Section 29 - Social Engineering Flashcards

1
Q

What is “Social Engineering”?

A

Any act that manipulates users into revealing confidential information or performing other actions that are detrimental to that user or the security of our systems

2
Q

What is “pretexting”?

A

When an attacker gives some amount of information that seems true so that you’ll give them more information to fill in the gaps

3
Q

What is an “insider threat”?

A

Somebody who works for your organization but has ulterior motives and wants to do something negative to your organization

4
Q

What is “phishing”?

A

A victim is contacted by email, telephone, text message, or some other method posing as a legitimate organization.

*** When you see phishing on the exam, always equate it to mean “email” because telephone and text messages are called something else.

5
Q

What is “vishing”?

A

Phishing by telephone

6
Q

What is “smishing”?

A

Phishing by text message

7
Q

The best practice to prevent phishing is…?

A

Don’t click on any links in emails

8
Q

What is “spear phishing”?

A

Phishing that’s focused on a specific person

9
Q

What is “whaling”?

A

Phishing that’s focused specifically on a high-level executive

10
Q

What is pharming?

A

Tricking someone into going to a different website

*** Often used in conjunction with vishing or smishing to get you directed to that fraudulent link

11
Q

What motivates the users to fall for social engineering?

A
  1. Authority - people make these mistakes when they believe someone of authority is demanding it of them
  2. Financial institutions - when people believe they owe money, have lost money or could gain money
  3. Urgency - people naturally want to help others, so when someone asks for a favor people tend to comply, especially if the situation at hand is urgent
  4. Social proof - people are likely to click on things that are popular: those that have lots of likes and shares, and things they see their friends doing
  5. Scarcity - when there’s a good deal but supplies are limited. This tricks many people into falling for a scam
  6. Likeability - when the person scamming you is so incredibly likeable that you fall for their proposed scam (ex. a very attractive woman)
  7. Fear - being threatened that not acting will result in some kind of penalty to you (like being arrested)
12
Q

What is “diversion theft”?

A

This occurs when a thief tries to divert a shipment by taking responsibility for it and sending it to a different location

13
Q

What is a “hoax”?

A

This is an attempt at deceiving people into believing something is false even if it’s true or making them believe something is true even if it’s false.

14
Q

What is “shoulder surfing”?

A

Literally what it sounds like. Someone obtains information from you by looking at your screen from behind where you are.

15
Q

What is “eavesdropping”?

A

An attacker overhearing information that they want to get

16
Q

What is “dumpster diving”?

A

Scavenging for personal or confidential information in garbage or recycling containers

17
Q

What is “baiting”?

A

When a malicious individual leaves behind a malware-infected device someplace where someone curious enough will pick it up and connect it to one of their devices

18
Q

What is “piggybacking”?

A

When an unauthorized person tags along with an authorized person to gain access into a restricted area

19
Q

What is a “watering hole” attack?

A

When an attacker figures out where your users like to go, such as a commonly visited website, they attack that website and embed malware in it, so the next time your users go to that website they download the malware.

20
Q

What is “fraud”?

A

The wrongful or criminal deception intended to result in financial or personal gain

*** This isn’t like stealing because you’re being tricked into doing it yourself

21
Q

What is “identity fraud”?

A

The use by one person of another person’s personal information without their authorization to commit a crime or to deceive or defraud that other person or some other third party

*** like stealing your credit card info and making charges as if they are you

22
Q

What is the difference between identity fraud and identity theft?

A

When somebody commits identity theft, they’re actually stealing another person’s identity and using it as their own. They become you.

23
Q

What is a “scam”?

A

A scam is a fraudulent or deceptive act or operation

*** Essentially, someone trying to deceive you into doing something

24
Q

What is an “invoice scam”?

A

This is a scam in which a person is tricked into paying for a fake invoice for a product or service that they did not actually order

25
Q

What is “prepending”?

A

This is a very technical method that’s used in social engineering to trick users into entering their usernames and passwords and other sensitive information by adding what’s considered essentially an invisible string before the web link when they go to click on something in an email.

26
Q

What is an “influence operation”?

A

This is a collection of tactical information about an adversary, as well as the dissemination of propaganda in pursuit of a competitive advantage over an opponent

*** When you take information and use it against someone. This is a military term, but CompTIA uses the term “influence campaign.” An influence campaign is one small part of a larger influence operation, but the two terms are used interchangeably.

27
Q

What is “hybrid warfare”?

A

This is a military strategy that employs the full spectrum of warfare. It uses political warfare, conventional warfare, regular warfare and cyber warfare.
