Alphabet – Greg Kras, Alin Irimie, Knowbe4 Inc

Abstract for “Using smart groups to computer-based security awareness training system”

This disclosure describes improvements to static group solutions. Administrators only need to specify the criteria they are interested in. Smart groups are different from static groups. Instead of having to track the status of users and move them between static groups when their status changes, a smart group allows the automatic identification of relevant users at the time that action is required. This feature automates user administration for enrollment in phishing or training campaigns. Smart group membership is determined when the group is being used for something. This ensures that the membership of the smart group is accurate and not outdated. When you are about to run a campaign, or take any other action that requires the membership of the smart group to be determined, the query that determines smart group membership is run.

Background for “Using smart groups to computer-based security awareness training system”

It is possible to simulate phishing attacks against a user or group of users as part of a computer-based security awareness training system. Phishing is a malicious attempt to obtain sensitive information, such as usernames, passwords and credit card details, and the sender may disguise itself as a trusted entity. An email could be sent to a target with an attachment that performs malicious actions when executed, or a link to a webpage which either prompts the user or performs malicious actions when accessed. Malicious actions can include malicious data collection, actions that are harmful to the normal operation of the device on which the email was activated, or any other malicious actions that could be performed by a program (or a group of programs). An organization can determine its vulnerability to phishing attacks by using simulated attacks. Organizations can use this knowledge to reduce vulnerability via tools and training.

Reporting can be done using dynamic groups. A report can be saved and generated when an administrator searches users who meet certain criteria using Boolean logic. Data is generated every time an administrator runs a report based on query.

Conceptually, similar types of groups have been used in Active Directory, which uses groups for distribution lists (e.g. dynamic distribution groups as they are used in IT environments). You can use dynamic group systems either manually to manage security groups or in scripts that are run regularly for group management. These groups are also used for reporting, where you can set criteria about what you want to include in your report.

In some cases, campaign management systems, such as a computer-based security awareness system that can run simulated attack campaigns, may only use static groups. You can either manage static groups manually or use a workflow process to manage them. Users that meet certain criteria may be manually added to a static group. They can be removed only by a workflow process, or by taking a manual action.

Static groups can cause workflow inefficiencies and inaccuracies. They are used to create different user groups according to different criteria. If company administrators attempt to remove users from one static group and place them in another, it can lead to many users who have been trained, phished, failed a phishing exam, gone through remediation training, and so on. A large number of logic branches can be required to manage user groups that are based on workflow. Administrators can easily lose track of these rules, making it difficult to manage. You can have infinite numbers of static groups, both driven by workflows or manual actions. Users will be missed if a workflow process doesn’t get done correctly. Mistakes can happen because static groups are controlled by administrator workflows and users. Administrators will need to correctly place users in static groups from the beginning. This leads to a large number of groups.

Smart groups, also known as dynamic groups, are a solution to these limitations. They automatically build a list that meets specified criteria when the list is requested. Smart groups are query-based groups.

“The present solution extends on similar concepts in report-making. You can create a group that contains users who meet certain criteria and then generate a report based upon the list. Smart groups allow for the creation of similar dynamic groups for other purposes, such as training or phishing campaigns.

This solution is an improvement on static groups because administrators only need to specify the criteria they are interested in. Smart groups are different from static groups. Instead of having to track users’ status and move them around between static groups when they change, smart groups allow for the automatic identification of relevant users whenever an action is required. This feature automates user administration for enrollment in phishing or training campaigns.

The smart group membership is established as soon as the group is being used for something. This ensures that the smart group membership remains accurate and is never out of date. When you are about to run a campaign, or take any other action that requires information about the membership of the group, the query that determines smart group membership is run. The criteria set by the administrator when the group was formed are always used to determine the membership of the smart group. The system bases a smart group’s membership upon those criteria, and adds only users who meet them at the time the group is being used. This ensures that the group membership is up-to-date and accurate, so that the users in the group are the right users at the time that the action (training campaign, simulated hacking campaign, report, etc.) is taken.”

A server might create a group using criteria to identify users at the time the group will be used. A server might be notified that a group membership is required. The server can query a user population to determine if they meet the criteria and identify them as members of the group. In some implementations, the server sets the criteria for a group. In other implementations, the server receives these criteria. One or more criteria can be combined using logical operators in some instances to create a group criteria.

In an implementation, the server might receive a request for the execution of a simulated campaign for a group. This request indicates to the server that the group members are to be identified using a query using group criteria. Other implementations may include a request to join the group or a request to obtain a report on the group. These requests indicate to the server that the query using the group criteria will be used to identify the group members.

“In an implementation, the server might address the query to a database containing information regarding the users that is located at a different device, at a server, or in the cloud.”

“In an implementation, the server might receive an additional indication to use the group and may conduct a new query among a population of users to determine which users match the criteria associated with this group. The new population of group members is different from the population that was identified as being part of the group in the previous query.”
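The use-time query described above, as an added example (not code from the patent or from KnowBe4): criteria combined with logical operators are compiled when the group is defined, and membership is resolved only when a campaign asks for it, so a second request returns a different population than a static snapshot. The field names, operators, sample users and the allow-list check on received criteria are assumptions made for illustration.

```python
import operator
from datetime import date

# Assumption: only these user attributes and comparisons may appear in criteria.
# Criteria received from outside are data, never evaluated as code.
ALLOWED_FIELDS = {"department", "phish_failures", "last_training"}
OPERATORS = {"eq": operator.eq, "ne": operator.ne,
             "ge": operator.ge, "lt": operator.lt}


def compile_criteria(node):
    """Turn a nested criteria dict into a predicate over one user record.

    node is {"all": [...]}, {"any": [...]}, {"not": node} or a leaf
    {"field": ..., "op": ..., "value": ...}.
    """
    if "all" in node:
        parts = [compile_criteria(n) for n in node["all"]]
        return lambda user: all(p(user) for p in parts)
    if "any" in node:
        parts = [compile_criteria(n) for n in node["any"]]
        return lambda user: any(p(user) for p in parts)
    if "not" in node:
        inner = compile_criteria(node["not"])
        return lambda user: not inner(user)
    field, op, value = node["field"], node["op"], node["value"]
    if field not in ALLOWED_FIELDS or op not in OPERATORS:
        raise ValueError(f"criterion not allowed: {field!r} {op!r}")
    compare = OPERATORS[op]

    def leaf(user):
        actual = user.get(field)
        # A user lacking the attribute does not satisfy the criterion.
        return actual is not None and compare(actual, value)
    return leaf


class SmartGroup:
    """Stores criteria only; membership is computed on every use."""

    def __init__(self, name, criteria):
        self.name = name
        self._match = compile_criteria(criteria)  # validated at creation

    def members(self, population):
        return sorted(u["id"] for u in population if self._match(u))


class StaticGroup:
    """Stores a fixed member list that someone has to keep current."""

    def __init__(self, name, ids):
        self.name = name
        self._ids = set(ids)

    def members(self, population):
        return sorted(self._ids)


def run_campaign(group, population):
    """A campaign request is the indication to resolve membership now."""
    return group.members(population)


# Constructed sample population (hypothetical users and attributes).
USERS = [
    {"id": "alice", "department": "finance", "phish_failures": 2,
     "last_training": date(2023, 1, 10)},
    {"id": "bob", "department": "finance", "phish_failures": 0,
     "last_training": date(2024, 3, 1)},
    {"id": "carol", "department": "engineering", "phish_failures": 1,
     "last_training": date(2022, 11, 5)},
    {"id": "dave", "department": "finance", "phish_failures": 0,
     "last_training": date(2022, 6, 30)},
]

# Finance users who failed a simulated phish OR have stale training.
CRITERIA = {"all": [
    {"field": "department", "op": "eq", "value": "finance"},
    {"any": [
        {"field": "phish_failures", "op": "ge", "value": 1},
        {"field": "last_training", "op": "lt", "value": date(2023, 6, 1)},
    ]},
]}


def demo():
    population = [dict(u) for u in USERS]
    smart = SmartGroup("finance-remediation", CRITERIA)
    # Static group built once from the same users, then left alone.
    static = StaticGroup("finance-remediation-static", smart.members(population))
    first = run_campaign(smart, population)

    # Status changes between campaigns: alice is remediated, bob fails a test.
    by_id = {u["id"]: u for u in population}
    by_id["alice"].update(phish_failures=0, last_training=date(2024, 5, 1))
    by_id["bob"]["phish_failures"] = 1

    second = run_campaign(smart, population)
    return first, second, run_campaign(static, population)


if __name__ == "__main__":
    print(demo())
```

The static group still targets the remediated user and misses the new failure, which is the inaccuracy the disclosure attributes to static groups.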

“The following sections of the specification with their respective contents can be useful for reading the descriptions of various embodiments:”

“Section A” describes a computing environment and network environment that may be helpful in the practice of embodiments.

“Section B” describes embodiments of systems, methods, and devices for adding users to user groups, and systems and methods that allow for the use of smart groups.

“A. Computing and Network Environment.”

Before we discuss specific embodiments of this solution, it might be useful to describe aspects such as the operating environment and associated system components (e.g. hardware elements) in relation to the methods or systems described herein. Referring to FIG. 1A, an example of a network environment is shown. The network environment includes one to three clients 102a-102n (also known as client(s) 102, client node(s) 102, client computer(s) 102, client machine(s) 102, client device(s) 102, or endpoint(s) 102) and servers 106 (also known as remote machine(s) 106). A client 102 can be used as both a client node that seeks access to server resources and as a server that provides access to server resources for other clients.

“Although FIG. 1A depicts a network 104 between the clients 102 and the servers 106, the clients 102 may be on the same network 104. Some embodiments may have multiple networks 104 connecting the servers 106 and clients 102. In one of these embodiments, a network 104 could be a private network, while a network 104' (not shown) may be a public network. In another embodiment, both networks 104 and 104' may be private networks.”

The network 104 can be connected via either wired or wireless links. Wired links can include Digital Subscriber Line (DSL), coaxial cable lines, or optical fiber lines. Wireless links can include BLUETOOTH, Wi-Fi, Worldwide Interoperability for Microwave Access (WiMAX), an infrared channel, or a satellite band. Wireless links can also include any cellular network standard used to communicate between mobile devices. This includes standards that are 1G, 2G or 3G. Network standards may qualify as one or more generations of mobile telecommunication standards by fulfilling a specification or set of standards. The 3G standards, for example, may correspond to the International Mobile Telecommunications-2000 (IMT-2000) specification, and the 4G standards may correspond to the International Mobile Telecommunications Advanced (IMT-Advanced) specification. AMPS, GSM and UMTS are some examples of cellular network standards. Cellular network standards may use various channel access methods, e.g. FDMA, TDMA, CDMA, or SDMA. Different types of data can be transmitted using different standards and links in some embodiments. Other embodiments allow the transmission of identical data via different standards and links.

The network 104 can be any type or form of network. The network 104’s geographical coverage can vary greatly. It could be a body-area network (BAN), personal area network, local-area network, Intranet, metropolitan area network (MAN), wide area network (WAN), or the Internet. The network 104’s topology can be of any type and could include any combination of: bus, star, ring, tree, or point-to-point. The network 104 could be an overlay network that is virtual and sits on top of one or more layers of other networks 104'. The network 104 can be any network topology known to those of ordinary skill in the art and capable of supporting the operations described herein. The network 104 can use different protocols and layers, such as the Ethernet protocol, TCP/IP, the ATM (Asynchronous Transfer Mode) technique, SONET (Synchronous Optical Networking), or SDH (Synchronous Digital Hierarchy). TCP/IP’s internet protocol suite can include the application layer, transport layer and internet layer (including IPv6). Network 104 could be classified as a broadcast network or a telecommunications network. It also may include a data communication network or computer network.

In some embodiments, multiple servers 106 may be logically grouped. One of these embodiments may refer to the logical grouping of servers as either a server farm 38 (not illustrated) or a computer farm 38. Another embodiment may allow the servers 106 to be geographically dispersed. A machine farm 38 can be managed as one entity in other embodiments. Another embodiment of the machine farm 38 may include a number of machine farms 38. Each machine farm 38 may contain multiple machine farms 38.

In one embodiment, the servers 106 of the machine farm 38 could be stored in rack systems with high density and associated storage systems. They would then be located in an enterprise-level data center. This embodiment consolidates the servers 106 to improve system management, data security, and system performance. Servers 106 are located on high-performance localized networks. The centralization of the servers 106, storage systems, and their coupling with advanced system management tools allows for more efficient use.

The servers 106 of each machine farm 38 do not need to be physically close to the other servers 106 in the same machine farm 38. The group of servers 106 in the machine farm 38 may be connected using either a metropolitan-area network (MAN) or wide-area network (WAN) connection. A machine farm 38 could include servers 106 located on different continents, or in different areas of a country, state, city or campus. The data transmission speeds between the servers 106 of the machine farm 38 can increase if they are connected via a local-area network (LAN) connection, or another type of direct connection. A heterogeneous machine farm 38 could also include servers 106 that operate according to one type of operating system and one or two other servers 106 that run one or several types of hypervisors. Hypervisors can be used in these embodiments to simulate virtual hardware, partition and virtualize physical hardware, and execute virtual machines that allow access to computing environments. Multiple operating systems may run simultaneously on the host computer. Native hypervisors can run directly on the host machine. Hypervisors may include VMware ESX/ESXi, made by VMWare, Inc. of Palo Alto, Calif.; the Xen hypervisor, which is an open-source product whose development was overseen by Citrix Systems, Inc.; and the HYPER-V hypervisors that Microsoft or other companies provide. Hosted hypervisors can run within an operating system, at a second level. VIRTUALBOX and VMware Workstation are two examples of hosted hypervisors.

Management of the machine farms 38 could be decentralized. One or more servers 106 could be composed of components, subsystems, and modules that support one or several management services for the machine farms 38. One or more servers 106 are used to manage dynamic data. This includes techniques for managing failover and replication and for increasing the resilience of the machine farm. Each server 106 can communicate with a persistent store and, in certain embodiments, with a dynamic store.

The server 106 may be a file server, application server, web server, proxy server, gateway server, virtualization server, deployment server, SSL VPN server, or firewall. The server 106 can be called a remote machine, or a node in one embodiment. A plurality of nodes (290) may be located in the path between two communicating servers.

Referring to FIG. 1B, a cloud computing ecosystem is depicted. Client 102 may have access to one or more resources through a cloud computing environment. One or more clients 102a-102n may be part of the cloud computing environment. They can communicate with the cloud 108 via one or several networks 104. Clients 102 could include thick clients, thin clients, or zero clients. Even if the client is disconnected from servers 106 or cloud 108, a thick client can still provide some functionality. To provide functionality, a thin client or zero client might depend on the connection with the cloud 108 and server 106. Zero clients may depend on the cloud 108, other networks 104, or servers 106 for operating system data retrieval. The cloud 108 could include back end platforms such as servers 106, storage, data centers, or server farms.

Cloud 108 can be either public, private or hybrid. Public clouds could include public servers 106 that are managed by third parties for clients 102 or their owners. Servers 106 could be located in remote locations, as described above. The servers 106 may be connected over public networks to other public clouds. Private clouds could include servers 106 that are owned by clients 102. Private clouds can be connected to servers 106 via a private network. Hybrid clouds 108 may connect to both public and private networks 104 and servers 106.

Cloud 108 may also include cloud-based delivery, such as Software as a Service (SaaS) 110, Platform as a Service (PaaS) 112, and Infrastructure as a Service (IaaS) 114. IaaS can refer to renting infrastructure resources for a specific time period. IaaS providers can offer large amounts of storage, networking, servers, or virtualization resources. This allows users to scale up quickly and access more resources as they need them. Examples of IaaS include AMAZON WEB SERVICES provided by Amazon.com, Inc., Seattle, Wash., RACKSPACE CLOUD provided by Rackspace US, Inc., San Antonio, Tex., Google Compute Engine offered by Google Inc., Mountain View, Calif., or RIGHTSCALE supplied by RightScale, Inc., Santa Barbara, Calif. PaaS providers may offer additional resources beyond those of IaaS, such as the operating system, middleware, and runtime resources. Examples of PaaS are WINDOWS AZURE, provided by Microsoft Corporation of Redmond, Wash., Google App Engine, provided by Google Inc., or HEROKU, provided by Heroku, Inc. of San Francisco, Calif. SaaS providers might offer the same resources as PaaS, including storage, networking, servers, virtualization, operating system, middleware, and runtime resources. SaaS providers can offer additional resources, such as data and application resources, in some instances. Examples of SaaS include GOOGLE APPS offered by Google Inc., SALESFORCE offered by Salesforce.com Inc., San Francisco, Calif., or OFFICE 365 offered by Microsoft Corporation. Data storage providers may also be included in SaaS, for example DROPBOX provided by Dropbox, Inc., San Francisco, Calif., Microsoft SKYDRIVE provided by Microsoft Corporation, Google Drive provided by Google Inc., and Apple ICLOUD provided by Apple Inc., Cupertino, Calif.

Clients 102 can access IaaS resources using one or more IaaS standards, such as Open Cloud Computing Interface, Cloud Infrastructure Management Interface (CIMI), and Amazon Elastic Compute Cloud. Clients may be able to access resources via HTTP using some IaaS standards. These standards may use Representational State Transfer (REST), Simple Object Access Protocol, or both. Clients 102 may access PaaS resources using different PaaS interfaces. Some PaaS interfaces may use HTTP packages, JavaMail APIs, Java Data Objects (JDO), Java Persistence APIs (JPA), Python APIs and web integration APIs. These APIs can be used for various programming languages, such as Rack for Ruby, WSGI for Python, PSGI for Perl, or any other APIs that are built on REST, HTTP, XML or other protocols. Clients 102 can access SaaS resources via web-based user interfaces provided by a browser (e.g. GOOGLE CHROME or Microsoft INTERNET EXPLORER). Clients 102 can also access SaaS resources via smartphone or tablet apps, such as Salesforce Sales Cloud or the Google Drive app. Clients 102 can also access SaaS resources via the client operating system. This includes, e.g., the Windows file system for Dropbox.

In certain embodiments, access to IaaS or PaaS resources may be authenticated. A server or authentication server might authenticate a user using security certificates, HTTPS, and API keys. API keys can include different encryption standards, such as Advanced Encryption Standard (AES). Data resources can be sent via Transport Layer Security (TLS) or Secure Sockets Layer (SSL).

The client 102 and server 106 can be deployed on and/or executed from any type of computing device, e.g. a computer, network device, or appliance that can communicate on any type of network and perform the operations described herein. FIGS. 1C and 1D show block diagrams of a computing device 100 that can be used to practice an embodiment of client 102 or server 106. FIGS. 1C and 1D show that each computing device 100 has a central processing unit 121 and a main memory unit 122. FIG. 1C shows that a computing device 100 can include a storage device 128, an installation device 116 and a network interface 118. Display devices 124a-124n, a keyboard 126 and a mouse are also shown. Without limitation, the storage device 128 can include an operating system, software, or software of a simulated phishing attack system 120. FIG. 1D shows that each computing device 100 can also have additional elements, e.g. a memory port 103, a bridge 170, input/output devices 130a-130n (generally referred to using reference number 130) and a cache memory 140 in communication with the central processing unit 121.

The central processing unit 121 is any logic circuitry which responds to and processes instructions from the main memory unit 122. A microprocessor unit is often used to provide the central processing unit 121 in many embodiments, e.g. those manufactured by Intel Corporation, Mountain View, Calif.; those manufactured by Motorola Corporation, Schaumburg, Ill.; the ARM processor and TEGRA system on a chip (SoC), manufactured by Nvidia, Santa Clara, Calif.; the POWER7 processor, manufactured by International Business Machines, White Plains, N.Y.; or those manufactured by Advanced Micro Devices, Sunnyvale, Calif. These processors or any other processor that can operate as described herein may be used in the computing device 100. The central processing unit 121 may use instruction level parallelism or thread level parallelism. It can also utilize different levels of cache and multi-core processors. Multi-core processors may contain multiple processing units within a single component. The AMD PHENOM IIX2, the INTEL CORE i5 and the INTEL CORE i7 are examples of multi-core processors.

The main memory unit 122 may contain one or more memory chips that can store data and allow any storage location to be directly accessed by the microprocessor 121. Main memory unit 122, which may be volatile, can store more data than 128 memory. The main memory unit 122 can be Dynamic random-access memory (DRAM) or any variant thereof, including Burst SRAM or SynchBurst SRAM (BSRAM), Fast Page Mode DRAM (FPM DRAM), Extended Data Output RAM (EDO RAM), Extended Data Output DRAM (EDO DRAM), Burst Extended Data Output DRAM (BEDO DRAM), Single data rate synchronous DRAM (SDR SDRAM), Double data rate SDRAM (DDR SDRAM), Direct Rambus DRAM (DRDRAM), or XDR DRAM. In some embodiments, the main memory 122 or the storage 128 may be non-volatile; e.g., non-volatile read access memory (NVRAM), flash memory, non-volatile static RAM (nvSRAM), Ferroelectric RAM (FeRAM), Magnetoresistive RAM (MRAM), Phase-change memory (PRAM), conductive-bridging RAM (CBRAM), Silicon-Oxide-Nitride-Oxide-Silicon (SONOS), Resistive RAM (RRAM), Racetrack, Nano-RAM (NRAM), or Millipede memory. You can use any of the memory chips described above, or any other memory chips that are capable of operating in accordance with this invention. FIG. 1C shows how the processor 121 communicates with main memory 122 via a system bus 150 (described below). FIG. 1D shows an embodiment of a computing device 100 in which the processor communicates with main memory 122 via a memory port 103. In FIG. 1D, the main memory 122 may be DRDRAM.

In other embodiments, the main processor 121 communicates with cache memory 140 via the system bus 150. Cache memory 140 usually has faster response times than main memory 122 and is typically supplied by SRAM, BSRAM, or EDRAM. FIG. 1D shows how the processor 121 communicates via a local bus 150 with I/O devices 130. There are many buses that can be used to link the central processing unit 121 with any I/O device 130. These include a PCI bus, a PCI-X bus, a PCI Express bus, or a NuBus. In embodiments where the I/O device is a video display 124, the processor 121 can use an Advanced Graphics Port to communicate with the display 124 or the I/O controller 123 for the display 124. FIG. 1D shows an example of a computer 100 where the main processor 121 can communicate directly with I/O device 130b or other processors via HYPERTRANSPORT or RAPIDIO communications technology. FIG. 1D also shows an embodiment where local buses and direct communications are combined: processor 121 communicates directly with I/O device 130a via a local interconnect bus, while I/O device 130b uses a local bus to communicate with it.

The computing device 100 may contain a variety of I/O devices 130a-130n. Trackpads and trackballs can be used as input devices. Video displays, graphical displays and speakers can be output devices.

Devices 130a-130n may contain multiple input or output devices, such as Microsoft KINECT, Nintendo Wiimote, Nintendo WII U GAMEPAD or Apple IPHONE. Some devices 130a-130n can combine some inputs and outputs to allow gesture recognition inputs. Some devices 130a-130n allow facial recognition, which can be used for authentication or other commands. Some devices 130a-130n provide voice recognition and inputs, such as Microsoft KINECT, SIRI for IPHONE by Apple, or Google Now.

Additional devices 130a-130n can be used as both input and output devices. They include haptic feedback devices and touchscreen displays. Multi-touch screens, touchpads and touch mice may use different technologies to sense touch. These technologies include capacitive, surface capacitive, projected capacitive touch (PCT), resistive, infrared, waveguide, dispersive touch (DST), in-cell optical, surface acoustic wave (SAW), bending wave touch (BWT) or force-based sensing technology. Multi-touch devices can allow for two or more contact points with the surface, which allows advanced functionality such as pinch, rotate, scroll or other gestures. Some touchscreen devices, such as Microsoft PIXELSENSE and Multi-Touch Collaboration Wall, may have larger surfaces, like on a table-top or on a wall. They may also interact with other electronic devices. Some I/O devices 130a-130n, display devices 124a-124n, or groups of devices could be augmented reality devices. An I/O controller 123 may control the I/O devices, as shown in FIG. 1C. An I/O device can also provide storage and/or an installation medium for the computing device 100. Other embodiments may also provide USB connections (not illustrated) for receiving handheld USB storage devices. An I/O device 130 can be used as a bridge between the system bus 150 and external communication buses, e.g. a USB bus, a SCSI bus, a FireWire bus, an Ethernet bus, a Gigabit Ethernet bus, a Fibre Channel bus, or a Thunderbolt bus.

In some embodiments, display devices 124a-124n can be connected to the I/O controller 123. Display devices include liquid crystal displays (LCD), thin-film transistor LCD (TFT-LCD), blue-phase LCD, electronic paper (e-ink) displays, and liquid crystal on silicon (LCOS) displays. Examples of 3D displays include stereoscopy, active shutters, and polarization filters. Display devices 124a-124n can also be head-mounted displays (HMD). In some embodiments, display devices 124a-124n and the corresponding I/O controllers 123 can be controlled through, or have hardware support for, OPENGL, the DIRECTX API, or other graphics libraries.

In some instances, the computing device 100 can connect to multiple display devices 124a-124n, which may be of the same type or of different types. Any of the I/O devices 130a-130n or the I/O controller 123 can include any type or combination of hardware and software to enable, support, or provide for multiple display devices 124a-124n. The computing device 100 could include any type or form of video adapter, video card, driver and/or library to connect, communicate with, or otherwise use multiple display devices. Software may be developed and built to work with another computer’s display device 124a. One example is that an Apple iPad can connect to a computing device 100, and the display of the device 100 may be used as an additional screen. This could allow the user to use the device 100’s display as an extended desktop. A computing device 100 can be configured to support multiple display devices 124a-124n. One who is skilled in the art will appreciate and recognize the many ways that this configuration may be possible.

“Referring to FIG. “Referring again to FIG. One or more hard drives, or redundant arrays or independent disks, for the storage of an operating system or related software. Also for storing software programs related to the simulated hacking attack system software 120. One example of a storage device 128 is a hard disk drive (HDD), optical drive including CD, DVD, or Blu-ray drive; solid-state drives (SSD); USB flash drive; and any other device that can store data. Many storage devices can include both volatile and nonvolatile memories. This includes solid-state hybrid drives, which combine hard disks with solid states cache. One storage device 128 could be read-only, non-volatile or mutable. One storage device 128 could be internal and connect via a bus 150 to the computing device 100. One storage device 128 can be external and connects to the computing device 100 via an I/O device 130. This provides an external bus. One storage device 128 can connect to the computing devices 100 via the network interface 118. This network 104 includes, e.g. the Remote Disk For MACBOOK AIR from Apple. Client devices 100 may not need a non-volatile data storage device 128. They may also be thin clients or zero clients. A storage device 128 can also be used to install software or programs 116. The operating system and software can also be run from a bootable media, such as a CD or DVD. KNOPPIX is a bootable CD that runs GNU/Linux. It can be downloaded from knoppix.net.

Client device 100 can also download software from an application distribution platform. The App Store for iOS, provided by Apple, Inc., is the Mac App Store provided to Apple, Inc., GOOGLE LAY for Android OS provided o Google Inc., Chrome Webstore CHROME OS provided o Google Inc., Amazon Appstore for Android OS, KINDLE FIRE, provided by Amazon.com, Inc., are all examples of application distribution platforms. A repository of applications may be included in an application distribution platform. This can be on a server (106) or cloud 108 that clients 102 a-102n can access via a network (104). A distribution platform could include applications developed by different developers. An application distribution platform allows users of client devices 102 to select, buy and/or download applications.

“Moreover, the computing device 100 can include a network interface 118 that allows it to connect to the network 104 via a variety connections such as standard telephone lines LAN/WAN links (e.g. 802.11, T3, Gigabit Ethernet and Infiniband), broadband connections (e.g. ISDN, Frame Relay ATM, Gigabit Ethernet or Ethernet-over-SONET), ADSL, VDSL BPON, GPON or fiber optical including FiOS), or a combination of all of these connections. TCP/IP can establish connections using a variety communication protocols, such as Ethernet, ARCNET and SONET, SDH. Fiber Distributed Data Interface (FDDI), IEEE 802.21/b/g/n/ac CDMA. GSM, WiMax, and direct asynchronous connections. One embodiment shows that the computing device 100 can communicate with computing devices 100. Any type and/or combination of tunneling protocols or gateways, e.g. Secure Socket Layer, Transport Layer Security, or Citrix Gateway Protocol, manufactured by Citrix Systems, Inc., Ft. Lauderdale, Fla. The network interface 118 can include a built-in network connector, network card or PCMCIA network card. It may also contain an EXPRESSCARD networkcard, EXPRESSCARD card network card, card bus adapter and wireless network adapter. Modems, or any other device that is capable of interfacing with the computing device 100 to any network that can communicate the operations described in this article.

A computing device 100 of the type shown in FIGS. 1B and 1C can be controlled by an operating system that controls access to system resources and scheduling. Any operating system can run on computing device 100, including any version of MICROSOFT WINDOWS, any Unix or Linux release, any embedded operating system, any real-time operating system, any proprietary operating system, any mobile operating system, or any other operating system capable of running on the device. Examples include WINDOWS 2000, WINDOWS Server 2012, WINDOWS CE, WINDOWS Phone, WINDOWS XP, WINDOWS VISTA and WINDOWS 7, all manufactured by Microsoft Corporation of Redmond, Wash.; MAC OS and iOS; and Linux, a freely available operating system, e.g. the Linux Mint distribution ("distro"). Some operating systems, such as CHROME OS from Google, can be used on thin clients or zero clients.

The computer system 100 may be any computing device that can communicate with a computer network, such as a desktop, notebook computer, telephone, netbook, ULTRABOOK, tablet, server, handheld computer, mobile telephone, smartphone or other mobile computing device, media player, gaming system, or any other form of computing, telecommunications, or media device. The computer system 100 has sufficient memory and processor power to carry out the operations described. The computing device 100 can have different operating systems and processors depending on its configuration. Samsung GALAXY smartphones, for example, are controlled by the Android operating system developed by Google, Inc. GALAXY phones receive input via a touch interface.

In some embodiments, a computing device 100 may be a gaming system. The computer system 100 could include, for example, a PLAYSTATION 3, PERSONAL PLAYSTATION PORTABLE (PSP), or PLAYSTATION VITA manufactured by the Sony Corporation, Tokyo, Japan; a NINTENDO DS, NINTENDO 3DS, NINTENDO WII, or NINTENDO WII U manufactured by Nintendo Co., Ltd., Kyoto, Japan; or an XBOX 360 manufactured by Microsoft Corporation, Redmond, Wash.

In certain embodiments, the computing device 100 is a digital audio player, such as the Apple IPOD Touch and IPOD NANO lines of devices manufactured by Apple Computer in Cupertino, Calif. Some digital audio players may offer other functionality, such as a gaming system, or functionality made available by applications from a digital application distribution platform. The IPOD Touch, for example, can access the Apple App Store. The computing device 100 may be a portable media player or digital audio player that supports file formats such as MP3, WAV, M4A/AAC, Protected AAC, AIFF, .mov, and H.264/MPEG-4 AVC video file formats.

In certain embodiments, the computing device 100 is a tablet, e.g. the IPAD line of Apple devices, the GALAXY TAB series of Samsung devices, or KINDLE FIRE by Amazon.com, Inc., Seattle, Wash. The computing device 100 can also be an eBook reader, e.g. the KINDLE family of devices by Amazon.com or the NOOK family of devices by Barnes & Noble, Inc., New York City, N.Y.

In some embodiments, the communications device 102 may include a combination of devices, e.g. a smartphone combined with a digital audio player or portable media player. One example of these embodiments is a smartphone, e.g. the IPHONE smartphone family manufactured by Apple, Inc., the Samsung GALAXY smartphone family manufactured by Samsung, Inc., or the Motorola DROID smartphone family. In another embodiment, the communications device 102 is a computer or laptop that has a web browser and a microphone and speaker system, e.g. a telephony headset. These communications devices 102 can be web-enabled to receive and initiate calls. A laptop or desktop computer may also be equipped with a webcam or another video capture device that allows for video chat and video calling.

In some embodiments, one or more machines 102 and 106 are monitored as part of network management. In one of these embodiments, the machine’s status is identified, such as the number of processes running on it and their CPU utilization and memory usage, port information (the available communication ports and port addresses), or session status (the type and duration of processes and whether they are active or inactive). In another of these embodiments, this information is identified by a plurality of metrics, and the plurality of metrics may be used at least partially to make decisions regarding load distribution, network traffic management and network failure recovery, as well as other aspects of the operations described herein. Aspects of the components and operating environments described above will become apparent in the context of the systems and methods described herein.

B.

This disclosure generally refers to systems and methods of using smart user groups (also known as dynamic groups) in computer-based security awareness training systems. Some systems and methods add users to user groups based on the users' interactions with simulated phishing attacks and with remediation training. These systems and methods enable a server to add a user of a first user group to a second user group if that user interacts with a simulated phishing email. In some embodiments, a user is removed from one user group when added to another: the user who is added to the second user group is then removed from the original user group. The server can also electronically track the remediation training that the user has completed. In some cases, the server will add the user back to the original user group. The server can automatically add the user to any of the user groups if it detects an event related to the user.

In some embodiments, users can remain members of the same user group even if they are added to another group. The user can, for example, remain a member of the first user group even if the user is added to a second user group. As another example, the user does not lose their membership in the second user group if they are added back to the first user group or added to a third user group.

A simulated phishing attack can be used to test security systems or users in order to prevent malicious actions. For example, a simulated phishing attack could target a large number of users, such as employees. The attack can be carried out by a party that is friendly or neutral to the targets of the simulated attack. In one type of simulated phishing attack, an attempt is made to extract sensitive information using phishing methods. Any information that is obtained is not used maliciously but is part of a process to detect security weaknesses. Simulated phishing attacks can expose weaknesses in security and help to minimize risk. Targeted, real-time training can improve user knowledge.

The following is a method for adding users to user groups. The system administrator (or a third party acting on behalf of security managers) creates a simulated phishing email template that is used to generate simulated phishing emails. These emails can be disguised as emails from an employee of the company. The email could be designed to appear interesting, offering the user access to interesting news, useful software, knowledge about money-making schemes, or other information. The email might ask the user to respond to it or to transfer money to an attacker’s account and send a reply email confirming that the money was transferred. A simulated phishing campaign manager creates a simulated phishing campaign based on selections made either by the system administrator or by another person. The system administrator chooses the first user group, which contains the users who will be part of the simulated campaign. The system administrator creates a second user group to include users who interact with the simulated phishing email. This second user group is used for electronically tracked remediation training. The selection of the first and second user groups is sent to the system.

The system sends one or more simulated phishing emails to users in the first user group, according to the simulated campaign that was created. If a user from the first user group interacts with a simulated phishing email of the campaign, the server receives a first indication. The server responds to the first indication by adding the user, who is a member of the first user group, to the second user group. Examples of a user interaction with a simulated phishing email are sending a reply to the email or forwarding it. Clicking on a link within the email is also a user interaction with a simulated phishing email. The server may track the number of times the user interacts with links in simulated phishing emails and add the user to that group when the threshold is reached. In some embodiments, the server detects an event and adds the user to another user group in response.

Once a user is added to the second user group responsive to interacting with a simulated phishing email from a campaign, they start to receive electronically tracked remediation training. The server receives a second indication once the user has completed the remediation training. The server responds to the second indication by adding the user to the first user group or to a third user group. The server may track the number of courses of electronically tracked remediation training that the user has taken. The server may automatically add the user to the second user group, corresponding to the number of courses that the user has taken. In some cases, the server adds the user, who is a member of the second user group, back to the original user group. This applies to embodiments where the user has been removed from the first group or to a third group based on the number of courses of electronically tracked remediation training completed. In further embodiments, the user is removed from the second user group when added to the predetermined group, or when added back to the first user group or added to the third user group.
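The method above can be read as a small event handler on the server: a first indication (interaction with a simulated phishing email) moves the user into the remediation group, and a second indication (completed training) moves them back out. The sketch below is an added example, not code from the disclosure; the group names, thresholds and the `remove_on_move` switch are assumptions chosen to cover both the "removed when added" and the "remains a member" embodiments.

```python
from dataclasses import dataclass

INTERACTIONS = ("click", "reply", "forward")


@dataclass
class GroupPolicy:
    """Group names and thresholds; every value is an assumption of this example."""
    first_group: str = "campaign-targets"
    second_group: str = "remediation"
    return_group: str = "campaign-targets"  # the first group again, or a third group
    interaction_threshold: int = 1          # interactions needed before the move
    courses_required: int = 1               # completed courses needed to move back
    remove_on_move: bool = True             # False: user keeps the old membership


class GroupServer:
    """Keeps group membership and reacts to the two indications."""

    def __init__(self, policy, members):
        self.policy = policy
        names = (policy.first_group, policy.second_group, policy.return_group)
        self.groups = {name: set() for name in names}
        self.groups[policy.first_group].update(members)
        self.interactions = {}  # user -> interactions since last remediation
        self.courses = {}       # user -> courses completed since last interaction
        self.audit = []         # (user, from_group, to_group, reason)

    def _move(self, user, src, dst, reason):
        self.groups[dst].add(user)
        if self.policy.remove_on_move and src != dst:
            self.groups[src].discard(user)
        self.audit.append((user, src, dst, reason))

    def on_interaction(self, user, kind):
        """First indication. Returns True if the user changed groups."""
        if kind not in INTERACTIONS:
            raise ValueError(f"unknown interaction: {kind}")
        p = self.policy
        if not any(user in members for members in self.groups.values()):
            return False  # not a tracked user, nothing to do
        self.interactions[user] = self.interactions.get(user, 0) + 1
        self.courses[user] = 0  # course count restarts after each interaction
        if user in self.groups[p.second_group]:
            return False  # already assigned remediation training
        if self.interactions[user] < p.interaction_threshold:
            return False
        src = p.first_group if user in self.groups[p.first_group] else p.return_group
        self._move(user, src, p.second_group, f"{kind} on simulated phishing email")
        return True

    def on_course_completed(self, user):
        """Second indication. Returns True if the user changed groups."""
        p = self.policy
        if user not in self.groups[p.second_group]:
            return False  # training was not assigned through this workflow
        self.courses[user] = self.courses.get(user, 0) + 1
        if self.courses[user] < p.courses_required:
            return False
        self._move(user, p.second_group, p.return_group, "remediation training completed")
        self.interactions[user] = 0
        return True
```

The `audit` list records every membership change with its reason, which is what an administrator would review to confirm that a group used for a campaign reflects current training status.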

Referring to FIG. 2A in a general overview, FIG. 2A shows some of the architecture of a system 200 that can add users to user groups in response to events. In response to events, the system 200 can also remove users from user groups.

Referring to FIG. 2A in greater detail, the system 200 includes a server 106. The server 106 includes a user group management function 212 that interacts with a simulated phishing campaign manager 250, which is responsible for the execution of the simulated phishing campaign. Further, the server 106 includes an event tracker 234, a phishing email interaction tracker 235, a remediation training tracker 236, and a user group selector 238. The user group management function 212 includes a user group management application 214, a phishing email user interaction counter 221 and a user remediation training completion counter 218. The server 106 has several storage modules: storage 240 holds remediation training, storage 241 holds users, storage 242 holds user groups, and storage 244 holds simulated phishing emails.

Each of the server 106, user group management function 212, user group management application 214, phishing email user interaction counter 217, user remediation training completion counter 218 and user group selector 238 may comprise a program, service, task, script, library, application, or any other type of executable instructions or code that can be executed on one or more processors. Any of the server 106, user group management function 212 and user group management application 214 can be combined into one or more modules, applications, programs, services or scripts.

The simulated phishing campaign manager 250 includes a simulated phishing email generator 254, which may be implemented as or contain a virtual machine 256. Responsive to user input, the simulated phishing campaign manager 250 generates a campaign for a simulated phishing attack. The campaign includes one or two selected phishing templates, one or more chosen landing page templates, and one or more targeted user groups.

In an implementation, system 200 includes a server 106. The server 106 may be part of a cluster of servers. In some cases, the tasks performed by server 106 can be shared by multiple servers. These tasks can be allocated among the cluster of servers by an application, service or daemon routine. Server 106 can include memory and a processor.

In an implementation, system 200 also includes a client 102. The client may contain a communications module 266, a user interface 266, and a display 268, as well as a messaging application 272. In some cases, the client can also include a communications program 264. Client 102 can interact with server 106 via a network 104.

In certain embodiments, the server contains a simulated phishing campaign manager 250 that may manage different aspects of a simulated attack campaign. The simulated phishing campaign manager 250, for example, may process input from server 106 and/or provide access as required to various software components of server 106. The simulated phishing campaign manager 250 may monitor and control the timing of various aspects of an attack campaign, process requests for access to simulated attack campaign results, and/or perform other tasks related to the management and operation of an attack campaign.

In some cases, the simulated phishing campaign manager 250 can be integrated or coupled with memory 122. In some embodiments, the memory can include any type of storage, such as a file system or database. The memory 122 can store parameters and scripts that are associated with a specific simulated phishing campaign. For example, memory 122 could store scripts and parameters that correspond to the selections made by server 106 via simulated phishing campaign manager 250. A simulated phishing attack is described as follows:

In an implementation, the simulated phishing campaign manager 250 includes a simulated phishing email generator 254. The simulated phishing email generator 254 may be integrated or coupled with the memory 122, which allows it to access parameters associated with the messaging choices made for a specific simulated campaign, e.g. by the server 106. The simulated phishing email generator 254 can be integrated or coupled with memory, a memory store, or other storage, such as a database, containing failure remediation training 241; containing users 241; containing user groups 242; or containing simulated phishing emails 244. The simulated phishing email generator 254 could be an application, service, daemon or routine that generates messages. The simulated phishing email generator 254 can generate messages in any format: text messages, email messages, messages sent by specific messaging applications such as WhatsApp, or other types of messages, chosen by e.g. a server 106 using the simulated phishing campaign manager 250. The messages can be generated in any appropriate manner, e.g. by running an instance of an application that generates the desired type of message, such as Gmail, or by running a messaging application. Messages can be formatted to conform with particular messaging platforms such as Outlook 365, Outlook Web Access, Webmail, iOS, Gmail client and so forth.

In certain embodiments, the simulated phishing email generator 254 may be configured to generate messages that can traverse users who interact with them to a particular landing page.

In certain embodiments, the simulated phishing email generator 254 can be used to generate a simulated phishing email. The email can appear to have been sent from a trusted address, such as an email address belonging to an executive at the company where the target is employed. The email may also have a "Subject:" field designed to prompt the user to perform an action, such as initiating a wire transfer. The simulated phishing email generator 254 may generate one or more simulated phishing emails that are stored in the simulated phishing emails storage 244. The simulated phishing email generator 254 may generate multiple instances of an email that can be sent to different users from the users storage 241, such as employees or a subset of them. The simulated phishing email generator 254 may generate multiple instances of an email that can be delivered to a user who is stored in the users storage 242. The server 106, for example, can choose any number of employees to be the targets of a simulated attack and can create a user group, which can then be stored in the user groups storage 246. The simulated phishing email generator 254 can retrieve this information and generate emails similar to the original email, each addressed to a target identified in the information stored within the memory 122. The simulated phishing email generator 254 can generate the emails such that the "From:" and "Subject:" fields of each email are identical, while the "To:" field is modified according to the targets.

The event tracker 234 detects and tracks events that are associated with users in a simulated phishing campaign. An event can be any activity, interaction or behavior that occurs in conjunction with a user or a simulated campaign. In one embodiment, an event is the number of interactions a user has had with a simulated phishing email. In another embodiment, an event is the number of courses of electronically tracked remediation training that the user has completed since the last time they interacted with a simulated phishing email. In one embodiment, an event is a series of simulated campaigns that were run since the last time the user interacted with a simulated phishing email. In one embodiment, an event is the time since the user's last interaction with a simulated phishing email. In one embodiment, an event is the time since the user completed an electronically tracked remediation training course.

The user group management function 212 includes a user group management application 214, which manages the addition of users to user groups. In some cases, the user group management application 214 can also remove a user from a group. In one embodiment, the user group management application 214 adds a user to another user group in response to the user's interaction with a simulated phishing email. The user group management application 214 can also remove a user from one user group after they are added to another user group in response to the user interacting with the simulated phishing email. The user group management application 214 can manage the addition of a user to another user group in response to the completion of electronically tracked remediation training. The user group management application 214 can also remove the same user from a user group when they are added to another user group in response to the completion of electronically tracked remediation training. In one embodiment, the user group management application 214 adds users to other user groups in response to an event related to the simulated phishing campaign. In a further embodiment, the user group management application 214 removes the same user from one user group after the user is added or removed to another user group in response to an event related to the simulated phishing campaign.

The user group management function 212 also includes a phishing email user interaction counter 216, which tracks, counts and/or manages the interactions of users with simulated phishing emails. In one embodiment, the phishing email user interaction counter 216 tracks how many times users interact with a given simulated phishing email. In another, it keeps track of the number of times any given user interacts with simulated phishing emails. In another, it keeps track of how long it takes for a user to interact with a specific simulated phishing email or any other simulated phishing email. In one embodiment, the phishing email user interaction counter 216 tracks the user’s interactions with a specific simulated phishing email, including the number and type of clicks that the user makes on a link in the email, or the number of times the user replies to or forwards a simulated phishing email.

The phishing email interaction tracker 235 detects and tracks user interactions with simulated phishing emails using the phishing email user interaction counter 216. The phishing email interaction tracker 235 may receive indications from the phishing email user interaction counter 221 whenever a user interacts with a simulated phishing email. The phishing email interaction tracker 235, for example, uses the phishing email user interaction counter 216 to track user interactions, which may be counted or stored in a database. The phishing email interaction tracker 235 detects and tracks when the user clicks on a link in a simulated phishing email, and when the user responds to a simulated phishing email. In one embodiment, the phishing email interaction tracker 235 detects and tracks when the user forwards a simulated phishing email.

The user group management function 218 also includes a user remediation training completion counter 218, which counts, tracks, and/or manages remediation training and courses. In one embodiment, the user remediation training completion counter 218 keeps track of how many courses of user remediation training an individual has taken. In one embodiment, it keeps track of whether a user has completed a specific type of user remediation training. In one embodiment, it tracks whether the user has completed any subset or minimum of the electronically tracked remediation training. The user remediation training completion counter 218 tracks the time the user spent on electronically tracked remediation training, and the time it took for the user to complete the electronically tracked remediation training.

The remediation training tracker 236 detects and tracks any electronically tracked remediation training that has been assigned to a user, using the user remediation training completion counter 218. The remediation training tracker 236 may receive indications from the counter 218 that a user has completed remediation training. The remediation training tracker 236 may use the user remediation training completion counter 218 to track any electronically tracked remediation training that has been assigned to users; this information can be counted and stored in a database. The remediation training tracker 236 tracks one or more courses of the electronically tracked remediation training. In one embodiment, it tracks one or more live or in-person trainings that are assigned to users. In one embodiment, it tracks both mandatory and non-mandatory training. In one embodiment, it tracks the time spent on remediation training. The remediation training tracker 236 tracks how many courses of electronically tracked remediation training the user has completed in a certain time period.

The user group selector 238 chooses a user for a simulated phishing campaign. A user group can contain a list of users or a collection of users that are identified by a username or user identifier. The user group selector can select a group of users to which to add a user or from which to delete a user, based on how the user has interacted with training, events, simulated phishing campaigns, and other factors. The user group selector 238 can use the processor, for example, to select one or more storage modules (e.g. users storage 241 or user groups storage 242) in which to add or delete the user. In one embodiment, the user group selector 238 selects a user group to which users are added if they interact with simulated phishing emails. In one embodiment, the user group selector 238 selects a user group to which users are added if they interact with a simulated phishing email and then complete the electronically tracked remediation training. In one embodiment, the user group selector 238 allows the simulated phishing campaign manager to choose predetermined groups to which users are added in response to certain events.

In an implementation, the simulated phishing campaign manager 250 may be another name for a system administrator, such as a security manager or third-party security consultant. Server 106 might want to conduct a simulated attack using the installed simulated phishing campaign manager 250. The simulated campaign manager 212 could be a desktop, laptop, mobile, or other computing device. For example, the simulated phishing campaign manager 250 could be an application that allows a user to interact with server 106 for the purpose of creating, configuring and/or tailoring a simulated phishing attack and/or viewing, processing, and/or analyzing the results of such an attack.

The simulated phishing campaign manager 250 causes a graphical user interface to be displayed on the server 106. In other embodiments, the simulated phishing campaign manager 250 allows user input via a non-graphical interface, such as a user interface that accepts text or vocal input but does not display an interactive image. The graphical user interface can be displayed on a mobile phone screen, on a monitor connected to a desktop or laptop computer, or on any other display. The user can interact with the graphical user interface by typing, tapping, speaking, clicking a mouse, or using any other method of interacting with an interface. A web browser (e.g. GOOGLE CHROME, Microsoft INTERNET EXPLORER, or Mozilla Firefox provided by the Mozilla Foundation of Mountain View, Calif.) may provide a web-based interface for the graphical user interface, or an application that can open a network connection to the simulated phishing campaign manager 250, or any other type of interface, may be installed on the user device.

In an implementation, the simulated phishing campaign manager 250 or server 106 can make choices about how to execute a simulated attack. A graphical user interface run by the simulated phishing campaign manager 250 may be displayed to the server 106. The server 106 allows users to input parameters that affect how the attack is executed. A user can, for example, choose which users will be targeted in an attack, as well as the timing and method of the attack. These choices can be made by selecting options from dropdown menus or by being presented with options through a simulated attack wizard.

In an implementation, the simulated phishing campaign manager 250 may permit the server 106, e.g. via application programming interfaces (APIs), to access and/or modify settings of an account maintained with any party involved with the attack. It may also allow the user group management function 212 to access and/or modify settings of an account maintained with a third-party security service provider, e.g. one that manages an exploit server, to view bills and/or pay a third-party security service provider, to perform these functions with other third parties, or to perform any other functions necessary to facilitate communications between server 106 and any other parties involved in the attack.

The system 200 also includes the client 102. A client may be a target of any simulated phishing attack. The client could be an employee, member or contractor of an organization that is conducting a security checkup or performing ongoing simulated attacks to maintain security. Any device that the client uses may be considered a client 102. The client does not need to own a device for it to be considered a client device 102. Any computing device may be a client 102, including a desktop computer or laptop. In some cases, the client 102 could be a server or a set of servers that the client accesses. The client could be an employee or member of an organization, for example, and may access a server that is owned, managed, or otherwise associated with the organization. Such a server could be a client 102.

In some embodiments, client 102 may also include a user interface 266, such as a keyboard or mouse, or any other suitable user interface. The user interface may be connected directly to client 102, such as a keyboard connected to a mobile phone, or indirectly to client 102, such as a user interface of a client device used to access a server client 102. Client 102 may include a display 268, such as a screen connected to the device in some way, or another display.

In an implementation, client 102 might include a messaging application 270. The messaging application 270 may be any application that can view, edit, and/or send messages. The messaging application 270, for example, may be an instance of an application that allows viewing of the desired message type, such as any web browser, Gmail or any other email client, Microsoft Outlook, WhatsApp, or any other suitable application. In some instances, the messaging application 270 can display simulated phishing attack emails. The messaging application 270 can also be configured to allow the target to reply to or forward the messages it displays.

In certain embodiments, the client 102 may include a communications module 264. This could be a library, an application programming interface (API), a set of scripts, or any other code that facilitates communications between client 102 and any server 106, third-party server, or other server. The communications module 264 may determine when information should be transmitted from client 102 to external servers over a network. The information sent by the communications module 262 may correspond to an email message generated by the messaging application 270.

In certain embodiments, the server 106 contains a simulated phishing campaign manager 250. The simulated phishing campaign manager 250 analyzes which phishing templates are most successful in generating user failures when they are used in a simulated attack. The simulated phishing campaign manager 250 also determines the most frequent failure types for a particular template. The simulated phishing campaign manager 250 can perform additional analysis across many templates to determine which failure indicators lead to the highest failure rate.

For example, the simulated phishing campaign manager 250 could include data from targets, records of failures (e.g. a list of who replied to a simulated phishing email), systemic or other security precautions in place during the simulated attacks, time logs, user IDs, data detailing attack results, and data that links these together. The server 106 may view, save, share, or print the attack results, or perform any other action with them. The simulated phishing campaign manager 250 may analyze the attack results upon request from the server 106. This analysis could include, for example, determining which users pose a security threat because they have a high number of failures beyond a threshold, or evaluating whether security systems are working, e.g. by correlating the presence of such security systems with a lower than average rate of failures. The simulated phishing campaign manager 250 might allow an attack manager to see, via a graphical user interface running on the attack management app 214, a timeline showing overall failure rates. This may help to determine whether a security policy that was implemented at a specific time was effective.
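The three analyses named above (failure rate and dominant failure type per template, users beyond a failure threshold, and failure rate before and after a policy date) can be computed from a flat list of attack results. The following is an added example, not code from the disclosure; the record layout, template names and dates are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample results: (user, template, sent_on, failure type or None).
RESULTS = [
    ("alice", "wire-transfer", date(2024, 1, 8), "reply"),
    ("bob", "wire-transfer", date(2024, 1, 8), "click"),
    ("carol", "wire-transfer", date(2024, 1, 8), None),
    ("alice", "package-notice", date(2024, 2, 5), "click"),
    ("bob", "package-notice", date(2024, 2, 5), None),
    ("carol", "package-notice", date(2024, 2, 5), None),
    ("alice", "wire-transfer", date(2024, 3, 4), "reply"),
    ("bob", "wire-transfer", date(2024, 3, 4), None),
    ("carol", "wire-transfer", date(2024, 3, 4), None),
]


def template_stats(results):
    """Per template: emails sent, failures, failure rate, most frequent failure type."""
    sent = Counter()
    failures = defaultdict(Counter)
    for _user, template, _day, failure in results:
        sent[template] += 1
        if failure is not None:
            failures[template][failure] += 1
    rows = []
    for template, count in sent.items():
        failed = sum(failures[template].values())
        top = failures[template].most_common(1)
        rows.append({
            "template": template,
            "sent": count,
            "failed": failed,
            "rate": failed / count,
            "top_failure": top[0][0] if top else None,
        })
    # Highest failure rate first: the templates users most need training on.
    return sorted(rows, key=lambda row: row["rate"], reverse=True)


def users_over_threshold(results, threshold):
    """Users whose number of failures is beyond the threshold, sorted by name."""
    per_user = Counter(user for user, _t, _d, failure in results if failure is not None)
    return sorted(user for user, count in per_user.items() if count > threshold)


def failure_rate_split(results, policy_date):
    """Failure rate before and from policy_date on; None for an empty period."""
    buckets = {"before": [0, 0], "after": [0, 0]}  # [failed, sent]
    for _user, _template, day, failure in results:
        bucket = buckets["before" if day < policy_date else "after"]
        bucket[1] += 1
        if failure is not None:
            bucket[0] += 1
    return {name: (failed / sent if sent else None)
            for name, (failed, sent) in buckets.items()}
```

A drop between the two periods is only a correlation with the policy date; comparing the same templates in both periods makes the comparison more meaningful.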

In certain embodiments, the simulated phishing campaign manager 250 can process reply emails sent from clients to the server 106. The simulated phishing campaign manager 250 can, for example, be set up to process reply emails from target clients 260 in order to identify the recipients of those emails. The unique identifiers contained in each reply email sent by the server may help determine the identities of the targets.

The system 200 could include a network 104. The network 104 can be of any type or form. The network 104’s geographical coverage can vary greatly. It could be a body-area network (BAN), a personal area network, a local-area network, an intranet, a metropolitan area network (MAN), a wide area network (WAN), or the Internet. The network 104’s topology can be of any type and could include any combination of point-to-point, bus, star, ring, mesh, or tree. The network 104 could be an overlay network that is virtual and sits on top of one or more layers of other networks 104. The network 104 can use any network topology known to those of ordinary skill in the art that is capable of supporting the operations described. The network 104 can use different protocols and layers, such as the Ethernet protocol, TCP/IP, ATM (Asynchronous Transfer Mode), SONET (Synchronous Optical Networking), or SDH (Synchronous Digital Hierarchy). The TCP/IP internet protocol suite can include the application layer, transport layer, and internet layer (including IPv6). The network 104 could be classified as a broadcast network or a telecommunications network. It may also include a data communication network or computer network.

The network 104 links the client 102 and the server 106. The client 102 includes a communications module 266, a user interface 266, a display 268, and a messaging app 270. The client 102 receives email from the server 106. The email is based on the campaign created by the simulated phishing campaign manager 250. The client 102 can receive the simulated phishing email via the messaging app 270, display it to the user via the display 268, and allow the user to interact with the email using the user interface 266. Through the simulated phishing email, the client can navigate to the landing page that is used by the simulated phishing campaign manager 250.

Referring to FIG. 2B in a general overview, FIG. 2B shows an architecture that can implement smart groups. System 200 can include additional architectural elements that provide smart group functionality in some embodiments. Server 106 may include smart group criteria selector 274, smart group criteria tracker 276, and smart group reporter 281. System 200 could include smart group criteria 272 or additional storage. Smart group management application 271 may be included in system 200.

Referring to FIG. 2B in greater detail, system 200 might include smart group criteria selector 274, which allows a system administrator or company administrator to select one or more criteria that can be applied to or associated with a smart group. Smart group criteria tracker 276 monitors and updates all criteria that could be applied to or associated with a smart group. Smart group reporter 280 creates reports about members of smart groups. Smart group management application 271 can be used to create the membership of the smart groups at the time that an indication is given that the smart groups are to be used in the computer-based security awareness system. Smart group storage 272 can be used to store one or more criteria that are associated with a smart group. Smart group criteria storage 273 can be used to store all criteria that could be applied to or associated with a smart group. Smart group membership lists are created only when they will be used and are not kept as static group membership lists. Some embodiments allow for the preservation of historical smart group membership lists to permit administrators to see changes in smart group population. Administrators can request a list of the current members of a smart group, which causes the criteria of the smart group to be queried to generate the list. This ensures that the membership list does not become outdated. Smart groups are not only useful for simulated phishing campaigns, report generation, or training campaigns.

Each of the server 106, user group management function 212, user group management application 214, phishing email interaction counter 216, user remediation tracking counter 218, phishing email interaction tracker 235, remediation tracker 236, simulated phishing campaign manager 250, user interface manager 252, smart group manager 254, smart group criteria selector 274, smart group criteria tracker 276, smart group reporter 280, and smart group management application 271 may contain a program, service, task, script, library, application, or any other type of executable instructions and/or code that can be executed on one or more processors. Any of these programs, services, scripts, libraries, or executable code can be combined to create one or more modules.

In certain embodiments, system administrators or company administrators may be able to use the smart group management application 271 to create one or more smart groups with unique identifiers such as a name, number, handle, or any other unique identifier known in the art. The smart group management application 271 can be coupled to or integrated into the memory 122 so that it can access parameters related to users, user groups, smart groups, smart group criteria, remediation, training, and other parameters that are associated with computer-based security awareness training. The server 106 and any module or component of server 112 may be integrated or coupled with memory, a memory store, or other storage, such as a database of server 106, or another device such as an external server, data source, or software system that may contain information about the plurality.

The administrator might wish to apply a smart group to all users or to a selected subset of them.

The smart group management application 271 allows the administrator to rename or merge existing smart groups. Smart group criteria selector 274 can be used to manage the selection of criteria that a company administrator or system administrator uses to identify users who belong to the smart groups. Smart group management application 271 or smart group criteria selector 274 may process input from server 106 and/or provide access, as required, between the various applications, modules, and other software components of server 106. Administrators may have the option to choose from a variety of criteria using smart group criteria selector 274. This interface may be provided by user interface manager 252 or simulated phishing campaign manager 250. The criteria could be displayed as a drop-down list from which the administrator can select one or more criteria to be included in the smart group. Administrators can store the criteria in smart group criteria storage 273. These criteria can be modified from time to time. Smart group management application 271 can be any application, service, daemon, or routine that generates messages. The smart group management application can generate messages in any format.

In certain embodiments, smart group management application 271 can indicate which groups are smart groups when they appear in a list with all groups. The smart groups can be listed before or after the "normal" static groups in the console, and each type of group can be given a heading. Administrators can set up and configure smart groups using the smart group management application 271. This interface can be fully graphical and include drop-down boxes (i.e. operators) that allow the administrator to select criteria (e.g. "all users who have been phished" or "all users who have not been phished within the past 30 days"). The administrator can modify or enter the time period or date for tracking criteria in some cases. Administrators can add criteria by pressing a plus (+) button in some embodiments. To create the smart group, click on the plus (+) button.

Smart group criteria selector 274 allows a system administrator or company administrator to select one or more criteria that will be applied to or associated with a smart group. The smart group criteria selector 274 can be integrated or coupled with the memory 122 to allow the smart group management application 271 to access parameters related to users, user groups, smart groups, smart group criteria, remediation training, and other parameters that are associated with computer-based security awareness training. The server 106 and any modules or components of server 106 may be integrated or coupled with memory or another storage device, such as a database of server 106, or an external server, data source, or software system that may contain information about the plurality.

Administrators (which may include system administrators or company administrators) can create smart groups at any time. This includes before a simulated phishing campaign, before asking for a report, after the company active directory is integrated, and when a computer-based training program has been established. The system 200 may save a name and the criteria for the smart groups created using smart group criteria selector 274. Smart group storage 272 may store the name and criteria of the smart group. Although the criteria for the smart groups do not change, the users who meet the criteria may change over time. When an indication is received that the smart groups are to be used for a specific purpose, the list of smart group users is generated.

Administrators can use the smart group criteria selector 274 to modify the criteria of any smart group at any time after it is created. Smart groups can be based on multiple criteria. For example, the system may combine multiple criteria with logical operators (e.g., the "users who have not been trained" AND "users who were phished within the last x months" criteria). The system 200 may restrict the number of criteria that can be combined to create a smart group in some embodiments.

In certain embodiments, system 200 allows static groups to be nested within a smart group. Instead of determining which users belong to a group based only on specific criteria or attributes, smart group criteria selector 274 may allow administrators to select existing smart groups and static groups, so that members of the first smart group or static group also become members of the second smart group. In some examples, the smart group criteria selector 274 can be used to select administrative or organizational groups, for example all members of the accounting group. The criteria for the next and subsequent groups within a nest can vary depending on the situation.

In one embodiment, an administrator creates a smart group before initiating a campaign. The administrator names the smart group (Group 1) and selects criteria such as "all users who have not been trained" or "users that have not been phished within the last five months". Next, the administrator creates a training campaign and directs the system via a user interface to use members from Group A in the training campaign. The system creates a list of the users who meet the Group A criteria before the campaign begins. These users are then added to the training campaign at that specific moment. These users are now considered to be members of smart group "Group A". This example shows that users who have not completed training would be removed from the smart group. Smart group membership is limited to users who have never been trained. The smart group membership is dynamic and changes with the events that take place.

Smart group criteria can include any attribute that is applicable to a user. Smart group criteria tracker 276 tracks and updates all criteria that could be applied to, or associated, with a smart group. These are some examples of smart group criteria:

Summary for “Using smart groups to computer-based security awareness training system”


Reporting can be done using dynamic groups. A report can be saved and generated when an administrator searches for users who meet certain criteria using Boolean logic. The data is generated every time an administrator runs a report based on the query.

Conceptually, similar types of groups have been used in active directories that use groups for distribution lists (e.g. dynamic distribution groups as they are used in IT environments). Dynamic group systems can be used either manually to manage security groups or in scripts that are run regularly for group management. These groups are also used for reporting, where criteria can be set for what to include in the report.

In some cases, campaign management systems, such as a computer-based security awareness system that can run simulated attack campaigns, may only use static groups. Static groups are managed either manually or through a workflow process. Users that meet certain criteria may be manually added to a static group. They can be removed only by a workflow process or by taking a manual action.

Static groups can cause workflow inefficiencies and inaccuracies. They are used to create different user groups according to different criteria. If company administrators attempt to remove users from one static group and place them in another, it can lead to many groups of users who have been trained, phished, failed a phishing test, gone through remediation training, and so on. A large number of logic branches can be required to manage user groups that are based on workflow. Administrators can easily lose track of these rules, making them difficult to manage. There can be an unlimited number of static groups, driven either by workflows or by manual actions. Users will be missed if a workflow process is not carried out correctly. Mistakes can happen because static groups are controlled by administrator workflows and users. Administrators need to place users in the correct static groups from the beginning. This leads to a large number of groups.

Smart groups, also known as dynamic groups, are a solution to these limitations. They automatically build a list that meets specified criteria when the list is requested. Smart groups are query-based groups.

The present solution extends similar concepts from report generation. In reporting, a group can be created that contains users who meet certain criteria, and a report is then generated based upon that list. Smart groups allow for the creation of similar dynamic groups for other purposes, such as training or phishing campaigns.

This solution is an improvement on static groups because administrators only need to specify the criteria they are interested in. Smart groups are different from static groups. Instead of having to track users’ status and move them around between static groups when they change, smart groups allow for the automatic identification of relevant users whenever an action is required. This feature automates user administration for enrollment in phishing or training campaigns.

The smart group membership is established at the time the group is being used for something. This ensures that the smart group membership remains accurate and is never out of date. When a campaign is about to run, or any other action is about to be taken that requires information about the membership of the group, the query that determines smart group membership is run. The criteria that were set by the administrator when the group was formed will always be used to determine the smart group's membership. The system bases a smart group’s membership upon criteria, and adds only users who meet those criteria at the time the group is being used. This ensures that the group membership is up-to-date and accurate. The users in the training campaign, simulated hacking campaign, report, etc. are the right users at the time that the action is taken.

A server might create a group using criteria to identify users at the time the group will be used. A server might be notified that a group membership is required. The server can query a user population to determine if they meet the criteria and identify them as members of the group. In some implementations, the server sets the criteria for a group. In other implementations, the server receives these criteria. One or more criteria can be combined using logical operators in some instances to create a group criteria.

In an implementation, the server might receive a request for the execution of a simulated campaign for a group. This request indicates to the server that the group members are to be identified using a query using group criteria. Other implementations may include a request to join the group or a request to obtain a report on the group. These requests indicate to the server that the query using the group criteria will be used to identify the group members.

In an implementation, the server might address the query to a database containing information regarding the users that is located on a different device or server, or in the cloud.

In an implementation, the server might receive an additional indication to use the group and may conduct a new query among a population to determine which users match the criteria associated with this group. The new population of group members is different from the population that was identified as being part of the group in the previous query.
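The criteria combination and nesting described earlier, and the use-time query described in the paragraphs above, can be sketched together as follows. This is an added example, not code from the patent or from any product: the class and function names, the 90-day window, and the sample users are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass
class User:
    email: str
    last_trained: Optional[date] = None        # None = never trained
    last_phish_failure: Optional[date] = None  # None = never failed a simulated phish


# A criterion is a predicate evaluated for one user on the day the group is used.
Criterion = Callable[[User, date], bool]


def never_trained(user: User, today: date) -> bool:
    return user.last_trained is None


def phished_within(days: int) -> Criterion:
    def check(user: User, today: date) -> bool:
        failed = user.last_phish_failure
        return (failed is not None
                and timedelta(0) <= today - failed <= timedelta(days=days))
    return check


def in_static_group(emails: Iterable[str]) -> Criterion:
    members = frozenset(emails)  # a static list, maintained by hand
    return lambda user, today: user.email in members


def all_of(*criteria: Criterion) -> Criterion:   # logical AND
    return lambda user, today: all(c(user, today) for c in criteria)


def any_of(*criteria: Criterion) -> Criterion:   # logical OR
    return lambda user, today: any(c(user, today) for c in criteria)


@dataclass
class SmartGroup:
    name: str
    criterion: Criterion
    # Optional record of past resolutions, so changes in population can be reviewed.
    history: List[Tuple[date, List[str]]] = field(default_factory=list)

    def as_criterion(self) -> Criterion:
        """Lets this group be nested inside another group's criteria."""
        return lambda user, today: self.criterion(user, today)

    def resolve(self, population: Iterable[User], today: date) -> List[str]:
        """Run the query now; no membership list is stored between uses."""
        members = sorted(u.email for u in population if self.criterion(u, today))
        self.history.append((today, members))
        return members


def demo() -> dict:
    # Constructed population.
    alice = User("alice@example.test", None, date(2024, 5, 20))
    bob = User("bob@example.test", date(2024, 1, 10), date(2024, 5, 25))
    carol = User("carol@example.test", None, date(2024, 5, 28))
    dave = User("dave@example.test")
    erin = User("erin@example.test", None, date(2023, 12, 1))
    population = [alice, bob, carol, dave, erin]

    group_a = SmartGroup("Group A", all_of(never_trained, phished_within(90)))
    accounting = in_static_group([alice.email, bob.email, erin.email])
    # Nested group: members of Group A who are also in the static accounting group.
    acct_a = SmartGroup("Accounting in Group A",
                        all_of(group_a.as_criterion(), accounting))

    day1 = date(2024, 6, 1)
    first = group_a.resolve(population, day1)
    first_acct = acct_a.resolve(population, day1)

    # Events between campaigns change who matches; nobody edits a group.
    alice.last_trained = date(2024, 6, 10)
    dave.last_phish_failure = date(2024, 6, 12)

    day2 = date(2024, 6, 15)
    second = group_a.resolve(population, day2)
    second_acct = acct_a.resolve(population, day2)
    return {"first_campaign": first, "first_accounting": first_acct,
            "second_campaign": second, "second_accounting": second_acct,
            "history": group_a.history}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```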

The following sections of the specification, with their respective contents, can be useful for reading the descriptions of various embodiments:

“Section A” describes a computing environment and network environment that may be helpful in the practice of embodiments.

“Section B” describes embodiments of systems, methods, and devices for adding users to user groups, and systems and methods that allow for the use of smart groups.

A. Computing and Network Environment

Before we discuss specific embodiments of this solution, it might be useful to describe aspects such as the operating environment and associated system components (e.g. hardware elements) in relation to the methods or systems described herein. Referring to FIG. 1A, an example of a network environment is shown. The network environment includes one to three clients 102a-102n (also known as client(s) 102, client node(s) 102, client computer(s) 102, client machine(s) 102, client device(s) 102, or endpoint(s) 102) and servers 106 (also known as remote machine(s) 106). A client 102 can be used both as a client node that seeks access to server resources and as a server that provides access to server resources for other clients.

Although FIG. 1A depicts a network 104 between clients 102 and servers 106, the clients 102 and servers 106 may be on the same network 104. Some embodiments may have multiple networks 104 connecting the servers 106 and clients 102. In one of these embodiments, a network 104 could be a private network, while a network (not shown) may be public. In another, a network 104 could be a private network, while a network 104.1 may be a public network. In yet another embodiment, both networks 104 and 104 may be private networks.

The network 104 can be connected via either wired or wireless links. Wired links can include Digital Subscriber Line (DSL), coaxial cable lines, or optical fiber lines. Wireless links can include BLUETOOTH, Wi-Fi, Worldwide Interoperability for Microwave Access (WiMAX), an infrared channel, or a satellite band. Wireless links can also include any cellular network standard used to communicate between mobile devices. This includes standards that are 1G, 2G or 3G. Network standards may qualify as one or more generations of mobile telecommunications standards by meeting a specification or set of standards. The 3G standards, for example, may correspond to the International Mobile Telecommunications-2000 (IMT-2000) specification, and the 4G standards may correspond to the International Mobile Telecommunications Advanced (IMT-Advanced) specification. AMPS, GSM and UMTS are some examples of cellular network standards. Cellular network standards may use various channel access methods, e.g. FDMA, TDMA, CDMA, or SDMA. Different types of data can be transmitted using different standards and links in some embodiments. Other embodiments allow the transmission of identical data via different standards and links.

The network 104 can be any type or form of network. The network 104’s geographical coverage can vary greatly. It could be a body-area network (BAN), a personal area network, a local-area network, an intranet, a metropolitan area network (MAN), a wide area network (WAN), or the Internet. The network 104’s topology can be of any type and could include any combination of point-to-point, bus, star, ring, or tree. The network 104 could be an overlay network that is virtual and sits on top of one or more layers of other networks 104. The network 104 can use any network topology known to those of ordinary skill in the art that is capable of supporting the operations described. The network 104 can use different protocols and layers, such as the Ethernet protocol, TCP/IP, ATM (Asynchronous Transfer Mode), SONET (Synchronous Optical Networking), or SDH (Synchronous Digital Hierarchy). The TCP/IP internet protocol suite can include the application layer, transport layer, and internet layer (including IPv6). The network 104 could be classified as a broadcast network or a telecommunications network. It may also include a data communication network or computer network.

In some embodiments, multiple servers 106 may be logically grouped. One of these embodiments may refer to the logical grouping of servers as either a server farm 38 (not illustrated) or a computer farm 38. Another embodiment may allow the servers 106 to be geographically dispersed. A machine farm 38 can be managed as one entity in other embodiments. Another embodiment of the machine farm 38 may include a number of machine farms 38. Each machine farm 38 may contain multiple machine farms 38.

In one embodiment, the servers 106 of the machine farm 38 could be stored in rack systems with high density and associated storage systems. They would then be located in an enterprise-level data center. This embodiment consolidates the servers 106 to improve system management, data security, and system performance. Servers 106 are located on high-performance localized networks. The centralization of the servers 106, storage systems, and their coupling with advanced system management tools allows for more efficient use.

The servers 106 of each machine farm 38 do not need to be physically close to other servers 106 in the machine farm 38. The group of servers 106 in the machine farm 38 may be connected using either a metropolitan-area network (MAN) or wide-area network (WAN) connection. A machine farm 38 could include servers 106 located on different continents, or in different areas of a country, state, city, or campus. The data transmission speeds between the servers 106 of the machine farm 38 can increase if they are connected via a local-area network (LAN) connection or another type of direct connection. A heterogeneous machine farm 38 could also include servers 106 that operate according to one type of operating system and one or two other servers 106 that run one or several types of hypervisors. Hypervisors can be used in these embodiments to simulate virtual hardware, partition and virtualize physical hardware, and execute virtual machines that allow access to computing environments. Multiple operating systems may run simultaneously on the host computer. Native hypervisors can run directly on the host machine. Examples include VMware ESX/ESXi, made by VMWare, Inc. of Palo Alto, Calif., the Xen hypervisor, which is an open-source product whose development was overseen by Citrix Systems, Inc., and the HYPER-V hypervisors that Microsoft or other companies provide. Hosted hypervisors can run within an operating system at a second level. VIRTUALBOX and VMware Workstation are two examples of hosted hypervisors.

Management of the machine farms 38 could be decentralized. One or more servers 106 could be composed of components, subsystems, and modules that support one or several management services for the machine farms 38. One or more servers 106 are used to manage dynamic data. This includes techniques for managing failover and replication and for increasing the resilience of the machine farm. Each server 106 can communicate with a persistent store and, in certain embodiments, a dynamic store.

Server 106 may be a file server, application server, web server, proxy server, gateway, virtualization server, deployment server, SSL VPN server, or firewall. The server 106 can be called a remote machine or a node in one embodiment. A plurality of nodes (290) may be located in the path between two communicating servers.

Referring to FIG. 1B, a cloud computing environment is depicted. Client 102 may have access to one or more resources through a cloud computing environment. One or more clients 102a-102n may be part of the cloud computing environment. They can communicate with the cloud 108 via one or several networks 104. Clients 102 could include thick clients, thin clients, or zero clients. Even if the client is disconnected from servers 106 or cloud 108, a thick client can still provide some functionality. To provide functionality, a thin client or zero client might depend on the connection with the cloud 108 and server 106. Zero clients may depend on the cloud 108, other networks 104, or servers 106 for operating system data retrieval. The cloud 108 could include back end platforms such as servers 106, storage, data centers, or server farms.

Cloud 108 can be public, private, or hybrid. Public clouds could include public servers 106 that are managed by third parties for clients 102 or their owners. Servers 106 could be located in remote locations, as described above. The servers 106 may be connected over public networks to other public clouds. Private clouds could include servers 106 that are owned by clients 102. Private clouds can be connected to servers 106 via a private network. Hybrid clouds 108 may connect to both public and private networks 104 and servers 106.

Cloud 108 may also include cloud-based delivery, such as Software as a Service (SaaS) 110, Platform as a Service (PaaS) 112, and Infrastructure as a Service (IaaS) 114. IaaS can refer to renting infrastructure resources for a specific time period. IaaS providers can offer large amounts of storage, networking, servers, or virtualization resources. This allows users to scale up quickly and access more resources as they need them. Examples of IaaS include AMAZON WEB SERVICES provided by Amazon.com, Inc. of Seattle, Wash., RACKSPACE CLOUD provided by Rackspace US, Inc. of San Antonio, Tex., Google Compute Engine offered by Google Inc. of Mountain View, Calif., or RIGHTSCALE supplied by RightScale, Inc. of Santa Barbara, Calif. PaaS providers may offer resources other than those of IaaS, such as the operating system, middleware, and runtime resources. Examples of PaaS are WINDOWS AZURE, provided by Microsoft Corporation of Redmond, Wash., Google App Engine, provided by Google Inc., or HEROKU, provided by Heroku, Inc. of San Francisco, Calif. SaaS providers might offer the same resources as PaaS, including storage, networking, servers, virtualization, operating system, middleware, and runtime resources. SaaS providers can offer additional resources, such as data and application resources, in some instances. Examples of SaaS include GOOGLE APPS offered by Google Inc., SALESFORCE offered by Salesforce.com Inc. of San Francisco, Calif., or OFFICE 365 offered by Microsoft Corporation. Data storage providers may also be included in SaaS, for example DROPBOX provided by Dropbox, Inc. of San Francisco, Calif., Microsoft SKYDRIVE provided by Microsoft Corporation, Google Drive provided by Google Inc., and Apple ICLOUD provided by Apple Inc. of Cupertino, Calif.

Clients 102 can access IaaS resources using one or more IaaS standards, such as Open Cloud Computing Interface, Cloud Infrastructure Management Interface (CIMI), and Amazon Elastic Compute Cloud. Clients may be able to access resources via HTTP using some IaaS standards. These standards may use Representational State Transfer (REST), Simple Object Access Protocol, or both. Clients 102 may have access to PaaS resources using different PaaS interfaces. Some PaaS interfaces may use HTTP packages, JavaMail APIs, Java Data Objects (JDO), Java Persistence APIs (JPA), Python APIs, and web integration APIs. These APIs can be used for various programming languages, such as Rack for Ruby, WSGI for Python, PSGI for Perl, or any other APIs that are built on REST, HTTP, XML, or other protocols. Clients 102 can access SaaS resources via web-based user interfaces provided by a browser (e.g. GOOGLE CHROME or Microsoft INTERNET EXPLORER). Clients 102 can also access SaaS resources via smartphone or tablet apps, such as the Salesforce Sales Cloud or Google Drive app. Clients 102 can also access SaaS resources via the client operating system, e.g. the Windows file system for Dropbox.

In certain embodiments, access to IaaS or PaaS resources may be authenticated. A server or authentication server might authenticate a user using security certificates, HTTPS, and API keys. API keys can include different encryption standards, such as Advanced Encryption Standard (AES). Data resources can be sent via Transport Layer Security (TLS) or Secure Sockets Layer (SSL).

The client 102 and server 106 can be deployed on and/or executed from any type of computing device, e.g. a computer, network device, or appliance that can communicate on any type of network and perform the operations described herein. FIGS. 1C and 1D show block diagrams of a computing device 100 that can be used to practice an embodiment of client 102 or server 106. FIGS. 1C and 1D show that each computing device 100 has a central processing unit 121 and a main memory unit 122. FIG. 1C shows that a computing device 100 can include a storage device 128, an installation device 116, a network interface 118, display devices 124a-124n, a keyboard 126, and a mouse. Without limitation, the storage device 128 can include an operating system, software, or the software of a simulated phishing attack system 120. FIG. 1D shows that each computing device 100 can also have additional elements, e.g. a memory port 103, a bridge 170, input/output devices 130a-130n (generally referred to using reference number 130), and a cache memory 140 in communication with the central processing unit.

The central processing unit 121 is any logic circuitry that responds to and processes instructions from the main memory unit 122. In many embodiments, the central processing unit 121 is provided by a microprocessor unit, e.g. those manufactured by Intel Corporation, Mountain View, Calif.; those manufactured by Motorola Corporation, Schaumburg, Ill.; the ARM processor with TEGRA system on a chip (SoC), manufactured by Nvidia, Santa Clara, Calif.; the POWER7 processor, manufactured by International Business Machines, White Plains, N.Y.; or those manufactured by Advanced Micro Devices, Sunnyvale, Calif. The computing device 100 may be based on any of these processors, or on any other processor that can operate as described herein. The central processing unit 121 may use instruction-level parallelism or thread-level parallelism. It can also utilize different levels of cache and multi-core processors. A multi-core processor may contain multiple processing units within a single component. The AMD PHENOM IIX2, the INTEL CORE i5 and the INTEL CORE i7 are examples of multi-core processors.

Main memory unit 122 may contain one or more memory chips that can store data and allow any storage location to be accessed directly by the microprocessor 121. Main memory unit 122, which may be volatile, can store more data than the storage 128. The main memory unit 122 can be Dynamic random-access memory (DRAM) or any variant thereof, including Burst SRAM or SynchBurst SRAM (BSRAM), Fast Page Mode DRAM (FPM DRAM), Extended Data Output RAM (EDO RAM), Extended Data Output DRAM (EDO DRAM), Burst Extended Data Output DRAM (BEDO DRAM), Single Data Rate Synchronous DRAM (SDR SDRAM), Double Data Rate SDRAM (DDR SDRAM), Direct Rambus DRAM (DRDRAM), or Extreme Data Rate DRAM (XDR DRAM). In some embodiments, the main memory 122 or the storage 128 may be non-volatile, e.g. non-volatile random access memory (NVRAM), flash memory, non-volatile static RAM (nvSRAM), Ferroelectric RAM (FeRAM), Magnetoresistive RAM (MRAM), Phase-change memory (PRAM), conductive-bridging RAM (CBRAM), Silicon-Oxide-Nitride-Oxide-Silicon (SONOS), Resistive RAM (RRAM), Racetrack, Nano-RAM (NRAM), or Millipede memory. The main memory 122 may be based on any of the memory chips described above, or on any other memory chips capable of operating as described herein. FIG. 1C shows the processor 121 communicating with main memory 122 via a system bus 150 (described below). FIG. 1D shows an embodiment of a computing device 100 in which the processor communicates with main memory 122 via a memory port 103. In FIG. 1D, the main memory 122 may be DRDRAM.

Other embodiments of the main processor 121 connect with cache memory 140 via the system bus 150. Cache memory 140 usually has a faster response time than main memory 122 and is typically provided by SRAM, BSRAM or EDRAM. FIG. 1D shows the processor 121 communicating with I/O devices 130 via a local bus 150. Many buses can be used to link the central processing unit 121 with any I/O device 130, including a PCI bus, a PCI-X bus, a PCI Express bus or a NuBus. In embodiments where the I/O device is a video display 124, the processor 121 can use an Advanced Graphics Port (AGP) to communicate with the display 124 or the I/O controller 123 for the display 124. FIG. 1D shows an example of a computer 100 where the main processor 121 can communicate directly with I/O device 130b or other processors via HYPERTRANSPORT or RAPIDIO communications technology. FIG. 1D also shows an embodiment where local buses and direct communication are combined: the processor 121 communicates with I/O device 130a via a local interconnect bus, while I/O device 130b uses a local bus to communicate with it.

The computing device 100 may contain a variety of I/O devices 130a-130n. Trackpads and trackballs can be used as input devices. Video displays, graphical displays and speakers can be output devices.

Devices 130a-130n may contain multiple input or output devices, such as the Microsoft KINECT, Nintendo Wiimote, Nintendo WII U GAMEPAD or Apple IPHONE. Some devices 130a-130n can combine some inputs and outputs to allow gesture recognition inputs. Some devices 130a-130n allow facial recognition, which can be used as an input for authentication or other commands. Some devices 130a-130n provide voice recognition and inputs, such as the Microsoft KINECT, SIRI for IPHONE by Apple, or Google Now.

Additional devices 130a-130n can be used as both input and output devices. They include haptic feedback devices and touchscreen displays. Multi-touch screens, touchpads and touch mice may use different technologies to sense touch, including capacitive, surface capacitive, projected capacitive touch (PCT), resistive, infrared, waveguide, dispersive touch (DST), in-cell optical, surface acoustic wave (SAW), bending wave touch (BWT) or force-based sensing technologies. Multi-touch devices can allow two or more contact points with the surface, which enables advanced functionality such as pinch, rotate, scroll or other gestures. Some touchscreen devices, such as the Microsoft PIXELSENSE and the Multi-Touch Collaboration Wall, may have larger surfaces, such as on a table-top or on a wall, and may also interact with other electronic devices. Some I/O devices 130a-130n, display devices 124a-124n or groups of devices could be augmented reality devices. An I/O controller 123 may control the I/O devices, as shown in FIG. 1C. An I/O device can also provide storage and/or an installation medium for the computing device 100. Other embodiments may also provide USB connections (not illustrated) for receiving handheld USB storage devices. An I/O device 130 can be used as a bridge between the system bus 150 and an external communication bus, e.g. a USB bus, a SCSI bus, a FireWire bus, an Ethernet bus, a Gigabit Ethernet bus, a Fibre Channel bus, or a Thunderbolt bus.

In some embodiments, display devices 124a-124n can be connected to the I/O controller 123. Display devices include liquid crystal displays (LCD), thin-film transistor LCD (TFT-LCD), blue-phase LCD, electronic paper (e-ink) displays, and liquid crystal on silicon (LCOS) displays. Examples of 3D displays may use stereoscopy, active shutters or polarization filters. Display devices 124a-124n can also be head-mounted displays (HMD). In some embodiments, display devices 124a-124n or the corresponding I/O controllers 123 can be controlled through, or have hardware support for, OPENGL, the DIRECTX API, or other graphics libraries.

In some instances, the computing device 100 can connect to multiple display devices 124a-124n, which may be of the same type or of different types. Any of the I/O devices 130a-130n or the I/O controller 123 can include any type or combination of hardware and software to support, enable, or provide for the connection and use of multiple display devices 124a-124n by the computing device 100. The computing device 100 could include any type or form of video adapter, video card, driver and/or library to interface, communicate, connect, or otherwise use multiple display devices 124a-124n. Software may be designed and built to work with another computer's display device 124a. For example, an Apple iPad can connect to a computing device 100 and use the display of the device 100 as an additional screen, which could allow the user to use that display as an extended desktop. A computing device 100 can be configured to support multiple display devices 124a-124n. One skilled in the art will recognize and appreciate the many ways in which this configuration may be achieved.

The computing device 100 may include a storage device 128, e.g. one or more hard drives or redundant arrays of independent disks, for storing an operating system or related software, and for storing software programs related to the simulated hacking attack system software 120. Examples of a storage device 128 include a hard disk drive (HDD); an optical drive, including a CD, DVD, or Blu-ray drive; a solid-state drive (SSD); a USB flash drive; and any other device that can store data. Many storage devices can include both volatile and non-volatile memories, including solid-state hybrid drives, which combine hard disks with solid-state cache. A storage device 128 could be read-only, non-volatile or mutable. A storage device 128 could be internal and connect to the computing device 100 via a bus 150. A storage device 128 can be external and connect to the computing device 100 via an I/O device 130 that provides an external bus. A storage device 128 can connect to the computing device 100 via the network interface 118 over a network 104, including, e.g., the Remote Disk for MACBOOK AIR from Apple. Client devices 100 may not need a non-volatile storage device 128, and may be thin clients or zero clients. A storage device 128 can also be used as an installation device 116 for installing software or programs. The operating system and software can also be run from bootable media, such as a CD or DVD. KNOPPIX, for example, is a bootable CD that runs GNU/Linux. It can be downloaded from knoppix.net.

Client device 100 can also download software from an application distribution platform. The App Store for iOS provided by Apple, Inc., the Mac App Store provided by Apple, Inc., GOOGLE PLAY for Android OS provided by Google Inc., the Chrome Webstore for CHROME OS provided by Google Inc., and the Amazon Appstore for Android OS and KINDLE FIRE provided by Amazon.com, Inc. are all examples of application distribution platforms. An application distribution platform may include a repository of applications on a server 106 or a cloud 108 that clients 102a-102n can access via a network 104. A distribution platform could include applications developed by different developers. An application distribution platform allows users of client devices 102 to select, buy and/or download applications.

Moreover, the computing device 100 can include a network interface 118 that allows it to connect to the network 104 via a variety of connections, such as standard telephone lines, LAN or WAN links (e.g. 802.11, T3, Gigabit Ethernet and Infiniband), broadband connections (e.g. ISDN, Frame Relay, ATM, Gigabit Ethernet, Ethernet-over-SONET, ADSL, VDSL, BPON, GPON, or fiber optical including FiOS), or a combination of any or all of these connections. Connections can be established using a variety of communication protocols, such as TCP/IP, Ethernet, ARCNET, SONET, SDH, Fiber Distributed Data Interface (FDDI), IEEE 802.11a/b/g/n/ac, CDMA, GSM, WiMax, and direct asynchronous connections. In one embodiment, the computing device 100 communicates with other computing devices 100 via any type and/or combination of gateways or tunneling protocols, e.g. Secure Socket Layer (SSL), Transport Layer Security (TLS), or the Citrix Gateway Protocol manufactured by Citrix Systems, Inc., Ft. Lauderdale, Fla. The network interface 118 can include a built-in network adapter, network interface card, PCMCIA network card, EXPRESSCARD network card, card bus network adapter, wireless network adapter, modem, or any other device capable of interfacing the computing device 100 to any type of network that can communicate and perform the operations described herein.

A computing device 100 of the type shown in FIGS. 1B and 1C can be controlled by an operating system that controls access to system resources and the scheduling of tasks. The computing device 100 can run any operating system, including any version of MICROSOFT WINDOWS, any Unix or Linux release, any embedded operating system, any real-time operating system, any proprietary operating system, any mobile operating system, or any other operating system capable of running on the device. Typical operating systems include WINDOWS 2000, WINDOWS Server 2012, WINDOWS CE, WINDOWS Phone, WINDOWS XP, WINDOWS VISTA and WINDOWS 7, all manufactured by Microsoft Corporation of Redmond, Wash.; MAC OS and iOS; and Linux, a freely available operating system, e.g. the Linux Mint distribution ("distro"). Some operating systems, such as the CHROME OS from Google, can be used on thin clients or zero clients.

The computer system 100 may be any computer system that can communicate with a computer network, such as a desktop computer, telephone, notebook computer, netbook, ULTRABOOK, tablet, server, handheld computer, mobile telephone, smartphone, media player, gaming system, mobile computing device or any other form of computing, telecommunications, or media device. The computer system 100 has sufficient memory and processor power to carry out the operations described herein. The computing device 100 can have different operating systems and processors depending on its configuration. Samsung GALAXY smartphones, for example, are controlled by the Android operating system developed by Google, Inc. GALAXY smartphones receive input via a touch interface.

In some embodiments, a computing device 100 may be a gaming system. The computer system 100 could include, for example, a PLAYSTATION 3, a PLAYSTATION PORTABLE (PSP), or a PLAYSTATION VITA manufactured by the Sony Corporation, Tokyo, Japan; a NINTENDO DS, NINTENDO 3DS, NINTENDO WII, or NINTENDO WII U manufactured by Nintendo Co., Ltd., Kyoto, Japan; or an XBOX 360 manufactured by Microsoft Corporation, Redmond, Wash.

In certain embodiments, the computing device 100 is a digital audio player, such as the Apple IPOD, IPOD Touch and IPOD NANO lines of devices manufactured by Apple Computer of Cupertino, Calif. Some digital audio players may have other functionality, such as a gaming system or any functionality made available by applications from a digital application distribution platform. The IPOD Touch, for example, can access the Apple App Store. The computing device 100 may be a portable media player or digital audio player that supports file formats such as MP3, WAV, M4A/AAC, Protected AAC, AIFF, .mov, and H.264/MPEG-4 AVC video file formats.

In certain embodiments, the computing device 100 is a tablet, e.g. the IPAD line of devices by Apple; the GALAXY TAB family of devices by Samsung; or the KINDLE FIRE by Amazon.com, Inc., Seattle, Wash. The computing device 100 can also be an eBook reader, e.g. the KINDLE family of devices by Amazon.com, or the NOOK family of devices by Barnes & Noble, Inc., New York City, N.Y.

In some embodiments, the communications device 102 may include a combination of devices, e.g. a smartphone combined with a digital audio player or portable media player. One of these embodiments is a smartphone, e.g. the IPHONE family of smartphones manufactured by Apple, Inc., the Samsung GALAXY family of smartphones manufactured by Samsung, Inc., or the Motorola DROID family of smartphones. Another embodiment of the communications device 102 is a computer or laptop that has a web browser and a microphone and speaker system, e.g. a telephony headset. These communications devices 102 can be web-enabled and can receive and initiate calls. A laptop or desktop computer may also be equipped with a webcam or another video capture device that allows for video chat and video calling.

In some embodiments, the status of one or more machines 102 and 106 is monitored as part of network management. In one of these embodiments, the status of a machine may include an identification of load information, such as the number of processes running on it and their CPU utilization and memory usage; port information, such as the available communication ports and port addresses; or session status, which can include the type and duration of the processes and whether they are active or inactive. In another of these embodiments, this information can be identified by a plurality of metrics, and the plurality of metrics may be applied at least in part toward decisions regarding load distribution, network traffic management and network failure recovery, as well as other aspects of the operations described herein. Aspects of the components and operating environments described above will become apparent in the context of the systems and methods described herein.

B.

This disclosure generally refers to systems and methods of using smart user groups (also known as dynamic groups) in computer-based security awareness training systems. Some systems and methods for adding users to user groups can be based on user interactions with simulated malware attacks and remediation training. These systems and methods enable a server to add a user of a first user group to a second user group if that user interacts with a simulated phishing email. Some embodiments allow users to be removed from a user group when they are added to another group: the user who is added to the second user group is then removed from the original user group. The server can also electronically track the remediation training that the user has completed. In some cases, the server will add the user back to the original user group. The server can automatically add the user to any of the user groups if it detects an event related to the user.

In some embodiments, users can remain members of the same user group even if they are added to another group. The user can, for example, remain a member of the first user group even if the user is added to a second user group. As another example, the user does not lose their membership in the second user group if they are added back to the first user group or added to a third user group.

A simulated phishing attack can be used to test the readiness of security systems or users to prevent malicious actions. For example, a simulated phishing attack could target a large number of users, such as employees. The attack can be carried out by a party that is friendly or neutral to the targets of the simulated attack. In one type of simulated phishing attack, an attempt is made to extract sensitive information using phishing methods. Any information that is obtained is not used maliciously but is part of a process to detect security weaknesses. Simulated phishing attacks can expose weaknesses in security and help to minimize the risk. Targeted, real-time training can improve user knowledge.

The following is a method for adding users to user groups. The system administrator (or a third party acting on behalf of security managers) creates a simulated phishing email template that is used to generate simulated phishing emails. These emails can be disguised as emails from an employee of the company. The email could be designed to appear interesting and offer the user access to interesting news, useful software, knowledge about money-making schemes, or other information. The email might ask the user to respond to it or to transfer money to an attacker's account and send a reply email confirming that the money was transferred. A simulated phishing campaign manager creates a simulated phishing attack based on selections made either by the system administrator or by another person. The system administrator chooses the first user group, which contains the users who will be part of the simulated campaign. The system administrator creates a second user group to include users who interact with the simulated phishing email. This second user group is used to electronically track remediation training. The selection of the first and second user groups is sent to the system.

The system sends one or more simulated phishing emails to users in the first user group, depending on the simulated campaign that was created. If a user from the first user group interacts with a simulated phishing email of the campaign, the server receives a first indication. The server responds to the first indication by adding the user, who is a member of the first user group, to the second user group. Examples of a user interaction with a simulated phishing email include replying to the email or forwarding it. Clicking on a link within the email is also a user interaction with a simulated phishing email. The server may track the number of times the user interacts with links in simulated phishing emails and add the user to the second user group when a threshold is reached. Some embodiments allow the server to detect an event and add the user to another user group.

Once a user is added to the second user group in response to interacting with a simulated phishing email, they start to receive electronically tracked remediation training. The server receives a second indication once the user has completed the remediation training. The server responds to the second indication by adding the user to the first user group or to a third user group. The server may track the number of courses of electronically tracked remediation training the user has completed. The server may automatically add the user to the second user group corresponding to the number of courses that the user has taken. In some cases, the server adds the user, who is a member of the second user group, back to the original user group, which applies to embodiments where the user has been removed from the first user group, or to a third user group, based on the number of courses of electronically tracked remediation training completed. Further embodiments allow the user to be removed from the second user group when the user is added to the predetermined group, or when they are added back to the first user group or added to the third user group.
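The group transitions described in the method above, written out as an added example (it is not code from the patent or from any product). The class names, group names, thresholds and the `remove_on_move` switch are assumptions made for illustration; the audit list is an addition that records every membership change.

```python
from dataclasses import dataclass, field
from typing import Optional

INTERACTIONS = {"click", "reply", "forward"}  # interaction kinds named in the text


@dataclass
class CampaignPolicy:  # hypothetical name; fields mirror the selections in the text
    first_group: str                    # users targeted by the simulated campaign
    second_group: str                   # users assigned tracked remediation training
    third_group: Optional[str] = None   # optional destination after training
    interaction_threshold: int = 1      # interactions before the move to second_group
    courses_required: int = 1           # distinct courses before leaving second_group
    remove_on_move: bool = True         # False: the user keeps the earlier membership


@dataclass
class GroupServer:  # hypothetical stand-in for the server's group management
    policy: CampaignPolicy
    groups: dict = field(default_factory=dict)        # group name -> set of users
    interactions: dict = field(default_factory=dict)  # user -> interaction count
    courses: dict = field(default_factory=dict)       # user -> completed course ids
    audit: list = field(default_factory=list)         # (user, action, group) records

    def _add(self, user, group):
        members = self.groups.setdefault(group, set())
        if user not in members:
            members.add(user)
            self.audit.append((user, "add", group))

    def _remove(self, user, group):
        if user in self.groups.get(group, set()):
            self.groups[group].discard(user)
            self.audit.append((user, "remove", group))

    def enroll(self, user):
        self._add(user, self.policy.first_group)

    def members(self, group):
        return set(self.groups.get(group, set()))

    def on_interaction(self, user, kind):
        """First indication: a user interacted with a simulated phishing email."""
        p = self.policy
        if kind not in INTERACTIONS:
            raise ValueError(f"unknown interaction kind: {kind}")
        in_second = user in self.members(p.second_group)
        if user not in self.members(p.first_group) and not in_second:
            return False  # not a target of this campaign, ignore the event
        self.interactions[user] = self.interactions.get(user, 0) + 1
        if in_second or self.interactions[user] < p.interaction_threshold:
            return False  # already in remediation, or threshold not yet reached
        self._add(user, p.second_group)
        self.courses[user] = set()  # the training requirement starts fresh
        if p.remove_on_move:
            self._remove(user, p.first_group)
        return True

    def on_training_completed(self, user, course):
        """Second indication: the user completed a tracked remediation course."""
        p = self.policy
        if user not in self.members(p.second_group):
            return False
        self.courses.setdefault(user, set()).add(course)  # repeats count once
        if len(self.courses[user]) < p.courses_required:
            return False
        self._add(user, p.third_group or p.first_group)
        if p.remove_on_move:
            self._remove(user, p.second_group)
        self.interactions[user] = 0
        return True


if __name__ == "__main__":
    # Constructed sample run: two interactions and two courses are required.
    srv = GroupServer(CampaignPolicy("all_staff", "clickers",
                                     interaction_threshold=2, courses_required=2))
    srv.enroll("alice")
    for kind in ("click", "forward"):
        srv.on_interaction("alice", kind)
    for course in ("phish-101", "links-201"):
        srv.on_training_completed("alice", course)
    for record in srv.audit:
        print(record)
```

With `remove_on_move=False` the same code covers the embodiments in which a user keeps membership in the earlier group after being added to the next one.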

Referring to FIG. 2A in a general overview, FIG. 2A shows some of the architecture of a system 200 that can add users to user groups in response to events. In response to events, the system 200 can also remove users from user groups.

Referring to FIG. 2A in greater detail, the system 200 includes a server 106. The server 106 includes a user group management function 212 that interacts with a simulated phishing campaign manager 250, which is responsible for the execution of the simulated campaign. Further, the server 106 includes an event tracker 234, a phishing email interaction tracker 235, a remediation training tracker 236 and a user group selector 238. The user group management function 212 includes a user group management application 214, a phishing email user interaction counter 216 and a user remediation training completion counter 218. There are several storage modules in the server 106. Storage 240 houses remediation training. Storage 241 contains users. Storage 242 stores user groups, while storage 244 holds simulated phishing emails.

Each of the server 106, user group management function 212, user group management application 214, phishing email user interaction counter 216, user remediation training completion counter 218 and user group selector 238 may contain a program, service, task, script, library, application, or any other type of executable instructions or code that can be executed on one or more processors. Any of the server 106, user group management function 212 and user group management application 214 can be combined into one or more modules, applications, programs, services or scripts.

The simulated phishing campaign manager 250 contains a simulated phishing email generator 254, which can be implemented as, or contain, a virtual machine 256. The simulated phishing campaign manager 250 responds to user input and generates a campaign for a simulated phishing attack. The campaign includes one or more selected phishing email templates, one or more selected landing page templates, and one or more targeted user groups.

In an implementation, system 200 includes a server 106. The server 106 may be part of a cluster of servers. In some cases, the tasks performed by server 106 can be shared by multiple servers. These tasks can be allocated among the cluster of servers by an application, service, daemon or routine. Server 106 could include memory and a processor.

In an implementation, system 200 also includes a client 102. The client may contain a communications module 266, a user interface 266, and a display 268, as well as a messaging application 272. In some cases, the client can also include a communications program 264. Client 102 can interact with server 106 via a network 104.

In certain embodiments, the server contains a simulated phishing campaign manager 250 that may manage different aspects of a simulated phishing attack campaign. The simulated phishing campaign manager 250, for example, may process input from server 106 and/or provide access as required to various software components of server 106. The simulated phishing campaign manager 250 may be responsible for monitoring and controlling the timing of various aspects of an attack campaign. It may also process requests to access the results of simulated attack campaigns and/or perform other tasks related to the management and operation of an attack campaign.

In some cases, the simulated phishing campaign manager 250 can be integrated or coupled with memory 122. In some embodiments, the memory can include any type of storage, such as a file system or database. The memory 122 can store parameters and scripts that are associated with a specific simulated phishing campaign. For example, memory 122 could store scripts and parameters that correspond to the selections made by server 106 via the simulated phishing campaign manager 250. A simulated phishing attack is described as follows:

In an implementation, the simulated phishing campaign manager 250 includes a simulated phishing email generator 254. The simulated phishing email generator 254 may be integrated with or coupled to the memory 122, which allows it to access parameters that are associated with the messaging choices made for a specific simulated campaign by, e.g., the server 106. The simulated phishing email generator 254 can be coupled to or integrated with memory, a memory store, or another storage, such as a database, containing remediation training 240, users 241, user groups 242, or simulated phishing emails 244. The simulated phishing email generator 254 could be an application, service, daemon or routine that generates messages. The simulated phishing email generator 254 can generate messages in any format. They could be text messages, email messages, messages sent by specific messaging apps such as WhatsApp, or other types of messages, e.g. as selected by a server 106 using the simulated phishing campaign manager 250. The messages can be generated in any suitable way, e.g. by running an instance of an application that generates the desired type of message, such as Gmail. The messages can be generated by running a messaging application. Messages can be formatted to conform with certain messaging platforms, such as Outlook 365, Outlook Web Access, Webmail, iOS, the Gmail client and so forth.

In certain embodiments, the simulated phishing email generator 254 may be configured to generate messages that direct users who interact with them to a particular landing page.

In certain embodiments, the simulated phishing email generator 254 can be used to generate a simulated phishing email. The email can appear to have been sent from a trusted address, such as an email address belonging to an executive at the company where the target works. The email may also have a "Subject:" field designed to prompt the user to perform an action, such as initiating a wire transfer. The simulated phishing email generator 254 may generate one or more simulated phishing emails that are stored in the simulated phishing emails storage 244. The simulated phishing email generator 254 may generate multiple instances of an email that can be sent to different users from the users storage 241, such as employees or a subset of them. The simulated phishing email generator 254 may generate multiple instances of an email that can be delivered to a user group stored in the user groups storage 242. The server 106, for example, can choose any number of employees to be the targets of a simulated attack and can create a user group, which can then be stored in the user groups storage 242. The simulated phishing email generator 254 can retrieve this information and generate emails similar to the original email, each addressed to a target identified in the information stored within the memory 122. The simulated phishing email generator 254 can generate the emails such that the "From:" and "Subject:" fields of each email are identical, while the "To:" field is adjusted according to the target.

The event tracker 234 detects and tracks events that are associated with users in a simulated phishing campaign. An event can be any activity, interaction or behavior that occurs in conjunction with a user or a simulated campaign. In one embodiment, an event is the number of interactions a user has with a simulated phishing email. In another embodiment, an event is the number of courses of electronically tracked remediation training that the user has completed since the last time they interacted with a simulated phishing email. In one embodiment, an event is the number of simulated campaigns that were run since the last time the user interacted with a simulated phishing email. In one embodiment, an event is the time since the user's last interaction with a simulated phishing email. In one embodiment, an event is the time since the user completed a course of electronically tracked remediation training.

The user group management function 212 includes a user group management application 214, which manages the addition of users to user groups. In some cases, the user group management application 214 can also be used to remove a user from a group. In one embodiment, the user group management application 214 manages the addition of a user to another user group in response to the user's interaction with a simulated phishing email. The user group management application 214 can also be used to remove a user from one user group after they are added to another user group in response to the user interacting with the simulated phishing email. The user group management application 214 can manage the addition of a user to another user group in response to the completion of electronically tracked remediation training. The user group management application 214 can also be used to remove the same user from a user group when they are added to another user group in response to the completion of electronically tracked remediation training. In one embodiment, the user group management application 214 manages the addition of users to other user groups in response to an event related to the simulated phishing campaign. In a further embodiment, the user group management application 214 manages the removal of the same user from one user group after the user is added to another user group in response to an event related to the simulated phishing campaign.

The user group management function 212 also includes a phishing email user interaction counter 216, which tracks, counts and/or manages the interactions of users with simulated phishing emails. In one embodiment, the phishing email user interaction counter 216 tracks how many times users interact with a given simulated phishing email. In one embodiment, the phishing email user interaction counter 216 keeps track of the number of times any given user interacts with simulated phishing emails. In one embodiment, the phishing email user interaction counter 216 keeps track of how long it takes for a user to interact with a specific simulated phishing email or with any other simulated phishing email. In one embodiment, the phishing email user interaction counter 216 tracks the user's interactions with a specific simulated phishing email, including the number and type of clicks that the user makes on a link in the email, or the number of times the user replies to or forwards a simulated phishing email.

The phishing email interaction tracker 235 detects and tracks user interactions with simulated phishing emails using the phishing email user interaction counter 216. The phishing email interaction tracker 235 may receive indications from phishing user interaction counter 221 whenever a user interacts with a simulated phishing email. The phishing email interaction tracker 235, for example, uses the phishing email user interaction counter 216 to track user interactions that may be counted or stored in a database. The phishing email interaction tracker 235 detects and tracks when the user clicks on a link in a simulated phishing message. The phishing email interaction tracker 235 detects and tracks when the user responds to a simulated phishing email. In one embodiment, the phishing email interaction tracker 235 detects and tracks when the user forwards a simulated phishing message.

The user group management function 218 also includes a user remediation training completion counter 218, which counts, tracks, and/or manages remediation training and courses. One embodiment keeps track of how many courses of user remediation training an individual has taken. In one embodiment, the user remediation training completion counter 218 tracks whether a user has completed a specific type of user remediation training. In one embodiment, the user remediation training completion counter 218 tracks whether the user has completed any subset or minimum of the electronically tracked remediation training. The user remediation training completion counter 218 tracks the time the user spent on electronically tracked remediation training. The user remediation training completion counter 218 tracks the time it took for the user to complete the electronically tracked remediation training.

The remediation training tracker 236 detects and tracks any electronically tracked remediation training that has been assigned to a user, using the user remediation training completion counter 218. The remediation training tracker 236 may receive indications from the counter 218 that a user has completed remediation training. The remediation training tracker 236 may use the user remediation training completion counter 218 to track any electronically tracked remediation training that has been assigned to users. This information can be counted and stored in a database. The remediation training tracker 236 tracks one or more courses of the electronically tracked remediation training. In one embodiment, the remediation training tracker 236 tracks one or more live or in-person trainings that are assigned to users. In one embodiment, the remediation training tracker 236 tracks both mandatory and non-mandatory training. In one embodiment, the remediation training tracker 236 tracks the time spent on remediation training. The remediation training tracker 236 tracks how many courses of electronically tracked remediation training the user has completed in a certain time period.

The user group selector 238 chooses a user for a simulated phishing campaign. A user group can contain a list of users or a collection of users that are identified by a username or user identifier. The user group selector 238 can select a group of users to which to add a user or from which to delete a user. This is based on how the user has interacted with training, events, simulated phishing campaigns, and other factors. The processor can be used by the user group selector 238, for example, to select one or more storage modules (e.g., users storage 241 or user groups storage 242) to add or delete the user. In one embodiment, the user group selector 238 allows users to be added to user groups if they are able to interact with simulated phishing emails. In one embodiment, the user group selector 238 selects a user group to which to add users if they interact with a simulated phishing email and then complete the electronically tracked remediation training. In one embodiment, the user group selector 238 allows the simulated phishing campaign manager to choose predetermined groups to which to add users in response to certain events.

In an implementation, the simulated campaign manager 250 may be used as another name for a system administrator such as a security manager or third-party security consultant. Server 106 might want to conduct a simulated attack using the installed simulated campaign manager 250. The simulated campaign manager 212 could be a desktop, laptop, mobile, or other computing device. For example, the simulated phishing campaign manager 250 could be an application that allows a user to interact with server 106 for the purpose of creating, configuring and/or tailoring a simulated phishing attack and/or viewing, processing, and/or analyzing the results of such an attack.

The simulated phishing campaign manager 250 causes a graphical user interface to be displayed on the server 106. In other embodiments, the simulated phishing campaign manager 250 allows user input via a non-graphical interface. This includes a user interface that accepts text and vocal input but does not display an interactive image. The graphical user interface can be displayed on a mobile phone screen, on a monitor connected to a desktop computer or laptop computer, or on any other display. The user can interact with the graphical user interface by typing, tapping, speaking, clicking a mouse, or using any other method to interact with the interface. A web browser may provide a web-based interface for the graphical user interface. A web browser such as Google Chrome, Microsoft Internet Explorer, or Mozilla Firefox (Mozilla Foundation of Mountain View, Calif.), or an application that can open a network connection to the simulated phishing campaign manager 250, or any other type, may be installed on the user device.

In an implementation, the simulated phishing campaign manager 250 or server 106 can make choices about how to execute a simulated attack. The server 106 may be presented with a graphical user interface that is run by the simulated phishing campaign manager 250. The server 106 allows users to input parameters that will affect the attack's execution. A user can, for example, choose which users will be targeted in an attack. They may also decide the timing and method of attack. These choices can be made by selecting options from dropdown menus or by being presented with options through a simulated attack wizard.

In an implementation, the simulated phishing campaign manager 250 may permit the server 106 (via application programming interfaces, APIs) to access and/or modify settings of an account maintained with any party involved with the attack. It may also allow the user group management function 212 to access and/or modify settings of an account maintained with a third-party security service provider, such as one that manages an exploit server, and to view bills and/or pay a third-party security service provider. These functions can be shared with third parties, along with any other functions necessary to facilitate communications between server 106 and any other parties in the attack.

The system 200 also includes the client 102. A client could be the target of any simulated phishing attack. The client could be an employee, member or contractor who is conducting a security checkup, or performing ongoing simulated attacks to maintain security. Any device that the client uses may be considered client 102. To be considered a client device 102, the device does not need to be owned by the client. Any computing device may be considered a client 102, including a desktop computer or laptop. In some cases, the client 102 could be a server or a set of servers that the client accesses. The client could be an employee or member of an organization. A server may be accessible by the client; for example, the server may be owned, managed, or otherwise associated with the company. This server could be called a client 102.

In some embodiments, client 102 may also include a user interface 266, such as a keyboard or mouse, or any other suitable user interface. The user interface can be directly connected to client 102, such as a keyboard that is connected to a mobile phone, or indirectly connected to client 102, such as a user interface for a client device that allows access to server client 102. A display 268 may be included in client 102, such as a screen connected to the device in some way, or another display.

In an implementation, client 102 might include a messaging application 270. Any application that can view, edit, and/or send messages may be called the messaging application 270. The messaging application 270 may, for example, allow viewing of desired message types, and may be Gmail, any web browser, any other email client, Microsoft Outlook, WhatsApp, or any other suitable application. The messaging application 270 can display simulated phishing attack emails in some instances. The messaging application 270 can also be configured to allow the target to send replies to, or forward, the messages displayed by the messaging application 270.

In certain embodiments, the client 102 may include a communications module 264. This could be a library or application programming interface (API), a set of scripts, or any other code that facilitates communications between client 102 and any server 106, third-party servers, or any other server. The communications module 264 may determine when information should be transmitted from client 102 to external servers over a network. The information sent by the communications module 262 may correspond to an email message generated by the messaging application 270.

In certain embodiments, the server 106 contains a simulated phishing campaign manager 250. The simulated phishing campaign manager 250 analyzes which phishing templates are most successful in generating user failures when they are used in a simulated attack. The simulated phishing campaign manager 250 also determines the most frequent failure types for a particular template. The simulated phishing campaign manager 250 can perform additional analysis across many templates to determine which failure indicators lead to the highest failure rate.

For example, the simulated phishing campaign manager 250 could include data from targets, records about failures (e.g., a list of who replied to a simulated phishing email), systemic or other security precautions in place during the simulated attacks, time logs, user IDs, data detailing attack results, and data that links them together. The attack results may be viewed, saved, shared, printed, or otherwise acted upon by server 106. The simulated phishing campaign manager 250 may analyze the attack results upon request from the server 106. This analysis could include, for example, determining which users pose a security threat because they have a number of failures beyond a threshold, and evaluating whether security systems are working, e.g., by correlating the presence of such security systems with a lower than average rate of failures. The simulated phishing campaign manager 250 might allow an attack manager to see, via a graphical user interface running on the attack management app 214, a timeline showing overall failure rates. This may help to determine if a security policy was implemented at a specific time.

In certain embodiments, the simulated phishing campaign manager 250 can process reply emails sent from clients to server 106. The simulated phishing campaign manager 250 can, for example, be set up to process reply emails from target clients 260 in order to identify the senders of those emails. The unique identifiers contained in each reply email received by the server may help determine the identities of the targets.

The system 200 could include a network 104. The network 104 can be of any type or form. The network 104's geographical coverage can vary greatly. It could be a body area network (BAN), a personal area network, a local area network (e.g., an intranet), a metropolitan area network (MAN), a wide area network (WAN), or the Internet. The network 104's topology can be of any type and could include any combination of: point-to-point, bus, star, ring, mesh, or tree. The network 104 could be an overlay network that is virtual and sits on top of one or more layers of other networks 104. The network 104 can be of any network topology known to those of ordinary skill in the art and capable of supporting the operations described. The network 104 can use different protocols and layers, such as the Ethernet protocol, TCP/IP, ATM (Asynchronous Transfer Mode), SONET (Synchronous Optical Networking), or SDH (Synchronous Digital Hierarchy). The TCP/IP internet protocol suite can include the application layer, transport layer and internet layer (including IPv6). The network 104 could be classified as a broadcast network or a telecommunications network. It also may include a data communication network or computer network. The network 104 links the client 102 and server 106. Client 102 includes a communications module 266, a user interface 266, and a display 268, as well as a messaging application 270. The client 102 also receives email from the server 106. The email is based on the campaign created by the simulated phishing campaign manager 250. The client 102 can receive the simulated phishing email via the messaging application 270. It also displays the email to the user via the display 268 and allows the user to interact with the email using the user interface 266. The client can interact with the simulated phishing email and navigate to the landing page that is used by the simulated phishing campaign manager 250.

Referring to FIG. 2B in a general overview, FIG. 2B shows an architecture that can implement smart groups. System 200 can include additional architectural elements that provide smart group functionality in some embodiments. Server 106 may include smart group criteria selector 274, smart group criteria tracker 276, smart group reporter 281, and smart group management application 271. System 200 could include smart group criteria 272 or additional storage. Smart group management application 271 may be included in system 200.

Referring to FIG. 2B in greater detail, system 200 might include smart group criteria selector 274, which allows a system administrator or company administrator to select one or more criteria that can be applied to or associated with a smart group. Smart group criteria tracker 276 monitors and updates all criteria that could be applied to or associated with a smart group. Smart group reporter 280 creates reports about members of smart groups. Smart group management application 271 can be used to create the membership of the smart groups at the time that an indication is given that the smart groups are to be used in the computer-based security awareness system. Smart group storage 272 can be used to store one or more criteria that are associated with a smart group. Smart group criteria storage 273 can be used to store all criteria that could be applied to or associated with a smart group. Smart group membership lists are created only when they will be used and are not kept as static group membership lists. Some embodiments allow for the preservation of historical smart group membership lists to permit administrators to see changes in smart group population. Administrators can request a list of the current members of a smart group; the criteria of the smart group are then queried to generate the list. This ensures that the membership list does not become outdated. Smart groups are not only useful for simulated phishing campaigns, report generation, or training campaigns.

Each of the server 106 user group management functions 212, 214 and phishing emails user interaction counter 218, user remediation tracking tracker 236 and smart group criteria tracker 274, phishing email interaction tracker 235, simulated email campaign manager 252, user interface manager 252, smart phishing, smart group manager 254, smart group criteria tracker 276 and smart group management application 271 may contain a program, service, task, script, library, application, or any other type of executable instructions and/or code that can be executed on one or multiple processors. Any of the server 106, user group management function 212, user group management application 214, phishing email interaction counter 216, user remediation tracking counter 218, phishing email interaction tracker 235, remediation tracker 236, simulated phishing campaign manager 250, smart group criteria selector 274, smart group criteria tracker 276, smart group reporter 280, and smart group management application 271 may be combined into one or more modules, programs, services, scripts, libraries or executable code.

In certain embodiments, system administrators or company administrators may be able to use the smart group management application 271 to create one, two, or more smart groups with unique identifications such as a name, number, handle, or any other unique identifier known in the art. The smart group management application 271 can be coupled to or integrated into the memory 122 to allow the smart group management application 271 to access parameters related to users, user groups, smart groups, smart group criteria, remediation training, and other parameters that are associated with computer-based security awareness training. The server 106 and any module or component of server 112 may be integrated or coupled with memory, a memory store, or other storage, such as a database of server 106, or another device such as an external server, data source, software system, or other device that may contain information about the plurality.

The administrator might wish to apply a smart group to all users or to a selected subset of them.

The smart group management application 271 allows the administrator to rename or merge existing smart groups. Smart group criteria selector 274 can be used to manage the selection of criteria that a company administrator or system administrator uses to identify users who belong to the smart groups. Smart group management application 271 or smart group criteria selector 274 may process input from server 106, and/or provide access as required to various applications, modules and other components of the server 106 for other applications, modules and software components of server 106. Administrators may have the option to choose from a variety of criteria using smart group criteria selector 274. This interface may be provided by user interface manager 252 or simulated phishing campaign manager 250. The criteria could be displayed as a drop-down list from which the administrator can select one or more criteria to be included in the smart group. Administrators can store the criteria in smart group criteria storage 273. These criteria can be modified from time to time. Smart group management application 271 can be any application, service, daemon or routine that generates messages. The smart group management application can generate messages in any format.

In certain embodiments, smart group management application 271 can indicate which groups are smart groups when they appear in a list with all groups. The smart groups can be listed before or after the "normal" static groups in the console, and each type of group can be given a heading. Administrators can set up and configure smart groups using the smart group management application 271. This interface can be fully graphical and include drop-down boxes (i.e., operators) to allow the selection of criteria (e.g., "all users who have been phished" or "all users who have not been phished within the past 30 days"). The administrator can modify or enter the time period or date for tracking criteria in some cases. Administrators can add criteria by pressing a plus (+) button in some embodiments. To create the smart group, click on the plus (+) button.

Smart group criteria selector 274 allows a system administrator or company administrator to select one or more criteria that will be applied to or associated with a smart group. The smart group criteria selector 274 can be integrated or coupled with the memory 122 to allow the smart group management application 271 to access parameters related to users, user groups, smart groups, smart group criteria, remediation training, as well as other parameters that are associated with computer-based security awareness training. The server 106 and any modules or components of server 106 may be integrated or coupled with memory or another storage device such as a database of server 106, or an external server, data source or software system that may contain information about the plurality.

Administrators (who may include system administrators or company administrators) can create smart groups at any time. This includes before a simulated phishing campaign, before asking for a report, after the company Active Directory is integrated, and when a computer-based training program has been established. The system 200 may save a name and the criteria for the smart groups created using smart group criteria selector 274. Smart groups storage 272 may store the name and criteria of the smart group. Although the criteria for the smart groups do not change, the users who meet the criteria may change over time. When an indication is received that the smart groups are to be used for a specific purpose, the list of smart group users is generated.

Administrators can use the smart group criteria selector 274 to modify the criteria of any smart group at any time after it is created. Smart groups can be based on multiple criteria. For example, the system may combine multiple criteria with multiple logical operators (e.g., the "users who have not been trained" AND "users who were phished within the last x months" criteria). The system 200 may restrict the number of criteria that can be combined to create a smart group in some embodiments.

In certain embodiments, system 200 allows static groups to be nested within a smart group. Instead of only having criteria that determine which users belong to a group based on specific criteria or attributes, the smart group criteria selector 274 may be used by administrators to select existing smart groups and static groups, so that members of the first smart group or static group also become members of the second smart group. In some examples, the smart group criteria selector 274 of the system 200 can be used to select administrative or organizational groups, for example, all accounting group members. The criteria for the next and subsequent groups within a nest can vary depending on the situation.

In one embodiment, an administrator creates a smart group before initiating a campaign. The administrator names the smart group (Group 1) and selects criteria such as "all users who have not been trained" or "users that have not been phished within the last five months". Next, the administrator creates a training campaign and directs the system via a user interface to use members from Group A in the training campaign. The system creates a list of users who meet the Group A criteria before the campaign begins. These users are then added to the training campaign at that specific moment. These users are now considered to be members of smart group "Group A". This example shows that users who have not completed training would be removed from the smart group. Smart group membership is limited to users who have never been trained. The smart group membership is dynamic and changes with the events that take place.
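The following sketch is an added example, not code from the patent or from any product. It shows membership being computed only when a campaign is launched, criteria combined with logical AND, a nested static group, and preserved historical membership lists. All class, function and user names, the dates, and the 150-day window are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, FrozenSet, List, Optional, Tuple, Union

@dataclass
class User:
    user_id: str
    trained_at: Optional[datetime] = None   # last completed training, if any
    phished_at: Optional[datetime] = None   # last simulated-phish failure, if any

# A criterion is a predicate over a user record and the evaluation time.
Criterion = Callable[[User, datetime], bool]

def never_trained(user: User, now: datetime) -> bool:
    return user.trained_at is None

def phished_within(days: int) -> Criterion:
    def check(user: User, now: datetime) -> bool:
        return (user.phished_at is not None
                and now - user.phished_at <= timedelta(days=days))
    return check

@dataclass
class StaticGroup:
    name: str
    member_ids: FrozenSet[str]

@dataclass
class SmartGroup:
    name: str
    criteria: List[Criterion]                # combined with logical AND
    nested: List[Union[StaticGroup, "SmartGroup"]] = field(default_factory=list)
    history: List[Tuple[datetime, FrozenSet[str]]] = field(default_factory=list)

    def resolve(self, users: List[User], now: datetime, _seen=None) -> FrozenSet[str]:
        """Only name and criteria are stored; membership is computed on demand."""
        seen = _seen if _seen is not None else set()
        if id(self) in seen:                 # guard against groups nested in a cycle
            return frozenset()
        seen.add(id(self))
        members = {u.user_id for u in users
                   if self.criteria and all(c(u, now) for c in self.criteria)}
        for group in self.nested:            # nested members join this group too
            if isinstance(group, StaticGroup):
                members |= group.member_ids
            else:
                members |= group.resolve(users, now, seen)
        result = frozenset(members)
        if _seen is None:                    # keep a snapshot of top-level lookups
            self.history.append((now, result))
        return result

def launch_campaign(group: SmartGroup, users: List[User], now: datetime) -> List[str]:
    """The enrollment list is generated at launch, never read from a stored list."""
    return sorted(group.resolve(users, now))

def demo() -> dict:
    # Constructed sample users and dates.
    users = [User("alice"),
             User("bob", trained_at=datetime(2023, 11, 1)),
             User("carol", phished_at=datetime(2023, 12, 20))]
    group_a = SmartGroup("Group A", [never_trained])
    first = launch_campaign(group_a, users, datetime(2024, 1, 10))
    users[0].trained_at = datetime(2024, 1, 15)      # alice completes training
    second = launch_campaign(group_a, users, datetime(2024, 2, 1))
    combined = SmartGroup("Untrained AND recently phished",
                          [never_trained, phished_within(150)],
                          nested=[StaticGroup("Accounting", frozenset({"bob"}))])
    third = launch_campaign(combined, users, datetime(2024, 2, 1))
    return {"first": first, "second": second, "third": third,
            "snapshots": len(group_a.history)}

if __name__ == "__main__":
    print(demo())
```

Because no member list is stored between uses, a user whose status changes between two campaigns is picked up or dropped at the next launch without any administrator action.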

Smart group criteria can include any attribute that is applicable to a user. Smart group criteria tracker 276 tracks and updates all criteria that could be applied to, or associated with, a smart group. These are some examples of smart group criteria:
