Security Summary
 

PhishingBox LLC develops and markets cybersecurity tools and services to help organizations minimize the threat from social engineering and other security threats. PhishingBox products and services are provided directly to clients and are also used by third-party audit/consulting firms or managed service companies to provide software and services to their clients. In some cases, PhishingBox may be white labeled by partner companies and offered under a different brand. The PhishingBox suite of products and services is as follows:
 
Phishing Simulator – The phishing simulator provides simulated phishing emails that are used in testing campaigns to evaluate employees' security awareness.
 
PhishingBox LMS – The PhishingBox LMS is a lightweight learning management system that provides a portal for employees to take security and other related training.
 
KillPhish – KillPhish is an email client plugin that provides email analysis for security threats and includes a reporting mechanism to alert an organization’s security personnel of suspicious emails. 
 
Phishing InBox –  Phishing InBox provides an email client that can be set up to receive and respond to emails submitted by an organization’s users directly or via KillPhish.  
 
Managed Services – PhishingBox provides a complete security awareness training program that includes training and employee testing.
 
INFRASTRUCTURE 
 
PhishingBox’s core products are a web-based suite of services. The majority of the core systems are maintained in an AWS data center. The email processing server and the landing page processing server are maintained at a data center in Lexington, KY on PhishingBox-owned hardware. Those servers are not in AWS due to AWS terms and conditions. The systems are Linux based and use various relational and non-relational databases. Clients access the systems via standard web browsers over SSL/TLS connections. The overall infrastructure is diagrammed below.
 
PhishingBox Security Infrastructure
 
Perimeter Firewall
 
The perimeter firewall restricts traffic to authorized protocols.  This device provides the first line of defense.  This system also provides a termination point for authorized remote access users.
 
Remote Access
 
Remote access to PhishingBox systems is strictly controlled. All remote system access is provided through a Virtual Private Network or dedicated connections from known endpoints.
 
Facilities Management (Physical Controls) 

A primary control is to ensure that our datacenters protect data from physical and environmental risks. Some of the controls at the datacenters include, but are not limited to, the following:
 
  • Physical access control systems that operate on the principle of least privilege
  • Video surveillance of onsite access
  • 24/7/365 onsite server engineers who perform regular checks of critical datacenter facility systems
  • Automated non-water-based fire suppression systems
  • Redundant heating and cooling systems
  • Strategically placed water sensors
  • Raised flooring
  • Redundant uninterruptible power supplies and transfer switches
  • Backup electrical power generators
  • Regular testing and preventative maintenance of environmental control systems
  • Global network operations center that monitors environmental systems for availability and performance

SOFTWARE

The core applications are developed in-house by PhishingBox developers and contracted personnel. The infrastructure is primarily built on PHP along with JavaScript and related technologies.

Development Environment

A separate environment is maintained for all software development. All programming changes are maintained within a software repository to keep track of changes. All development is tested by internal staff prior to deployment to the production environment.
 
Deployment

Routine software updates are deployed on a monthly schedule. This schedule helps clients anticipate new releases or feature enhancements. Clients are informed of these changes through emails, dashboard messages, or the accessible change log. Should an emergency change be needed, it is applied immediately, with client notification sent as appropriate.

Change Log

A change log is provided to the end-users through the client administrator’s login.  This change log shows all key updates made to the system. 

PEOPLE

Employees of any organization are a key component of its security and success. PhishingBox is no different.
 
New Hires Training

All new hires receive an orientation on the company’s security policies and must take security awareness training.
 
Employee Security Awareness Training

Employee security awareness training is provided to all new employees and on a periodic basis to existing employees. This training covers information security topics such as maintaining data privacy, handling incidents, and current security threats such as social engineering.

Customer Support

PhishingBox maintains an active support team. This team manages the support desk during normal business hours. Clients can reach the support team in many ways, including, but not limited to, a ticketing system, email, phone, and online chat.

Client Success

In addition to the client support team, each new client is assigned a client success manager. This employee is responsible for helping to make sure the client is onboarded and is able to use the system properly.

PROCEDURES 
 
PhishingBox maintains appropriate administrative, technical, and physical controls to protect client information.  Some of the key controls or procedures are listed below. 

Vulnerability Assessments 

An automated vulnerability scan is conducted weekly. This scan reviews the external interface for any newly identified vulnerabilities. Any vulnerabilities found are appropriately remediated by management within a reasonable timeframe.

Penetration Testing

In addition to vulnerability assessment, an outside firm is contracted to conduct a penetration test of the system at least annually. This testing includes manual as well as automated tests that attempt to penetrate the system. Access credentials are provided to the tester to help facilitate identification of any exploitable vulnerabilities. One of the primary focuses of this test is to ensure that one account user cannot access the data of another account user. Management responds to any issues identified and has them retested within a reasonable time frame.

Incident Response / Notification

Although controls are in place to minimize the likelihood of an incident, should one occur, PhishingBox maintains a formal incident response program. This formal program establishes procedures to identify, isolate, remediate, and resolve the issue. Client notifications are sent via emails, dashboard notices, or phone calls.

Risk Assessment
 
An information security risk assessment is conducted at least annually. In addition, the assessment is updated if there are significant changes in the environment, business processes, or risk tolerance. This risk assessment is the basis for identifying risk, developing controls, and formulating policies.
 
Policy Oversight
 
Policies have been established to guide the operation of PhishingBox. These policies are reviewed at least annually. Policies are modified or updated in light of risk assessments or audit recommendations.
 
General Data Protection Regulation (GDPR/Code of Conduct) 
 
As a processor of information, PhishingBox adheres to the requirements of the GDPR. As part of this requirement, PhishingBox will provide clients with an appropriate Data Processing Addendum (DPA) that includes standard contractual clauses. Learn more about our GDPR compliance here.
 
Termination Procedures
 
Formal termination procedures have been established.  System access is removed or disabled for all personnel who no longer need access to the system. 
 
Access Level Reviews
 
Access levels granted to PhishingBox employees or contractors are reviewed periodically, and at least annually. This review ensures that personnel access levels are limited to only what is needed for them to perform their duties. PhishingBox subscribers manage the access levels for their own authorized users.
 
Terms of Service
 
All PhishingBox subscribers are required to agree to the PhishingBox Terms of Service. During the first login, this agreement is signed electronically. The agreement describes the end-user requirements for access to, and use of, PhishingBox.

Target Authorization
 
Each user of the PhishingBox system acknowledges that they have the authority to test the targets they have configured. To confirm this, the system has built-in controls: an authorization email is sent to, and must be approved by, someone at the target domain.
 
Insurance
 
PhishingBox maintains insurance policies that provide significant coverage for information security events. We maintain specific cybersecurity policies along with Errors & Omissions policies.
 
DATA 

Collected data is stored encrypted on the PhishingBox servers. Overall, the systems are designed not to collect non-public information, such as information that might be entered by a target during a test.

Encryption 
 
User traffic to PhishingBox is secured via SSL/TLS (Secure Sockets Layer / Transport Layer Security). Data at rest on the system, including backup data, is encrypted.
 
Target Responses 
 
Some of the information supplied by the targets tested may be sensitive. PhishingBox does not store or retain such user-supplied information. Only the actions of the user are tracked, such as the fact that they entered information, not the actual contents of what they supplied.
 
Subscriber Identification
 
Each subscriber is issued a unique username and password, with optional multi-factor authentication available. These login credentials are required to access the system. After receiving an initial activation link, the user must establish a password during the first login.