| Field | Value |
|---|---|
| Author | 盧宣良 Hsuan-Liang Lu |
| Thesis Title | 電子郵件社交工程演練之自動化教育訓練系統 Automatic Education Training System for E-mail Social Engineering Drill |
| Advisor | 羅乃維 Nai-Wei Lo |
| Committee | 吳宗成 Tzong-Chen Wu, 查士朝 Shi-Cho Cha |
| Degree | 碩士 Master |
| Department | 管理學院 - 資訊管理系 College of Management, Department of Information Management |
| Thesis Publication Year | 2011 |
| Graduation Academic Year | 99 |
| Language | Chinese |
| Pages | 61 |
| Keywords (in Chinese) | 社交工程、教育訓練、資訊安全、自動化 |
| Keywords (in other languages) | Social Engineering, Education Training, Information Security, Automatic |
| Reference times | Clicks: 504, Downloads: 3 |
In today's society, information networks have developed very rapidly and are widely applied in daily life, making our lives more convenient and more efficient. But alongside the spread of computers and networks, hacker techniques have also advanced, so information security has become an issue that can no longer be neglected. Although enterprises have built their own protection systems for network security, this is still not enough. Information security experts spend their effort on what they consider the best approach: firewalls and other security mechanisms such as SSL (Secure Sockets Layer). Yet while firewalls and other security mechanisms can effectively prevent hackers from intruding into enterprise computer networks, they cannot stop the most significant source of computer crime: internal employees. Many people believe that espionage is carried out by well-funded organizations and can therefore only be stopped by governments. However, research by the American Society for Industrial Security and the scholar Katz indicates that internal employees are responsible for more than 70% of information theft. Most employees hold a careless attitude toward information security, which creates information security gaps inside the enterprise. This kind of attack, which exploits human weaknesses and is known as "social engineering", is probably the most difficult to overcome.
Therefore, this study builds an automated social engineering education and training system based on the theory of social engineering and information security. The purpose of the study is to use this system to help employers establish basic social engineering information security awareness among their employees; the related implementation approach is also included in this thesis.
This study is divided into two issues:
(1) How to automatically generate social engineering e-mails that contain social engineering signals
(2) How to automatically carry out a complete social engineering drill and education training
Nowadays, the information network has developed rapidly and is widely used to make our lives more convenient and efficient. Due to the popularity of computers and networks and the rapid progress of hacker skills, information security has become an increasingly important issue. Although companies generally build their own security systems for network protection, this is still not enough. Information security professionals focus their efforts on what they know best: firewalls and other Internet security mechanisms like Secure Sockets Layer (SSL). While firewalls and other Internet security mechanisms go a long way in preventing hackers from intruding into a corporate computer network, they do nothing to stop the most significant source of computer crime: the employees. Many people believe that espionage is committed by well-financed organizations that can only be stopped by national agencies. However, studies show that employees were responsible for more than 70% of information-related thefts. Most employees are careless with information security, which creates information security vulnerabilities in an enterprise. The human approach, in terms of 'social engineering', is probably the most difficult one to deal with.
Consequently, this study draws on social engineering and information security to construct an Automatic Education Training System for E-mail Social Engineering Drill. The objective of this study is to help employers build employees' understanding of the information security of e-mail social engineering by adopting this system and its related practice. Therefore, this paper addresses the two issues listed below:
1. How to automatically generate social engineering e-mails that include signals of social engineering.
2. How to automatically conduct a complete social engineering drill and training.
[1] Sericon Technology Inc. (2005), Introduction to SSL. http://www.sericontech.com/Downloads/Introduction_to_SSL.pdf
[2] American Society for Industrial Security (1996), Study on the Theft of Proprietary Information, Arlington, VA: ASIS.
[3] Katz, A. (1995), Computers: The Changing Face of Criminality, unpublished dissertation, Michigan State University.
[4] 教育部 (Ministry of Education) (2010), Ministry of Education Academic Year 99 Malicious E-mail Social Engineering Drill Plan for the Academic Institutions Group.
[5] 梁定澎 (1997), An Overview of Information Management Research Methods, 資訊管理學報 (Journal of Information Management), Vol. 4, No. 1, pp. 1-7.
[6] Joan Goodchild (2010), Social Engineering: The Basics.
[7] NISCC Briefing (2006), Social engineering against information systems: what is it and how do you protect yourself?
[8] Check Point & Ponemon Institute (2011), Check Point and Ponemon Survey Validates Need for 3D Security. http://www.checkpoint.com/press/2011/CheckPoint-Ponemon-Survey-3D-Security.html
[9] Pei-Wen Liu, Jia-Chyi Wu, Pei-Ching Liu, TWNCERT (2008), The Best Practice to Protect against Social Engineering Attacks in E-mail Form.