CN113259321A - System and method for verifying security awareness of personnel on network attack and utilization - Google Patents

Info

Publication number: CN113259321A
Application number: CN202110395591.7A
Authority: CN (China)
Prior art keywords: mail, target person, page, attack, file
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 贾玉彬
Current and original assignee: Shanghai Carbon Information Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention provides a system and a method for verifying the security awareness of personnel with respect to network attack and exploitation. The system comprises a phishing attack unit, configured to induce a target person to reply with or enter sensitive data by means of a disguised mail or page; an attack module loading unit, configured to inject and load into a portable file an attack module whose configuration parameters can be changed; and a monitoring unit, configured to respond to the target person opening the file, or replying with or entering sensitive data, by feeding the session back to the system, so that the user can view the session details and collect data. The system evaluates the security awareness of the target person based on the collected data, including whether the data was received, accessed and submitted, and whether the target person was aware of the attack. The system and the method can effectively improve testing efficiency and the network security awareness of personnel.

Description

System and method for verifying security awareness of personnel on network attack and utilization
Technical Field
The invention relates to the technical field of computers, in particular to a system and a method for verifying the security awareness of personnel with respect to network attack and exploitation.
Background
In the long contest between penetration and counter-penetration, some cyber criminals have found it simpler to exploit human nature than software bugs, and so the new discipline of social engineering came into being. In this discipline people are regarded as the weak link in the system, and the goals of stealing confidential information and access rights to a target system are reached by combining psychology, linguistics and deception to exploit weaknesses in human nature. Social engineering is a level of skill apart from ordinary fraud: because it must gather a large amount of information about the other side's actual situation, it relies on psychological tactics. The security provided by systems and programs can often be bypassed, and on the human and psychological side, social engineering attacks that exploit human weaknesses such as trust and greed are hard to guard against.
The disadvantages of the prior art can be roughly divided into the following points:
1. The high demand for security expertise means that phishing interfaces often look unrealistic, and the tools are hard to pick up.
2. Social engineering tests are run manually; the steps are cumbersome and efficiency is low.
3. Systems are not configured to avoid storing sensitive information, so it is hard to guarantee that a user is not, under the name of a test, performing real social engineering to obtain the target's sensitive information.
Disclosure of Invention
In order to solve the technical problems of the prior art, namely the high demand on professional skills and the complex operation required to verify the security awareness of personnel, the invention provides a system and a method for verifying the security awareness of personnel with respect to network attack and exploitation.
In one aspect, the present invention provides a system for verifying the security awareness of a person with respect to network attacks and exploitation, the system comprising:
a phishing attack unit: configured to induce a target person to reply with or enter sensitive data by means of a disguised mail or page;
an attack module loading unit: configured to inject and load into a portable file an attack module whose configuration parameters can be changed;
a monitoring unit: configured to respond to the target person opening a file, or replying with or entering sensitive data, by feeding the session back to the system, so that the user can view the session details and collect data;
the system evaluates the security awareness of the target person based on the collected data, including whether the data was received, accessed and submitted, and whether the target person was aware of the attack.
In a specific embodiment, the phishing attack unit includes phishing emails and web phishing pages, and sends the disguised email or web page to the target person through a mail sending server.
In a specific embodiment, a mail server configuration is also included for simulating the content of mails or web pages, landing pages and redirection pages.
In a specific embodiment, after the target person enters login information and confirms, the redirection page prompts the target person that the mail was a phishing mail and explains how to identify phishing pages.
In a specific embodiment, the portable files include Word, Excel, compressed files and installation programs; the portable files are uploaded to a mobile storage medium and placed in the target person's activity area.
In a specific embodiment, the push forms of phishing emails also include spreading through instant chat tools, disguising as errors the target person is likely to make when typing a website address, placing advertisements, and simulated pop-up windows on websites.
According to a second aspect of the present invention, a method for verifying the security awareness of a person with respect to network attack and exploitation is provided, the method comprising:
S1: sending a disguised mail or page to a target person using the phishing attack unit, or injecting and loading an attack module into a portable file using the attack module loading unit and placing the portable file in the target person's activity area;
S2: in response to the target person opening the file, or replying with or entering sensitive data in the disguised mail or page, collecting the target person's data with the monitoring unit;
S3: evaluating the target person's security awareness progressively over four stages: whether the target person received the portable file, disguised mail or page; whether it was accessed after being received; whether sensitive data was operated on or submitted after being accessed; and whether the attack was detected.
In a specific embodiment, after the target person replies with or enters sensitive data in the disguised mail or page in step S2 and confirms, the target person is redirected to a preset redirection page that reminds the target person that the mail or page was a phishing attack and explains how to identify phishing pages.
In a specific embodiment, the data in step S2 includes whether the target person received the mail or file, opened the mail or file, clicked the link in the mail, and entered and submitted a form containing sensitive information at the link.
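To make the four-stage evaluation of step S3 concrete, the following is an added example (not code from the patent or its assignee): it folds a stream of monitoring events into a per-target stage and a project-level summary of the kind the summary page would show. The event names and the rating labels are assumptions of this example; the target list and event log are constructed sample data.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable

# Added example illustrating step S3; not the patented system's implementation.
# Event names ("received", "opened", "clicked", "submitted", "reported") are assumed.


class Stage(IntEnum):
    """How far the target progressed; a later stage implies the earlier ones."""
    NOT_RECEIVED = 0   # mail or file never reached the target
    RECEIVED = 1       # received but never opened or clicked
    ACCESSED = 2       # opened the mail/file or clicked the link
    SUBMITTED = 3      # entered or submitted sensitive data


STAGE_OF_EVENT = {
    "received": Stage.RECEIVED,
    "opened": Stage.ACCESSED,
    "clicked": Stage.ACCESSED,
    "submitted": Stage.SUBMITTED,
}


@dataclass
class Result:
    target: str
    stage: Stage = Stage.NOT_RECEIVED
    reported: bool = False  # fourth stage: the target recognised and reported the attack

    @property
    def rating(self) -> str:
        # Recognising the attack is the best outcome no matter how far the target got
        if self.reported:
            return "aware"
        return {
            Stage.NOT_RECEIVED: "untested",
            Stage.RECEIVED: "ignored",
            Stage.ACCESSED: "accessed",
            Stage.SUBMITTED: "compromised",
        }[self.stage]


def evaluate(targets: Iterable[str], events: Iterable[dict]) -> dict:
    """Fold monitoring events into one Result per target on the target list."""
    results = {t: Result(t) for t in targets}
    for ev in events:
        r = results.get(ev["target"])
        if r is None:
            continue  # feedback for someone outside this project: ignore it
        if ev["event"] == "reported":
            r.reported = True
        elif ev["event"] in STAGE_OF_EVENT:
            r.stage = max(r.stage, STAGE_OF_EVENT[ev["event"]])
        else:
            raise ValueError(f"unknown event type {ev['event']!r}")
    return results


def summarize(results: dict) -> dict:
    """Project-level counts for the summary page."""
    counts = {k: 0 for k in ("untested", "ignored", "accessed", "compromised", "aware")}
    for r in results.values():
        counts[r.rating] += 1
    return counts


# Constructed sample data: five targets and the event log a listener might collect
SAMPLE_TARGETS = ["alice", "bob", "carol", "dave", "eve"]
SAMPLE_EVENTS = [
    {"target": "alice", "event": "received"},
    {"target": "bob", "event": "received"},
    {"target": "carol", "event": "received"},
    {"target": "dave", "event": "received"},
    {"target": "alice", "event": "opened"},
    {"target": "alice", "event": "clicked"},
    {"target": "bob", "event": "opened"},
    {"target": "alice", "event": "submitted"},
    {"target": "bob", "event": "reported"},
    {"target": "dave", "event": "clicked"},
    {"target": "dave", "event": "reported"},
    {"target": "mallory", "event": "opened"},  # not on the target list
]

if __name__ == "__main__":
    res = evaluate(SAMPLE_TARGETS, SAMPLE_EVENTS)
    for name, r in res.items():
        print(f"{name:6} stage={r.stage.name:12} rating={r.rating}")
    print(summarize(res))
```

Because the stages are ordered, the fold only ever keeps the highest stage seen, so out-of-order callbacks (a "clicked" event arriving before "opened") cannot lower a target's result; the "reported" flag is tracked separately so that a person who clicked and then reported the mail is still counted as aware.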
According to a third aspect of the present invention, a computer-readable storage medium is proposed, on which a computer program is stored, which computer program, when executed by a computer processor, carries out the above-mentioned method.
The method helps a user quickly set up a system for verifying and simulating social engineering, reproducing the risk scenario in which a target system is compromised and target information is obtained by inducing the target to share sensitive information or execute dangerous code. Those who use social engineering assess whether members of an organization comply with secure operating rules by performing social engineering tests. The system and the method are simple and clear to operate, the summarized information is easy to read, and non-technical personnel can directly understand the security condition of the system. The wasted human effort of traditional penetration testing is reduced, dependence on the tester's professional skills during the test is removed, test efficiency is improved and test results are made more complete.
Drawings
The accompanying drawings are included to provide a further understanding of the embodiments and are incorporated in and constitute a part of this specification. The drawings illustrate embodiments and together with the description serve to explain the principles of the invention. Other embodiments and many of the intended advantages of embodiments will be readily appreciated as they become better understood by reference to the following detailed description. Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
FIG. 1 is a block diagram of a system for verifying security awareness of persons to network attacks and exploitation according to one embodiment of the present application;
FIG. 2 is a block diagram of a social engineering verification system of a specific embodiment of the present application;
FIG. 3 is a configuration diagram of a phishing mail of a particular embodiment of the present application;
FIG. 4 is a diagram of a portable file configuration for a particular embodiment of the present application;
FIG. 5 is a project launch diagram of a particular embodiment of the present application;
FIG. 6 is a schematic diagram of project feedback for a specific embodiment of the present application;
FIG. 7 is a flow chart of the use of phishing mail of a particular embodiment of the present application;
FIG. 8 is a flow chart of the use of a web phishing page of a particular embodiment of the present application;
FIG. 9 is a flow chart of the use of portable files of a specific embodiment of the present application;
FIG. 10 is a flow chart of the use of monitoring in a particular embodiment of the present application;
FIG. 11 is a flow diagram of a method of verifying security awareness of a person to network attacks and exploitation according to one embodiment of the present application;
FIG. 12 is a block diagram of a computer system suitable for use in implementing the electronic device of an embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
Fig. 1 shows a block diagram of a system for verifying the security awareness of a person with respect to network attacks and exploitation according to an embodiment of the present application. As shown in fig. 1, the system includes a phishing attack unit 101, an attack module loading unit 102 and a monitoring unit 103. The phishing attack unit 101 is configured to induce a target person to reply with or enter sensitive data by means of a disguised mail or page; the attack module loading unit 102 is configured to inject and load into a portable file an attack module whose configuration parameters can be changed; the monitoring unit 103 is configured to respond to a target person opening a file, or replying with or entering sensitive data, by feeding the session back to the system, so that the user can view the session details and collect data; the system evaluates the security awareness of the target person based on the collected data, including whether the data was received, accessed and submitted, and whether the target person was aware of the attack.
In a particular embodiment, a social engineering attack is a cyber attack carried out using "social engineering". Strictly speaking, social engineering is not a science but an art and a craft of trickery. It exploits human weaknesses, going along with the victim's wishes and satisfying the victim's desires in order to make the victim fall for it; it is a set of methods, an art and a field of study. It is not a science in that it is not always repeatable or successful, and when enough information is available it fails automatically. The trickery of social engineering also involves many flexible ideas and changing factors. Social engineering obtains benefit for the attacker by exploiting human weaknesses such as instinctive reactions, curiosity, trust and greed through harmful means such as deception and harm. Social engineering attacks spread in different forms and through diverse attack vectors. It is an art that keeps growing more sophisticated and evolves rapidly. Some social engineering attacks that still occur today are as follows:
Phishing: phishing is a social engineering technique that attempts to obtain sensitive information, such as user names, passwords and credit card information, from a human target. The target receives a spoofed email disguised as coming from some trusted source. The mail contains links to fake web pages whose styles, logos, pictures and so on may all be taken from the original real website, and the target is induced to enter sensitive data. Phishing requires both the email component and the web page component.
Client-side exploitation: client-side exploitation attacks client-side software such as browsers, email applications and media players. It may optionally use the email component and the web page component.
File format exploitation: file format exploitation attacks through vulnerabilities in the way specific file formats, such as PDF, DOC and JPEG, are processed. It commonly uses the email component or the portable file component.
Java signed applet: the system can create a Jar file and sign it. A web page containing the applet is created and the victim is induced to open it and agree to run the applet. This approach is unlikely to succeed against even a slightly vigilant target.
Portable files: portable files are often used for social engineering attacks via USB flash drives. An executable file, or a file based on file format exploitation, is generated and placed on the USB drive. The attack requires targeted design, such as choosing a stylish, attractive USB drive, putting photos on it and leaving it in an area the target may pass through, which may attract a curious target. Some of these use payloads based on the file formats generated by the system.
In a specific embodiment, fig. 2 shows a frame diagram of a social engineering verification system according to a specific embodiment of the present application. As shown in fig. 2, the social engineering verification system 200 includes an environment architecture 201 and business functions 202. The environment architecture 201 specifically includes a mail server 2011, a listener 2012, a web server 2013, a crawler service 2014 and a payload generation service 2015; the business functions 202 specifically include simulated mail phishing 2021, simulated SMS phishing 2022, simulated web phishing 2023, simulated portable files 2024 and simulated installation programs 2025. Through the environment architecture 201 of the social engineering simulation system for network security, the system quickly builds a framework of web services and mailbox services, captures the content of a target website with the crawler, and dynamically generates a simulated page from that content. A simulated file or software program may also be generated to test whether it will be run in a particular scenario. The security awareness of the tested person is checked by using the simulated page or the test software together with the testing process. The system provides a framework for quickly building the simulation environment and several kinds of test software. The supported simulation types include: 1. simulated mail phishing; 2. simulated website phishing; 3. simulated SMS phishing; 4. simulated phishing files (such as Word, Excel, etc.); 5. simulated installation programs. FIGS. 3-6 show a specific application example of the system. FIG. 3 shows the configuration diagram of phishing mails in the system, where a user can define the test content (such as the e-mail, the landing page and the selection of servers) according to requirements; FIG. 4 shows the configuration diagram of portable files in the system, where a user can define the name, type, listening host, listening port, attack type, etc. of the component being set up; FIG. 5 shows the project launch diagram of the system, from which a user can learn that a project has started; FIG. 6 shows the project feedback diagram of the system, from which a user can learn the results of the project and the task log: whether the target received the mail, opened the mail, clicked the link and submitted the form.
In a specific embodiment, specific uses of the system include:
(I) Phishing email: a disguised e-mail is used to deceive the recipient into replying with information such as account numbers, passwords and dynamic passwords to a specific receiver; or the recipient is guided to a specially made web page (usually built to look identical to the real website, so that the user logging in believes it is genuine) and enters account numbers, passwords and similar information, so that the recipient's information is stolen. As shown in fig. 7, the flow chart for using phishing mail according to a specific embodiment of the present application includes: configure mail server 701, simulate mail content 702, configure web service 703, set up simulated web interface 704, jump to address 705 after verification is complete, and remind that attention to security awareness is needed 706.
In a specific embodiment, when configuring the mail server 701, mass-sent mail must go through the designated mail sending server, and when the configuration is saved the system automatically tests whether mail can be sent correctly (if verification fails, the mail cannot be sent to the target person). Phishing e-mail means using a disguised e-mail to deceive the recipient into replying with information such as account numbers, passwords and dynamic passwords to a specific receiver, or guiding the recipient to a specially made web page (usually built to look identical to the real website, so the user logging in believes it is genuine) to enter account numbers, passwords and similar information, so that the recipient's information is stolen. The characteristics of phishing e-mails are as follows: 1. they usually contain web page links or text links; special attention should be paid to links in a different font style and to external links whose English words are incomplete. 2. They usually contain a "button" that invites a click. When creating a new target in the receiving target list, target mailboxes can be entered manually, or a target list can be imported (the imported target list must be in CSV format). Making the phishing mail realistic requires the user to carefully design the content of the simulated real mail.
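The two e-mail characteristics listed above (links whose visible text does not match where they lead, and click-inviting buttons) can be turned into a check that a defender or trainer runs over a message body. The following is an added example, not code from the patent or its assignee: it parses the HTML of a mail with Python's standard library and flags anchors whose visible text names one host while the href points to another, and anchors that point at a bare IP address. The sample message, its domains and the IP address are constructed placeholders.

```python
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example for reviewing links in a mail body; not part of the patented system.
# The sample mail and all domains below are constructed placeholders.


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)   # text inside nested tags (<b>, <span>) counts too

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A host name written inside the visible link text, e.g. "mail.example-corp.com"
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registrable(host: str) -> str:
    """Crude registrable-domain approximation: the last two labels."""
    return ".".join(host.lower().split(".")[-2:])


def audit_links(html: str) -> list[tuple[str, str, str]]:
    """Return (href, text, reason) for every link that deserves a closer look."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        if BARE_IPV4.match(href_host):
            findings.append((href, text, "link target is a bare IP address"))
        m = HOST_IN_TEXT.search(text)
        if m and registrable(m.group(1)) != registrable(href_host):
            findings.append((href, text,
                             f"visible text names {m.group(1)} but the link goes to {href_host}"))
    return findings


# Constructed sample: one honest link, one look-alike domain, one IP-based "button"
SAMPLE_MAIL = """
<p>Your mailbox is almost full.</p>
<a href="https://mail.example-corp.com/quota">https://mail.example-corp.com/quota</a><br>
<a href="http://mail.examp1e-corp.net/login">https://mail.example-corp.com/login</a><br>
<a href="http://198.51.100.7/verify" style="color:#00f"><b>Verify now</b></a>
"""

if __name__ == "__main__":
    for href, text, reason in audit_links(SAMPLE_MAIL):
        print(f"{reason}: text={text!r} href={href}")
```

The registrable-domain comparison is deliberately crude (last two labels), so hosts under multi-part public suffixes would need a public-suffix list for accurate results; the point of the check is the display-text versus target mismatch, which is exactly the "incomplete English words in external links" symptom the description warns about.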
In a specific embodiment, the landing page is the page for entering sensitive information that the target person reaches after clicking the link in the mail. The landing page has no template, only a default format, but it can use "copy website"; when this is selected, clicking the link in the sent mail jumps directly to the copied web page. After the e-mail configuration is finished, the user enters "landing page"; when configuring its content, the landing page can choose whether to change the path, the URL to redirect to after the form is submitted, and whether to keep the submitted data. The user may select "copy website" (copying a website's landing page is regarded as more convincing) to copy the website into the landing page. If the copied website also has a matching domain name it is more convincing, but the operator still needs to work from the front-end styling so that the page more easily confuses the target personnel and induces them to enter sensitive information.
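The landing-page options just described (changeable path, redirect URL after submission, keep submitted data or not) can be modelled as a small configuration object plus a submission handler. The following is an added example and not the patented system's code; the class and field names are assumptions. It takes the stricter interpretation of the "keep submitted data" option: even when data is kept, the values of sensitive fields such as passwords are never stored, only the fact that they were filled in, which is all the stage-3 evaluation needs and which addresses the prior-art disadvantage that a test could otherwise double as real credential harvesting.

```python
from __future__ import annotations

import time
from dataclasses import dataclass, field

# Added example for the landing-page options; not the patented system's code.
# Names are assumed; the form data in the demo is constructed.

SENSITIVE_FIELDS = frozenset({"password", "passwd", "pin", "otp", "dynamic_password"})


@dataclass(frozen=True)
class LandingPageConfig:
    path: str = "/login"               # the landing page's own path (changeable)
    redirect_url: str = "/awareness"   # redirection page shown after submission
    keep_submitted_data: bool = False  # keep non-sensitive field values?


@dataclass
class SubmissionRecord:
    token: str                  # per-target tracking token carried in the mail link
    submitted_at: float
    fields_filled: dict         # field name -> True if the target typed something
    values: dict = field(default_factory=dict)  # non-sensitive values only, if kept


def handle_submission(cfg: LandingPageConfig, token: str, form: dict,
                      now: float | None = None) -> tuple[SubmissionRecord, dict]:
    """Record that a form was submitted and build the redirect response.

    Sensitive values never reach the record: the evaluation only needs to
    know that the target entered them (stage 3 of the four-stage scheme).
    """
    now = time.time() if now is None else now
    filled = {name: bool(value) for name, value in form.items()}
    kept = {}
    if cfg.keep_submitted_data:
        kept = {n: v for n, v in form.items() if n.lower() not in SENSITIVE_FIELDS}
    record = SubmissionRecord(token, now, filled, kept)
    # 303 See Other: a browser reload of the redirection page cannot re-POST the form
    response = {
        "status": 303,
        "headers": {"Location": f"{cfg.redirect_url}?t={token}"},
        "body": b"",
    }
    return record, response


if __name__ == "__main__":
    cfg = LandingPageConfig(path="/sso", redirect_url="/awareness")
    rec, resp = handle_submission(cfg, "demo-token", {"username": "alice", "password": "hunter2"})
    print(rec)
    print(resp["status"], resp["headers"]["Location"])
```

The token in the Location header lets the redirection page explain to that specific person why the mail was sent and how to recognise it, while the record itself is what the monitoring unit forwards to the summary page.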
(II) Web phishing page: web phishing is a social engineering technique that attempts to obtain sensitive information, such as user names, passwords and credit card information, from human targets. The target receives a spoofed email disguised as coming from some trusted source. The mail contains links to fake web pages whose styles, logos, pictures and so on may all be taken from the original real website. The target is induced to enter sensitive data; the system interface can capture the sensitive data entered by the target, and phishing can thereby test people's security awareness. The web phishing page is essentially identical to the real website page and is used to deceive the consumer or to steal the account and password information submitted by the visitor. Phishing pages typically have only one or a few pages and differ only slightly from the real web pages. As shown in fig. 8, the flow chart for using a phishing page according to a specific embodiment of the present application includes: configure mail server 801, simulate mail content 802, configure web interface 803, send mail 804, jump to address 805 after verification is complete, and remind that attention to security awareness is needed 806.
In one embodiment of testing a particular phishing web page, the mail parameters are configured; after the mail is sent successfully, it is opened; the link in the mail is clicked, the landing page is reached and login information is entered; after the information is entered and confirmed, the page jumps to a redirection page that announces that this was a phishing mail, tells the target person to guard against phishing, explains how to identify phishing mails, and explains why the phishing mail was sent. Phishing pages can also be pushed in other forms, such as: 1. sending phishing website links through QQ, Aliwang and other client chat tools; 2. placing advertisements on search engines and small and medium websites to attract users to click phishing website links; 3. publishing phishing website links in bulk through email, forums and blogs; 4. spreading phishing website links through short links on microblogs; 5. deceiving the user into the phishing website with a spoofed mail, such as one pretending to be a "bank password reset mail"; 6. after a virus infection, popping up windows that simulate chat tools such as QQ and Aliwang, which lead the user to the phishing website when clicked; 7. popping up simulated floating windows from malicious navigation and download websites that lead to the phishing website when clicked; 8. pretending to be a typing error the user easily makes when entering a website address, so that a misspelling leads straight to the phishing website.
(III) Portable files: an executable file, or a file based on file format exploitation, is generated and placed on a USB flash drive. The attack requires targeted design, such as choosing a stylish, attractive USB drive, putting a photograph on it and leaving it in an area the target may pass through, which may attract a curious target. Some of these use payloads based on the file formats generated by the system. A portable file can also be combined with a phishing mail: the portable file is attached to the mail sent to the target person and delivered together with it. When the target person opens the mail and clicks the file, the target person's computer is attacked, and the resulting data is fed back to the system and can be viewed on the summary page. As shown in the flow chart for using portable files according to a specific embodiment of the present application in fig. 9, the flow includes: configure portable file 901, download the file to the desktop 902, upload the file to a USB flash drive 903, place the USB flash drive and wait for pickup 904, USB flash drive opened 905, and information acquired 906 when the system receives feedback.
In a specific embodiment of a portable file, the system selects a file format attack through the portable file configuration, selects one or more "Word" attack modules from the loaded modules, changes the module configuration parameters in each module according to the actual situation, saves and then downloads the Word portable file after the selection is complete, and detects personnel security awareness by placing the file on a USB flash drive or by other means. After configuration is finished, the file is downloaded to the computer desktop (the file name can be changed; it defaults to "USB key"). The Word portable file is an operation script that loads the Word module, i.e. an attack script for Word documents; it is uploaded to a USB flash drive and placed in a designated area to wait for a tested person to open and use the drive. Externally the drive looks like an ordinary USB flash drive and is very deceptive, but when it is inserted into a computer and the files on it are opened, the Word module script runs and the computer is attacked. When the drive is opened, the system monitoring interface feeds detailed data back to the summary page, from which it can be seen which computer opened the drive, when it was opened, which module the drive used, and so on, so that personnel security awareness can be detected from this data.
In a second specific embodiment of the portable file, the system selects a file format attack through the portable file configuration, selects one or more "Excel" attack modules from the loaded modules, changes the module configuration parameters in each module according to the actual situation, saves the Excel portable file after the selection is complete, downloads it, and detects personnel security awareness by placing the file on a USB flash drive or by other means. After configuration is finished, the file is downloaded to the computer desktop (the file name can be changed; it defaults to "USB key"). The downloaded script carries the "Excel" module, i.e. an attack script for Excel files; it is uploaded from the computer to a deceptive-looking USB flash drive, and the drive is placed where the target person passes. After the target person picks up the drive, if it is opened on a computer and its contents are viewed, the Excel module's attack script runs and the computer is attacked. When the drive is opened, the system monitoring interface feeds the result data back to the summary page, where details such as which computer opened the drive, when it was opened and which module the drive used can be checked, so that personnel security awareness can be detected from this data.
In a third specific embodiment of the portable file, the compressed file is in zip format. The system selects a file format attack through the portable file configuration, selects one or more zip attack modules from the loaded modules, changes the module configuration parameters in each module according to the actual situation, saves the zip portable file after the selection is complete, downloads it, and detects personnel security awareness by placing the file on a USB flash drive or by other means. After configuration is finished, the file is downloaded to the computer desktop (the file name can be changed; it defaults to "USB key"). The downloaded script carries the "zip" module, i.e. an attack script for zip files; it is uploaded from the computer to a deceptive-looking USB flash drive, and the drive is placed where the target person passes. After the target person picks up the drive, if it is opened on a computer and the contents of the zip archive on it are viewed, the attack script runs and the computer is attacked. When the drive is opened, the system monitoring interface feeds the result data back to the summary page, where details such as which computer opened the drive, when it was opened and which module the drive used can be checked, so that personnel security awareness can be detected from this data.
In a fourth specific embodiment of the portable file, the installation program is taken to be in 'install' format. The system selects a file-format attack in the portable-file configuration, loads one or more 'install' attack modules from the available modules, allows the configuration parameters of each module to be adjusted to the actual situation, saves the install portable file once the selection is complete, downloads it, and then runs the security-awareness test by, for example, placing the file on a USB flash drive. After configuration, the file is downloaded to the computer desktop (the file name can be changed; otherwise a default name is used). The downloaded script carries the 'install' module, that is, an attack script targeting installation programs. The tester copies the script onto a bait USB flash drive and leaves the drive somewhere the target person passes by. If the target person picks up the drive, opens it on a computer and views the installation program it contains, the attack script runs and the computer is compromised. When the drive is opened, the system's monitoring interface feeds the result back to the summary page, from which the tester can see which computer opened the drive, at what time and with which module; the security awareness of the person is assessed from this data.
(IV) Monitoring: after the portable-file parameters have been configured and the portable file generated, starting the project switches the system to the monitoring interface. This interface shows whether a target person has opened the portable file and whether the opened file has reported a 'session' back to the system. The summary page lists the details of every file a target person has opened; when an opened file reports a session, the user clicks 'session' to view its details and can operate on the session to collect data. After the file has run, the summary page receives the feedback that the target person opened it. There are two cases: (1) the summary page receives the open notification, but no session appears in the 'session' view; (2) the summary page receives the open notification and a session is reported to the system's session interface, from which data can be collected from the target person's computer. In both cases the open information received by the summary page can be exported. A session here is a mechanism for recording client state on the server side: unlike a cookie, which is stored in the client browser, the session is kept on the server. When a client browser accesses the server, the server records the client's information in some form; on later accesses, the client's state is simply looked up in the session. Fig. 10 shows the usage flow of the monitoring in one embodiment of the present application: start listening 1001, mail sending 1002, mail opening 1003, jump to web page 1004, information submission 1005, and reminder that security awareness is needed 1006.
In a specific embodiment, taking the portable file (a USB flash drive) as an example, the user configures the project parameters through the social-engineering function and the system generates an executable file. The user downloads the executable file to the USB flash drive with the download button in the system interface, leaves the drive in a conspicuous place and waits for an employee to pick it up. If an employee picks up the drive and, without taking any precautions, plugs it straight into a work computer and opens the file, the system can immediately read sensitive information from that computer. The portable file thus tests whether employees have sufficient security awareness and reduces the risk of the organisation's systems being attacked.
The system provides an operating interface with a B/S (browser/server) architecture; operation is simple and clear, the summary information is easy to read, and non-technical staff can see the security situation directly. The social-engineering function detects the security-awareness risk of personnel and realistically simulates phishing attacks and the spread of Trojan files. It reduces the manpower that a traditional penetration test consumes, removes the dependence on the professional skills of the testers, improves test efficiency and makes the test results more complete. Various simulation environments can be built quickly, so that they are more realistic and easier to generate.
With reference to FIG. 11, which illustrates a flow diagram of a method of verifying the security awareness of personnel with respect to network attacks and their exploitation according to an embodiment of the present application, the method comprises:
S1: sending a disguised mail or page to the target person with the phishing attack unit, or injecting and loading an attack module into a portable file with the attack module loading unit and placing the portable file in the target person's activity area.
S2: in response to the target person opening the file, or replying to or entering sensitive data in the disguised mail or page, the monitoring unit collects data information about the target person.
In particular embodiments, the data information covers whether the target person received the mail or file, opened the mail or file, clicked the link in the mail, and entered and submitted a form containing sensitive information on the linked page. After the target person replies to, or enters sensitive data in, the disguised mail or page and confirms it, the system jumps to a preset redirection page that reminds the target person that the mail or page was a phishing attack and explains how to recognise a phishing page.
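The landing-page side of step S2, as an added example written for this page (it is not code from the patent or from the applicant's product): a request handler that records the events the paragraph lists (mail opened, link clicked, form submitted) against a per-recipient token, deliberately keeps no password, and answers a submission with a redirect to the awareness page. SECRET, AWARENESS_URL, the URL paths, the event names and the in-memory store are assumptions introduced for the example.

```python
"""Added example, not code from the patent or from the applicant's product:
a minimal, offline-testable landing-page handler for a phishing simulation.
SECRET, AWARENESS_URL, the URL paths and the event names are assumptions."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlparse

SECRET = b"replace-with-a-random-per-campaign-secret"  # assumption
AWARENESS_URL = "/awareness"  # assumption: the preset redirection page

# Constructed in-memory event store: (timestamp, target_id, event, detail).
events = []

# 1x1 transparent GIF served as the mail-open beacon.
GIF_1X1 = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
           b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

LOGIN_FORM = ('<form method="post" action="/login?t={token}">'
              '<input name="username"><input name="password" type="password">'
              '<button>Sign in</button></form>')


def make_token(target_id: str) -> str:
    """Per-recipient tracking token. The HMAC tag stops a recipient from
    forging or enumerating other people's links by guessing a sequential id."""
    tag = hmac.new(SECRET, target_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{target_id}.{tag}"


def verify_token(token: str):
    """Return the target_id if the token is authentic, otherwise None."""
    target_id, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, target_id.encode(), hashlib.sha256).hexdigest()[:16]
    return target_id if hmac.compare_digest(tag.encode(), expected.encode()) else None


def record(target_id, event, detail="", now=None):
    events.append((time.time() if now is None else now, target_id, event, detail))


def handle(method, url, body="", client_ip="0.0.0.0", now=None):
    """Dispatch one HTTP request and return (status, headers, body).

    GET  /open?t=<token>   -> beacon pixel; records 'opened'
    GET  /login?t=<token>  -> fake login page; records 'clicked'
    POST /login?t=<token>  -> records 'submitted'; 302 to the awareness page
    """
    parsed = urlparse(url)
    token = parse_qs(parsed.query).get("t", [""])[0]
    target_id = verify_token(token)
    if target_id is None:
        # Unknown or tampered token: no tracking and a generic 404, so the
        # endpoint cannot be used as an oracle for guessing valid tokens.
        return 404, {}, "not found"

    if method == "GET" and parsed.path == "/open":
        record(target_id, "opened", client_ip, now)
        return 200, {"Content-Type": "image/gif"}, GIF_1X1

    if method == "GET" and parsed.path == "/login":
        record(target_id, "clicked", client_ip, now)
        return 200, {"Content-Type": "text/html"}, LOGIN_FORM.format(token=token)

    if method == "POST" and parsed.path == "/login":
        form = parse_qs(body)
        username = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        # Keep evidence of the submission (who, and whether a password was
        # typed) but never the password itself: the test must not turn into
        # a real credential leak.
        detail = f"user={username} password_entered={bool(password)}"
        record(target_id, "submitted", detail, now)
        return 302, {"Location": AWARENESS_URL}, ""

    return 404, {}, "not found"
```

The mail for a recipient embeds `/open?t=<make_token(id)>` as the beacon image and `/login?t=<make_token(id)>` as the link, so each of the four data points in the paragraph above maps to one recorded event. The token check matters in practice: a campaign that identifies recipients by a guessable number lets one employee open another's link and spoil that person's result.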
S3: evaluating the security awareness of the target person step by step over four stages: whether the target person received the portable file, disguised mail or page; whether it was accessed after being received; whether sensitive data was operated on or submitted after it was accessed; and whether the target person noticed that they had been attacked. The security awareness of the target person is rated from the behaviour in these four stages. For example, with the first to fourth stages arranged from top to bottom as levels of security awareness: a target person who did not receive the portable file, disguised mail or page is at the first stage; one who received it but did not access it is at the second stage; one who accessed it but did not operate on or submit sensitive data is at the third stage; and one who submitted sensitive data and did not notice the attack is at the fourth stage. The security-awareness level of the target person can thus be read off quickly from the results.
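The monitoring summary described under (IV) and the four-stage rating of step S3, as an added example written for this page (not code from the patent or from the applicant's product): it reads a constructed monitoring log, builds per-person summary rows (which computer opened the file, when, which module, and whether a session came back, i.e. the two feedback cases of (IV)), and assigns the stage. The log format, the event names ('received', 'opened', 'clicked', 'submitted', 'session', 'reported') and the rule that a 'reported' event counts as having noticed the attack are assumptions.

```python
"""Added example, not code from the patent or from the applicant's product:
summary view and four-stage rating from a constructed monitoring log.
Event names, log format and the 'reported' rule are assumptions."""
import json
from collections import Counter, defaultdict

ACCESSED = {"opened", "clicked"}
# 'session' is the callback an opened portable file makes to the system;
# 'submitted' is a form with sensitive data posted on the phishing page.
COMPROMISED = {"submitted", "session"}

# Constructed sample log, one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2021-04-13T08:55:00", "target": "emp42", "event": "received", "channel": "usb", "module": "excel"}
{"ts": "2021-04-13T09:12:10", "target": "emp42", "event": "opened", "host": "PC-042", "module": "excel"}
{"ts": "2021-04-13T09:12:14", "target": "emp42", "event": "session", "host": "PC-042", "module": "excel"}
{"ts": "2021-04-13T08:55:00", "target": "emp99", "event": "received", "channel": "usb", "module": "zip"}
{"ts": "2021-04-13T10:03:41", "target": "emp99", "event": "opened", "host": "PC-099", "module": "zip"}
{"ts": "2021-04-13T09:00:00", "target": "emp17", "event": "received", "channel": "mail"}
{"ts": "2021-04-13T09:05:02", "target": "emp17", "event": "opened"}
{"ts": "2021-04-13T09:05:30", "target": "emp17", "event": "clicked"}
{"ts": "2021-04-13T09:06:11", "target": "emp17", "event": "submitted"}
{"ts": "2021-04-13T09:20:00", "target": "emp17", "event": "reported"}
{"ts": "2021-04-13T09:00:00", "target": "emp08", "event": "received", "channel": "mail"}
{"ts": "2021-04-13T09:07:45", "target": "emp08", "event": "clicked"}
{"ts": "2021-04-13T09:08:02", "target": "emp08", "event": "submitted"}
{"ts": "2021-04-13T09:00:00", "target": "emp31", "event": "received", "channel": "mail"}
"""
# Everyone in the campaign; emp05 never received anything (assumption).
ROSTER = ["emp42", "emp99", "emp17", "emp08", "emp31", "emp05"]


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def stage_for(evs):
    """Four-stage rating from step S3 (1 = best, 4 = worst)."""
    names = {e["event"] for e in evs}
    if "received" not in names:
        return 1  # did not receive the bait
    if not names & (ACCESSED | COMPROMISED):
        return 2  # received, never accessed
    if not names & COMPROMISED or "reported" in names:
        return 3  # accessed but gave nothing away, or noticed the attack (assumption)
    return 4      # gave data away or ran the file, and did not notice


def summarize(roster, events):
    """One summary row per target person, as the summary page would show it."""
    by_target = defaultdict(list)
    for e in events:
        by_target[e["target"]].append(e)
    summary = {}
    for target in roster:
        evs = sorted(by_target.get(target, []), key=lambda e: e["ts"])
        opened = next((e for e in evs if e["event"] == "opened"), None)
        has_session = any(e["event"] == "session" for e in evs)
        summary[target] = {
            "stage": stage_for(evs),
            "opened_on": opened.get("host") if opened else None,
            "opened_at": opened["ts"] if opened else None,
            "module": next((e["module"] for e in evs if "module" in e), None),
            # The two feedback cases of (IV): open notification only, or
            # open notification plus a session reported to the system.
            "feedback": ("open+session" if has_session
                         else "open-only" if opened else None),
        }
    return summary


def stage_counts(summary):
    """Histogram of stages, the headline figure for the campaign."""
    return dict(Counter(info["stage"] for info in summary.values()))


if __name__ == "__main__":
    s = summarize(ROSTER, parse_log(SAMPLE_LOG))
    for target, info in s.items():
        print(target, info)
    print(stage_counts(s))
```

On the sample log, emp42 opened the Excel bait on PC-042 and a session came back (case 2, stage 4); emp99 opened the zip bait on PC-099 but no session was established (case 1, stage 3); emp17 submitted a form but then reported the mail, which the example treats as having noticed the attack; emp31 received the mail and ignored it; emp05 is in the roster with no events at all.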
The invention is simple and clear to operate and effectively improves testing efficiency. Operation takes place in a web browser page, and the content of the phishing mails is configured simply and flexibly. Once a project is started, the test steps run automatically; by inducing the targets to share sensitive information or execute certain dangerous code, the system collects evidence of how security information leaks and measures the security awareness of the people tested. A network environment for testing security awareness can be built quickly: the social-engineering simulation system for network security sets up the web service and mailbox service framework, fetches the content of the target website with a crawler, and dynamically generates a simulated page from that content. Running the test with the simulated page or the test software trains the tested personnel to tell genuine systems from fakes and raises their attention to network security.
Embodiments of the present invention also relate to a computer-readable storage medium on which a computer program is stored which, when executed by a computer processor, implements the method above. The computer program comprises program code for performing the method illustrated in the flow chart. It should be noted that the computer-readable medium of the present application can be a computer-readable signal medium, a computer-readable storage medium, or any combination of the two.
Referring now to FIG. 12, shown is a block diagram of a computer system 1200 suitable for use in implementing the electronic device of an embodiment of the present application. The electronic device shown in fig. 12 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 12, the computer system 1200 includes a Central Processing Unit (CPU) 1201, which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM) 1202 or a program loaded from a storage section 1208 into a Random Access Memory (RAM) 1203. In the RAM 1203, various programs and data necessary for the operation of the system 1200 are also stored. The CPU 1201, ROM 1202, and RAM 1203 are connected to each other by a bus 1204. An input/output (I/O) interface 1205 is also connected to bus 1204.
The following components are connected to the I/O interface 1205: an input section 1206 including a keyboard, a mouse, and the like; an output portion 1207 including a display such as a Liquid Crystal Display (LCD) and a speaker; a storage section 1208 including a hard disk and the like; and a communication section 1209 including a network interface card such as a LAN card, a modem, or the like. The communication section 1209 performs communication processing via a network such as the internet. A driver 1210 is also connected to the I/O interface 1205 as needed. A removable medium 1211, such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like, is mounted on the drive 1210 as necessary, so that a computer program read out therefrom is mounted into the storage section 1208 as necessary.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 1209, and/or installed from the removable medium 1211. The computer program, when executed by the Central Processing Unit (CPU) 1201, performs the above-described functions defined in the methods of the present application.
It should be noted that the computer readable storage medium described herein can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable storage medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable storage medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present application may be implemented by software or hardware. The described units may also be provided in a processor, and may be described as: a processor includes a first determining unit, a second determining unit, a generating unit, a first extracting unit, and a first storing unit. Here, the names of these units do not constitute a limitation to the unit itself in some cases, and for example, the first determination unit may also be described as a "unit that determines whether or not there is newly added event information in a preset event information list".
As another aspect, the present application also provides a computer-readable storage medium, which may be included in the electronic device described in the above embodiments, or may exist separately without being assembled into the electronic device. The computer-readable storage medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: send a disguised mail or page to a target person with the phishing attack unit, or inject and load an attack module into a portable file with the attack module loading unit and place the portable file in the target person's activity area; in response to the target person opening the file, or replying to or entering sensitive data in the disguised mail or page, collect data information about the target person with the monitoring unit; and evaluate the security awareness of the target person step by step over four stages: whether the target person received the portable file, disguised mail or page, whether it was accessed after being received, whether sensitive data was operated on or submitted after it was accessed, and whether the target person noticed the attack.
The above description is only a preferred embodiment of the application and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention herein disclosed is not limited to the particular combination of features described above, but also encompasses other arrangements formed by any combination of the above features or their equivalents without departing from the spirit of the invention. For example, the above features may be replaced with (but not limited to) features having similar functions disclosed in the present application.

Claims (10)

1. A system for verifying the security awareness of personnel with respect to network attacks and their exploitation, the system comprising:
a phishing attack unit, configured to use a disguised mail or page to induce a target person to reply or enter sensitive data;
an attack module loading unit, configured to inject and load, into a portable file, an attack module whose configuration parameters can be changed;
a monitoring unit, configured to respond to the target person opening the file, or replying or entering sensitive data, by feeding a session back to the system so that the user can view the details of the session and collect data information;
wherein the system evaluates the security awareness of the target person on the basis of the collected data information, including whether the data was received, accessed and submitted, and whether the target person noticed the attack.
2. The system according to claim 1, wherein the phishing attack unit comprises phishing e-mails and web phishing pages, and sends the disguised mail or web page to the target person through a mail sending server.
3. The system according to claim 2, further comprising configuring the mail server to simulate the content of the mail or web page, a landing page, and a redirection page.
4. The system according to claim 3, wherein the redirection page, after the target person has entered login information, prompts the target person that the mail was a phishing mail and explains how to recognise a phishing page.
5. The system according to claim 1, wherein the portable files comprise Word files, Excel files, compressed files and installation programs, and are uploaded onto a removable storage medium that is placed in the target person's activity area.
6. The system according to claim 2, wherein the phishing e-mail is pushed in forms that further comprise propagation through instant chat tools, disguising as a website address that the target person is liable to enter by mistake, placing advertisements, and simulating floating windows on websites.
7. A method of verifying the security awareness of personnel with respect to network attacks and their exploitation, using the system according to any one of claims 1 to 6, comprising:
S1: sending a disguised mail or page to the target person with the phishing attack unit, or injecting and loading an attack module into a portable file with the attack module loading unit and placing the portable file in the target person's activity area;
S2: in response to the target person opening the file, or replying to or entering sensitive data in the disguised mail or page, collecting data information about the target person with the monitoring unit;
S3: evaluating the security awareness of the target person step by step over four stages: whether the target person received the portable file, disguised mail or page; whether it was accessed after being received; whether sensitive data was operated on or submitted after it was accessed; and whether the target person noticed the attack.
8. The method according to claim 7, wherein in step S2, after the target person replies to, or enters sensitive data in, the disguised mail or page and confirms it, the system jumps to a preset redirection page that reminds the target person that the mail or page was a phishing attack and explains how to recognise a phishing page.
9. The method according to claim 7, wherein the data information in step S2 comprises whether the target person received the mail or file, opened the mail or file, clicked the link in the mail, and entered and submitted a form containing sensitive information on the linked page.
10. A computer-readable storage medium having one or more computer programs stored thereon which, when executed by a computer processor, perform the method of any one of claims 7 to 9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110395591.7A CN113259321A (en) 2021-04-13 2021-04-13 System and method for verifying security awareness of personnel on network attack and utilization


Publications (1)

Publication Number Publication Date
CN113259321A true CN113259321A (en) 2021-08-13

Family

ID=77220656


Country Status (1)

Country Link
CN (1) CN113259321A (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104283889A (en) * 2014-10-20 2015-01-14 国网重庆市电力公司电力科学研究院 Electric power system interior APT attack detection and pre-warning system based on network architecture
CN107451466A (en) * 2017-08-17 2017-12-08 深信服科技股份有限公司 A kind of safety evaluation method and device, computer installation, readable storage medium storing program for executing
CN110290155A (en) * 2019-07-23 2019-09-27 北京邮电大学 The defence method and device of social engineering attack
CN111556036A (en) * 2020-04-20 2020-08-18 杭州安恒信息技术股份有限公司 Detection method, device and equipment for phishing attack


Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114050909A (en) * 2021-08-30 2022-02-15 国网思极网安科技(北京)有限公司 Method and system for drilling simulated mails and electronic equipment
CN114050909B (en) * 2021-08-30 2023-08-18 国网思极网安科技(北京)有限公司 Exercise method, system and electronic equipment for simulating mail
CN113806740A (en) * 2021-09-30 2021-12-17 上海易念信息科技有限公司 Fishing simulation test method and system and electronic equipment
CN113806740B (en) * 2021-09-30 2024-04-16 上海易念信息科技有限公司 Fishing simulation test method, system and electronic equipment
CN114205272A (en) * 2021-12-08 2022-03-18 北京恒安嘉新安全技术有限公司 Communication security test method, device, equipment and storage medium
CN114499932A (en) * 2021-12-16 2022-05-13 山东星维九州安全技术有限公司 Phishing mail test service supporting method, system and terminal
CN114465978A (en) * 2022-02-07 2022-05-10 北京知道创宇信息技术股份有限公司 Mailbox disclosure discovery method, device and system and readable storage medium
CN114465978B (en) * 2022-02-07 2023-10-13 北京知道创宇信息技术股份有限公司 Mailbox leakage discovery method, device and system and readable storage medium
CN117353988A (en) * 2023-09-25 2024-01-05 北京五一嘉峪科技有限公司 Risk detection method and device and computing equipment
CN117455228A (en) * 2023-09-28 2024-01-26 永信至诚科技集团股份有限公司 Evaluation method and device for network risk identification capability


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20210813)