any domain name, it is not required to reserve a domain for just sending emails. There are some rules though when it comes to sending on behalf of other domain names: \\  \\ a) You can only use domain names that really exist \\ b) You can only use domain names that are not SPF protected (unless you white list them on your mail server) \\ c) You can only use domains that also have an MX record \\  \\ That means, you cannot use "@apple.com" as there is an SPF entry for this domain. You also cannot use "@this-does-not-exist.com". But you could use "@example.com" - a domain that exists, but is not protected. The website MX Toolbox helps you verifying if a MX or SPF record exists. 
\\  \\ **Awareness Website Domain** \\  \\ Try to avoid using the same domain for attack simulations as for the awareness training. If possible, point a trusted domain record to LUCY like "training.your-domain.com" and send awareness emails using your own mail server as a relay in LUCY. \\ If you don't have a domain registered yet, you can use the integrated LUCY Domain Registration Wizard. This feature is only available for commercial licenses, allowing you to reserve all the available domain names for an affordable price. Commercial clients have a built-in budget for using the domain API and are also able to later add credits for the domain reservation.  | - | - |+| Domain Setup | You will need two domain types in LUCY:  \\ \\ **Attack simulation domains** \\ \\ This is the domain you could use for your phishing website in your attack simulation. We recommend reserving first a generic domain like "cloud-services625.com". If you create a wildcard A-record for that domain, you can then use a matching subdomain. Let’s say you prepare a phishing simulation with some web-based email service. Using the subdomain "webmail" would give you the domain "webmail.cloud-services625.com" for the landing page. If you ask the user to download a file, you could use "download.cloud-services625.com" etc. \\ If you want to do more sophisticated attacks you can reserve a typo squatted version of your own domain name. Typo squatting is a technique of registering domain names which look similar to some legitimate domain name. For instance, given google.com, one example of typo squatting domain might be g00gle.com. You can use the domain from your landing page also for the email sender (like sender@cloud-services625.com). But as the sender email domain is a free text field that can be used with any domain name, it is not required to reserve a domain for just sending emails. 
There are some rules though when it comes to sending on behalf of other domain names: \\  \\ a) You can only use domain names that really exist \\ b) You can only use domain names that are not SPF protected (unless you white list them on your mail server) \\ c) You can only use domains that also have an MX record \\  \\ That means, you cannot use "@apple.com" as there is an SPF entry for this domain. You also cannot use "@this-does-not-exist.com". But you could use "@example.com" - a domain that exists, but is not protected. The website MX Toolbox helps you verifying if a MX or SPF record exists. \\  \\ **Awareness Website Domain** \\  \\ Try to avoid using the same domain for attack simulations as for the awareness training. If possible, point a trusted domain record to LUCY like "training.your-domain.com" and send awareness emails using your own mail server as a relay in LUCY. \\ If you don't have a domain registered yet, you can use the integrated LUCY Domain Registration Wizard. This feature is only available for commercial licenses, allowing you to reserve all the available domain names for an affordable price. Commercial clients have a built-in budget for using the domain API and are also able to later add credits for the domain reservation.  | - | - |
 | SSL Setup | If you want to generate a trusted certificate for the admin access you have two options: \\  \\ • Upload your own certificate \\ • Create a trusted certificate using Lets Encrypt \\  \\ **SSL for your awareness training or attack simulation landing pages** \\  \\ Each campaign scenario can be configured with a custom landing page and SSL certificate. Please start the campaign setup wizard to setup SSL for your campaign after you finished the system setup.  | - | [[ssl_configuration|SSL Setup]]  | | SSL Setup | If you want to generate a trusted certificate for the admin access you have two options: \\  \\ • Upload your own certificate \\ • Create a trusted certificate using Lets Encrypt \\  \\ **SSL for your awareness training or attack simulation landing pages** \\  \\ Each campaign scenario can be configured with a custom landing page and SSL certificate. Please start the campaign setup wizard to setup SSL for your campaign after you finished the system setup.  | - | [[ssl_configuration|SSL Setup]]  |
 | White-Label | The application can be visually adapted to corporate branding (custom copyright, software name, admin path, custom error page etc.)  | - | [[white_label_lucy_-_custom_branding|custom branding]]  | | White-Label | The application can be visually adapted to corporate branding (custom copyright, software name, admin path, custom error page etc.)  | - | [[white_label_lucy_-_custom_branding|custom branding]]  |
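Review bot: the Update row replaces one hard-coded update-server address (193.25.100.129) with another (162.55.130.83) next to the hostname update.phishing-server.com; as this is the second address the page has carried, document the hostname as the authoritative value and tell readers to resolve it when writing their outbound firewall rule rather than pin an IP that will change again. The bullets that follow ("Show a warning, if disk space is not sufficient", "show this button greyed out while templates are downloaded") read as UI implementation notes, not as steps the reader performs; rewrite them as user instructions or drop them. The Domain Setup change silently removes the sentence pointing at https://spoofing.lucysecurity.com; if that service was retired, say so or replace the pointer, otherwise the paragraph now asks readers to check domain-name variations without saying where. Unchanged context in the Mail Settings row still has "phishing siluation", "een mail server" and "build in mail server" ("simulation", "even", "built-in").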
lucy_onboarding_checklist.1571146329.txt.gz · Last modified: 2019/10/15 15:32 by lucy