8) Human Element Security Flashcards
Persuading a targeted victim to perform some action or release information to you because of the fake identity you have created.
Pretexting
Taking advantage of entering a secured access control point without having proper credentials by following someone with the credentials.
Tailgating
An email well researched to look authentic and appear to come from someone the recipient knows and trusts.
Spear phishing
An email designed to trick the recipient into clicking a web link; most of these attacks are recognized as fake by the potential victims.
Phishing
What type of control is the following security action:
The policy to stop tailgating activity.
Administrative
What type of control is the following security action:
A list of personal devices and instructions for connecting them at work.
Administrative
What type of control is the following security action:
A camera captures all activity at the server room entrance.
Physical
What type of control is the following security action:
On login, the password is checked for strength and for the time elapsed since the last password change.
Technical
What type of control is the following security action:
A laptop computer that automatically uses a secured VPN to access the corporate network.
Technical
A technique used by an attacker that relies on the willingness of people to help others.
Social engineering
A technique involving a fake identity and a believable scenario that induces the target to give out sensitive information or perform some action they would not normally do for a stranger.
Pretexting
A social engineering technique that uses electronic communications to convince a potential victim to give out sensitive information or perform some action.
Phishing
A social engineering technique that targets a specific company, organization, or person, and involves knowing specifics about the target to appear valid.
Spear phishing
A method by which a person follows directly behind another person who authenticates to the physical access control measure, thus allowing the follower to gain access without authenticating.
Tailgating (piggybacking)
A program that seeks to make users aware of the risk they are accepting through their current actions and attempts to change their behavior through targeted efforts.
SATE
SATE is a program that seeks to make users aware of the risk they are accepting through their current actions and attempts to change their behavior through targeted efforts. What does SATE stand for?
Security Awareness, Training, and Education
Which social engineering technique involves impersonating someone else to convince the target to perform some action that they wouldn’t normally do for a stranger?
Pretexting
You swipe your key card to gain access to a secure area of the building. As you pass through the door, you notice someone right behind you. You don’t recall that he was walking behind you a moment ago, nor do you see a key card in his hand. What social engineering technique is demonstrated in this example?
Tailgating
Which of the following is NOT a best practice for password security?
a) Enforcing complex password requirements
b) Creating a password policy
c) Educating users on password management
d) Teaching users how to manually sync passwords between systems
e) Forcing password expiration intervals
d) Teaching users how to manually sync passwords between systems
Your IT department has implemented a comprehensive defense in depth strategy to protect your company resources. The buildings are protected by key card swipes and video surveillance, logins and passwords are required for access to any digital resource, and your network and workstation equipment is properly configured, patched, and protected. Policies are in place to recover from any major security risk. What single entity can invalidate all of these efforts?
A person
Which of the options below is an example of an effective Security Awareness, Training, and Education strategy?
a) A periodic email that references the Employee Handbook and includes a link to a required quiz.
b) A 3-hour CBT course with a completion certificate, required yearly.
c) A daily “security check” question that, if answered correctly, enters the user into a giveaway.
d) A biannual conference room training session that offers free coffee and is four hours long.
c) A daily “security check” question that, if answered correctly, enters the user into a giveaway.
In an SATE strategy, what does SATE stand for?
Security Awareness, Training, and Education.