Information Security Social Engineering Quiz

Questions and Answers

What is the primary objective of a spoofing attack in information security?

  • To disrupt network connections
  • To improve system performance
  • To gain unauthorized access or information (correct)
  • To enhance user engagement

Which social engineering technique involves pretending to be an attractive person online to gain confidential information?

  • Honey trap (correct)
  • Baiting
  • Diversion theft
  • Phishing

What is baiting in the context of social engineering?

  • Offering fake incentives to trick users
  • Leaving malicious physical devices to gather information (correct)
  • Creating deceptive websites to harvest data
  • Disguising malware as legitimate software

Which of the following best describes 'piggybacking' in the realm of social engineering?

  • Physically following someone into a secure area without permission (correct, option D)

In a honey trap, who is usually the target of the attack?

  • An insider with access to sensitive information (correct, option B)

Which scenario is an example of baiting?

  • A user finds a USB drive labeled 'Company Holiday Party' and opens it (correct, option B)

What advantage does using both symmetric and asymmetric cryptography in SSL/TLS provide?

  • It supports less-powerful devices with symmetric encryption. (correct, option B)

How is the Single Loss Expectancy (SLE) calculated in the hard drive recovery example?

  • By adding the asset value to the total recovery cost. (correct, option A)

What psychological factors do attackers exploit in baiting?

  • Curiosity and greed (correct, option A)

How does the honey trap differ from traditional phishing attacks?

  • It focuses on exploiting emotional attractions rather than impersonation (correct, option B)

What is the Annual Loss Expectancy (ALE) calculated from the example provided?

  • $145.2 (correct, option D)

What is the primary type of attack described as using plaintext to compromise the DES encryption?

  • Meet-in-the-middle attack (correct, option A)

What assumption is made regarding the exposure factor (EF) in the calculations for hard drive recovery?

  • It is set to 100%. (correct, option A)

How often is the hard drive failure expected to occur according to the information provided?

  • Once every three years. (correct, option D)

What is the estimated total recovery time from a hard drive failure in hours?

  • 14 hours (correct, option C)

Which regulation is primarily concerned with the protection of personal medical records?

  • HIPAA/PHI (correct, option A)

What does the Annual Rate of Occurrence (ARO) equate to in the recovery example?

  • 1/3 (correct, option A)

What does PHI stand for in the context of healthcare regulations?

  • Protected Health Information (correct, option D)

Which of the following is NOT considered PHI under HIPAA regulations?

  • Marketing solicitations (correct, option B)

What type of entities are covered under HIPAA regulations?

  • Healthcare providers (correct, option B)

If patient names are linked with health information, they are considered:

  • Protected health information (correct, option D)

Which of the following best describes the HIPAA Privacy Rule?

  • It provides federal protections for private health info. (correct, option A)

Under HIPAA definitions, demographic info includes which of the following?

  • Patient's insurance details (correct, option D)

Which of the following scenarios would most likely lead to a HIPAA violation?

  • Sharing medical records without patient consent (correct, option A)

Which of the following is NOT considered a health information identifier?

  • Social media accounts (correct, option C)

What do HIPAA Privacy Rule restrictions apply to?

  • Uses and disclosures of health information (correct, option D)

What is the purpose of technical, physical, and administrative safeguards in HIPAA?

  • To ensure the confidentiality, integrity, and availability of PHI (correct, option B)

Which of the following describes a bug bounty program?

  • A system for identifying and rewarding security exploits (correct, option A)

In what context are bug bounty programs usually operated?

  • Through curated independent third-party platforms (correct, option B)

Which of the following professionals typically participates in bug bounty programs?

  • Independent security researchers (correct, option B)

What does PHI stand for in the context of HIPAA?

  • Protected Health Information (correct, option A)

Which of the following is an example of a biometric identifier?

  • Fingerprint (correct, option D)

What is the main purpose of a dictionary attack in password cracking?

  • To attempt each word from a dictionary as a password. (correct, option A)

Which tools are commonly used for password cracking?

  • John the Ripper and L0phtCrack (correct, option A)

What type of attack did Richard perform when he injected captured commands into the IoT network?

  • Replay attack (correct, option D)

Which characteristic best describes a replay attack?

  • It captures and reuses legitimate data communication. (correct, option C)

What is a common method employed in a dictionary attack to increase effectiveness?

  • Combining dictionary words with character substitutions. (correct, option B)

What is one main reason corporations implement bug bounty programs?

  • To attract a larger pool of hackers for testing (correct, option B)

Which benefit do researchers and hackers gain from participating in bug bounty programs?

  • Financial rewards and professional recognition (correct, option B)

What is a significant challenge faced by independent researchers in bug bounty programs?

  • Only one report per bug is rewarded (correct, option D)

What percentage of participants in major bug bounty platforms have never successfully sold a bug, according to the information?

  • 97% (correct, option D)

How do bug bounty programs serve as a publicity strategy for firms?

  • They can demonstrate a mature security initiative (correct, option B)

Why might a hacker consider bug bounty hunting to be enjoyable?

  • It involves clear legal operations (correct, option D)

What is a potential downside of participating in bug bounty programs for hackers?

  • They may spend significant time without financial returns (correct, option B)

What trend is indicated regarding bug bounty programs in the corporate landscape?

  • They are seen as an emerging industry standard (correct, option A)

Flashcards

Honey Trap

A social engineering technique where an attacker pretends to be an attractive person online to build a fake relationship and extract confidential information from the target.

