Practice Exam 12 Flashcards

1
Q

PE12.1 While observing a target organization’s building, you note the lone entrance has a guard posted just inside the door. After entering the external door, you note the lobby of the building is separated from the external door by a small glass-paneled room, with a closed door facing the exterior and a closed door to the interior. There appears to be an RFID scanning device and a small keyboard with video display in the room. Which of the following best defines this physical security control?

A. Guard shack
B. Turnstile
C. Man shack
D. Man trap

A

D
D. If you took a test on college football history, you know it would contain a question about Alabama. If you took one on trumpet players, there’d be one about Dizzy Gillespie. And if you take a test on physical security measures for Certified Ethical Hacker, you’re going to be asked about the man trap. EC-Council loves it that much. A man trap is nothing more than a locked space you can hold someone in while verifying their right to proceed into the secured area. It’s usually a glass (or clear plastic) walled room that locks the exterior door as soon as the person enters. Then there is some sort of authentication mechanism, such as a smartcard with a PIN or a biometric system. Assuming the authentication is successful, the second door leading to the interior of the building will unlock, and the person is allowed to proceed. If it’s not successful, the doors will remain locked until the guard can check things out. As an aside, in addition to authentication, some man traps add other checks, such as measuring the person’s weight to see if they’ve mysteriously gained or lost 20 pounds since Friday. A few other notes here may be of use to you: First, I’ve seen a man trap defined as either manual or automatic, where manual has a guard locking and unlocking the doors, and automatic has the locks tied to the authentication system, as described previously. Second, a man trap is also referred to in some definitions as an air lock. Should you see that term on the exam, know that it is referring to the man trap. Lastly, man traps in the real world can sometimes come in the form of a rotating door or turnstile, locking partway around if the person doesn’t authenticate properly. And, on some of the really fancy ones, sensors will lock the man trap if two people are trying to get through at the same time.

A is incorrect because this question is not describing a small location at a gate where guards are stationed. Traditionally, guard shacks are positioned at gates to the exterior wall or the gate of the facility, where guards can verify identity before allowing people through to the parking lot.

B is incorrect because a turnstile is not being described here, and, frankly, it does absolutely nothing for physical security. Anyone who has spent any time in subway systems knows this is true: watching people jump the turnstiles is a great spectator sport.

C is incorrect because, so far as I know, man shack is not a physical security term within CEH. It’s maybe the title of a 1970s disco hit, but not a physical security term you’ll need to know for the exam.

2
Q

PE12.2 In your social engineering efforts, you call the company help desk and pose as a user who has forgotten a password. You ask the technician to help you reset your password, which they happily comply with. Which social engineering attack is in use here?

A. Piggybacking
B. Reverse social engineering
C. Technical support
D. Halo effect

A

C
C. Although it may seem silly to label social engineering attacks (because many of them contain the same steps and bleed over into one another), you’ll need to memorize them for your exam. A technical support attack is one in which the attacker calls the support desk in an effort to gain a password reset or other useful information. This is a valuable method because if you get the right help desk person (that is, someone susceptible to a smooth-talking social engineer), you can get the keys to the kingdom.

A is incorrect because piggybacking refers to a method to gain entrance to a facility—not to gain passwords or other information. Piggybacking is a tactic whereby the attacker follows authorized users through an open door without any visible authorization badge at all.

B is incorrect because reverse social engineering refers to a method where an attacker convinces a target to call him with information. The method involves marketing services (providing the target with your phone number or e-mail address in the event of a problem), sabotaging the device, and then awaiting a phone call from the user.

D is incorrect because halo effect refers to a psychological principle that states a person’s overall impression (appearance or pleasantness) can impact another person’s judgment of them. For example, a good-looking, pleasant person will be judged as more competent and knowledgeable simply because of their appearance. The lesson here is to look good and act nice while you’re trying to steal all the target’s information.

3
Q

PE12.3 Which of the following is a true statement regarding biometric systems?

A. The lower the CER, the better the biometric system.
B. The higher the CER, the better the biometric system.
C. The higher the FRR, the better the biometric system.
D. The higher the FAR, the better the biometric system.

A

A
A. The crossover error rate (CER) is the point on a chart where the false acceptance rate (FAR) and false rejection rate (FRR) meet, and the lower the number, the better the system. It’s a means by which biometric systems are calibrated—getting the FAR and FRR the same. All that said, though, keep in mind that in certain circumstances a client may be more interested in a lower FAR than FRR, or vice versa, and therefore the CER isn’t as much a concern. For example, a bank may be far more interested in preventing false acceptance than it is in preventing false rejection. In other words, so what if a user is upset they can’t log on, so long as their money is safe from a false acceptance?

B is incorrect because this is exactly the opposite of what you want. A high CER indicates a system that more commonly allows unauthorized users through and rejects truly authorized people from access.

C is incorrect because the false rejection rate needs to be as low as possible. The FRR represents how often a true, legitimate user is denied access by the biometric system.

D is incorrect because the false acceptance rate needs to be as low as possible. The FAR represents how often an unauthorized user is allowed access to the system.

4
Q

PE12.4 A pen tester sends an unsolicited e-mail to several users in the target organization. The e-mail is well crafted and appears to be from the company’s help desk, advising users of potential network problems. The e-mail provides a contact number to call in the event a user is adversely affected. The pen tester then performs a denial of service on several systems and receives phone calls from users asking for assistance. Which social engineering practice is in play here?

A. Technical support
B. Impersonation
C. Phishing
D. Reverse social engineering

A

D
D. This may turn out to be a somewhat confusing question for some folks, but it’s actually pretty easy. Reverse social engineering involves three steps. First, in the marketing phase, an attacker advertises himself as a technical point of contact for problems that may be occurring soon. Second, in the sabotage phase, the attacker performs a denial of service or other attack on the user. Third, in the tech support phase, the user calls the attacker and freely hands over information, thinking they are being assisted by the company’s technical support team. As an aside, there are two things to remember about employing this social engineering practice in the real world. First, be sure to market to the appropriate audience: attempting this against IT staff probably won’t work as well as against the “average” user and may get you caught. Second, and perhaps more important, you’ll need to remember that the more lies you tell, the more things you have to make true. Complexity is risky, and reverse social engineering involves a lot of complexity. It’s best used in special cases, and then only if you can’t find something else to do.

A is incorrect because a technical support attack involves the attacker calling a technical support help desk, not having the user call back with information.

B is incorrect because this is not just impersonation—the attack described in the question revolves around the user contacting the attacker, not the other way around. Impersonation can cover anybody, from a “normal” user to a company executive. And impersonating a technical support person can result in excellent results; just remember if you’re going through steps to have the user call you back, you’ve moved into reverse social engineering.

C is incorrect because a phishing attack is an e-mail crafted to appear legitimate but in fact contains links to fake websites or to download malicious content. In this example, there is no link to click—just a phone number to call in case of trouble. Oddly enough, in my experience, people will question a link in an e-mail far more than just a phone number.

5
Q

PE12.5 A pen test member has gained access to a building and is observing activity as he wanders around. In one room of the building, he stands just outside a cubicle wall opening and watches the onscreen activity of a user. Which social engineering attack is in use here?

A. Eavesdropping
B. Tailgating
C. Shoulder surfing
D. Piggybacking

A

C
C. This one is so easy I hope you maintain your composure and stifle the urge to whoop and yell in the test room. Shoulder surfing doesn’t necessarily require you to actually be on the victim’s shoulder—you just have to be able to watch their onscreen activity. I once shoulder surfed in front of someone (a mirror behind her showed her screen clear as day). You don’t even really need to be close to the victim—there are plenty of optics that can zoom in a field of vision from a very long distance away. As an aside, in the real world, if you are close enough to see someone’s screen, you’re probably close enough to listen to them as well. EC-Council puts the emphasis of shoulder surfing on the visual aspect—eavesdropping would be auditory.

A is incorrect because eavesdropping is a social engineering method where the attacker simply remains close enough to targets to overhear conversations. Although it’s doubtful users will stand around shouting passwords at each other, you’d be surprised how much useful information can be gleaned by just listening in on conversations.

B is incorrect because tailgating is a method for gaining entrance to a facility by flashing a fake badge and following an authorized user through an open door.

D is incorrect because piggybacking is another method to gain entrance to a facility. In this effort, though, you don’t have a badge at all; you just follow people through the door.

6
Q

PE12.6 A recent incident investigated by the local IR team involved a user receiving an e-mail that appeared to be from the U.S. Postal Service, notifying her of a package headed her way and providing a link for tracking the package. The link provided took the user to what appeared to be the USPS site, where she input her user information to learn about the latest shipment headed her way. Which attack did the user fall victim to?

A. Phishing
B. Internet level
C. Reverse social engineering
D. Impersonation

A

A
A. Phishing is one of the most pervasive and effective social engineering attacks on the planet. It’s successful because crafting a legitimate-looking e-mail that links a user to an illegitimate site or malware package is easy to do. What’s more, the e-mail is easy to spread, and it preys on our human nature to trust. If the source of the e-mail looks legitimate or the layout looks legitimate, most people will click away without even thinking about it. Phishing e-mails can often include pictures lifted directly off the legitimate website and use creative means of spelling that aren’t easy to spot: www.regions.com is a legitimate bank website that could be spelled in a phishing e-mail as www.regi0ns.com. When it comes to real-world use of phishing by ethical hackers and pen testers, there are a couple of items of note: First, phishing has an extreme liability aspect to it when spoofing a legitimate business. If you’re pen testing an organization and phish using a variant of a real business name, you could be opening yourself up to some serious costs: the first time someone calls the real Regions bank to complain is the moment that the attacker just became liable for the costs associated with the attack. Second is the risk involved with people simply forwarding your phishing attempt to recipients you never intended, allowing it to take on a life of its own. In short, the pen tester will certainly limit the bait (malware or website link embedded in the phishing attempt), but they will have no control over what a user decides to do with the e-mail. Suppose the pen tester doesn’t know the exact IP range or makes a simple mistake in the configuration of the malware, and a user sends it home. Or to a banking friend. Or to the FBI. Or to a friend who works on a DoD system. Now you’ve not only hooked the wrong fish, but maybe infected something in the government. That’s nothing to joke about, and it may be a lot worse than a simple mistake. The bottom line is, in the real world, phishing is dangerous if not planned and implemented almost perfectly, and pen test teams need to use extreme caution in implementing it.

B is incorrect because Internet level is not a recognized form of social engineering attack by this exam. It’s included here as a distractor.

C is incorrect because reverse social engineering is an attack where the attacker cons the target into calling back with useful information.

D is incorrect because this particular description does not cover impersonation. Impersonation is an attack where a social engineer pretends to be an employee, a valid user, or even an executive (or other VIP). Generally speaking, when it comes to the exam, any impersonation question will revolve around an in-person visit or a telephone call.

Walker, Matt. CEH Certified Ethical Hacker Practice Exams, Fourth Edition (pp. 290-291). McGraw-Hill Education. Kindle Edition.

7
Q

PE12.7 Which type of social engineering attack uses phishing, pop-ups, and IRC channels?

A. Technical
B. Computer based
C. Human based
D. Physical

A

B. All social engineering attacks fall into one of two categories: human based or computer based. Computer-based attacks are those carried out with the use of a computer or other data-processing device. Some examples are fake pop-up windows, SMS texts, e-mails, and chat rooms or services. Social media sites (such as Facebook and LinkedIn) are consistent examples as well, and spoofing entire websites isn’t out of the realm here either.

A is incorrect because technical is not a social engineering attack type and is included here as a distractor.

C is incorrect because human-based social engineering involves the art of human interaction for information gathering. Human-based social engineering uses interaction in conversation or other circumstances between people to gather useful information.

D is incorrect because physical is not a social engineering attack type and is included here as a distractor.

8
Q

PE12.8 An attacker identifies a potential target and spends some time profiling her. After gaining some information, the attacker sends a text to the target’s cell phone. The text appears to be from her bank and advises her to call a provided phone number immediately regarding her account information. She dials the number and provides sensitive information to the attacker, who is posing as a bank employee. Which of the following best defines this attack?

A. Vishing
B. Smishing
C. Phishing
D. Tishing

A

B. Aren’t you excited to have another memorization term added to your CEH vocabulary? In smishing (for SMS text-based phishing), the attacker sends SMS text messages crafted to appear as legitimate security notifications, with a phone number provided. The user unwittingly calls the number and provides sensitive data in response.

A is incorrect because vishing is an attack using a phone call or voice message. In vishing, the attacker calls the target or leaves them a voicemail with instructions to follow.

C is incorrect because phishing makes use of specially crafted e-mails to elicit responses and actions.

D is incorrect because this term does not exist.

9
Q

PE12.9 Which of the following constitutes the highest risk to the organization?

A. Black-hat hacker
B. White-hat hacker
C. Gray-hat hacker
D. Disgruntled employee

A

D. When we consider security measures, most of our attention is usually aimed outside the company, because that’s where all the bad guys are, right? Unfortunately, this line of thinking leads to all sorts of exposure, for many reasons, and it’s more common than you might think. A disgruntled employee is still an employee, after all, which leads to the main reason they’re so dangerous: location. They are already inside the network. Inside attacks are generally easier to launch, are more successful, and are harder to prevent. When you add the human element of having an axe to grind, this can boil over quickly—whether or not the employee has the technical knowledge to pull off the attack. The idea that someone wanting to do harm to our organization’s network not only already has the access to do so but has it because we gave it to them and we’re not watching them should be frightening to us all.

A is incorrect because black-hat hackers aren’t necessarily already inside the network. They have a lot of work to do in getting access and a lot of security levels to wade through to do it.

B is incorrect because a white-hat hacker is one of the good guys—an ethical hacker, hired for a specific purpose.…

10
Q

PE12.10 After observing a target organization for several days, you discover that finance and HR records are bagged up and placed in an outside storage bin for later shredding/recycling. One day you simply walk to the bin and place one of the bags in your vehicle, with plans to rifle through it later. Which social engineering attack was used here?

A. Offline
B. Physical
C. Piggybacking
D. Dumpster diving

A

D. Dumpster diving doesn’t necessarily mean you’re actually taking a header into a dumpster outside. It could be any waste canister, in any location, and you don’t even have to place any more of your body in the canister than you need to extract the old paperwork with. And you’d be amazed what people just throw away without thinking about it: password lists, network diagrams, employee name and number listings, and financial documents are all examples. Lastly, don’t forget that EC-Council defines this as a passive activity. Sure, in the real world, you run a real risk of discovery and questioning by any number of the organization’s staff, but on your exam it’s considered passive.

A is incorrect because offline is not a social engineering…

11
Q
PE12.11 An attacker waits outside the entry to a secured facility. After a few minutes an authorized user appears with an entry badge displayed. He swipes a key card and unlocks the door. The attacker, with no display badge, follows him inside. Which social engineering attack just occurred?

A. Tailgating
B. Piggybacking
C. Identity theft
D. Impersonation

A

B. This is one of those questions that just drives everyone batty—especially people who actually perform pen tests for a living. Does knowing that gaining entry without flashing a fake ID badge of any kind is called piggybacking make it any easier or harder to pull off? I submit having two terms for what is essentially the same attack, separated by one small detail, is a bit unfair, but there’s not a whole lot we can do about it. If it makes it easier to memorize, just keep in mind that pigs wouldn’t wear a badge—they don’t have any clothes to attach it to.

A is incorrect because a tailgating attack requires the attacker to be holding a fake badge of some sort. I know it’s silly, but that’s the only differentiation between these two items: tailgaters have badges, piggybackers do not. If it makes it any easier, just keep in mind a lot of tailgaters at a football game should have a badge on them—to prove they are of legal drinking age.

C is incorrect because this attack has nothing to do with identity theft. Identity theft occurs when an attacker uses personal…

12
Q

PE12.12 Tim is part of a pen test team and is attempting to gain access to a secured area of the campus. He stands outside a badged entry gate and pretends to be engaged in a contentious cell phone conversation. An organization employee walks past and badges the gate open. Tim asks the employee to hold the gate while flashing a fake ID badge and continuing his phone conversation. He then follows the employee through the gate. Which of the following best defines this effort?

A. Shoulder surfing
B. Piggybacking
C. Tailgating
D. Drafting

A

C. This type of question is so annoying I added it twice, back to back, in this chapter—almost as if I was nearly certain you’ll see it on your exam. Tailgating involves following someone through an open door or gate just like piggybacking does; however, in tailgating, a fake identification badge of some sort is used. As an aside, if your exam question does not include both terms—tailgating and piggybacking—but the effort is the same (an attacker following a badged employee through a gate or door), you won’t have to choose between them. Usually, in this case, tailgating will be used more frequently than piggybacking.

A is incorrect because shoulder surfing isn’t about following someone anywhere; instead, it’s about positioning…

13
Q

PE12.13 Which of the following may be effective countermeasures against social engineering? (Choose all that apply.)

A. Security policies
B. Operational guidelines
C. Appropriately configured IDS
D. User education and training
E. Strong firewall configuration

A

A, B, D. ECC identifies several countermeasures against social engineering, but in the real world none of them, by themselves or grouped, is really the key. The problem with most countermeasures against social engineering is they’re almost totally out of your control. Sure you can draft strong policy requiring users to comply with security measures, implement guidelines on everything imaginable to reduce risks and streamline efficiency, and hold educational briefings and training sessions for each and every user in your organization, but when it comes down to it, it’s the user who has to do the right thing. All countermeasures for social engineering have…

14
Q

PE12.14 Which of the following are indicators of a phishing e-mail? (Choose all that apply.)

A. It does not reference you by name.
B. It contains misspelled words or grammatical errors.
C. It contains spoofed links.
D. It comes from an unverified source.

A

A, B, C, D. One of the objectives EC-Council has kept around in its many CEH versions is, and I quote, to “understand phishing attacks.” Part of the official curriculum to study for the exam covers detecting phishing e-mail in depth, and all of these answers are indicators an e-mail might not be legitimate. First, most companies now sending e-mail to customers will reference you by name and sometimes by account number. An e-mail starting with “Dear Customer” or something to that effect may be an indicator something is amiss. Misspellings and grammatical errors from a business are usually dead giveaways because companies do their best to proofread items before they are released. There are, occasionally, some slipups (Internet search some of these; they’re truly funny), but those are definitely the exception and not the rule. Spoofed links can be found by hovering a mouse over them (or by looking at their properties). The link text may read www.yourbank.com, but the hyperlink properties will be sending you to some IP address you don’t want to go to.

As an aside, while these are all great answers to a question on an exam, don’t let them dictate your day-to-day Internet life outside of your exam. A perfectly written, grammatically correct e-mail containing real links and originating from someone you trust could still be part of a phishing campaign. Never click a link in an e-mail without knowing exactly what it is and where it’s taking you—no matter who you think the message is…

15
Q
PE12.15 You are discussing physical security measures and are covering background checks on employees and policies regarding key management and storage. Which type of physical security measures are being discussed?

A. Physical
B. Technical
C. Operational
D. Practical

A

C. Physical security has three major facets: physical measures, technical measures, and operational measures. Operational measures (sometimes referred to as procedural controls) are the policies and procedures you put into place to assist with security. Background checks on employees and any kind of written policy for operational behaviors are prime examples.

A is incorrect because physical measures can be seen or touched. Examples include guards (although you’d probably want to be careful touching one of them), fences, and locked doors.

B is incorrect because technical measures include authentication systems (biometrics anyone…

16
Q

PE12.16 Which of the following resources can assist in combating phishing in your organization? (Choose all that apply.)

A. Phishkill
B. Netcraft
C. Phishtank
D. IDA Pro

A

B, C. For obvious reasons, there are not a lot of questions from these objectives concerning tools—mainly because social engineering is all about the human side of things, not necessarily using technology or tools. However, you can put into place more than a few protective applications to help stem the tide. There are innumerable e-mail-filtering applications and appliances you can put on an e-mail network boundary to cut down on the vast amount of traffic (spam or otherwise) headed to your network. Additionally, Netcraft’s phishing toolbar and Phishtank are two client-side, host-based options you can use (there are others, but these are pointed out specifically in EC-Council’s official courseware).
Netcraft’s (http://toolbar.netcraft.com/) and Phishtank’s (www.phishtank.com/) toolbars are like neighborhood watches on virtual steroids, where eagle-eyed neighbors can see suspicious traffic and alert everyone else. The following is from the Netcraft site: “Once the first recipients of a phishing mail have reported the target URL, it is blocked for community members as they subsequently access the URL.”

These tools, although useful, are not designed to completely protect against phishing.

17
Q

PE12.17 An attacker targets a specific group inside the organization. After some time profiling the group, she notes several websites the individual members of the group all visit on a regular basis. She spends time inserting various malware and malicious codes into some of the more susceptible websites. Within a matter of days, one of the group member’s system installs the malware from an infected site, and the attacker uses the infected machine as a pivot point inside the network. Which of the following best defines this attack?

A. Spear phishing
B. Whaling
C. Web-ishing
D. Watering hole attack

A

D. Have you ever watched nature documentaries on the Discovery Channel? It seems predators frequently hang out in places where the prey tends to show up. For example, a pride of lions might just hang out near a watering hole—knowing full well their prey will eventually just come to them. This attack uses the same principle, except we’re talking about the virtual world. And none of us are lions (at least not outside our imaginations, anyway). In a watering hole attack, the bad guy spends a lot of time profiling the group that is being targeted (note the key wording in this is that a group is targeted, not an individual). The attacker can observe or even guess websites the group would visit, and then infect those sites with some sort of malware or malicious code. Eventually someone from the group will visit the virtual watering hole and—voilà—success.

A is incorrect because spear phishing involves phishing (sending specially crafted e-mails that include links to malicious code) targeted at a specific group of people. In this question, there was no phishing involved.

B is incorrect because whaling is a special type of spear phishing targeting high-level employees.

C is incorrect because this is not a valid term.

18
Q

PE12.18 Which type of social engineering makes use of impersonation, dumpster diving, shoulder surfing, and tailgating?

A. Physical
B. Technical
C. Human based
D. Computer based

A

C. Once again, we’re back to the two major forms of social engineering: human based and computer based. Human-based attacks include all the attacks mentioned here and a few more. Human-based social engineering uses interaction in conversation or other circumstances between people to gather useful information. This can be as blatant as simply asking someone for their password or pretending to be a known entity (authorized user, tech support, or company executive) in order to gain information.

A is incorrect because social engineering attacks do not fall into a physical category.

B is incorrect because social engineering attacks do not fall into a technical category.

D is incorrect because computer-based social engineering attacks are carried out with the use of a computer or other data-processing device. These attacks can include everything from specially crafted pop-up windows for tricking the user into clicking through to a fake website, to SMS texts that provide false technical support messages and dial-in information to a user.

19
Q

PE12.19 In examining the About Us link in the menu of a target organization’s website, an attacker discovers several different individual contacts within the company. To one of these contacts, she crafts an e-mail asking for information that appears to come from an individual within the company who would be expected to make such a request. The e-mail provides a link to click, which then prompts for the contact’s user ID and password. Which of the following best describes this attack?

A. Trojan e-mailing
B. Spear phishing
C. Social networking
D. Operational engineering

A

B. Yes, sometimes you’ll get an easy one. Phishing is using e-mail to accomplish the social engineering task. Spear phishing is actually targeting those e-mails to specific individuals or groups within an organization. This usually has a much higher success rate than just a blind-fire phishing effort.

A, C, and D are incorrect because they are all added as distractors and do not match the circumstances listed. Trojan e-mailing and operational engineering aren’t valid terms in regard to social engineering attacks. A social networking attack, per EC-Council, is one that involves using Facebook, LinkedIn, Twitter, or some other social media to elicit information or credentials from a target.

20
Q

PE12.20. A security admin has a control in place that embeds a unique image into e-mails on specific topics in order to verify the message as authentic and trusted. Which anti-phishing method is being used?

A. Steganography
B. Sign-in seal
C. PKI
D. CAPTCHA

A

B. Sign-in seal is an e-mail protection method in use at a variety of businesses. The practice is to use a secret message or image that can be referenced on any official communication with the site. If you receive an e-mail purportedly from the business but it does not include the image or message, you’re aware it’s probably a phishing attempt. This sign-in seal is kept locally on your computer, so the theory is that no one can copy or spoof it. The practical caveat is that the control only works if users actually notice a missing or wrong seal; a user who clicks through anyway gets no protection from it.

A is incorrect because steganography is not used for this purpose. As you know, steganography is a method of hiding information inside another file—usually an image file.

C is incorrect because PKI refers to an encryption system using public and private keys for security of information between members of an organization.

D is incorrect because a CAPTCHA is not a message-authentication method at all; it is a test to tell humans from scripts, which I am sure you’ve seen hundreds of times already. CAPTCHA (actually an acronym meaning Completely Automated Public Turing test to tell Computers and Humans Apart) is a type of challenge-response method where an image is shown, and the client is required to type the word from the image into a challenge box. An example is on a contest entry form: you type in your information at the top and then see an image with a word (or two) in a crazy font at the bottom. If you type the correct word in, it’s somewhat reasonable for the page to assume you’re a human (as opposed to a script), and the request is sent forward.

21
Q

PE12.21. Which of the following should be in place to assist as a social engineering countermeasure? (Choose all that apply.)

A. Classification of information
B. Strong security policy
C. User education
D. Strong change management process

A

A, B, C, D. All of the answers are correct, but let’s get this out of the way up front: you’ll never be able to put anything whatsoever into place that will effectively render all social engineering attacks moot. You can do some things to limit them, and those on this list can definitely help in that regard, but an organization that responds to social engineering concerns with “We have a strong security policy and great user education” is probably one that’ll see a high turnover rate.

Classification of information is seen as a strong countermeasure because the information, and access to it, is stored and processed according to strict definitions of sensitivity. In the government/DoD world, you’d see labels such as Confidential, Secret, and Top Secret. In the commercial world, you might see Public, Sensitive, and Confidential. I could write an entire chapter on the difference between DoD and commercial labels and argue the finer points of various access control methods, but we’ll stick just to this chapter and what you need here. As a side note, classification of information won’t do you a bit of good if the enforcement of access to that information, and the protection of it in storage or transit, is lax.

Strong security policy has been covered earlier in the chapter, so I won’t waste much print space here on it. You must have a good one in place to help prevent a variety of security failures; however, you can’t rely on it as a countermeasure on its own.

According to EC-Council, user education is not only a viable social engineering countermeasure but it’s the best measure you can take. Anyone reading this book who has spent any time at all trying to educate users on a production, enterprise-level network is probably yelling right now because results can sometimes be spotty at best. However, the weak point in the chain is the user, so we must do our best to educate users on what to look for and what to do when they see it. There simply is no better defense than a well-educated user (and by “well-educated”…

22
Q

PE12.22. Joe uses a user ID and password to log in to the system every day. Jill uses a PIV card and a PIN. Which of the following statements is true?

A. Joe and Jill are using single-factor authentication.
B. Joe and Jill are using two-factor authentication.
C. Joe is using two-factor authentication.
D. Jill is using two-factor authentication.

A

D. When it comes to authentication systems, you can use three factors to prove your identity: something you know, something you have, and something you are. An item you know is, basically, a password or PIN. Something you have is a physical token of some sort, usually a smartcard, that is presented as part of the authentication process. Something you are relates to biometrics: a fingerprint or retinal scan, for instance.

Generally speaking, the more factors you have in place, the better (more secure) the authentication system. In this example, Joe is using only something he knows, whereas Jill is using something she has (PIV card) and…
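What “two factors” means in code is that the verifier demands a pass from two independent categories, not two checks of the same kind. Jill’s second factor in the question is a PIV smartcard; the added example below (not from the book or from EC-Council) swaps in a software TOTP token as the “something you have” because that can be exercised offline, and pairs it with a salted password hash as the “something you know.” The user record, salt, and seed are constructed; the seed is the RFC 6238 reference value so the codes can be checked against the RFC’s published test vectors.

```python
"""Two-factor verification: something you know + something you have (added example).

Assumptions (not from the original page): a constructed user record with a
PBKDF2 password hash and a TOTP seed; the seed is the RFC 6238 reference
seed so the generated codes match the RFC's test vectors.
"""
import hashlib
import hmac
import struct
import time

_SALT = b"constructed-salt"          # constructed; a real system stores a random salt per user
_ITERATIONS = 100_000

USER = {
    "name": "jill",
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS),
    "totp_seed": b"12345678901234567890",   # RFC 6238 reference seed (ASCII "1234567890" x2)
}


def check_password(user: dict, candidate: str) -> bool:
    """Factor 1, something you know: constant-time compare of PBKDF2 hashes."""
    h = hashlib.pbkdf2_hmac("sha256", candidate.encode(), _SALT, _ITERATIONS)
    return hmac.compare_digest(h, user["pw_hash"])


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the default most authenticator apps use."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_token(user: dict, code: str, now: int = None, skew_steps: int = 1) -> bool:
    """Factor 2, something you have: accept the current 30 s step plus +/- skew_steps."""
    now = int(time.time()) if now is None else now
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(user["totp_seed"], now + delta * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


def authenticate(user: dict, password: str, code: str, now: int = None) -> bool:
    """Both factors must pass. A correct password alone is single-factor and is rejected."""
    return check_password(user, password) and check_token(user, code, now)


if __name__ == "__main__":
    # RFC 6238 vector: T=59 with the reference seed gives 94287082 (8 digits) / 287082 (6 digits).
    print(totp(USER["totp_seed"], 59, digits=8))
    print(authenticate(USER, "correct horse", "287082", now=59))
```

Note what the structure enforces: a correct password with a wrong or missing code fails, and so does a correct code with the wrong password. Adding a second “something you know” (a security question, say) to Joe’s login would not change his answer to this question; he would still be single-factor, because both items come from the same category.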

23
Q

PE12.23. A system owner has implemented a retinal scanner at the entryway to the data floor. Which type of physical security measure is this?

A. Technical
B. Single factor
C. Computer based
D. Operational

A

A. Physical security measures are characterized as physical (door locks and guards), operational (policies and procedures), and technical (authentication systems and permissions). This example falls into the technical security measure category. Sure, the door itself is physical, but the question centers on the biometric system, which is clearly technical in origin.

B is incorrect because single factor refers to the method the authentication system uses, not the physical security measure itself. In this case, the authentication is using the “something you are” factor, a biometric retinal scan. …

24
Q

PE12.24. Which of the following is the best representation of a technical control?

A. Air conditioning
B. Security tokens
C. Automated humidity control
D. Fire alarms
E. Security policy

A

B. All security controls are put into place to minimize, or to avoid altogether, the probability of a successful exploitation of a risk or vulnerability. Logical controls (logical is the other term used for technical) do this through technical, system-driven means. Examples include security tokens, authentication mechanisms, and antivirus software. A, C, D, and E are incorrect because they…

25
Q

PE12.25. Which of the following best describes pharming?

A. An attacker redirects victims to a malicious website by sending an e-mail that provides a URL that appears to be legitimate.

B. An attacker redirects victims to a malicious website by modifying their host configuration file or by exploiting vulnerabilities in DNS.

C. An attacker targets specific members of an organization based on their duties, roles, or responsibilities.

D. An attacker inserts malicious code and malware into sites employees visit on a regular basis.

A

B. I’m convinced there are folks who sit around doing nothing more than dreaming up new terminology, acronyms, and slang for all of us to remember, and pharming falls into this category.

Pharming has the same end goal as most other attacks: redirecting folks to malicious websites in hopes of stealing something from them. The method by which it’s done involves editing the victim’s hosts file or manipulating DNS so that lookups for a legitimate name resolve to the attacker’s site, with no bogus link or e-mail required.…
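The hosts-file half of pharming is easy to check for on an endpoint: any line that overrides resolution for a name you care about is worth a look, and the target address tells you whether it is a benign sinkhole (loopback or 0.0.0.0, as ad blockers use) or a real redirect. The following is an added example, not code from the flashcards; the watch list and the sample hosts content are constructed. The DNS half of pharming (poisoned resolver answers) would be checked the same way by comparing answers against a known-good source, but that needs a network and is not attempted here.

```python
"""Detecting hosts-file pharming (added example).

Assumptions (not from the original page): WATCHED lists names whose resolution
we never expect a hosts file to change; SAMPLE_HOSTS is a constructed hosts
file containing both benign entries and two pharming-style overrides.
"""
import ipaddress

WATCHED = {"bank.example.com", "portal.example.com", "login.example.net"}  # constructed

# RFC 1918 ranges, used to tell "redirected to a box on the LAN" from "redirected off-site".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_HOSTS = """\
# Static table lookup for hostnames (constructed sample).
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.tracker.example          # ad blocking, benign
127.0.0.1       login.example.net            # sinkholed, e.g. a blocklist entry
10.13.37.5      bank.example.com www.bank.example.com
203.0.113.77    portal.example.com
"""


def parse_hosts(text: str):
    """Yield (ip_address, [names]) for each entry; strips comments and skips malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        yield ip, [name.lower() for name in parts[1:]]


def _is_watched(name: str) -> bool:
    return name in WATCHED or any(name.endswith("." + w) for w in WATCHED)


def find_pharming(text: str) -> list:
    """Return (severity, ip, [names], reason) for every watched name a hosts file overrides.

    Loopback/unspecified targets block the name rather than redirect it, so they
    are reported at low severity; anything else is a redirect and rated high.
    """
    findings = []
    for ip, names in parse_hosts(text):
        hit = [n for n in names if _is_watched(n)]
        if not hit:
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append(("low", str(ip), hit, "sinkholed (name blocked, not redirected)"))
        elif any(ip in net for net in RFC1918):
            findings.append(("high", str(ip), hit, "redirected to an RFC 1918 (LAN) address"))
        else:
            findings.append(("high", str(ip), hit, "redirected to an external address"))
    return findings


if __name__ == "__main__":
    # On a live system you would read the real file, e.g. /etc/hosts or
    # C:\Windows\System32\drivers\etc\hosts, instead of SAMPLE_HOSTS.
    for sev, ip, names, why in find_pharming(SAMPLE_HOSTS):
        print(f"[{sev}] {ip} -> {', '.join(names)}: {why}")
```

The ordering of the three branches matters: a 127.0.0.1 entry for a watched name is what a corporate blocklist or an ad blocker produces, so treating it as a redirect would bury the two real findings (bank.example.com sent to a LAN host, portal.example.com sent off-site) in noise.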