1. Field of Invention
The present invention relates to training and services relating to corporate security and, more specifically, to training and services addressing the compromise of corporate information security that occurs when a user opens an electronic message and clicks on a malicious link or attachment.
2. Description of Related Art
Network Security—Generally
Since most computers, smart phones, tablets, and other computing devices are typically connected to a network and/or the Internet, there is a risk that the corporate network may be compromised and information stolen by parties gaining unauthorized access to the computing devices, who may be referred to as “malicious hackers”.
In response, there are many hardware and software products protecting the computing devices such as firewalls and virus protection software. Much of this hardware/software has become quite sophisticated. Other means to gain access to the computing devices besides a direct technical attack are now becoming more popular.
Exceptions are typically made to allow mail and other electronic messages to pass through the firewall. A possible attack method, or attack vector, is to insert a link to a malicious website into these electronic messages or to hide malicious software (“malware”) in them. Once inside the firewall, the malware can be activated and perform malicious activities behind the firewall. Such events are referred to as “incidents”. Malicious activities may include logging keystrokes and sending them back to the hacker, releasing a virus into the system, taking control of the user's computer and making it part of a network used to attack other systems, encrypting the hard drive and demanding a ransom to unlock it, and other malicious acts. All of these can cause significant damage and incur large costs to recover data and restore the system to its original state.
The malicious software is typically activated inadvertently by the user clicking on an attachment or link within the message. Since users typically do not click on or activate messages that they do not believe apply to them, the user must be ‘tricked’ into clicking on the message.
A malicious hacker intending to gain access to computing devices typically sends messages with malicious software to numerous users and then waits for a ‘bite’, just like fishing. This type of attack is commonly called “phishing”. Even if only a small percentage of messages are clicked, this gives the attacker access to many computing devices. Therefore, the network and firewall are typically not the problem. The user is now the weak link in the system.
User Training
Corporate information security training is effective in teaching users how to recognize phishing messages and to refrain from clicking on these messages, thereby reducing the number of incidents. Users are also taught to report phishing messages. Reporting alerts a system administrator to the presence of the phishing messages and allows the system administrator to quarantine the phishing message, notify the users of the phishing message, and give the users instructions on how to proceed.
Extensive training of all users can be effective. Lack of training or improper training can make the network vulnerable to attacks and give the users a false sense of security.
There have been attempts to test a company's vulnerability to phishing through a legitimate penetration testing vendor. This was a simple process of sending a phishing message to various users in a company and monitoring whether they clicked on the message. It provided information only on click rates, with no determination or indication of how difficult it was to identify that the message was not authentic, and was therefore not a true test of an organization's security stance.
Another method worked in a similar fashion, except that it sent a first phishing message then followed up with a second phishing message that referred to the first phishing message. Again, there was no determination or indication of a difficulty level indicating how difficult it was to identify that either message was a phishing message or was authentic.
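The click-rate-only measurement described above, and the difficulty indication the prior methods lacked, illustrated as an added Python example (not part of this specification; the numeric difficulty scale, the event fields and the sample results are assumptions constructed for illustration):

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One simulated phishing message delivered to one user (assumed record layout)."""
    user: str
    difficulty: int   # assumed scale: 1 = obviously fake .. 5 = hard to tell from authentic
    clicked: bool
    reported: bool


def click_rate(events):
    """Raw click rate: the only figure the prior testing methods produce."""
    return sum(e.clicked for e in events) / len(events)


def by_difficulty(events):
    """Click and report rates bucketed by the message's difficulty level."""
    buckets = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for e in events:
        b = buckets[e.difficulty]
        b["sent"] += 1
        b["clicked"] += int(e.clicked)
        b["reported"] += int(e.reported)
    return {d: {**b, "click_rate": b["clicked"] / b["sent"],
                "report_rate": b["reported"] / b["sent"]}
            for d, b in sorted(buckets.items())}


def training_priority(events, easy_max=2):
    """Users who clicked a message rated at or below `easy_max`, most clicks first."""
    counts = defaultdict(int)
    for e in events:
        if e.clicked and e.difficulty <= easy_max:
            counts[e.user] += 1
    return sorted(counts, key=lambda u: (-counts[u], u))


# Constructed sample data (not real exercise results): two campaigns with the
# same raw click rate whose meaning differs once difficulty is considered.
CAMPAIGN_A = [  # obvious lures: half the users still clicked
    Event("alice", 1, True, False), Event("bob", 1, False, True),
    Event("carol", 2, True, False), Event("dave", 1, False, True),
]
CAMPAIGN_B = [  # convincing lures: same click rate, fewer reports
    Event("alice", 5, True, False), Event("bob", 5, False, True),
    Event("carol", 5, True, False), Event("dave", 4, False, False),
]

if __name__ == "__main__":
    for name, campaign in (("A", CAMPAIGN_A), ("B", CAMPAIGN_B)):
        print(name, "raw click rate:", click_rate(campaign))
        print(name, "by difficulty:", by_difficulty(campaign))
        print(name, "training priority:", training_priority(campaign))
```

Both campaigns report a raw click rate of 0.5; only the per-difficulty breakdown shows that campaign A's clicks were on lures users should have recognized.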
Besides the shortcomings listed above, the prior methods of testing for phishing or providing security and phishing education were stand-alone programs.
Currently, there is a need for an improved process, easy to implement, that includes phishing as part of a comprehensive security awareness program in order to increase security and reduce the incidents due to phishing.