Sec+ Chapter 04: Social Engineering, Physical, and Password Attacks

Question 1

Social engineering

Answer 1

The practice of manipulating people to accomplish a desired action

Question 2

7 social engineering principles

Answer 2

1) Authority

2) Intimidation

3) Consensus

4) Scarcity

5) Familiarity

6) Trust

7) Urgency

Question 3

Phishing

Answer 3

Fraudulent acquisition credentials, sensitive PII, etc

Usually done over email

Question 4

Smishing

Answer 4

Phishing via SMS text messages

Question 5

Vishing

Answer 5

Phishing over the phone

Question 6

Spearphishing

Answer 6

Targets specific individuals or groups to gather desired information or access

Question 7

Whaling

Answer 7

Aimed at senior employees like CEOs and CFOs (the big fish)

Question 8

Phishing defense

Answer 8

Security awareness

Reputation tools

Spam filters on email

Question 9

Credential harvesting

Answer 9

The process of gathering credentials like user / pass combos

Often done via phishing attacks

Question 10

Pharming

Answer 10

Attack that redirects traffic from legit sites to bad ones

Requires altered DNS entries

Question 11

Typosquatting

Answer 11

Misspelled and slightly off, but similar, to legit website URL

Question 12

Watering hole attacks

Answer 12

Attacks on websites users frequent to infect them there, and they take it back home

Question 13

Spam

Answer 13

Unsolicited or junk email

Employs SE techniques to get you to open a message or click a link

Question 14

SPIM

Answer 14

Spam over IM

Question 15

Dumpster diving

Answer 15

Retrieving potentially sensitive information from a dumpster or trash

Question 16

Dumpster diving defense

Answer 16

Use secure disposal services for documents, secure dumpsters, ensure trash doesn’t have sensitive info in it

Question 17

Shoulder surfing

Answer 17

Looking over a person’s shoulder, through mirrors, etc, etc to capture info

Question 18

Shoulder surfing defense

Answer 18

Security awareness

Security screens

Polarized screen covers

Question 19

Tailgating

Answer 19

Following someone who has authorized access into an area as they open secure doors.

Question 20

Tailgating defnese

Answer 20

Make anyone present show credentials if they follow you in

Question 21

Elicitation

Answer 21

Technique to gather info without targets realizing they’re providing it

Question 22

Elicitation defense

Answer 22

Be aware, don’t be an idiot

Question 23

Prepending

Answer 23

Adding expression or phrase to emails to make it look like it passed spam filter

Question 24

Pretexting

Answer 24

Using a made up scenario to justify why you’re approaching an individual

Question 25

Identity fraud / theft

Answer 25

The illicit use of someone else's identity

Question 26

Hoaxes

Answer 26

Intentional falsehoods

Question 27

Invoice scam

Answer 27

Sending fake invoices to organizations in the hopes of receiving payment

Question 28

Brute force attack

Answer 28

An attack that iterates through passwords until you find one that works

Question 29

Password spraying

Answer 29

Brute force attack that attempts to use a single password or small set of passwords against many accounts

Question 30

Dictionary attacks

Answer 30

Brute force attack that uses a word list for its attempts

Question 31

Hashing

Answer 31

One-way cryptographic function that takes an input and generates a unique, repeatable output

Question 32

Malicious flash drive attacks

Answer 32

Drop flash drives in a place where they'll be picked up and plugged in by victim Drives will have malicious code / programs on them

Question 33

Malicious USB cables

Answer 33

Cables that can capture keystrokes, capture data, or deploy malware

Question 34

Card cloning

Answer 34

Focuses on capturing information from cards like RFID and magnetic stripes often used for entry access

Question 35

Skimming

Answer 35

Attacks that use hidden or fake readers to skim cards

Question 36

Supply chain attacks

Answer 36

Attacks that compromise devices, systems, or software before it ever reaches and organization