Social Engineering and Other Foes


- Social Engineering and Other Foes - administrative control

A control implemented through administrative policies or procedures.

- Social Engineering and Other Foes - mantrap

A device, such as a small room, that limits access to one or a few individuals. Mantraps typically use electronic locks and other methods to control access.

- Social Engineering and Other Foes - spear phishing

A form of phishing in which the message is made to look as if it came from someone you know and trust as opposed to an informal third party.

- Social Engineering and Other Foes - phishing

A form of social engineering in which you simply ask someone for a piece of information that you are missing by making it look as if it is a legitimate request. Commonly sent via email.

- Social Engineering and Other Foes - cable lock

A physical security deterrent used to protect a computer.

- Social Engineering and Other Foes - hot aisles

A server room aisle that removes hot air.

- Social Engineering and Other Foes - privacy

A state of security in which information isn't seen by unauthorized parties without the express permission of the party involved.

- Social Engineering and Other Foes - compensating controls

Gap controls that fill in the coverage between other types of vulnerability mitigation techniques. (Where there are holes in coverage, we compensate for them.)

- Social Engineering and Other Foes - As part of your training program, you're trying to educate users on the importance of security. You explain to them that not every attack depends on implementing advanced technological methods. Some attacks take advantage of human shortcomings to gain access that should otherwise be denied. What term do you use to describe attacks of this type? A. Social engineering B. IDS system C. Perimeter security D. Biometrics

A. Social engineering attacks take advantage of our inherent trust as human beings, as opposed to technology, to gain access to your environment.

- Social Engineering and Other Foes - Which of the following is the best description of tailgating? A. Following someone through a door they just unlocked B. Figuring out how to unlock a secured area C. Sitting close to someone in a meeting D. Stealing information from someone's desk

A. Tailgating is best defined as following someone through a door they just unlocked.

- Social Engineering and Other Foes - social engineering

An attack that uses others by deceiving them. It does not directly target hardware or software, but instead it targets and manipulates people.

- Social Engineering and Other Foes - Faraday cage

An electrically conductive wire mesh or other conductor woven into a "cage" that surrounds a room and prevents electromagnetic signals from entering or leaving the room through the walls.

- Social Engineering and Other Foes - Which of the following is another name for social engineering? A. Social disguise B. Social hacking C. Wetware D. Wetfire

C. Wetware is another name for social engineering.

- Social Engineering and Other Foes - PTZ

Cameras that can pan, tilt, and zoom.

- Social Engineering and Other Foes - Personal Identity Verification (PIV)

Card required of federal employees and contractors to gain access (physical and logical) to government resources.

- Social Engineering and Other Foes - What is the form of social engineering in which you simply ask someone for a piece of information that you want by making it look as if it is a legitimate request? A. Hoaxing B. Swimming C. Spamming D. Phishing

D. Phishing is the form of social engineering in which you simply ask someone for a piece of information that you want by making it look as if it is a legitimate request.

- Social Engineering and Other Foes - EXAM ESSENTIALS: Be able to discuss aspects of environmental systems and functions.

Environmental systems include heating, air conditioning, humidity control, fire suppression, and power systems. All of these functions are critical to a well-designed physical plant.

- Social Engineering and Other Foes - EXAM ESSENTIALS: Be able to describe the types of fire-suppression systems in use today

Fire-suppression systems can be either fixed or portable. Portable systems are most commonly fire extinguishers. Fixed systems are part of the building, and they're generally water- or gas-based. Gas-based systems are usually found only in computer rooms or other locations where water-based systems would cause more damage than is warranted. Gas systems work only in environments where airflow can be limited; they remove oxygen from the fire, causing the fire to go out. Water systems usually remove heat from a fire, causing the fire to go out.

- Social Engineering and Other Foes - tailgating

Following someone through an entry point.

- Social Engineering and Other Foes - FYI: TEMPEST was concerned with reducing electronic noise from devices that would divulge intelligence about systems and information. TEMPEST-certified equipment frequently costs twice as much as non-TEMPEST equipment.

Intentionally Left Blank

- Social Engineering and Other Foes - NOTE: A major concern with electrical fires is that they can recur quickly if the voltage isn't removed. Make sure that you remove voltage from systems when a fire occurs.

Intentionally Left Blank

- Social Engineering and Other Foes - EXAM ESSENTIALS: Know the importance of security awareness and training

Security awareness and training are critical to the success of a security effort. They include explaining policies, procedures, and current threats to both users and management.

- Social Engineering and Other Foes - Technical controls

Security controls that are carried out or managed by devices.

- Social Engineering and Other Foes - perimeter security

Security set up on the outside of the network or server to protect it.

- Social Engineering and Other Foes - cold aisles

Server room aisles that blow cold air from the floor.

- Social Engineering and Other Foes - EXAM ESSENTIALS: Know the purposes of shielding in the environment

Shielding primarily prevents interference from EMI and RFI sources. Most shielding is attached to an effective ground, thereby neutralizing or reducing interference susceptibility.

- Social Engineering and Other Foes - NOTE: A type K extinguisher that is marketed for use on cooking oil fires can also be found in stores. In actuality, this is a subset of class B extinguishers. Several multipurpose extinguishers combine several extinguisher capabilities in a single bottle. The more common multipurpose extinguishers are A-B, B-C, and ABC. The recommended procedure for using a fire extinguisher is called the PASS method: Pull, Aim, Squeeze, and Sweep.

Intentionally Left Blank

- Social Engineering and Other Foes - NOTE: Discussions at home with a spouse, or casual conversations with associates where we are bragging or trying to impress others, can lead to sharing more information than we should.

Intentionally Left Blank

- Social Engineering and Other Foes - NOTE: Environmental systems should be monitored to prevent the computer center's humidity level from dropping below 50 percent. Electrostatic damage is likely to occur when humidity levels get too low.

Intentionally Left Blank

- Social Engineering and Other Foes - NOTE: In the event of power failure, HVAC for the server room should be on the uninterruptable power supply (UPS) in order to keep it cool.

Intentionally Left Blank

- Social Engineering and Other Foes - NOTE: More than one principle can be used in any given attack. It is not uncommon, for example, to see both scarcity and urgency used together.

Intentionally Left Blank

- Social Engineering and Other Foes - NOTE: NDAs are common in the technology arena. Make sure that you read any NDA thoroughly before you sign it. You don't have to sign an NDA to be bound by it: if you agree that you'll treat the information as private and then receive the information, you have, in essence, agreed to an NDA. In most cases, this form of verbal NDA is valid for only one year.

Intentionally Left Blank

- Social Engineering and Other Foes - control types

Technical, physical, or administrative measures in place to assist with resource management.

- Social Engineering and Other Foes - fire suppression

The act of stopping a fire and preventing it from spreading.

- Social Engineering and Other Foes - PASS method

The correct method of extinguishing a fire with an extinguisher: Pull, Aim, Squeeze, and Sweep.

- Social Engineering and Other Foes - NOTE: Proximity reader is a catchall term for any ID or card reader capable of reading proximity cards. Proximity cards go by a number of different titles, but they are just RFID (radio frequency identification) cards that can be read when close to a reader and truly never need to touch anything. The readers work with 13.56 MHz smart cards and 125 kHz proximity cards, and they can open turnstiles, gates, and any other physical security safeguards once the signal is read.

Intentionally Left Blank

- Social Engineering and Other Foes - NOTE: Some EULAs now limit the information that users can disclose about problems with their software. These new statements have not yet been challenged in court. Try to avoid being the test case for this new and alarming element of some software licenses; read the EULA before you agree to it.

Intentionally Left Blank

- Social Engineering and Other Foes - NOTE: When "trusting" another firm—whether it be a shredding service, a pulping operation, or other—always insist on receiving a Certificate of Destruction. This document should be kept on record for some time in case an audit is done to discover what became of certain files.

Intentionally Left Blank

- Social Engineering and Other Foes - Note: Lighting can also serve as a deterrent. Bright lighting in a parking lot, access way, or storage area, for example, can help reduce the risk of theft.

Intentionally Left Blank

- Social Engineering and Other Foes - TIP: Any temporary access individual, such as a vending machine repair person or HVAC technician, should be escorted at all times and never left alone in secure areas.

Intentionally Left Blank

- Social Engineering and Other Foes - TIP: One of the best counters to phishing is simply to mouse over the Click Here link and read the URL. Almost every time it is pointing to an adaptation of the legitimate URL as opposed to a link to the real thing.

Intentionally Left Blank

- Social Engineering and Other Foes - TIP: Symantec and other vendors maintain pages devoted to bogus hoaxes (www.symantec.com/business/security_response/threatexplorer/risks/hoaxes.jsp). You can always check there to verify whether an email you've received is indeed a hoax.

Intentionally Left Blank

- Social Engineering and Other Foes - TIP: The three critical components of any fire are heat, fuel, and oxygen. If any component of this trilogy is removed, a fire isn't possible. Most fire-suppression systems work on this concept.

Intentionally Left Blank

- Social Engineering and Other Foes - WARNING: Evacuate the room immediately in the event of a fire. Halon-based systems work by removing oxygen from the fire, and this can suffocate anyone in the room as well.

