在現今的社會中，資訊網路的發展非常迅速，且被廣泛地應用在生活中，使我們的生活更加方便也更有效率。但伴隨著電腦與網路的普及，駭客技術亦有所提昇，故資訊安全已經成為一個越來越不可輕忽的議題。雖然企業針對網路安全建立了它們自己的防護系統，然而這樣還是不夠的。資安專家把他們的精力花在他們認為最好的方式身上：防火牆與其他安全機制，例如SSL(Secure Sockets Layer)。但是雖然防火牆與其他安全機制能有效預防駭客侵入企業電腦網路，但卻無法阻止最重大的電腦犯罪來源：內部員工。許多人認為間諜活動是由那些資金充足的組織所進行的，所以只能由政府出來制止。然而，美國工業安全協會與學者Katz的研究表示超過70%上的資訊盜竊是內部員工所需負責的。大部份員工對於資訊安全抱持著草率的態度，而導致企業內部產生資訊安全漏洞。這種利用人類弱點的攻擊手段，也就是所謂的「社交工程」，可能是最難以克服的。
因此，本研究基於社交工程與資訊安全的理論去建構一個自動化社交工程教育訓練系統。研究的目的是以本系統幫助雇主對員工建立基本的社交工程資訊安全觀念，相關的實作方式也包含於本論文中。
本研究分為兩個議題：
( 1 ) 如何自動化產生含有社交工程訊號之社交工程電子郵件
( 2 ) 如何自動進行完整的社交工程演練與教育訓練

Nowadays, the Information Network is developed rapidly and utilized widely to make our life more convenient and efficient. Due to the popularity of computers, networks and the rapid progress of hacker skills, the issue of information security becomes more and more important. Although generally the companies construct their security systems for network protection, however, that is still indefensible. Information security professionals focus their efforts on what they know best: Firewalls and other Internet security mechanisms like Secure Sockets Layer(SSL). While firewalls and other Internet security mechanisms go a long way in preventing the hackers from intruding into a corporate computer network, they do nothing to stop the most significant source of computer crime: the employees. Many people believe that the espionage is committed by well financed organizations that can only be stopped by national agencies. However, studies show that employees were responsible for more than 70% of information related thefts. Most of the employees are careless with information security that causes the information security vulnerability in an enterprise. The human approach in terms of 'Social Engineering' is probably the most difficult one to be dealt with.

Consequently, this study adopts Social Engineering and Information Security to construct an Automatic Education Training System for E-mail Social Engineering Drill. The objective of this study is helping employers to construct the concept of information security of E-mail Social Engineering for employees by importing this system, related practice. Therefore, this paper comprises two issues as listed below:

1. How to automate the E-mail of social engineering include Signals of social engineering.
2. How to automate a complete social engineering drill and training

摘要I
AbstractII
誌謝IV
目錄V
圖目錄VII
表目錄VIII
第一章緒論1
1.1研究背景1
1.2研究動機7
1.3研究目的9
1.4研究方法11
1.5論文架構12
第二章文獻探討13
2.1社交工程13
2.2社交工程教育訓練14
第三章系統設計17
3.1需求分析17
3.1.1應用程式端需求分析18
3.1.2網頁資料庫端需求分析21
3.2系統架構22
3.2.1系統架構22
3.2.2應用程式端內部功能結構23
3.2.3網頁資料庫端內部功能結構25
3.3系統流程26
3.3.1電子郵件社交工程系統流程(使用者端)26
3.3.2電子郵件社交工程系統流程(收件者端)28
第四章系統實作29
4.1系統實作環境29
4.2系統介面與功能介紹31
4.2.1應用程式端系統介面(郵件發送設定)與功能介紹31
4.2.2應用程式端系統介面(自訂郵件與資料查詢) 與功能介紹36
4.2.3網頁資料庫端系統介面與功能介紹39
4.3系統執行流程40
4.4社交工程電子郵件解析45
4.4.1收件者收件情形45
4.4.2社交工程郵件內容48
4.5網頁資料庫端資料解析52
4.6實作問題與結論匯整53
第五章結論與未來展望58
5.1結論58
5.2未來展望60
參考文獻62

[1]Sericon Technology Inc.(2005), Introduction to SSL. from http://www.sericontech.com/Downloads/Introduction_to_SSL.pdf
[2]American Society for Industrial Security (1996), Study on the Theft of Proprietary Information , Arlington, VA: ASIS.
[3]Katz, A. (1995), Computers: The Changing Face of Criminality , Unpublished dissertation: Michigan State University
[4]教育部(2010)，教育部99年度學術機構分組防範惡意電子郵件社交工程演練計畫
[5]梁定澎(1997)，資訊管理研究方法總論，資訊管理學報，第四卷第一期：p.1-7
[6]Joan Goodchild (2010), Social Engineering: The Basics.
[7]NISCC Briefing (2006), Social engineering against information systems: what is it and how do you protect yourself ?
[8]Check Point & Ponemon Institute (2011), Check Point and Ponemon Survey Validates Need for 3D Security. from
http://www.checkpoint.com/press/2011/CheckPoint-Ponemon-Survey-3D-Security.html
[9]Pei-Wen Liu, Jia-Chyi Wu, Pei-Ching Liu TWNCERT (2008), The Best Practice to Protect against Social Engineering Attacks in E-mail Form.