3.5
Which of the following is not a form of social engineering?
Impersonating a user by logging on with stolen credentials
You have just received a generic-looking email that is addressed as coming from the administrator of your company. The email says that, as part of a system upgrade, you are to go to a new website and enter your user name and password so you can manage your email and spam using the new service. What should you do?
Verify that the email was sent by the administrator and that this new service is legitimate.
Which of the following are examples of social engineering? (Select two.)
1) Shoulder surfing 2) Dumpster diving
What is the primary countermeasure to social engineering?
Awareness
Which of the following is a common social engineering attack?
Distributing hoax virus information emails.
What is the weakest point in an organization's security infrastructure?
People
Dumpster diving is a low-tech way of gathering information that may be useful in gaining unauthorized access or as a starting point for more advanced attacks. How can a company reduce the risk associated with dumpster diving?
Establish and enforce a document destruction policy
How can an organization help prevent social engineering attacks? (Select two.)
1) Educate employees on the risks and countermeasures. 2) Publish and enforce clearly-written security policies.
The receptionist received a phone call from an individual claiming to be a partner in a high-level project and requesting sensitive information. The individual is engaging in which type of social engineering?
Authority
Identify and label the following attacks by dragging the term on the left to the definition on the right. Not all terms are used.
1) Masquerading: An attacker convinces personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access.
2) Whaling: An attacker pretending to be from a trusted organization sends emails to senior executives and high-profile personnel asking them to verify personal information or send money.
3) Vishing: Attackers use Voice over IP (VoIP) to pretend to be from a trusted organization and ask victims to verify personal information or send money.
4) Spear phishing: Attackers send emails with specific information about the victim (such as which online banks they use) that ask them to verify personal information or send money.
5) Scarcity: Attackers attempt to make the person believe that if they don't act quickly, they will miss out on an item, opportunity or experience.
Which of the following attacks tricks victims into providing confidential information (such as identity information or login credentials) through emails or websites that impersonate an online entity that the victim trusts?
Phishing
Match the social engineering description on the left with the appropriate attack type on the right.
Phishing: An attacker pretending to be from a trusted organization sends an email asking users to access a website to verify personal information.
Whaling: An attacker gathers personal information about the target individual, who is a CEO.
Spear phishing: An attacker gathers personal information about the target individual in an organization.
Dumpster diving: An attacker searches through an organization's trash looking for sensitive information.
Piggybacking: An attacker enters a secured building by following an authorized employee through a secure door without providing identification.
Vishing: An attacker uses a telephone to convince target individuals to reveal their credit card information.
You've just received an email message explaining that a new and serious malicious code threat is ravaging across the internet. The message contains detailed information about the threat, its source code, and the damage it can inflict. The message states that you can easily detect whether or not you have already been a victim of this threat by the presence of three files in the \Windows\System32 folder. As a countermeasure, the message suggests that you delete these three files from your system. In response to this message, which action should you take first?
Verify the information on well-known malicious code threat management websites
Which of the following social engineering attacks uses Voice over IP (VoIP) to gain sensitive information?
Vishing
A senior executive reports that she received a suspicious email concerning a sensitive internal project that is behind production. The email was sent from someone she doesn't know, and he is asking for immediate clarification on several of the project's details so the project can get back on schedule. Which type of attack best describes the scenario?
Whaling