Intentionally Left Blank

- Social Engineering and Other Foes - NOTE: Where it can be used, shredding has an advantage over most other methods of destruction in that the equipment used is portable, inexpensive, and easily available.

Intentionally Left Blank

- Social Engineering and Other Foes - dumpster diving

Looking through trash for clues—often in the form of paper scraps—to find users' passwords and other pertinent information.

- Social Engineering and Other Foes - Private

Private information is intended only for internal use within the organization. This type of information could potentially embarrass the company, disclose trade secrets, or adversely affect personnel.

- Social Engineering and Other Foes - control

Processes or actions used to respond to situations or events.

- Social Engineering and Other Foes - Pulping (Data Destruction and Media Sanitation)

Pulping reduces paper to liquid slurry before making it available for reuse in post-consumer products.

- Social Engineering and Other Foes - Consensus (Social Engineering)

Putting the person being tricked at ease by putting the focus on them—listening intently to what they are saying, validating their thoughts, charming them—is the key to this element. The name comes from a desire that we all have to be told that we are right, attractive, intelligent, and so forth.

- Social Engineering and Other Foes - privacy filters

Screens that restrict viewing of monitors to only those sitting in front of them.

- Social Engineering and Other Foes - hoax

Typically, an email message warning of something that isn't true, such as an outbreak of a new virus. A hoax can send users into a panic and cause more harm than the virus.

- Social Engineering and Other Foes - Compensating controls

control procedures that compensate for the deficiency in other controls

- Social Engineering and Other Foes - Restricted information (Private)

could seriously damage the organization if disclosed. It includes proprietary processes, trade secrets, strategic information, and marketing plans.

- Social Engineering and Other Foes - Wiping (Data Destruction and Media Sanitation)

goes further than purging and is also known as overwriting or shredding.

- Social Engineering and Other Foes - Internal information (Private)

includes personnel records, financial working documents, ledgers, customer lists, and virtually any other information that is needed to run a business. A school views student information as internal.

- Social Engineering and Other Foes - Limited distribution (Public)

information isn't intended for release to the public. This category of information isn't secret, but it's private. If a company is seeking to obtain a line of credit, the information provided to a bank is of a private nature.

- Social Engineering and Other Foes - corrective controls

Controls intended to correct a situation: to prevent the recurrence of errors.

- Social Engineering and Other Foes - preventive controls

Controls intended to stop something before it happens.

- Social Engineering and Other Foes - Public

is primarily made available either to the larger public or to specific individuals who need it.

- Social Engineering and Other Foes - Pulverizing (Data Destruction and Media Sanitation)

media (usually documents) are fed into a pulverizer that uses hydraulic or pneumatic action to reduce the materials to loose fibers and shards.

- Social Engineering and Other Foes - personal health information (PHI)

more commonly known as protected health information and should be thought of as a subset of PII that is protected by law.

- Social Engineering and Other Foes - Steward/Custodian (Data Roles)

the person (or people) who has operational responsibility for the physical and electronic security of the data. Typically, this is the systems administrator, database administrator, or programmer/analyst.

- Social Engineering and Other Foes - detective control

uncover a violation. The only time that they would be relevant is when a preventive control has failed and they need to sound an alarm.

- Social Engineering and Other Foes - Degaussing (Data Destruction and Media Sanitation)

used to remove data from magnetic storage media such as hard drives and magnetic tapes.

- Social Engineering and Other Foes - wetware

Another term for social engineering.

- Social Engineering and Other Foes - Personally identifiable information (PII)

Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. -NIST published Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

- Social Engineering and Other Foes - Intimidation (Social Engineering)

Although authority can be a source of intimidation, it is possible for intimidation to occur in its absence as well. This can be done with threats, shouting, or even with guilt.

- Social Engineering and Other Foes - vishing

Combining phishing with Voice over IP (VoIP).

- Social Engineering and Other Foes - EXAM ESSENTIALS: Know the six types of controls.

CompTIA has categorized controls into six types: deterrent (warning), preventive (stopping), detective (uncovering), compensating (backup), technical (using technology), and administrative (using policies).

- Social Engineering and Other Foes - Burning (Data Destruction and Media Sanitation)

Controlled incineration, or burning, is a good method for destroying hard copies of data (paper) and some media (ancient floppy disks, for example).

- Social Engineering and Other Foes - physical controls

Controls and countermeasures of a tangible nature intended to minimize intrusions.

- Social Engineering and Other Foes - preventive controls

Controls intended to prevent attacks or intrusions.

- Social Engineering and Other Foes - detective control

Controls that are intended to identify and characterize an incident in progress (for example, sounding the alarm and alerting the administrator).

