Social Engineering

Question 1

Pretexting

Answer 1

Pretexting is a method of inventing a scenario to convince victims to divulge information they should not divulge.

Question 2

Insider Threat

Answer 2

A person who works with your organisation but has ulterior motives. -E.g.: Employees who steal information are insider threats.

Question 3

Phishing

Answer 3

An attempt to fraudulently obtain information from a user (usually by email).

Question 4

Spear Phishing

Answer 4

An attempt to fraudulently obtain information from a user (usually by email). Spear Phishing targets a specific individual.

Question 5

Whaling

Answer 5

A form of spear phishing that directly targets the CEO, CFO, CIO, CSO or other high-value target in an organisation.

Question 6

Smishing

Answer 6

Phising conducted over SMS.

Question 7

Vishing

Answer 7

Phising that occurs over voice calls.

Question 8

Pharming

Answer 8

Phising attempt to trick a user to access a different website.

Question 9

What are the 6 Motivation Factors in Social Engineering

Answer 9

• Authority
• Urgency
• Social Proof
• Scarcity
• Likeability
• Fear

Question 10

Diversion Theft

Answer 10

When a thief trys to divert a shipment to another location.

Question 11

Hoax

Answer 11

Deceiving people into believing something is false when it’s true (or vice versa)

Question 12

Shoulder Surfacing

Answer 12

Someone watches your activities in person to obtain authentication information.

Question 13

Eavesdropping

Answer 13

When a person uses direct observation to “listen” in to a conversation

Question 14

Dumpster Diving

Answer 14

When a person scavenges for information in garbage containers.

Question 15

Baiting

Answer 15

When a malicious individual leaves malware-infected removable media such as a USB drive or optical disk in plain view for a victim.

Question 16

Piggybacking

Answer 16

When an unauthorised person tags along with an authorized person to gain entry to a restricted area.

Question 17

Watering Hole Attack

Answer 17

When an attacker figures out where users like to go, and places malware to gain access to your organisation.

Question 18

Fraud

Answer 18

A wrongful or criminal deception indented to result in financial or personal gain.

Most common within cybersecurity is Identity Theft.
There is a difference between Identity theft and Identity fraud.

Question 19

Scam

Answer 19

A fraudulent or deceptive act or operation.

Question 20

Invoice Scam

Answer 20

Where an individual or organisation is tricked into paying a fake invoice for a service or product they didn’t order

Question 21

Prepending

Answer 21

Adding an invisible string before a weblink that a victim would click.

Question 22

Influence Campaign (Influence Operations)

Answer 22

The collection of tactical information about an adversary as well as the dissemination of propaganda in pursuit of a competitive advantage over an opponent.

(Take information and use it again someone). CompTIA uses the term Influence Campaign)

Question 23

Hybrid Warfare

Answer 23

A military strategy which employs political warfare, conventional warfare, irregular warfare and cyberware.

Companies like facebook and twitter have been victims of attempts by foreign threat actors to influence the political and social landscape.

Question 24

What can you train users to do to prevent a security incident?

Answer 24

• Never give out their authentication information
• Screen emails & calls carefully, train them to make logs of “unusual events”
• Train users how to use encryption
• Train users never to pick up and make use of removal media
• Shred sensitive information
• Comply with data handling and disposal policy
• Teach them good web security
• Implement a clean desk policy

Question 25

Clean Desk Policy

Answer 25

A policy where all employees must put away everything (files & folders) from their desk at the end of the day into locked drawers and cabinets