Peer to Peer Magazine

Spring 2016

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/657874


Catch and Release: Raising Phishing Attack Awareness

LESSONS LEARNED

» Engage a Web-based graphical user interface (GUI) to configure and run phishing campaigns against one or thousands of users
» Copy existing Web pages and integrate them into your campaign
» Provide statistical and comparative analysis in real time of each phishing campaign with a custom report template
» Update software automatically
» Benchmark results
» Back up and restore campaigns, Web and e-learning templates
» Run login filters to check for complex passwords or custom domains required within the login

Cost and Support Options

LUCY can be downloaded for free, although some limitations apply in the current version. The community edition increases awareness and can run up to five campaigns with 20 users per campaign (max 100 users in total). You'll have to purchase the tool to run larger campaigns and access additional features. The software can be deployed as SaaS on a dedicated Linux virtual private server (VPS) with full root access to a secured data center in Germany or in Switzerland. Or it can be downloaded and installed on-premises using something like a VMware Player image, VMware, ESXi image, Debian Installation Script, Amazon Image or Virtual Box Image.

Our Deployment and Lessons Learned

We tested this solution for about a month, and finally it came down to ease of use, the feature set, timely support and cost. None of the other vendors we considered came close on cost. We went with a customized enterprise version of the tool in a virtual environment within our walls that gave us additional control and deployment options, and we were able to configure the system and test the initial campaign in less than a day. Support on some of the configuration settings was timely and helpful.
Customizing templates, landing pages and payload was straightforward, and the number of test scenarios and awareness templates available out of the box covered most of our use cases. We have utilized the tool's Web-based templates, file-based templates, hyperlink templates and malware test templates successfully, and the results are providing direct metrics for our information security awareness initiative. Reporting features were adequate to comply with client requirements. We are working with the vendor to add additional features to reporting and to beef up their documentation for certain scenarios that might not be obvious. Importing users' email addresses through a flat file with delimiters was straightforward. Through the integrated mail client, it is a breeze to fake a sender's address. With the current version, it is even possible to automatically link an awareness landing page to an attachment-based workflow. If a user clicks on the email attachment, they automatically get sent to an awareness landing page.

Throwing the Phish Back

Studies from Verizon, Trustwave and others show that social engineering via email phishing is one of the most popular attacks. It's just too simple and too effective for the bad guys to ignore. Having a tool that allows us to simulate and monitor the types of phishing attacks users experience will make our security awareness program a continued success.