Fake Profile

An attacker creates a fake profile on a social media platform to trick someone into sharing company information.

Social Engineering

A malicious technique where attackers use deceptive tactics to entice users into giving up sensitive information or accessing malicious files.

Spoofing Attack

An attack where an attacker disguises their identity to gain unauthorized access to a system or network.

Baiting

A social engineering technique where attackers offer something tempting (like a USB drive with enticing information) to trick users into revealing data or downloading malware.

Honey Trap Technique

A method of obtaining confidential information by targeting an insider who has access to critical data.

Baiting Example

A fake USB drive, often labeled with company information to trick people into accessing malicious content.

Piggybacking Attack

A type of spoofing attack to gain unauthorized access to a network or system.

Symmetric Cryptography

A type of cryptography where the same key is used for both encryption and decryption.

Asymmetric Cryptography

A type of cryptography where two separate keys are used: one for encryption and another for decryption.

SSL/TLS

A protocol used for secure communication over the internet, combining both symmetric and asymmetric cryptography to establish secure connections between a client and a server.

Attack

An attack that exploits the vulnerabilities in a system's security to gain unauthorized access or manipulate data.

Single Loss Expectancy (SLE)

The expected financial loss from a single security incident.

Annual Rate of Occurrence (ARO)

The likelihood of a security incident occurring within a specific timeframe.

Annual Loss Expectancy (ALE)

The expected financial loss from a security incident over a year.

Man-in-the-middle attack

A type of attack where the attacker intercepts the communication between two parties and replaces the legitimate messages with their own.

Dictionary Attack

A type of attack where an attacker tries every word in a dictionary as a password to gain access to a system.

Replay Attack

An attack where an attacker captures data transmitted between devices and then replays it later to gain unauthorized access.

Side-channel Attack

A type of attack where an attacker intercepts and analyzes data transmitted between devices to understand how they communicate and potentially exploit vulnerabilities.

Reconnaissance Attack

A type of attack where an attacker gathers information about a target system or network before launching a full-fledged attack.

Cryptanalysis Attack

A technique used to crack encrypted messages or passwords by analyzing the patterns and algorithms used in the encryption process.

Protected Health Information (PHI)

Information that can be used to identify an individual, including names, dates (excluding year), phone numbers, addresses, Social Security numbers, email addresses, etc.

Bug Bounty Program

A program where companies allow independent security researchers to report vulnerabilities and receive rewards for their findings.

HIPAA Privacy Rule

The HIPAA Privacy Rule applies to PHI, limiting its use and disclosure. It requires companies to protect this data and make sure it's kept confidential.

HIPAA Security Rule

The HIPAA Security Rule requires companies to implement technical, physical and administrative safeguards to protect PHI.

Distinctive Identifying Variety or Code

A specific variety of code or feature that uniquely differentiates a healthcare provider or organization; it can also be considered PHI.

Biometric Identifiers

Includes retinal scans, fingerprints, and other unique biometric information.

Bug Bounty

A specific type of vulnerability disclosure program where companies incentivize ethical hackers to identify security weaknesses in their systems by offering financial rewards.

HackerOne and Bugcrowd

Platforms like HackerOne and Bugcrowd facilitate bug bounty programs. They provide a platform for researchers to report vulnerabilities.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a US law that protects sensitive patient health information (PHI). It sets standards for securing, using, and disclosing PHI.

PHI

Protected Health Information (PHI) is any individually identifiable health information that is used, maintained, stored, or transmitted by a healthcare provider, health plan, or healthcare clearinghouse.

HIPAA-covered entity

A HIPAA-covered entity is any healthcare provider, health plan, or healthcare clearinghouse that handles PHI.

HIPAA Business Associate

A business associate of a HIPAA-covered entity is any organization that provides services to a covered entity that involve the use or disclosure of PHI.

HIPAA Breach

A breach of HIPAA is any unauthorized use or disclosure of PHI. This can involve data theft, hacking, or other security vulnerabilities.

HIPAA Enforcement Rule

The HIPAA Enforcement Rule specifies how HIPAA violations are investigated and penalized. It outlines different penalties based on the severity of the violation.

Why do corporations use bug bounty programs?

Corporations use bug bounty programs to leverage a diverse pool of ethical hackers to find and report security vulnerabilities in their software and systems.

Why do researchers and hackers participate in bug bounty programs?

Bug bounty programs offer ethical hackers financial rewards, recognition, and opportunities to showcase their skills, making it a motivating and valuable platform for security research.

Disadvantages of bug bounty programs for hackers?

Bug bounty programs are often flooded with participants, which can lead to fierce competition and the risk of finding a bug that has already been reported, leaving you with no reward.

How does a bug bounty program impact a company's image?

A bug bounty program acts as a public signal to stakeholders that a company is serious about its cybersecurity posture, fostering trust and confidence.

What benefit do bug bounty programs offer companies beyond just finding bugs?

Bug bounty programs allow companies to access a wider range of security expertise than they could with their in-house team.

How are bug bounty programs becoming a standard practice?

The increasing popularity and adoption of bug bounty programs have led to them being seen as a standard practice within the security industry.

What is the biggest drawback for hackers in a bug bounty program?

Bug bounty programs often require hackers to be the first to report a bug to receive rewards. Finding a bug that is already reported by someone else can be a frustrating experience for participants.

Is it realistic for hackers to make a full-time income through bug bounty programs?

While some hackers make a full-time income through bug bounty programs, the majority of participants do not earn significant amounts, with only a small percentage actually receiving rewards.