TestOut Ethical Hack

TestOut Ethical Hacker Pro Q&A Chapter 3 Soc. Eng. and Phy Sec

Question / Answer
Question 1: Social engineers are master manipulators. Which of the following are tactics they might use? 1. Shoulder surfing, eavesdropping, and keylogging 2. Eavesdropping, ignorance, and threatening 3. Moral obligation, ignorance, and threatening 4. Keylogging, shoulder surfing, and moral obligation Answer: 3
Question 2: Which of the following best describes a script kiddie? 1. A hacker who helps companies see the vulnerabilities in their security. 2. A hacker who uses scripts written by much more talented individuals. 3. A hacker willing to take more risks because the payoff is a lot higher. 4. A hacker whose main purpose is to draw attention to their political views. Answer: 2
Question 3: Any attack involving human interaction of some kind is referred to as: 1. An opportunistic attack 2. Attacker manipulation 3. Social engineering 4. A white hat hacker Answer: 3
Question 4: Using a fictitious scenario to persuade someone to perform an action or give information they aren't authorized to share is called: 1. Pretexting 2. Preloading 3. Footprinting 4. Impersonation Answer: 1
Question 5: Ron, a hacker, wants to get access to a prestigious law firm he has been watching for a while. June, an administrative assistant at the law firm, is having lunch at the food court around the corner from her office. Ron notices that June has a picture of a dog on her phone. He casually walks by and starts a conversation about dogs. Which phase of the social engineering process is Ron in? 1. Development phase 2. Research phase 3. Exploitation phase 4. Elicitation phase Answer: 1
Question 6: You are instant messaging a coworker, and you get a malicious link. Which type of social engineering attack is this? 1. Spim 2. Surf 3. Hoax 4. Spam Answer: 1
Question 7: Brandon is helping Fred with his computer. He needs Fred to enter his username and password into the system. Fred enters the username and password while Brandon is watching him. Brandon explains to Fred that it is not a good idea to allow anyone to watch you type in usernames or passwords. Which type of social engineering attack is Fred referring to? 1. Eavesdropping 2. Spam and spim 3. Shoulder surfing 4. Keyloggers Answer: 3
Question 8: Which of the following best describes an inside attacker? 1. An agent who uses their technical knowledge to bypass security. 2. A good guy who tries to help a company see their vulnerabilities. 3. An unintentional threat actor; the most common threat. 4. An attacker with lots of resources and money at their disposal. Answer: 3
Question 9: Compliments, misinformation, feigning ignorance, and being a good listener are tactics of which social engineering technique? 1. Interrogation 2. Impersonation 3. Preloading 4. Elicitation Answer: 4
Question 10: You get a call from one of your best customers. The customer is asking about your company's employees, teams, and managers. What should you do? 1. You should not provide any information except your manager's name and number. 2. You should not provide any information and forward the call to the help desk. 3. You should provide the information as part of quality customer service. 4. You should put the caller on hold and then hang up. Answer: 2
Question 11: Jason is at home, attempting to access the website for his music store. When he goes to the website, it has a simple form asking for name, email, and phone number. This is not the music store website. Jason is sure the website has been hacked. How did the attacker accomplish this hack? 1. Host file modification 2. Feigning ignorance 3. DNS cache poisoning 4. Social networking Answer: 3
Question 12: An attack that targets senior executives and high-profile victims is referred to as: 1. Pharming 2. Whaling 3. Scrubbing 4. Vishing Answer: 2
What is social engineering?
What are the phases of a social engineering attack?
What is pretexting? How is it used in social engineering?
What are some of the most common social engineering techniques?
How are attackers different in their motivations and approaches?
How are motivation techniques effective in convincing targets to comply with a hacker's desires?
What are elicitation techniques? How are they effective for social engineering?
How do hackers use interview and interrogation techniques for social engineering?
Social engineering Social engineering is an attack involving human interaction.
Footprinting Footprinting is similar to stalking, but in a social engineering context.
Pretexting Pretexting is a fictitious scenario to persuade someone to perform an action or give information.
Elicitation Elicitation is a technique to extract information from a target without arousing suspicion.
Preloading Preloading is influencing a target’s thoughts, opinions, and emotions before something happens.
SMiShing SMiShing is doing phishing through SMS.
Impersonation Impersonation is pretending to be somebody else and approaching a target to extract information.
Spim Spim is similar to spam, but the malicious link is sent to the target over instant messaging instead of email.
Hoax A hoax is a type of malicious email with some type of urgent or alarming message to deceive the target.
Hacktivist A hacktivist is a hacker with a political motive.
Script kiddie A script kiddie is a hacker who uses scripts written by much more talented individuals.
White hat hacker A white hat hacker is a professional who helps companies see the vulnerabilities in their security.
Cybercriminal A cybercriminal is a hacker willing to take more risks because the payoff is higher. Cybercriminals are often associated with large organized crime syndicates such as the mafia.
