System Security Management Quiz 4

Which of the following is not a motivation technique used by social engineers? A. A phishing campaign using whaling B. Likeness and fear C. Social proof D. Scarcity and urgency

A phishing campaign using whaling

Which of the following is not true about elicitation and interrogation? A. An interrogator cannot use closed-ended questions to gain more control of the conversation. B. An interrogator uses closed-ended questions to gain more control of the conversation and to lead the conversation or to stop it. C. An interrogator uses any information revealed to continue to gather additional information or to obtain information from another victim. D. An interrogator asks good open-ended questions to learn about the individual's viewpoints, values, and goals.

An interrogator cannot use closed-ended questions to gain more control of the conversation.

Which of the following is true about interrogation? A. It is illegal to pay attention to the victim's posture, body language, color of the skin, and eye movement during an interrogation. B. An interrogator pays attention to the victim's posture, body language, skin color, and eye movement. C. The victim pays close attention to the interrogator's gestures, but the interrogator does not need to pay attention to the victim's posture or body language. D. An interrogation should not take longer than five minutes.

An interrogator pays attention to the victim's posture, body language, skin color, and eye movement.

In a _________ attack, a user visits a legitimate website and clicks on a malicious ad. Then the user is redirected to a malicious site and downloads malware. A. Denial-of-Service (DoS) B. Privilege escalation C. Malvertising D. Whaling

Malvertising

Which of the following refers to the act of incorporating malicious ads on trusted websites, which results in users' browsers being inadvertently redirected to sites hosting malware? A. Pharming B. Active ad exploitation C. Whaling D. Malvertising

Malvertising

Which of the following is not true about pharming? A. In a pharming attack, a threat actor redirects a victim from a valid website or resource to a malicious one that could be made to look like the valid site to the user. B. Pharming can be done by exploiting a buffer overflow using Windows PowerShell. C. Pharming can be done by altering the host file on a victim's system. D. Threat actors performing a pharming attack can leverage DNS poisoning and exploit DNS-based vulnerabilities.

Pharming can be done by exploiting a buffer overflow using Windows PowerShell.

Which of the following is the term for an attacker presenting to a user a link or an attachment that looks like a valid, trusted resource? A. Pretexting B. Email exploitation C. Phishing D. Elicitation

Phishing

Which of the following is true about pretexting? A. Pretexting or impersonation involves sending a phishing email to someone inside your organization. B. Pretexting or impersonation is not effective anymore because of current anti-phishing security solutions. C. Pretexting or impersonation involves presenting yourself as someone else in order to gain access to information. D. Pretexting or impersonation involves correctly identifying yourself in order to gain access to information.

Pretexting or impersonation involves presenting yourself as someone else in order to gain access to information.

Which of the following is an example of a social engineering attack that is not related to email? A. SMS command injection B. Pretexting C. SMS phishing D. SMS buffer overflow

SMS phishing

Which of the following is true about social engineering motivation techniques? A. Scarcity cannot be used to create a feeling of urgency in a decision-making context. It is possible to use specific language in an interaction to present a sense of urgency and manipulate your victim. B. Social proof cannot be used in an interrogation because it is illegal. It is not legal to use specific language in an interaction to present a sense of urgency and manipulate your victim. C. Social proof can be used to create a feeling of urgency in a decision-making context. It is possible to use specific language in an interaction to present a sense of urgency and manipulate the victim. D. Scarcity can be used to create a feeling of urgency in a decision-making context. It is possible to use specific language in an interaction to present a sense of urgency and manipulate the victim.

Scarcity can be used to create a feeling of urgency in a decision-making context. It is possible to use specific language in an interaction to present a sense of urgency and manipulate the victim.

Which of the following involves obtaining information such as personally identifiable information (PII), passwords, and other confidential data by looking at someone's laptop, desktop, or mobile device screen? A. Display surfing B. Shoulder phishing C. Shoulder surfing D. Screen surfing

Shoulder surfing

____________ is phishing attempts that are constructed in a very specific way and directly targeted to specific individuals or companies. A. Malvertising B. Spear phishing C. Whaling D. Pretexting

Spear phishing

Which of the following is true about spear phishing? A. Spear phishing attacks use the Windows Administrative Center. B. Spear phishing is phishing attempts that are constructed in a very specific way and directly targeted to specific individuals or companies. C. Spear phishing, whaling, and phishing are the same type of attack. D. Spear phishing attacks use the Windows PowerShell.

Spear phishing is phishing attempts that are constructed in a very specific way and directly targeted to specific individuals or companies.

Which of the following is not true? A. The main goal in all phishing attacks, including whaling, is to steal sensitive information or compromise the victim's system and then target other key high-profile victims. B. Voice phishing is a social engineering attack carried out over a phone conversation. C. The Social-Engineer Toolkit (SET) can be used to impersonate websites. D. The main goal in all mass mail attacks, including whaling, is to steal sensitive information or compromise the victim's system and then target other key high-profile victims.

The main goal in all mass mail attacks, including whaling, is to steal sensitive information or compromise the victim's system and then target other key high-profile victims.

Which of the following is not true about USB key drop attacks? A. USB key drop is a type of social engineering attack. B. USB keys can contain malware and also infect an attacker. C. USB key drop attacks are not effective anymore. D. USB key drop can be combined with other social engineering attacks.

USB key drop attacks are not effective anymore.

Which of the following is true about voice phishing? A. Voice phishing is also referred to as "vhaling." B. Voice phishing is also referred to as "vishing." C. Voice phishing is not a social engineering attack but an information disclosure attack carried out over a phone conversation. D. Voice phishing is also referred to as "whaling."

Voice phishing is also referred to as "vishing."

Which of the following is not true about whaling? A. Whaling attacks target high-profile business executives. B. Whaling attacks are similar to spear phishing. C. Whaling attacks target high-profile business executives. D. Whaling attacks use DNS poisoning to impersonate a legitimate website.

Whaling attacks use DNS poisoning to impersonate a legitimate website.

Which of the following is true? A. Whaling is similar to phishing and spear phishing. B. Pretexting is not the same as impersonation. C. Spear phishing is not a social engineering attack. D. Malvertising is a type of phishing attack.

Whaling is similar to phishing and spear phishing.

