Which type of social engineering attack utilizes voice messaging to conduct the attack?

A. Phishing

B. War dialing

C. Vishing

D. War driving

C. 

Vishing is basically a variation of phishing that uses voice communication technology to obtain the information the attacker is seeking. Vishing takes advantage of the trust that most people place in the telephone network. The users are unaware that using Voice over IP (VoIP) technology, attackers can spoof calls from legitimate entities. Voice messaging can be compromised and used in these attempts.

Social engineering attacks work well because the individual who is the target of the attack/attempt

A. Is often not very intelligent and can’t recognize the fact that a social engineering attack is being attempted.

B. Often either genuinely wants to help or is trying to avoid a confrontation, depending on the attacker’s specific tack.

C. Is new to the organization and can’t tell that the story he is being fed is bogus.

D. Knows the attacker.

B. 

Social engineering works because people generally truly want to help an individual asking for assistance or because they are trying to avoid a confrontation. It also works because people generally want to believe that the individual really is who he claims to be, even if that’s not actually the case. The target’s intelligence isn’t an important factor; anybody can fall prey to an adept social engineer. If an employee is new to an organization it can certainly be easier for an attacker to convince a target that he is entitled to the information requested, but it is not a requirement. Long-time employees can just as easily provide sensitive information to a talented social engineer. The target and attacker generally do not know each other in a social engineering attack, so D is not a good answer.

From a security standpoint, why should an organization consider a policy of mandatory vacations?

A. To ensure that employees are not involved in illicit activity that they are attempting to hide.

B. Because employees who are tired are more prone to making errors.

C. To provide an opportunity for security personnel to go through their desks and computer systems.

D. To keep from having lawsuits filed against the organization for adverse working conditions.

A.

A common characteristic of employees who are involved in illicit activities is their reluctance to take a vacation. A prime security reason to require mandatory vacations is to discourage illicit activities in which employees are engaged.

Select all of the following that are examples of personally identifiable information:

A. An individual’s name

B. A national identification number 

C. A license plate number

D. A telephone number

E. A street address

A, B, C, D, E. 

All of these are examples of personally identifiable information. Any information that can be used to uniquely identify an individual falls into this category.

A hoax can still be a security concern because

A. It may identify a vulnerability that others can then decide to use in an attack.

B. It shows that an attacker has the contact information for an individual who might be used in a later attack.

C. It can result in a user performing some action that could lead to a compromise or that might adversely affect the system or network.

D. A hoax is never a security concern—that is why it is called a hoax.

C. 

A hoax can cause a user to perform some action, such as deleting a file that the operating system needs. Because of this, hoaxes can be considered legitimate security concerns.

How should CDs and DVDs be disposed of?

A. By shredding using a paper shredder designed also to shred CDs and DVDs.

B. By using a commercial grade degausser.

C. By overwriting the disk with 0s, then 1s, and then a random character.

D. There is no approved way of disposing of this type of media, so they must be archived in a secure facility.

A. 

Shredders that are designed to destroy CDs and DVDs are common and inexpensive. A degausser is designed for magnetic media, not optical. Writing over with 0s, 1s, and a random character is a method that can be used for other magnetic media but not CDs or DVDs.

What type of attack consists of looking through an individual’s or organization’s trash for sensitive information?

A. Phishing

B. Vishing

C. Shoulder surfing

D. Dumpster diving

D. 

This is a description of dumpster diving. From a security standpoint, you should be concerned with an attacker being able to locate information that can help in an attack on the organization. From an individual perspective, you should be concerned about the attacker obtaining information such as bank account or credit card numbers.

What type of attack can involve an attacker setting up a camera to record the entries individuals make on keypads used for access control? 

A. Phishing

B. Shoulder surfing

C. Dumpster diving

D. Vishing

B. 

This is a description of a shoulder surfing method. Other methods include simply looking over a person’s shoulder as she enters code or using binoculars to watch from a distance.

Which of the following should be included in a password policy?

A. An explanation of how complex the password should be (i.e., what types

of characters a password should be made up of)

B. The length of time the password will be valid before it expires

C. A description of how passwords should be distributed and protected

D. All of the above

D. 

All three of these were mentioned as part of what a password policy should include.

What is the best method of preventing successful phishing attacks?

A. Firewalls that can spot and eliminate the phishing e-mails 

B. Blocking sites where phishing originates

C. A viable user training and awareness program

D. There is no way to prevent successful phishing attacks.

C. 

While research is being conducted to support spotting and eliminating phishing e-mails, no effective method is currently available to do this. It may be possible to block some sites that are known to be hostile, but again this is not effective at this time since an e-mail could come from anywhere and its address can be spoofed anyway. There might be some truth to the statement (D) that there is no way to prevent successful phishing attacks, because users continue to fall for them. The best way to prevent this is an active and viable user training and awareness program.

What type of attack uses e-mails with a convincing story to encourage users to provide account or other sensitive information? 

A. Vishing

B. Shoulder surfing

C. Dumpster diving

D. Phishing

D.

This is a description of phishing, which is a type of social engineering attack as are the other options. Vishing employs the use of the telephone network. Shoulder surfing involves the attacker attempting to observe a user entering sensitive information on a form, keypad, or keyboard. Dumpster diving involves the attacker searching through the trash of an organization or individual to find useful and sensitive information.

The reason for providing a group access control policy is

A. It provides a mechanism for individual users to police the other members of the group.

B. It provides an easy mechanism to identify common user restrictions for members of the group. This means that individual profiles for each user don’t have to be created but instead each is identified as a member of the group with its associated group profile/policies.

C. It is the only way to identify individual user access restrictions.

D. It makes it easier for abnormal behaviors to be identified, as a group norm can be established.

B. 

Groups and domains provide a mechanism to organize users in a logical way. Individuals with similar access restrictions can be placed within the same group or domain. This greatly eases the process of account creation for new employees.

Which of the following is a high-level, broad statement of what the organization wants to accomplish?

A. Policy

B. Procedure

C. Guideline

D. Standard

A. 

This is the definition of a policy. Procedures are the step-by-step instructions on how to implement policies in an organization.

What is "Social Engineering?"

"Social Engineering is the process of convincing an authorized individual to provide confidential information or access to an unauthorized individual."

Takes advantage of two aspects of human nature:

1) People genuinely want to help

2) People dislike confrontation.