Moral obligation An attacker uses moral obligation to exploit the target’s willingness to be helpful and assist them out of a sense of responsibility.
Innate human trust Attackers often exploit a target’s natural tendency to trust others. The attacker wears the right clothes, has the right demeanor, and speaks words and terms the target is familiar with so that the target will comply with requests out of trust.
Threatening An attacker threatens when they intimidate a target with threats convincing enough to make them comply with the attacker’s request.
Offering something for very little to nothing Offering something for very little to nothing refers to an attacker promising huge rewards if the target is willing to do a very small favor or share what the target thinks is a very trivial piece of information.
Ignorance Ignorance means the target is not educated in social engineering tactics and prevention, so the target can’t recognize social engineering when it is happening. The attacker knows this and exploits the ignorance to his or her advantage.
Research In the research phase, the attacker gathers information about the target organization. Attackers use a process called footprinting, which is using all resources available to gain information, including going through the target organization’s official websites and social media; performing dumpster diving; searching sources for employees’ names, email addresses, and IDs; going on an organization tour; and other kinds of onsite observation. Research may provide information for pretexting.
Development The development phase involves two parts: selecting individual targets within the organization being attacked and forming a relationship with the selected targets. Usually, attackers select people who not only will have access to the information or object they desire, but that also show signs of being frustrated, overconfident, arrogant, or somehow easy to extract information from.
Exploitation In the exploitation phase, the attacker takes advantage of the relationship with the target and uses the target to extract information, obtain access, or accomplish the attacker’s purposes in some way. Some examples include disclosing a password and username; introducing the attacker to other personnel, providing social credibility for the attacker; inserting a USB flash drive with a malicious payload into an organization's computer; opening an infected.
Shoulder surfing Shoulder surfing involves looking over someone's shoulder while they work on a computer or review documents. This attack's purpose is to obtain usernames, passwords, account numbers, or other sensitive information.
Eavesdropping Eavesdropping is an unauthorized person listening to private conversations between employees or other authorized personnel when sensitive topics are being discussed.
USB and keyloggers When on site, a social engineer also has the ability to steal data through a USB flash drive or a keystroke logger. Social engineers often employ keystroke loggers to capture usernames and passwords. As the target logs in, the username and password are saved. Later, the attacker uses the username and password to conduct an exploit.
Spam and spim When using spam, the attacker sends an email or banner ad embedded with a compromised URL that entices a user to click it. Spim is similar, but the malicious link is sent to the target using instant messaging instead of email.
Hoax Email hoaxes are often easy to spot because of their bad spelling and terrible grammar. However, hoax emails use a variety of tactics to convince the target they're real.
Insider An insider could be a customer, a janitor, or even a security guard. But most of the time, it's an employee. Employees pose one of the biggest threats to any organization. There are many reasons why an employee might become a threat. The employee could be motivated by a personal vendetta because they are disgruntled, want to make money, or be bribed into stealing information.
Hacker Generally speaking, a hacker is any threat actor who uses technical knowledge to bypass security, exploit a vulnerability, and gain access to protected information. Hackers could attack for several different reasons. Some types of hackers are: those motivated by bragging rights, attention, and the thrill; hacktivists with a political motive; and script kiddies, who use applications or scripts written by much more talented individuals.
Nation state Attacks from nation states have several key components that make them especially powerful. Typically, nation state attacks:
Authority and fear Authority techniques rely on power to get a target to comply without questioning the attacker. The attacker pretends to be a superior with enough power that the target will comply right away without question. The attacker could also pretend to be there in the name of or upon the request of a superior. Authority is often combined with fear. If an authority figure threatens a target with being fired or demoted, the target is more likely to comply without a second thought.
Social proof Social proof means the attacker uses social pressure to convince the target that it’s okay to share or do something. In this case, the attacker might say, "If everybody is doing it, then it's okay for you to do it, too."
Scarcity Scarcity appeals to the target's greed. If something is in short supply and will not be available, the target is more likely to fall for it.
Likeability Likeability works well because humans tend to do more to please a person they like as opposed to a person they don’t like.
Urgency To create a sense of urgency, an attacker fabricates a scenario of distress to convince an individual that action is immediately necessary.
Common ground and shared interest Common ground and shared interest work because sharing a hobby, life experience, or problem instantly builds a connection and starts forming trust between two parties.
Opportunistic An opportunistic attack is typically automated and involves scanning a wide range of systems for known vulnerabilities, such as old software, exposed ports, poorly secured networks, and default configurations. When one is found, the hacker will exploit the vulnerability, steal whatever is easy to obtain, and get out.
Targeted A targeted attack is much more dangerous. A targeted attack is extremely methodical and is often carried out by multiple entities that have substantial resources. Targeted attacks almost always use unknown exploits, and the hackers go to great lengths to cover their tracks and hide their presence. Targeted attacks often use completely new programs that are specifically designed for the target.
