CH 10 - Social Engineering

Question 1

You get a phone call from someone telling you they are from the IRS and they are sending the police to your house now to arrest you unless you provide a method of payment immediately.

What tactic is the caller using?

A. Pretexting
B. Biometrics
C. Smishing
D. Rogue access

Answer 1

A.
Pretexting

Question 2

You are working on a red team engagement. Your team leader has asked you to use baiting as a way to get in.

What are you being asked to do?

A. Make phone calls
B. Clone a website
C. Leave USB sticks around
D. Spoof an RFID ID

Answer 2

C.
Leave USB sticks around

Question 3

Which of the social engineering principles is in use when you see a line of people at a vendor booth at a security conference waiting to grab free USB sticks and CDs?

A. Reciprocity
B. Social proof
C. Authority
D. Scarcity

Answer 3

B.
Social proof

Question 4

What is a viable approach to protecting against tailgaiting?

A. Biometrics
B. Badge access
C. Phone verification
D. Man traps

Answer 4

D.
Man traps

Question 5

Why would you use wireless social engineering?

A. To send phishing messages
B. To gather credentials
C. To get email addresses
D. To make phone calls

Answer 5

B.
To gather credentials

Question 6

Which social engineering principle may allow a phony call from the help desk to be effective?

A. Social proof
B. Imitation
C. Scarcity
D. Authority

Answer 6

D.
Authority

Question 7

Why would you use automated tools for social engineering attacks?

A. Better control over outcomes
B. Reduce complexity
C. Implement social proof
D. Demonstrate authority

Answer 7

B.
Reduce complexity

Question 8

What social engineering vector would you use if you wanted to gain access to a building?

A. Impersonation
B. Scarcity
C. Vishing
D. Smishing

Answer 8

A.
Impersonation

Question 9

Which of these would be an example of pretexting?

A. Web page asking for credentials
B. A cloned badge
C. An email from a former coworker
D. Rogue wireless access point

Answer 9

C.
An email from a former coworker

Question 10

What tool could you use to clone a website?

A. httclone
B. curl‐get
C. wget
D. wclone

Answer 10

C.
wget

Question 11

How would someone keep a baiting attack from being successful?

A. Disable Registry cloning.
B. Disable autorun.
C. Epoxy external ports.
D. Don’t browse the Internet.

Answer 11

B.
Disable autorun.

Question 12

What statistic are you more likely to be concerned about when thinking about implementing biometrics?

A. False positive rate
B. False negative rate
C. False failure rate
D. False acceptance rate

Answer 12

D.
False acceptance rate

Question 13

Which of these forms of biometrics is least likely to give a high true accept rate while minimizing false reject rates?

A. Voiceprint
B. Iris scanning
C. Retinal scanning
D. Fingerprint scanning

Answer 13

A.
Voiceprint

Question 14

What attack can a proximity card be susceptible to?

A. Tailgating
B. Phishing
C. Credential theft
D. Cloning

Answer 14

D.
Cloning

Question 15

Which form of biometrics scans a pattern in the area of the eye around the pupil?

A. Retinal scanning
B. Fingerprint scanning
C. Iris scanning
D. Uvea scanning

Answer 15

C.
Iris scanning

Question 16

What would the result of a high false failure rate be?

A. People having to call security
B. Unauthorized people being allowed in
C. Forcing the use of a man trap
D. Reduction in the use of biometrics

Answer 16

A.
People having to call security

Question 17

You’ve received a text message from an unknown number that is only five digits long. It doesn’t have any text, just a URL. What might this be an example of?

A. Vishing
B. Smishing
C. Phishing
D. Impersonation

Answer 17

B.
Smishing

Question 18

What is an advantage of a phone call over a phishing email?

A. You are able to go into more detail with pretexting.
B. Phishing attacks are unreliable.
C. Not everyone has email, but everyone has a phone.
D. Pretexting works only over the phone.

Answer 18

A.
You are able to go into more detail with pretexting.

Question 19

What is the web page you may be presented with when connecting to a wireless access point, especially in a public place?

A. Credential harvester
B. Captive portal
C. Wi‐Fi portal
D. Authentication point

Answer 19

B.
Captive portal

Question 20

What tool could you use to generate email attacks as well as wireless attacks?

A. Meterpreter
B. wifiphisher
C. SE Toolkit
D. Social Automator

Answer 20

C.
SE Toolkit

Question 21

What type of social engineering technique are you using if you are leaving USB sticks with malware on them around an office, expecting users to plug them into their systems?

A. Pretexting
B. Identity theft
C. Contact spamming
D. Baiting

Answer 21

D.
Baiting

Question 22

Your colleagues are suddenly calling you to indicate they received a strange email from you and are wondering what you are up to. If you didn’t send the message, what should you suspect?

A. Quid pro quo
B. Cloning
C. Contact spamming
D. Man traps

Answer 22

C.
Contact spamming

Question 23

Which of these pieces of information would not be of interest to an attacker trying to steal your identity?

A. Birthplace
B. First book you ever read
C. Mother’s maiden name
D. Social Security number

Answer 23

B.
First book you ever read

Question 24

If an attacker is using quid pro quo as a tactic to get you to provide information to them, who may they be most likely to indicate they are?

A. Your car dealer
B. Help‐desk staff
C. Your mother
D. Your dog

Answer 24

B.
Help‐desk staff

Question 25

Which of these is not a good way to protect against identity theft?

A. Shredding bank records
B. Using long and strong passwords
C. Encrypting your file system
D. Using a safe to store sensitive documents

Answer 25

C.
Encrypting your file system