- Social Engineering and Other Foes - technical controls

Controls that rely on technology.

- Social Engineering and Other Foes - Authority (Social Engineering)

Convincing the person you are attempting to trick that you are in a position of authority: upper management, tech support, HR, or law enforcement.

- Social Engineering and Other Foes - Scarcity (Social Engineering)

Convincing the person who is being tricked that there is a limited supply of something can often be effective if carefully done. For example, convincing them that there are only 100 vacation requests that will be honored for the entire year and that they need to go to a fictitious website now and fill out their information (including username and password, of course) if they want to take a vacation anytime during the current year can dupe some susceptible employees.

- Social Engineering and Other Foes - data disposal

Getting rid of/destroying media no longer needed.

- Social Engineering and Other Foes - watering hole attack

Identifying a site that is visited by those whom the attacker is targeting, poisoning that site, and then waiting for the results.

- Social Engineering and Other Foes - FYI: One of the more helpful sites to visit to get the status of the latest viruses is that of the CERT organization (www.cert.org). CERT monitors and tracks viruses and provides regular reports on this site.

Intentionally Left Blank

- Social Engineering and Other Foes - personally identifiable information (PII)

Information that can be uniquely used to identify, contact, or locate a single person. Examples include Social Security number, driver's license number, fingerprints, and handwriting.

- Social Engineering and Other Foes - restricted information

Information that isn't made available to all and to which access is granted based on some criteria.

- Social Engineering and Other Foes - FYI: Fire extinguisher classes (Type, Use, Retardant composition): Type A, wood and paper, largely water or chemical; Type B, flammable liquids, fire-retardant chemicals; Type C, electrical, nonconductive chemicals; Type D, flammable metals, varies (type specific).

Intentionally Left Blank

- Social Engineering and Other Foes - FYI: Ideally, your systems should have a minimum of three physical barriers: the external entrance to the building, a locked door protecting the computer center, and the entrance to the computer room itself.

Intentionally Left Blank

- Social Engineering and Other Foes - Familiarity (Social Engineering)

Mental guards are often lowered, many times subconsciously, when we are dealing with other individuals whom we like. The "like" part can be gained by someone having, or pretending to have, the same interests as we do, being engaged in the same activities, or otherwise working to gain positive attention.

- Social Engineering and Other Foes - Trust (Social Engineering)

One of the easiest ways to gain trust is through reciprocation. When someone does something for you, there is often a feeling that you owe that person something. For example, to gain your trust, someone may help you out of a troublesome situation or buy you lunch.

- Social Engineering and Other Foes - impersonation

Pretending to be another person to gain information.

- Social Engineering and Other Foes - whaling

Phishing only large accounts.

- Social Engineering and Other Foes - EXAM ESSENTIALS: Be able to describe the process of social engineering

Social engineering occurs when an unauthorized individual uses human or nontechnical methods to gain information or access to security information. Individuals in an organization should be trained to watch for these types of attempts, and they should report them to security professionals when they occur.

- Social Engineering and Other Foes - information classification

The process of determining what information is accessible, to what parties, and for what purposes.

- Social Engineering and Other Foes - Urgency (Social Engineering)

The secret for successfully using the urgency element is for the social engineer to convince the individual whom they are attempting to trick that time is of the essence. If they don't do something right away, money will be lost, a nonexistent intruder will get away, the company will suffer irreparable harm, or a plethora of other negative possibilities may occur.

- Social Engineering and Other Foes - Confidential

This classification is used to identify low-level secrets; it's generally the lowest level of classification used by the military.

- Social Engineering and Other Foes - shoulder surfing

Watching someone when they enter their username, password, or sensitive data.

- Social Engineering and Other Foes - administrative control

one that comes down through policies, procedures, and guidelines.

- Social Engineering and Other Foes - Privacy Officer (Data Roles)

or chief privacy officer (CPO), is the person within an organization charged with safeguarding personal information.

- Social Engineering and Other Foes - Physical controls

put in place to reduce the risk of harm coming to physical property, information, computer systems, or other assets.

- Social Engineering and Other Foes - Shredding (Data Destruction and Media Sanitation)

Reduces the size of objects with the intent of making them no longer usable.

- Social Engineering and Other Foes - Purging (Data Destruction and Media Sanitation)

Removing data and all traces of it. This is usually done with storage devices, such as hard drives, and is often referred to as sanitation.

- Social Engineering and Other Foes - deterrent control

Something that discourages or hinders.

- Social Engineering and Other Foes - Owner (Data Roles)

the person (or people) identified (by law, contract, or policy) with the responsibility for granting access to users and ensuring appropriate use of the information. Usually, this is the person who created the file, but that need not always be the case.