Compliments Attackers may give a target a compliment about something they know the target did in hopes that the target will take the bait and elaborate on the subject. Even if the target downplays the skill or ability involved, talking about it might give the attacker valuable information.
Misinformation Attackers might make a statement with the wrong details. The attacker’s intent is that the target will give the accurate details that the attacker wanted to confirm. The more precise the details given by the attacker, the better the chance that the target will take the bait.
Feigning ignorance Attackers might make a wrong statement and then admit to not knowing much about the subject. This statement will hopefully get the target to not only correct the attacker, but also explain why the attacker is wrong in detail. The explanation might help the attacker learn, or at least have a chance to ask questions without looking suspicious.
Being a good listener An attacker may approach a target and carefully listen to what the target has to say, validate any feelings they express, and share similar experiences (which may be real or fabricated). The point is to be relatable and sympathetic. As the target feels more connected to the attacker, barriers go down and trust builds, leading the target to share more information.
Pretexting Pretexting is doing research and information gathering to create convincing identities, stories, and scenarios to be used on selected targets.
Preloading Preloading is used to set up a target by influencing the target’s thoughts, opinions, and emotions.
Impersonation Impersonation is pretending to be trustworthy and having a legitimate reason for approaching the target to ask for sensitive information or access to protected systems.
Interview vs interrogation In the interview phase, the attacker lets the target do the talking while the attacker mostly listens. In this way, the attacker has the chance to learn more about the target and how to extract information from them. Then the attacker leads the interview phase into an interrogation phase. It’s most effective when done smoothly and naturally and when the target already feels a connection and trust with the attacker. In the interrogation phase, the attacker talks about the target's statements.
Environment The environment the attacker chooses for conducting an interview and interrogation is essential to setting the mood. The location should not be overly noisy or overly crowded. It should be a relaxing and stress-free environment that puts the target at ease. The attacker shouldn’t sit between the target and the door. The target should never feel trapped in any way.
Observation During these interviews and interrogations, the hacker pays attention to every change the target displays. This allows the attacker to discern the target’s thoughts and topics that should be investigated further. Every part of the human body can give a clue about what is going on inside the mind. Most people don’t even realize they give many physical cues, nor do they recognize these cues in others.
Spear phishing In spear phishing, an attacker gathers information about the victim, such as their online bank. The attacker then sends a phishing email to the victim that appears to be from that bank. Usually, the email contains a link that sends the user to a site that looks legitimate, but is intended to capture the victim's personal information.
Whaling Whaling is another form of phishing that targets senior executives and high-profile victims.
Vishing Vishing is like phishing, but instead of an email, the attacker uses Voice over IP (VoIP) to gain sensitive information. The term is a combination of voice and phishing.
SMS phishing In SMS phishing (smishing), the attacker sends a text message with a supposedly urgent topic to trick the victim into taking immediate action. The message usually contains a link that will either install malware on the victim's phone or extract personal information.
Pharming Pharming involves the attacker executing malicious programs on the target’s computer so that any URL traffic redirects to the attacker’s malicious website. This attack is also called phishing without a lure. The attacker is then privy to the user’s sensitive data, like IDs, passwords, and banking details. Pharming attacks frequently come in the form of malware such as Trojan horses, worms, and similar programs. Pharming is commonly implemented using DNS cache poisoning or host file modification.
Social networking Many attackers are turning to applications such as Facebook, Twitter, and Instagram to steal identities and information. Also, many attackers use social media to scam users. These scams are designed to entice the user to click a link that brings up a malicious site the attacker controls. Usually, the site requests personal information and sensitive data, such as an email address or credit card number.
National Institute of Standards and Technology (NIST) NIST is an institute that publishes and standardizes the security controls and assessment procedures to protect the integrity of information systems.
Bump key A bump key is cut to the number nine position with some of the front and shank removed.
Scrubbing A lock picking method that involves running a pick over all the pins with carefully calculated pressure.
Lock shim A lock shim is a thin and stiff piece of metal used to open a padlock.
Cold boot attack In the cold boot attack, the attacker enters the facility and extracts data remanence from RAM that might still be available before the system is completely powered off.
BIOS access attack BIOS attacks have been around for a long time, but should not be overlooked. This attack usually involves changing the boot order on a PC so that the hacker can gain access to the computer by bypassing the installed operating system.
Bollard A physical barrier to deter aggressive intruders.
Strip-cut shredder A device that cuts paper into long, thin strips.
Crosscut shredder A device that cuts paper both vertically and horizontally, turning the paper into confetti.
Full backup A process that backs up every piece of an organization's data.
Incremental backup A process that backs up every file that's changed since the last full or incremental backup.
Differential backup A process that backs up every file that's changed since the last full backup.
Created by: jacobth