Undergraduate thesis
Gašper Božič (Author), Dejan Lavbič (Mentor)


The undergraduate thesis covers the field of enterprise cyber security, specifically the problem of e-mail attacks in which the attacker uses social engineering to get the victim to trust them and consequently disclose private data that could be useful for breaking into the business system or for impersonating the victim to other parts of the system to which the victim has access. For the purposes of the thesis, an application was developed that served as an internal web application, built on the MEAN stack, which made it possible to run penetration tests and thus offered a detailed insight into which employees are vulnerable to different kinds of attacks, with employees grouped by their demographic and business characteristics (gender, year of birth, years of experience, position in the company ...). The main result of the thesis is a good insight into which employees are most vulnerable and which kinds of malicious e-mail are most successful; an additional result of the thesis is the application itself as a product. In the experiment carried out at the company, out of 1,384 e-mails sent (173 participants each received 8 different examples of malicious e-mail), an interaction with the body of the e-mail was recorded for 8 % (110). From the results obtained it was possible to analyse well both the success of the individual e-mails, where the e-mail that urged subjects to check the record of their leave in the company's new system dominated with a 26 % success rate, and the risk level of the various sectors in the company, where phishing attacks were most successful in the commercial sector. Statistics on the risk level by age show that a subject's susceptibility to such attacks grows in proportion to their age, with the youngest interval (20 to 29 years inclusive) reaching a 3 % risk level and the oldest (60 to 69 years inclusive) a 13 % susceptibility.
Likewise, the risk level grew in proportion to the subject's length of service, with the exception of one anomaly, the interval from 20 to 24 years inclusive. Among the positions in the company, the most critical by risk level, ranking first with a 50 % risk level, were the head of internal logistics and the production pre-trainee.


enterprise cyber security;malicious e-mail;application;testing;analysis;computer and information science;university studies;undergraduate theses;


Language: Slovenian
Typology: 2.11 - Undergraduate Thesis
Organization: UL FRI - Faculty of Computer and Information Science
Secondary language: English
Secondary title: Enterprise cyber security - security breaches of internal business systems via phishing attacks
Secondary abstract: The diploma thesis covers the field of enterprise cyber security, specifically the problem of phishing attacks, where the attacker uses social engineering techniques to persuade the victim to trust them and consequently disclose private data that could be useful for a security breach of a business system or for impersonating the victim to other parts of the system to which the victim has access. For the diploma thesis, an application was created that served as an internal web application, built on the MEAN stack, which enabled the running of penetration tests and thus provided a detailed insight into which types of employees are vulnerable to different types of attacks. Employees were examined according to their demographic and business characteristics (gender, year of birth, years of experience, position in the company ...). The expected outcome of the experiment was a good insight into which types of employees are most vulnerable and which types of malicious e-mails are the most successful; at the same time, the additional result of this project was the application itself as a product. During the experiment at the company, out of 1,384 e-mails sent (173 participants were each sent 8 different cases of malicious e-mail), approximately 8 % (110) recorded an interaction with the body of the e-mail. From the obtained results it was possible to analyse the performance of individual e-mails well: the most successful, with a 26 % success rate, was an e-mail that encouraged subjects to check the record of their leave of absence in the company's new system. In the field of risk rates for different business sectors, phishing attacks were most successful in the commercial sector.
Age-related risk level statistics show that a subject's susceptibility to such attacks increases in proportion to their age, with the youngest interval (20 to 29 years inclusive) reaching a 3 % risk level and the oldest interval (60 to 69 years inclusive) a 13 % sensitivity. Furthermore, the level of risk increased in proportion to the subject's length of service (measured in years), except for one anomaly, the interval of 20 to 24 years inclusive. Among the positions in the company, the most critical in terms of risk level, the "head of internal logistics" and "preparation for work", ranked first with a 50 % level of risk.
Secondary keywords: enterprise cyber security;malicious e-mail;application;testing;analysis;computer and information science;diploma;Computer science;Security of computer systems;Computer crime;Economic security;University and higher-education theses;
