Chapter 04: Social Engineering, Physical and Password Attacks

Question 1

_____ is the practice of manipulating people through a variety of strategies to accomplish desired actions.

Answer 1

Social Engineering

Question 2

______ relies on the fact that most people will obey someone who appears in charge or knowledgeable, regardless if they are or not.

Answer 2

Authority

Question 3

____ relies on scaring or bullying an individual into taking a desired action.

Answer 3

Intimidation

Question 4

A ________ social engineering attack uses the fact that people tend to want to do what others are doing to persuade them to take an action.

Answer 4

Consensus-based

Question 5

____ is used for social engineering in scenarios that make something look more desirable because it may be the last one available.

Answer 5

Scarcity

Question 6

_____ attacks rely on you liking the individual or even the organization the individual is claiming to represent.

Answer 6

Familiarity-based attacks

Question 7

____ relies on a connection with the individual they are targeting so they will take actions the hacker wants them to take.

Answer 7

Trust

Question 8

_____ relies on creating feeling that the action must be taken quickly due to some reason or reasons.

Answer 8

Urgency

Question 9

Which type of social engineering principle uses something like “Everyone else is the department has already clicked on the link.”

Answer 9

Consensus based social engineering

Question 10

_____ describes the fraudulent acquisition of information, often focused on credentials like usernames and passwords, as well as sensitive personal information like credit card numbers and related data.

Answer 10

Phishing

Question 11

____ is phishing via SMS messages.

Answer 11

smishing

Question 12

____ is phishing through telephones.

Answer 12

vishing

Question 13

____ targets specific individuals or groups in an organization in an attempt to gather desired information or access.

Answer 13

Spear Phishing

Question 14

_____ targets specific high profiled people, like senior employees, or CFO/CIOs.

Answer 14

Whaling

Question 15

Best defense against phishing attacks.

Answer 15

Security Awareness

Question 16

____ is the process of gathering credentials like usernames and passwords.

Answer 16

Credential Harvesting

Question 17

_____ is often performed via phishing attacks but may also be accomplished through system compromise resulting in the acquisition of user databases and passwords.

Answer 17

Credential Harvesting

Question 18

Defense against Credential Harvesting

Answer 18

Multifactor authentication

Question 19

____ attacks redirect traffic away from legitimate websites to malicious versions.

Answer 19

Pharming

Question 20

_____ attacks are done by using misspelled or slightly off URLs compared to their legitimate sites.

Answer 20

Typosquatting attacks

Question 21

_____ attacks use websites that are targeted frequently by clients to inject malware to attack the clients.

Answer 21

Watering Hole attack

Question 22

____ often employs social engineering techniques to attempt to get recipients to open the message or click on links inside of it. It relies on one underlying truth that if you send enough tempting messages, you will have someone fall for it.

Answer 22

Spam

Question 23

_____ describes instance messaging spam.

Answer 23

Spam over Instance Message (SPIM)

Question 24

______ is a technique used to gather information without targets realizing they are providing it.

Answer 24

Eliciting information

Question 25

Flattery, false ignorance, or even acting as a counselor are all common elements of a(n) ________ effort.

Answer 25

elicitation effort

Question 26

______ is the process of using a made-up scenario to justify why you are approaching an individual.

Answer 26

Pretexting

Question 27

______ is the use of someone else’s identity.

Answer 27

Identity fraud

Question 28

_____ is when you act like someone else.

Answer 28

impersonation

Question 29

______ are intentional falsehoods, which comes in a variety of forms ranging from viruses to fake news.

Answer 29

Hoaxes

Question 30

______ involves sending fake invoices to organizations in hopes of receiving payment. These can be either physical or electronic and rely’s upon the user not validating whether it is real if the invoice is legitimate.

Answer 30

Invoice Scams

Question 31

_____ iterates through passwords until they find one that works.

Answer 31

Brute-force

Question 32

____ are a form of brute-force attack that attempts to use a single password or small set of passwords against many accounts.

Answer 32

Password Spraying

Question 33

This type of attack iterates through a list of common passwords.

Answer 33

Brute-force attack

Question 34

This type of password attack uses attempts to use passwords that may include: common chants for the fans, names of well-known players, and other common terms related to the team, on a sports website.

Answer 34

Password Spraying

Question 35

_____ uses a list of words for their attempts.

Answer 35

Dictionary attacks

Question 36

What open source tool is good for brute-force dictionary attacks.

Answer 36

John the Ripper

Question 37

_____ are an easily searchable database of precomputed hashes using the same methodology as the captured password file. For instance, you can use this to compare against the hashes on a table the hacker is attempting to hack.

Answer 37

Rainbow tables

Question 38

_____ attacks focus on capturing information from cards like RFID and magnetic stripe cards often used for entry access.

Answer 38

Card Cloning

Question 39

____ attacks are done by using hidden or fake readers or social engineering and hand-held readers to capture cards, then employ cloning tools to use credit cards.

Answer 39

Skimming attacks

Question 40

What makes Card Cloning difficult?

Answer 40

If cards contain cryptographic signatures and smart chips.

Question 41

Which type of cards are easily clonable?

Answer 41

Magnetic Striped and RFID-based cards.

Question 42

______ attempts to compromise devices, systems, or software before it even reaches the organization.

Answer 42

Supply Chain Attacks

Question 43

True / False: Malicious USB cables exists. They require dedicated engineering to make them malicious and may not be noticed the same way as USB drives.

Answer 43

True