US2020153852A1PendingUtilityA1

Locally Detecting Phishing Weakness

55
Assignee: XM Cyber LtdPriority: Jul 9, 2017Filed: Jan 9, 2020Published: May 14, 2020
Est. expiryJul 9, 2037(~11 yrs left)· nominal 20-yr term from priority
H04L 63/1483G06F 21/554H04L 63/1433H04L 63/1416
55
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Methods and systems of testing for phishing security vulnerabilities are disclosed, including methods of penetration testing of a network node by a penetration testing system comprising a reconnaissance agent software module installed in the network node, and a penetration testing software module installed on a remote computing device. Penetration testing systems are provided so as to locally detect weaknesses that would expose network nodes to phishing-based attacks.

Claims

exact text as granted — not AI-modified
1 - 28 . (canceled) 
     
     
         29 . A method of penetration testing of a network node by a penetration testing system, the penetration testing system comprising (A) a reconnaissance agent software module installed in the network node, and (B) a penetration testing software module installed on a remote computing device, the method comprising:
 a. detecting, in the network node and by the reconnaissance agent software module installed in the network node, an event occurring in the network node, the event being a member the group consisting of an event of accessing a specific Internet address by the network node, an event caused by the accessing of the specific Internet address by the network node, an event related to or caused by a portable storage device having a specific characteristic, and an event related to or caused by a shared folder to which the network node has access;   b. sending, by the reconnaissance agent software module installed in the network node, a reporting message to the remote computing device, the reporting message containing information concerning an occurrence of the detected event;   c. making a determination, by the penetration testing software module, that the network node is vulnerable to an attack, the determination being based on the information concerning an occurrence of the detected event in the reporting message; and   d. reporting the determination by the penetration testing software module, the reporting comprising at least one operation selected from the group consisting of: (i) causing a display device to display information about the determination, (ii) recording the information about the determination in a file, and (iii) electronically transmitting the information about the determination.   
     
     
         30 . The method of  claim 29 , wherein the detected event is one member of the group consisting of the event of: (i) the event of accessing the specific Internet address by the network node and (ii) the event caused by the accessing of the specific Internet address by the network node. 
     
     
         31 . The method of  claim 29 , wherein the detected event is the event related to or caused by the portable storage device having the specific characteristic. 
     
     
         32 . The method of  claim 29 , wherein the detected event is the event related to or caused by the shared folder to which the network node has access. 
     
     
         33 . The method of  claim 30 , wherein the accessing of the specific Internet address includes manually typing of the specific Internet address into an Internet browser by a user of the network node. 
     
     
         34 . The method of  claim 31 , wherein the detecting of the event comprises detecting that the portable storage device is being inserted into the network node. 
     
     
         35 . The method of  claim 31 , wherein the detecting of the event comprises detecting that a file having a specific name that resides on the portable storage device is opened. 
     
     
         36 . The method of  claim 31 , wherein the specific characteristic of the portable storage device is one of: (i) a specific identification number of the portable storage device; (ii) a specific volume name of the portable storage device; and (iii) having a file with a specific name residing in he portable storage device. 
     
     
         37 - 38 . (canceled) 
     
     
         39 . The method of  claim 32 , wherein the detecting of the event comprises detecting that a file having a specific name is retrieved from the shared folder and is opened. 
     
     
         40 . The method of  claim 32 , wherein the detecting of the event comprises: (i) detecting that a file having a specific name is retrieved from the shared folder and (ii) detecting that a link contained in the file is being selected. 
     
     
         41 . The method of  claim 29 , wherein the detecting of the event comprises detecting an outgoing message sent by the network node and having a specific characteristic. 
     
     
         42 . The method of  claim 41 , wherein the specific characteristic of the outgoing message includes a specific characteristic of the content of the outgoing message. 
     
     
         43 . The method of  claim 41 , wherein the specific characteristic of the outgoing message includes a specific characteristic of the address to which the message is being sent. 
     
     
         44 . The method of  claim 43 , wherein the specific characteristic of the address is that the address is a specific address. 
     
     
         45 . The method of  claim 43 , wherein the outgoing message is an email message and the specific characteristic of the address is that a domain name of the address is a specific domain name. 
     
     
         46 . The method of  claim 43 , wherein the outgoing message is an email message and the specific characteristic of the address is that the address is a loopback address. 
     
     
         47 . The method of  claim 29 , wherein the detecting of the event comprises detecting an execution of a specific executable file by the network node. 
     
     
         48 . (canceled) 
     
     
         49 . (canceled) 
     
     
         50 . The method of  claim 29 , wherein the detecting of the event comprises detecting a specific registry-related operation. 
     
     
         51 . (canceled) 
     
     
         52 . (canceled) 
     
     
         53 . The method of  claim 29 , wherein the detecting of the event comprises detecting a specific file-related operation. 
     
     
         54 - 79 . (canceled) 
     
     
         80 . A penetration testing system for testing a network node on which a reconnaissance agent software module is installed, the penetration testing system comprising:
 a. a remote computing device in electronic communication with the network node and comprising one or more processors, wherein a penetration testing software module of the penetration testing system is installed on the remote computing device;   b. a first non-transitory computer-readable storage medium containing first program instructions, wherein execution of the first program instructions by one or more processors of the network node causes the one or more processors of the network node to carry out the following:
 i. detecting, in the network node and by the reconnaissance agent software module, an event occurring in the network node, the event being a member of the group consisting of an event of accessing a specific Internet address by the network node, an event caused by the accessing of the specific Internet address by the network node, an event related to or caused by a portable storage device having a specific characteristic, and an event related to or caused by a shared folder to which the network node has access, and 
 ii. sending, by the reconnaissance agent software module, a reporting message to the remote computing device, the reporting message containing information concerning an occurrence of the detected event; and 
   c. a second non-transitory computer-readable storage medium containing second program instructions, wherein execution of the second program instructions by one or more processors of the remote computing device causes the one or more processors of the remote computing device to carry out the following:
 i. in response to receiving the reporting message from the reconnaissance agent software module installed in the network node, making a determination, by the penetration testing software module, that the network node is vulnerable to an attack, the determination being based on the information concerning the occurrence of the detected event included in the reporting message, and 
 ii. reporting the determination by the penetration testing software module, the reporting comprising at least one operation selected from the group consisting of: (i) causing a display device to display information about the determination, (ii) recording the information about the determination in a file, and (iii) electronically transmitting the information about the determination. 
   
     
     
         81 . (canceled)

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.