5 Things we learned after a Notice and Takedown Request
11 May
Notice and Takedown Request?
On May 4th 2017 the hosting provider of Guardian360 received a ‘Notice and Takedown Request’ from the security operations center (SOC) of a large Dutch organization. This organization stated that a website was being hosted which collects personal data from its visitors. To prevent the entered data from being abused, and more data from being breached, the Dutch organization requested that the website be taken offline.
What was the case?
The website was developed by Guardian360 for its Phishing As A Service offering.
With this service Guardian360 measures the information security awareness of the staff of a particular organization: for example, how many people open the e-mail, click the link in it, and then fill in the form and leave their data on the website.
Important to mention is that Guardian360 only tests at the request of its customers. Guardian360 only sends e-mails to employees of that organization, all with the organization's own e-mail domain. The client delivers the e-mail addresses to Guardian360 themselves, so only the preselected group receives the phishing e-mail. Besides that, data submitted on the website is not saved on the Guardian360 servers. Only the number of clicks and registrations on the website is recorded in the Guardian360 database.
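The two design rules described above (recipients must belong to the customer's own e-mail domain, and submitted form data is counted but never stored) can be enforced in code. The following is an added example, not Guardian360's own software: the `Campaign` class, the customer domain `example.com` and the sample recipient list are all constructed for illustration. Each recipient gets a random per-recipient token so that clicks and submissions can be counted once per person without keeping any of the submitted field values.

```python
"""Added example: recipient-domain check and data-minimising click/submission
counters for a phishing awareness campaign. Not Guardian360's code; all names
are hypothetical."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Campaign:
    """State for one campaign. Only tokens and counters are kept; no form data."""
    customer_domain: str                                  # e.g. "example.com" (constructed)
    tokens: dict = field(default_factory=dict)            # token -> recipient address
    clicks: set = field(default_factory=set)              # tokens that clicked the link
    submissions: set = field(default_factory=set)         # tokens that submitted the form


def load_recipients(campaign: Campaign, addresses):
    """Accept only addresses on the customer's exact domain; return (accepted, rejected).

    The check is an exact match on the part after the last '@', so
    'eve@other.org' and 'x@example.com.evil' are both rejected.
    """
    accepted, rejected = [], []
    for raw in addresses:
        addr = raw.strip().lower()
        local, sep, domain = addr.rpartition("@")
        if not sep or not local or domain != campaign.customer_domain:
            rejected.append(addr)
            continue
        # Unguessable per-recipient token used in the tracking link.
        token = secrets.token_urlsafe(16)
        campaign.tokens[token] = addr
        accepted.append(addr)
    return accepted, rejected


def record_click(campaign: Campaign, token: str) -> bool:
    """Count a link click for a known token; unknown tokens are ignored."""
    if token not in campaign.tokens:
        return False
    campaign.clicks.add(token)
    return True


def record_submission(campaign: Campaign, token: str, form_fields: dict) -> bool:
    """Count a form submission. The submitted fields are deliberately discarded:
    only the fact that this recipient submitted something is retained."""
    if token not in campaign.tokens:
        return False
    campaign.submissions.add(token)
    # form_fields is intentionally not logged, stored or forwarded.
    return True


def report(campaign: Campaign) -> dict:
    """Aggregate figures for the customer's awareness report."""
    n = len(campaign.tokens)
    clicked = len(campaign.clicks)
    submitted = len(campaign.submissions)
    return {
        "recipients": n,
        "clicked": clicked,
        "submitted": submitted,
        "click_rate": (clicked / n) if n else 0.0,
        "submission_rate": (submitted / n) if n else 0.0,
    }


if __name__ == "__main__":
    # Constructed sample data: one address is off-domain, one is malformed.
    c = Campaign("example.com")
    ok, bad = load_recipients(c, ["Alice@Example.com", "bob@example.com",
                                  "eve@other.org", "not-an-address"])
    print("accepted:", ok, "rejected:", bad)
    alice_token = next(t for t, a in c.tokens.items() if a == "alice@example.com")
    record_click(c, alice_token)
    record_submission(c, alice_token, {"username": "alice", "password": "hunter2"})
    print(report(c))
```

The point of `record_submission` is that the credentials a tempted employee types in never reach persistent storage; a takedown request or a breach of the campaign server therefore cannot expose them, which is exactly the concern the SOC raised.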
What is the objective of the Phishing As a Service offering?
Thanks to our reporting, customers are able to measure the awareness of their employees. Based on these reports they can decide whether, for example, they should offer e-learning courses to their staff to increase awareness. After three months a new test can be executed, based on a different scenario, to measure the improvement.
The good news is that at least one employee of our customer is really aware of the current situation regarding information security. This person reported the phishing mail to the Dutch organization.
The bad news is that our good intentions to increase awareness led to an unnecessary alarm at several authorities. We decided not to use this scenario anymore. A case of “lessons learned”.
What have we learned?
The lessons we learned are as follows:
- At least one employee is aware of information security.
- In The Netherlands we take the security of our data seriously. In less than a day the hosting provider received a notification about the phishing e-mail from the organization concerned. Besides that, the security officer of SIDN acted quickly and communicated directly. In Dutch: Stichting Internet Domeinnaam Nederland, the Dutch foundation for domain names. This organization is responsible for top-level domain names.
- In addition to the previous point: because a .nl top-level domain was used, several Dutch organizations were alarmed and acted quickly. Had a different top-level domain been chosen, things would probably have been handled more slowly, less effectively and less efficiently.
- To run a good phishing campaign, it needs to be realistic. This is why it may be necessary to infringe copyrights and other rights. Current law does not yet provide an explicit right to do so, which is why Guardian360 currently operates this service in a grey area. We keep searching for ways to create phishing mails that are as realistic as possible while reducing the nuisance for third parties.
- The intention of these tests is that as few people as possible within the organization being tested know about them beforehand. On the other hand, we want to make sure that abuse notifications are communicated within the organization first, without bothering other authorities. In the future we will focus more on that!