ITN 261 CHAPTER 10 QUESTIONS &
ANSWERS (RATED A+)
You get a phone call from someone telling you they are from the IRS and they are
sending the police to your house now to arrest you unless you provide a method of
payment immediately. What tactic is the caller using?
1. Pretexting
2. Biometrics
3. Smishing
4. Rogue access - ANSWER1. Pretexting
Biometrics is the use of a physical attribute to provide authentication. Smishing is using
short message service (SMS/texting) to gather information from people. Rogue access
isn't really anything. Pretexting is coming up with a believable story that you can use
when trying to perform a social engineering attack on someone.
You are working on a red-team engagement. Your team leader has asked you to use
baiting as a way to get in. What are you being asked to do?
1. Make phone calls
2. Clone a website
3. Leave USB sticks around
4. Spoof an RFID ID - ANSWER3. Leave USB sticks around
Baiting is leaving a lure out in order to gather targets. You could use USB sticks or CDs
around as bait if they had software on them that would run and "infect" the target
system in a way that would give you control over them. While all of the other options are
related to social engineering, none of them is called baiting.
Which of the social engineering principles is in use when you see a line of people at a
vendor booth at a security conference waiting to grab free USB sticks and CDs?
1. Reciprocity
2. Social proof
3. Authority
4. Scarcity - ANSWER2. Social proof
Social proof is in use when it appears to be okay to engage in a behavior because you
see others engaging in it. When people see a line of others waiting to grab USB sticks,
, in spite of knowing they shouldn't trust USB sticks, they may be inclined to lower their
defenses. There is no reciprocity or authority here. There may eventually be scarcity,
but that's not what would drive people to stand in line to acquire a potentially dangerous
item.
What is a viable approach to protecting against tailgating?
1. Biometrics
2. Badge access
3. Phone verification
4. Man traps - ANSWER4. Man traps
Biometrics and badge access are forms of physical access control. Phone verification
could possibly be used as a way of verifying identity, but it won't protect against
tailgating. A man trap, however, will protect against tailgating because a man trap
allows only one person in at a time.
Why would you use wireless social engineering?
1. To send phishing messages
2. To gather credentials
3. To get email addresses
4. To make phone calls - ANSWER2. To gather credentials
Especially in enterprises, there is generally some authentication that happens. This
could be in the form of a pre-shared key or a username/password combination. Either
way, when you are using social engineering of wireless networks, you are probably
attempting to gather credentials to gain access to sites. It's unlikely you'd use this vector
for sending phishing messages or getting email addresses, and it wouldn't be used to
make phone calls.
Which social engineering principle may allow a phony call from the help desk to be
effective?
1. Social proof
2. Imitation
3. Scarcity
4. Authority - ANSWER4. Authority
While you might be imitating someone, imitation is not a social engineering principle.
Neither social proof nor scarcity are at play in this situation. However, if you are calling
from the help desk, you may be considered to be in a position of authority.
Why would you use automated tools for social engineering attacks?
1. Better control over outcomes
ANSWERS (RATED A+)
You get a phone call from someone telling you they are from the IRS and they are
sending the police to your house now to arrest you unless you provide a method of
payment immediately. What tactic is the caller using?
1. Pretexting
2. Biometrics
3. Smishing
4. Rogue access - ANSWER1. Pretexting
Biometrics is the use of a physical attribute to provide authentication. Smishing is using
short message service (SMS/texting) to gather information from people. Rogue access
isn't really anything. Pretexting is coming up with a believable story that you can use
when trying to perform a social engineering attack on someone.
You are working on a red-team engagement. Your team leader has asked you to use
baiting as a way to get in. What are you being asked to do?
1. Make phone calls
2. Clone a website
3. Leave USB sticks around
4. Spoof an RFID ID - ANSWER3. Leave USB sticks around
Baiting is leaving a lure out in order to gather targets. You could use USB sticks or CDs
around as bait if they had software on them that would run and "infect" the target
system in a way that would give you control over them. While all of the other options are
related to social engineering, none of them is called baiting.
Which of the social engineering principles is in use when you see a line of people at a
vendor booth at a security conference waiting to grab free USB sticks and CDs?
1. Reciprocity
2. Social proof
3. Authority
4. Scarcity - ANSWER2. Social proof
Social proof is in use when it appears to be okay to engage in a behavior because you
see others engaging in it. When people see a line of others waiting to grab USB sticks,
, in spite of knowing they shouldn't trust USB sticks, they may be inclined to lower their
defenses. There is no reciprocity or authority here. There may eventually be scarcity,
but that's not what would drive people to stand in line to acquire a potentially dangerous
item.
What is a viable approach to protecting against tailgating?
1. Biometrics
2. Badge access
3. Phone verification
4. Man traps - ANSWER4. Man traps
Biometrics and badge access are forms of physical access control. Phone verification
could possibly be used as a way of verifying identity, but it won't protect against
tailgating. A man trap, however, will protect against tailgating because a man trap
allows only one person in at a time.
Why would you use wireless social engineering?
1. To send phishing messages
2. To gather credentials
3. To get email addresses
4. To make phone calls - ANSWER2. To gather credentials
Especially in enterprises, there is generally some authentication that happens. This
could be in the form of a pre-shared key or a username/password combination. Either
way, when you are using social engineering of wireless networks, you are probably
attempting to gather credentials to gain access to sites. It's unlikely you'd use this vector
for sending phishing messages or getting email addresses, and it wouldn't be used to
make phone calls.
Which social engineering principle may allow a phony call from the help desk to be
effective?
1. Social proof
2. Imitation
3. Scarcity
4. Authority - ANSWER4. Authority
While you might be imitating someone, imitation is not a social engineering principle.
Neither social proof nor scarcity are at play in this situation. However, if you are calling
from the help desk, you may be considered to be in a position of authority.
Why would you use automated tools for social engineering attacks?
1. Better control over outcomes
