Chapter 04: Social Engineering, Physical and Password Attacks Flashcards
_____ is the practice of manipulating people through a variety of strategies to accomplish desired actions.
Social Engineering
______ relies on the fact that most people will obey someone who appears to be in charge or knowledgeable, regardless of whether they actually are.
Authority
____ relies on scaring or bullying an individual into taking a desired action.
Intimidation
A ________ social engineering attack uses the fact that people tend to want to do what others are doing to persuade them to take an action.
Consensus-based
____ is used for social engineering in scenarios that make something look more desirable because it may be the last one available.
Scarcity
_____ attacks rely on you liking the individual or even the organization the individual is claiming to represent.
Familiarity-based attacks
____ relies on a connection with the targeted individual so that they will take the actions the attacker wants them to take.
Trust
_____ relies on creating a feeling that the action must be taken quickly for some reason or reasons.
Urgency
Which type of social engineering principle uses something like “Everyone else in the department has already clicked on the link”?
Consensus-based social engineering
_____ describes the fraudulent acquisition of information, often focused on credentials like usernames and passwords, as well as sensitive personal information like credit card numbers and related data.
Phishing
____ is phishing via SMS messages.
Smishing
____ is phishing through telephones.
Vishing
____ targets specific individuals or groups in an organization in an attempt to gather desired information or access.
Spear Phishing
_____ targets specific high-profile people, like senior employees or CFOs/CIOs.
Whaling
Best defense against phishing attacks.
Security Awareness
____ is the process of gathering credentials like usernames and passwords.
Credential Harvesting
_____ is often performed via phishing attacks but may also be accomplished through system compromise resulting in the acquisition of user databases and passwords.
Credential Harvesting
Defense against Credential Harvesting
Multifactor authentication
____ attacks redirect traffic away from legitimate websites to malicious versions.
Pharming
_____ attacks use misspelled or slightly altered URLs that resemble those of legitimate sites.
Typosquatting attacks
_____ attacks inject malware into websites that the targeted clients visit frequently, in order to attack those clients.
Watering Hole attack
____ often employs social engineering techniques to get recipients to open the message or click on links inside it. It relies on one underlying truth: if you send enough tempting messages, someone will fall for one.
Spam
_____ describes instant messaging spam.
Spam over Instant Messaging (SPIM)
______ is a technique used to gather information without targets realizing they are providing it.
Eliciting information
Flattery, false ignorance, or even acting as a counselor are all common elements of a(n) ________ effort.
elicitation effort
______ is the process of using a made-up scenario to justify why you are approaching an individual.
Pretexting
______ is the use of someone else’s identity.
Identity fraud
_____ is when you act like someone else.
Impersonation
______ are intentional falsehoods, which come in a variety of forms ranging from fake virus warnings to fake news.
Hoaxes
______ involves sending fake invoices to organizations in the hope of receiving payment. These can be either physical or electronic and rely on the recipient not validating whether the invoice is legitimate.
Invoice Scams
_____ iterates through passwords until it finds one that works.
Brute-force
____ are a form of brute-force attack that attempts to use a single password or small set of passwords against many accounts.
Password Spraying
This type of attack iterates through a list of common passwords.
Brute-force attack
This type of password attack, run against a sports team's website, attempts passwords such as common fan chants, names of well-known players, and other common terms related to the team.
Password Spraying
_____ use a list of words for their attempts.
Dictionary attacks
What open-source tool is good for brute-force dictionary attacks?
John the Ripper
_____ are easily searchable databases of precomputed hashes built with the same hashing methodology as the captured password file. For instance, an attacker compares the hashes from a captured password file against this table to recover the original passwords.
Rainbow tables
_____ attacks focus on capturing information from cards like RFID and magnetic stripe cards often used for entry access.
Card Cloning
____ attacks use hidden or fake readers, or social engineering combined with hand-held readers, to capture card data, then employ cloning tools to produce usable copies of the credit cards.
Skimming attacks
What makes Card Cloning difficult?
If cards contain cryptographic signatures and smart chips.
Which type of cards are easily clonable?
Magnetic stripe and RFID-based cards.
______ attempt to compromise devices, systems, or software before they even reach the organization.
Supply Chain Attacks
True / False: Malicious USB cables exist. They require dedicated engineering to build and may not be noticed in the same way that USB drives are.
True