Low Tech: Social Engineering and Physical Security - CEH Certified Ethical Hacker Practice Exams Second Edition (2014)

CEH Certified Ethical Hacker Practice Exams Second Edition (2014)


Low Tech: Social Engineering and Physical Security

This chapter includes questions from the following topics:

• Define social engineering

• Describe the different types of social engineering attacks

• Describe insider attacks, reverse social engineering, dumpster diving, social networking, and URL obfuscation

• Describe phishing attacks and countermeasures

• List social engineering countermeasures

• Describe physical security measures


I know a lot of people will pick up books like this in an effort to train themselves to be a “hacker,” but I’ve got some news for you: You were already partway there. You are a born social engineer, and you’ve been doing some of this stuff since you could walk. In fact, I’ll bet serious cash you’ll probably employ at least some manipulation of your fellow human beings today, maybe without even thinking about it.

Don’t believe me? I guarantee if you search your memory banks there was at least once in your childhood where you talked your way into another piece of candy or a few minutes playing with a toy, just because you were cute. If you had siblings, I bet all of you conspired—at least once—to cover up something bad or to convince Mom you really needed more ice cream. And the old “Well, Dad said it was OK” trick, pitting Mom versus Dad? Oldest one in the book....

We all work the system every day because it’s how we are wired, and there’s not a person reading this book who doesn’t try to influence and manipulate the people around them to gain an advantage or accomplish a goal. You’ve been doing it since you were born, and you will continue to do so until you shed this mortal coil. All we’re doing with pen testing and ethical hacking is bringing those same thoughts and actions to influence our virtual workplace and adding one slight twist: While most of your manipulation of others isn’t consciously purposeful, it has to be in the virtual world. There’s a lot of acting, a lot of intuition, and a lot of lying involved, and to be successful in this area you have to be convincing to pull it off.

The entire subject is fascinating, and there are endless articles, studies, and books devoted to it. A Kaspersky blog dubbed it “Hacking the Human OS,” which is about as apt a description as I could ever come up with myself. Social engineering and physical security measures are those obvious and simple solutions you may accidentally overlook. Why spend all the effort to hack into a system and crack passwords offline when you can just call someone up and ask for them? Why bother with trying to steal sensitive business information from encrypted shares when you can walk into the building and sit in on a sales presentation? Sure, you occasionally almost get arrested shuffling around in a dumpster for good information (our esteemed technical editor can attest to this), but most of social engineering is easy, simple, and effective.


STUDY TIPS  Social engineering is part of the Security segment of the exam, which comprises 25 percent of the questions (31 out of 125 will be in this area). The Security segment covers all sorts of stuff, and social engineering makes up a large part of that. Thankfully, most questions you’ll see about these topics are of the straightforward, definition-based variety, so you may not find this chapter’s questions as challenging as some from previous offerings.

One note of caution, though: Be careful with the wording in some of these questions. For example, tailgating and piggybacking mean the same thing to us in the real world, but there’s a significant difference when it comes to your exam. It’s true that most of these are fairly easy to decipher, but EC-Council sometimes likes to focus on minutiae.

Questions

1. An organization’s building has a guard posted at the lone entrance. A door leads into a smaller room with a second door heading into the interior of the building. Which physical security measure is in place?

A. Guard shack

B. Turnstile

C. Man shack

D. Man trap

2. In your social engineering efforts, you call the company help desk and pose as a user who has forgotten a password. You ask the technician to help you reset your password, which they happily comply with. Which social engineering attack is in use here?

A. Piggybacking

B. Reverse social engineering

C. Technical support

D. Halo effect

3. Which of the following is a true statement regarding biometric systems?

A. The lower the CER, the better the biometric system.

B. The higher the CER, the better the biometric system.

C. The higher the FRR, the better the biometric system.

D. The higher the FAR, the better the biometric system.

4. A pen tester sends an unsolicited e-mail to several users on the target organization. The e-mail is well crafted and appears to be from the company’s help desk, advising users of potential network problems. The e-mail provides a contact number to call in the event a user is adversely affected. The pen tester then performs a denial of service on several systems and receives phone calls from users asking for assistance. Which social engineering practice is in play here?

A. Technical support

B. Impersonation

C. Phishing

D. Reverse social engineering

5. A pen test member has gained access to a building and is observing activity as he wanders around. In one room of the building, he stands just outside a cubicle wall opening and watches the onscreen activity of a user. Which social engineering attack is in use here?

A. Eavesdropping

B. Tailgating

C. Shoulder surfing

D. Piggybacking

6. A recent incident investigated by the local IR team involved a user receiving an e-mail that appeared to be from the U.S. Postal Service, notifying her of a package headed her way and providing a link for tracking the package. The link provided took the user to what appeared to be the USPS site, where she input her user information to learn about the latest shipment headed her way. Which attack did the user fall victim to?

A. Phishing

B. Internet level

C. Reverse social engineering

D. Impersonation

7. Which type of social engineering attack uses phishing, pop-ups, and IRC channels?

A. Technical

B. Computer based

C. Human based

D. Physical

8. An e-mail sent from an attacker to a known hacking group contains a reference stating, “Rebecca works for the finance department at business-name and is the administrative assistant to the chief. She can be reached at phone-number.” What is most likely being communicated here?

A. The name of an administrative assistant is being published to simplify later social engineering attacks.

B. The administrative assistant for the chief of the finance department at this business is easily swayed by social engineering efforts.

C. The finance department has a lax security policy in place.

D. None of the above. There is not enough information to form a conclusion.

9. Which of the following constitutes the highest risk to the organization?

A. Black-hat hacker

B. White-hat hacker

C. Gray-hat hacker

D. Disgruntled employee

10. After observing a target organization for several days, you discover that finance and HR records are bagged up and placed in an outside storage bin for later shredding/recycling. One day you simply walk to the bin and place one of the bags in your vehicle, with plans to rifle through it later. Which social engineering attack was used here?

A. Offline

B. Physical

C. Piggybacking

D. Dumpster diving

11. An attacker waits outside the entry to a secured facility. After a few minutes an authorized user appears with an entry badge displayed. He swipes a key card and unlocks the door. The attacker, with no display badge, follows him inside. Which social engineering attack just occurred?

A. Tailgating

B. Piggybacking

C. Identity theft

D. Impersonation

12. Which threat presents the highest risk to an organization’s resources?

A. Government-sponsored hackers

B. Social engineering

C. Disgruntled employees

D. Script kiddies

13. Which of the following may be effective countermeasures against social engineering? (Choose all that apply.)

A. Security policies

B. Operational guidelines

C. Appropriately configured IDS

D. User education and training

E. Strong firewall configuration

14. Which of the following are indicators of a phishing e-mail? (Choose all that apply.)

A. It does not reference you by name.

B. It contains misspelled words or grammatical errors.

C. It contains spoofed links.

D. It comes from an unverified source.

15. You are discussing physical security measures and are covering background checks on employees and policies regarding key management and storage. Which type of physical security measure is being discussed?

A. Physical

B. Technical

C. Operational

D. Practical

16. Which of the following resources can assist in combating phishing in your organization? (Choose all that apply.)

A. Phishkill

B. Netcraft

C. Phishtank

D. IDA Pro

17. In order, what are the three steps in a reverse social engineering attack?

A. Technical support, marketing, sabotage

B. Sabotage, marketing, technical support

C. Marketing, technical support, sabotage

D. Marketing, sabotage, technical support

18. Which type of social engineering makes use of impersonation, dumpster diving, shoulder surfing, and tailgating?

A. Physical

B. Technical

C. Human based

D. Computer based

19. In examining the About Us link in the menu of a target organization’s website, an attacker discovers several different individual contacts within the company. She crafts an e-mail asking for information to one of the contacts that appears to come from an individual within the company who would be expected to make such a request. The e-mail provides a link to click, which then prompts for the contact’s user ID and password. Which of the following best describes this attack?

A. Trojan e-mailing

B. Spear phishing

C. Social networking

D. Operational engineering

20. A security admin has a control in place that embeds a unique image into e-mails on specific topics, which verifies the message as authentic and trusted. Which antiphishing method is being used?

A. Steganography

B. Sign-in seal

C. PKI

D. Captcha

21. Which of the following should be in place to assist as a social engineering countermeasure? (Choose all that apply.)

A. Classification of information

B. Strong security policy

C. User education

D. Strong change management process

22. Joe uses a user ID and password to log into the system every day. Jill uses a PIV card and a PIN. Which of the following statements is true?

A. Joe and Jill are using single-factor authentication.

B. Joe and Jill are using two-factor authentication.

C. Joe is using two-factor authentication.

D. Jill is using two-factor authentication.

23. A system owner has implemented a retinal scanner at the entryway to the data floor. Which type of physical security measure is this?

A. Technical

B. Single factor

C. Computer based

D. Operational

24. Which of the following is the best representation of a technical control?

A. Air conditioning

B. Security tokens

C. Automated humidity control

D. Fire alarms

E. Security policy

25. A security admin at an organization boasts that her security measures are top notch and cannot be breached. In discussing their biometric authentication mechanisms, which of the following presents a reason biometric systems may still fall under successful attack?

A. The digital representation of the biometric entry may not be unique, even if the physical characteristic is.

B. Biometric compares a copy to a copy instead of the original to a copy.

C. The stored hash in biometric systems is no longer “something you are” and instead becomes “something you have.”

D. A stored biometric can be stolen and used by an attacker to impersonate the individual.

Quick Answer Key

1. D

2. C

3. A

4. D

5. C

6. A

7. B

8. B

9. D

10. D

11. B

12. C

13. A, B, D

14. A, B, C, D

15. C

16. B, C

17. D

18. C

19. B

20. B

21. A, B, C, D

22. D

23. A

24. B

25. D

Answers

1. An organization’s building has a guard posted at the lone entrance. A door leads into a smaller room with a second door heading into the interior of the building. Which physical security measure is in place?

A. Guard shack

B. Turnstile

C. Man shack

D. Man trap

D. If you took a test on college football history, you know it would contain a question about Alabama. If you took one on trumpet players, there’d be one about Dizzy Gillespie. And if you take a test on physical security measures for Certified Ethical Hacker, you’re going to be asked about the man trap. They love it that much.

A man trap is nothing more than a locked space you can hold someone in while verifying their right to proceed into the secured area. It’s usually a glass (or clear plastic) walled room that locks the exterior door as soon as you enter. Then there is some sort of authentication mechanism, such as a smartcard with a PIN or a biometric system. Assuming the authentication is successful, the second door leading to the interior of the building will unlock, and the person is allowed to proceed. If it’s not successful, the doors will remain locked until the guard can check things out. As an aside, in addition to authentication, some man traps add all sorts of extra fun, such as checking your weight to see if you’ve mysteriously gained or lost 20 pounds since Friday.

A few other notes here may be of use to you: First, I’ve seen a man trap defined as either manual or automatic, where manual has a guard locking and unlocking the doors, and automatic has the locks tied to the authentication system, as described previously. Second, a man trap is also referred to in some definitions as an air lock. Should you see that term on the exam, know that it is referring to the man trap. Lastly, man traps in the real world can sometimes come in the form of a rotating door or turnstile, locking partway around if you don’t authenticate properly. And, on some of the really fancy ones, sensors will lock it if you’re trying to smuggle two people through.

A is incorrect because this question is not describing a small location at a gate where guards are stationed. Traditionally, these are positioned at gates to the exterior wall or the gate of the facility, where guards can verify identity and so on before allowing people through to the parking lot.

B is incorrect because a turnstile is not described here and, frankly, does absolutely nothing for physical security. Anyone who has spent any time in subway systems knows this is true: Watching people jump the turnstiles is a great spectator sport.

C is incorrect because, so far as I know, the term man shack is not a physical security term within CEH. It’s maybe the title of a 1970s disco hit but not a physical security term you’ll need to know for the exam.

2. In your social engineering efforts you call the company help desk and pose as a user who has forgotten a password. You ask the technician to help you reset your password, which they happily comply with. Which social engineering attack is in use here?

A. Piggybacking

B. Reverse social engineering

C. Technical support

D. Halo effect

C. Although it may seem silly to label social engineering attacks (because many of them contain the same steps and bleed over into one another), you’ll need to memorize them for your exam. A technical support attack is one in which the attacker calls the support desk in an effort to gain a password reset or other useful information. This is a valuable method because if you get the right help desk person (that is, someone susceptible to a smooth-talking social engineer), you can get the keys to the kingdom.

A is incorrect because piggybacking refers to a method to gain entrance to a facility—not to gain passwords or other information. Piggybacking is a tactic whereby the attacker follows authorized users through an open door without any visible authorization badge at all.

B is incorrect because reverse social engineering refers to a method where an attacker convinces a target to call him with information. The method involves marketing services (providing the target with your phone number or e-mail address in the event of a problem), sabotaging the device, and then awaiting a phone call from the user.

D is incorrect because halo effect refers to a psychological principle that states a person’s overall impression (appearance or pleasantness) can impact another person’s judgment of them. For example, a good-looking, pleasant person will be judged as more competent and knowledgeable simply because of their appearance. The lesson here is to look good and act nice while you’re trying to steal all the target’s information.

3. Which of the following is a true statement regarding biometric systems?

A. The lower the CER, the better the biometric system.

B. The higher the CER, the better the biometric system.

C. The higher the FRR, the better the biometric system.

D. The higher the FAR, the better the biometric system.

A. The crossover error rate (CER) is the point on a chart where the false acceptance rate (FAR) and false rejection rate (FRR) meet, and the lower the number, the better the system. It’s a means by which biometric systems are calibrated—getting the FAR and FRR the same. All that said, though, keep in mind that in certain circumstances a client may be more interested in a lower FAR than FRR, or vice versa, and therefore the CER isn’t as much a concern. For example, a bank may be far more interested in preventing false acceptance than it is in preventing false rejection. In other words, so what if a user is upset they can’t log on, so long as their money is safe from a false acceptance?

B is incorrect because this is exactly the opposite of what you want. A high CER indicates a system that more commonly allows unauthorized users through and rejects truly authorized people from access.

C is incorrect because the false rejection rate needs to be as low as possible. The FRR represents the rate at which a true, legitimate user is denied access by the biometric system.

D is incorrect because the false acceptance rate needs to be as low as possible. The FAR represents the rate at which an unauthorized user is allowed access to the system.
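To make the CER/FAR/FRR relationship concrete, here is an added example (not from the book) that sweeps a matcher’s decision threshold over constructed genuine and impostor match scores, computes FAR and FRR at each threshold, finds the crossover, and then picks the bank-style operating point the answer describes, where a FAR ceiling matters more than the CER. The score lists and the 0–100 score scale are assumptions for the illustration.

```python
"""Calibrating a biometric matcher: sweep the decision threshold, compute
FAR and FRR at each candidate, and locate the crossover error rate (CER)."""
from typing import List, Tuple

# Constructed sample match scores (0-100, higher = stronger match).
# "genuine" = an enrolled user against their own template,
# "impostor" = someone else presented against that template.
GENUINE_SCORES = [95, 90, 85, 80, 75, 70, 60, 50, 48, 30]
IMPOSTOR_SCORES = [65, 55, 47, 40, 35, 30, 25, 20, 10, 5]


def far(impostor: List[int], threshold: int) -> float:
    """False acceptance rate: fraction of impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: List[int], threshold: int) -> float:
    """False rejection rate: fraction of legitimate attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def error_curve(genuine: List[int], impostor: List[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) for every distinct score observed, ascending.

    Using observed scores as candidate thresholds avoids float step-size
    artifacts and still covers every point at which the rates can change."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def crossover_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Threshold where FAR and FRR are closest, and the error rate there (the CER).

    Lower CER means a better matcher; raising the threshold trades FAR for FRR."""
    t, fa, fr = min(error_curve(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return t, (fa + fr) / 2


def threshold_for_max_far(genuine: List[int], impostor: List[int],
                          max_far: float) -> Tuple[int, float, float]:
    """Operating point for a FAR-sensitive deployment (the bank in the answer):
    the lowest threshold whose FAR does not exceed max_far, with the FRR it costs."""
    for t, fa, fr in error_curve(genuine, impostor):
        if fa <= max_far:
            return t, fa, fr
    raise ValueError("no threshold satisfies the FAR bound")


if __name__ == "__main__":
    print(" thr   FAR   FRR")
    for t, fa, fr in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"{t:4d}  {fa:.2f}  {fr:.2f}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER {cer:.2f} at threshold {t}")
    t, fa, fr = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, max_far=0.1)
    print(f"FAR<=0.10 operating point: threshold {t}, FAR {fa:.2f}, FRR {fr:.2f}")
```

Running it prints the full curve, reports the CER (0.20 at threshold 50 on this data), and shows that capping FAR at 10 percent pushes the threshold up to 60 at the cost of a 30 percent FRR: the trade-off the answer describes in words.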

4. A pen tester sends an unsolicited e-mail to several users on the target organization. The e-mail is well crafted and appears to be from the company’s help desk, advising users of potential network problems. The e-mail provides a contact number to call in the event a user is adversely affected. The pen tester then performs a denial of service on several systems and receives phone calls from users asking for assistance. Which social engineering practice is in play here?

A. Technical support

B. Impersonation

C. Phishing

D. Reverse social engineering

D. This may turn out to be a somewhat confusing question for some folks, but it’s actually pretty easy. Reverse social engineering involves three steps. First, in the marketing phase, an attacker advertises himself as a technical point of contact for problems that may be occurring soon. As an aside, be sure to market to the appropriate audience: Attempting this against IT staff probably won’t work as well as against the “average” user and may get you caught. Second, in the sabotage phase, the attacker performs a denial of service or other attack on the user. Third, in the tech support phase, the user calls the attacker and freely hands over information, thinking they are being assisted by the company’s technical support team.

A is incorrect because a technical support attack involves the attacker calling a technical support help desk, not having the user call back with information.

B is incorrect because this is not just impersonation—the attack described in the question revolves around the user contacting the attacker, not the other way around. Impersonation can cover anybody, from a “normal” user to a company executive. And impersonating a technical support person can produce excellent results; just remember if you’re going through steps to have the user call you back, you’ve moved into reverse social engineering.

C is incorrect because a phishing attack is an e-mail crafted to appear legitimate but in fact containing links to fake websites or to malicious downloads. In this example, there is no link to click—just a phone number to call in case of trouble. Oddly enough, in my experience people will question a link in an e-mail far more than just a phone number.

5. A pen test member has gained access to a building and is observing activity as he wanders around. In one room of the building, he stands just outside a cubicle wall opening and watches the onscreen activity of a user. Which social engineering attack is in use here?

A. Eavesdropping

B. Tailgating

C. Shoulder surfing

D. Piggybacking

C. This one is so easy I hope you maintain your composure and stifle the urge to whoop and yell in the test room. Shoulder surfing doesn’t necessarily require you to actually be on the victim’s shoulder—you just have to be able to watch their onscreen activity. I once shoulder surfed in front of someone (a mirror behind her showed her screen clear as day). As an aside, in the real world if you’re close enough to see someone’s screen, you’re probably close enough to listen to them as well. EC-Council puts the emphasis of shoulder surfing on the visual aspect—eavesdropping would be auditory.

A is incorrect because eavesdropping is a social engineering method where the attacker simply remains close enough to targets to overhear conversations. Although it’s doubtful users will stand around shouting passwords at each other, you’d be surprised how much useful information can be gleaned by just listening in on conversations.

B is incorrect because tailgating is a method for gaining entrance to a facility by flashing a fake badge and following an authorized user through an open door.

D is incorrect because piggybacking is another method to gain entrance to a facility. In this effort, though, you don’t have a badge at all; you just follow people through the door.

6. A recent incident investigated by the local IR team involved a user receiving an e-mail that appeared to be from the U.S. Postal Service, notifying her of a package headed her way and providing a link for tracking the package. The link provided took the user to what appeared to be the USPS site, where she input her user information to learn about the latest shipment headed her way. Which attack did the user fall victim to?

A. Phishing

B. Internet level

C. Reverse social engineering

D. Impersonation

A. Phishing is one of the most pervasive and effective social engineering attacks on the planet. It’s successful because crafting a legitimate-looking e-mail that links a user to an illegitimate site or malware package is easy to do, is easy to spread, and preys on our human nature to trust. If the source of the e-mail looks legitimate or the layout looks legitimate, most people will click away without even thinking about it. Phishing e-mails can often include pictures lifted directly off the legitimate website and use creative means of spelling that aren’t easy to spot: www.regions.com is a legitimate bank website that could be spelled in a phishing e-mail as www.regi0ns.

One last note here that our beloved tech editor begged me to include: Phishing has an extreme liability aspect to it when spoofing a legitimate business. If you’re pen testing an organization and phish using a variant of a real business name, you could be opening yourself up to some serious costs: The first time someone calls the real Regions bank to complain is the moment that the attacker just became liable for the costs associated with the attack.

B is incorrect because Internet level is not a recognized form of social engineering attack by this exam. It’s included here as a distractor.

C is incorrect because reverse social engineering is an attack where the attacker cons the target into calling back with useful information.

D is incorrect because this particular description does not cover impersonation. Impersonation is an attack where a social engineer pretends to be an employee, a valid user, or even an executive (or other V.I.P.). Generally speaking, when it comes to the exam, any impersonation question will revolve around an in-person visit or a telephone call.
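The regi0ns-for-regions trick above, and the spoofed-link indicator from question 14, are both mechanical enough to check for. The following is an added example (not from the book, and not any vendor’s anti-phishing product) that scans the anchors in an e-mail body for two things: an href whose domain is a lookalike of an allowlisted legitimate domain (digit-for-letter swaps such as 0/o and 1/l, rn/m style pairs, one-character edits, or a trusted brand name buried inside an unrelated domain), and anchor text that displays one site while the href points at another. The allowlist, the sample message, and the confusable table are constructed for the example; a real deployment would use a fuller confusables list and a proper public-suffix parser.

```python
"""Flag phishing indicators in e-mail links: lookalike domains (regi0ns vs
regions) and anchor text that shows a different site than the href goes to."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Characters commonly swapped for their lookalikes in phishing domains (constructed, partial).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]

TRUSTED = ["regions.com", "usps.com"]  # constructed allowlist for this example

# Constructed sample message body with three links of differing trustworthiness.
SAMPLE_EMAIL = """
<p>Your account needs attention. Log in at
<a href="http://www.regi0ns.com/login">www.regions.com</a> today.</p>
<p>A package is on its way:
<a href="http://tracking.usps-delivery-update.net/x">Track your package</a></p>
<p>Help is at <a href="https://www.regions.com/help">https://www.regions.com/help</a></p>
"""

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable(host: str) -> str:
    """Lowercase host without a leading 'www.'; good enough for this example."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def skeleton(domain: str) -> str:
    """Collapse confusable characters so lookalikes compare equal to the real name."""
    s = domain.translate(CONFUSABLES)
    for multi, single in MULTI_CHAR:
        s = s.replace(multi, single)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for catching single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: List[str] = TRUSTED) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is the real
    domain (or a subdomain of it) or bears no resemblance to any trusted name."""
    d = registrable(domain)
    for t in trusted:
        if d == t or d.endswith("." + t):
            return None  # the genuine site itself
        brand = t.split(".")[0]
        if (skeleton(d) == skeleton(t)
                or edit_distance(d, t) <= 1
                or brand in re.split(r"[.-]", d)):
            return t
    return None


def analyze_links(html: str) -> List[Dict[str, object]]:
    """One finding per anchor: the href host, what it imitates (if anything),
    and whether the visible link text names a different host than the href."""
    findings = []
    for href, text in ANCHOR.findall(html):
        href_host = registrable(urlparse(href).hostname or "")
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        shown_host = registrable(shown.group(1)) if shown else None
        findings.append({
            "href_host": href_host,
            "lookalike_of": lookalike_of(href_host),
            "spoofed_link": shown_host is not None and shown_host != href_host,
        })
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL):
        print(f)
```

On the sample message the first link is flagged twice (its href imitates regions.com and the displayed text disagrees with the destination), the tracking link is flagged for carrying the USPS brand inside an unrelated domain, and the genuine help link is clean. Either flag alone is a reason to route the message to the security team rather than to the user.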

7. Which type of social engineering attack uses phishing, pop-ups, and IRC channels?

A. Technical

B. Computer based

C. Human based

D. Physical

B. All social engineering attacks fall into one of two categories: human based or computer based. Computer-based attacks are those carried out with the use of a computer or other data-processing device. Examples include, but are not limited to, fake pop-up windows, SMS texts, e-mails, and chat rooms or services. Social media sites (such as Facebook or LinkedIn) are consistent examples as well, and spoofing entire websites isn’t out of the realm here either.

A is incorrect because technical is not a social engineering attack type and is included here as a distractor.

C is incorrect because human-based social engineering involves the art of human interaction for information gathering. Human-based social engineering uses interaction in conversation or other circumstances between people to gather useful information.

D is incorrect because physical is not a social engineering attack type and is included here as a distractor.

8. An e-mail sent from an attacker to a known hacking group contains a reference stating, “Rebecca works for the finance department at business-name and is the administrative assistant to the chief. She can be reached at phone-number.” What is most likely being communicated here?

A. The name of an administrative assistant is being published to simplify later social engineering attacks.

B. The administrative assistant for the chief of the finance department at this business is easily swayed by social engineering efforts.

C. The finance department has a lax security policy in place.

D. None of the above. There is not enough information to form a conclusion.

B. Within the confines of this exam, you need to remember the names Rebecca and Jessica as potential targets of social engineering. According to CEH documentation, these names are used to refer to individuals who are easy targets for social engineering efforts. The reality of your day-to-day work in the field might be that you’ll never hear this mentioned this way (I had never heard these names used this way before studying for this exam); however, you need to memorize it for your exam. Jessica and Rebecca are easily swayed by social engineering and are targets for your efforts.

A is incorrect because, frankly, there’s a better answer here (B) as far as EC-Council and your exam are concerned. Is it possible the person sending this e-mail knows the assistant’s first name is Rebecca? Sure, it is; however, it’s unlikely to be shared in this manner, and, more importantly here, this just is not the “most likely” answer. On your exam, when you see Rebecca or Jessica, note it as a notification of an easy target and just move on to the next question.

C is incorrect because the name Rebecca is not associated with security policy in any way. The company may well have a lax policy, but there’s just nothing here to indicate that. As an aside (that is, it really has nothing to do with the question itself), whether the policy is weak or strong, an individual susceptible to social engineering almost makes the policy moot. Security policy is one of those things that has to be supported and enforced from the top down and made part of the culture of the organization. If you have those things, it’s a great countermeasure to a whole assortment of security issues. If you don’t, it’s a big waste of time.

D is incorrect because there is a correct answer to the question. This answer is included as a distractor.

9. Which of the following constitutes the highest risk to the organization?

A. Black-hat hacker

B. White-hat hacker

C. Gray-hat hacker

D. Disgruntled employee

D. When considering security measures, most of the attention is usually aimed outside, where all the bad guys are, right? Unfortunately this line of thinking leads to all sorts of exposure, for a whole lot of reasons, and is more common than you might think. A disgruntled employee is, well, an employee. He’s already inside and already has credentials to at least some of the organizational resources. The idea that someone wanting to do harm to an organization’s network not only already has the access to do so but has it because we gave it to him and we’re not watching him should be frightening to all.

A is incorrect because black-hat hackers aren’t necessarily already inside the network. They have a lot of work to do in getting access and a lot of security levels to wade through to do it.

B is incorrect because a white-hat hacker is one of the good guys—an ethical hacker, hired for a specific purpose.

C is incorrect because a gray-hat (or grey-hat) hacker falls somewhere between white and black. They may be hacking without express consent, but doing so with good intentions (not that good intentions will keep you out of jail). Supposedly they’re not hacking for personal gain; they just don’t bother to get permission and occasionally dance on the dark side of legality.

10. After observing a target organization for several days, you discover that finance and HR records are bagged up and placed in an outside storage bin for later shredding/recycling. One day you simply walk to the bin and place one of the bags in your vehicle, with plans to rifle through it later. Which social engineering attack was used here?

A. Offline

B. Physical

C. Piggybacking

D. Dumpster diving

D. Dumpster diving doesn’t necessarily mean you’re actually taking a header into a dumpster outside. It could be any waste canister, in any location, and you don’t even have to place any more of your body in the canister than you need to extract the old paperwork. And you’d be amazed what people just throw away without thinking about it: password lists, network diagrams, employee name and number listings, and financial documents are all examples. Lastly, don’t forget that EC-Council defines this as a passive activity. Sure, in the real world, you run a real risk of discovery and questioning by any number of the organization’s staff, but on your exam it’s considered passive.

A is incorrect because offline is not a social engineering attack and is used here as a distractor.

B is incorrect because physical is not a social engineering attack type.

C is incorrect because piggybacking is a social engineering attack that allows entry into a facility and has nothing to do with digging through trash for information.

11. An attacker waits outside the entry to a secured facility. After a few minutes an authorized user appears with an entry badge displayed. He swipes a key card and unlocks the door. The attacker, with no display badge, follows him inside. Which social engineering attack just occurred?

A. Tailgating

B. Piggybacking

C. Identity theft

D. Impersonation

B. This is one of those questions that just drives everyone batty—especially people who actually perform pen tests for a living. Does knowing that gaining entry without flashing a fake ID badge of any kind is called piggybacking make it any easier or harder to pull off? I submit having two terms for what is essentially the same attack, separated by one small detail, is unfair, in the least, but there’s not a whole lot we can do about it. If it makes it easier to memorize, just keep in mind that pigs wouldn’t wear a badge—they don’t have any clothes to attach it to.

imageA is incorrect because a tailgating attack requires the attacker to be holding a fake badge of some sort. I know it’s silly, but that’s the only differentiation between these two items: tailgaters have badges, piggybackers do not. If it makes it any easier, just keep in mind a lot of tailgaters at football games should have a badge on them—to prove they are of legal drinking age.

imageC is incorrect because this attack has nothing to do with identity theft. Identity theft occurs when an attacker uses personal information gained on an individual to assume that person’s identity. Although this is normally thought of in the criminal world (stealing credit cards, money, and so on), it has its uses elsewhere.

imageD is incorrect because impersonation is not in play here. The attacker isn’t pretending to be anyone else at all—he’s just following someone through an open door.

12. Which threat presents the highest risk to an organization’s resources?

A. Government-sponsored hackers

B. Social engineering

C. Disgruntled employees

D. Script kiddies

C. I can almost guarantee you’ll see this on your exam. EC-Council made a big point of stressing this in the CEH version 7 documentation, so I in turn will stress it to you. Disgruntled employees can cause all sorts of havoc for a security team. The main reason is location: They’re already inside the network. Inside attacks are generally easier to launch, are more successful, and are harder to prevent. When you add a human element of having an axe to grind, this can boil over quickly—whether the employee has the technical knowledge to pull it off or not.

A is incorrect because most organizations won’t have government-sponsored hackers knocking at their virtual front door, and, even if they do, the attacks still generate from outside. Now I’m not saying a sponsored hacker group wouldn’t seek out a disgruntled employee inside a government organization, but that proves the answer in itself.

B is incorrect because social engineering as a whole is not the greatest threat. It is a major concern, though, because most people are susceptible to it, and, frankly, users can’t be trusted.

D is incorrect because script kiddies by definition are relatively easy to find and squash. A script kiddy is someone who goes out and steals hack codes and techniques right off the Web, flinging them around wildly in an attempt to succeed. They don’t really understand what the attack vector is, how the code works, or (usually) what to do if they actually find success, which makes them easy to spot.

13. Which of the following may be effective countermeasures against social engineering? (Choose all that apply.)

A. Security policies

B. Operational guidelines

C. Appropriately configured IDS

D. User education and training

E. Strong firewall configuration

A, B, and D. The problem with countermeasures against social engineering is they’re almost totally out of your control. Sure you can draft strong policy requiring users to comply with security measures, implement guidelines on everything imaginable to reduce risks and streamline efficiency, and hold educational briefings and training sessions for each and every user in your organization, but when it comes down to it, it’s the user who has to do the right thing. All countermeasures for social engineering have something to do with the users themselves because they are the weak link here.

C and E are both incorrect for the same reason: A social engineering attack doesn’t target the network or its defenses; it targets the users. Many a strongly defended network has been compromised because a user inside was charmed by a successful social engineer.

14. Which of the following are indicators of a phishing e-mail? (Choose all that apply.)

A. It does not reference you by name.

B. It contains misspelled words or grammatical errors.

C. It contains spoofed links.

D. It comes from an unverified source.

A, B, C, and D. One of the objectives of CEH version 7 is, and I quote, to “understand phishing attacks.” Part of the official curriculum to study for the exam covers detecting phishing e-mail in depth, and all of these answers are indicators an e-mail may not be legitimate. First, most companies now sending e-mail to customers will reference you by name and sometimes by account number. An e-mail starting with “Dear Customer” or something to that effect may be an indicator something is amiss. Misspellings and grammatical errors from a business are usually dead giveaways because companies do their best to proofread things before they are released. There are, occasionally, some slip-ups (Internet search some of these; they’re truly funny), but those are definitely the exception and not the rule. Spoofed links can be found by hovering a mouse over them (or by looking at their properties). The link text may read www.yourbank.com, but the hyperlink properties will be sending you to some IP address you don’t want to go to.

Finally, while these are all great answers to a question on an exam, don’t let them dictate your day-to-day Internet life outside of your exam. A perfectly written, grammatically correct e-mail containing real links and originating from someone you trust could still be part of a spear-phishing campaign.
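As an added example (not from the book or EC-Council’s courseware), here is a small Python checker for two of the indicators above: a generic “Dear Customer” greeting and a spoofed link whose visible text names one host while the href points at another. The sample message is constructed for the example.

```python
"""Phishing-indicator checker (added example, not from the book).

Flags a generic greeting and spoofed links where the visible text looks
like a URL for a host other than the one the href actually points to.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside the current <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lowercase host of a URL or bare 'www.example.com' text, or ''."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def spoofed_links(html):
    """Return (text, href) pairs whose visible text names a different host."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        looks_like_url = re.match(r"^(https?://)?[\w.-]+\.\w+", text)
        text_host = _host(text) if looks_like_url else ""
        href_host = _host(href)
        # 'yourbank.com' shown with href 'www.yourbank.com' is not a spoof.
        if text_host and text_host != href_host and not href_host.endswith("." + text_host):
            found.append((text, href))
    return found


GENERIC_GREETING = re.compile(r"^\s*dear\s+(customer|user|member|account holder)\b", re.I | re.M)


def phishing_indicators(html):
    """Return the names of the indicators present in the message body."""
    indicators = []
    if GENERIC_GREETING.search(re.sub(r"<[^>]+>", "", html)):
        indicators.append("generic greeting")
    if spoofed_links(html):
        indicators.append("spoofed link")
    return indicators


# Constructed sample: the text claims www.yourbank.com, the href goes to a bare IP.
SAMPLE = (
    "<p>Dear Customer,</p>"
    '<p>Please verify your account at <a href="http://203.0.113.7/login">www.yourbank.com</a>.</p>'
)
```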

15. You are discussing physical security measures and are covering background checks on employees and policies regarding key management and storage. Which type of physical security measure is being discussed?

A. Physical

B. Technical

C. Operational

D. Practical

C. Physical security has three major facets: physical measures, technical measures, and operational measures. Operational measures (sometimes referred to as procedural controls) are the policies and procedures you put into place to assist with security. Background checks on employees and any kind of written policy for operational behaviors are prime examples.

A is incorrect because physical measures can be seen or touched. Examples include guards (although you probably would want to be careful touching one of them), fences, and locked doors.

B is incorrect because technical measures include things such as authentication systems (biometrics anyone?) and specific permissions you assign to resources.

D is incorrect because, although these may seem like practical measures to put into place, there is simply no category named such. It’s included here as a distractor, nothing more.

16. Which of the following resources can assist in combating phishing in your organization? (Choose all that apply.)

A. Phishkill

B. Netcraft

C. Phishtank

D. IDA Pro

B and C. For obvious reasons, there are not a lot of questions from these objectives concerning tools—mainly because social engineering is all about the human side of things, not necessarily using technology or tools. However, you can put into place more than a few protective applications to help stem the tide. There are innumerable e-mail filtering applications and appliances you can put on an e-mail network boundary to cut down on the vast amount of traffic (spam or otherwise) headed to your network. Additionally, Netcraft’s phishing toolbar and Phishtank are two client-side, host-based options you can use (there are others, but these are pointed out specifically in EC-Council’s official courseware).

Netcraft’s (http://toolbar.netcraft.com/) and Phishtank’s (www.phishtank.com/) toolbars are like neighborhood watches on virtual steroids, where eagle-eyed neighbors can see naughty traffic and alert everyone else. From the Netcraft site: “Once the first recipients of a phishing mail have reported the target URL, it is blocked for community members as they subsequently access the URL.”

These tools, although useful, are not designed to completely protect against phishing. Much like antivirus software, they will act on attempts that match a signature file. This, sometimes, makes it even easier on the attacker—because they know which phishing will not work right off the bat.

A is incorrect because phishkill is not an antiphishing application.

D is incorrect because IDA Pro is a debugger tool you can use to analyze malware (viruses).

17. In order, what are the three steps in a reverse social engineering attack?

A. Technical support, marketing, sabotage

B. Sabotage, marketing, technical support

C. Marketing, technical support, sabotage

D. Marketing, sabotage, technical support

D. Reverse social engineering occurs when the attacker creates a circumstance or situation that makes users call him with information. This is carried out in three steps. First, the attacker will market his skills, position, and impending problem (for example, the attacker may send e-mails promoting himself as help desk personnel to call in the event of problems next Wednesday when the server is rebooted). Second, the attacker performs sabotage against the user or network segment (a denial-of-service attack that takes users off the network confirms for the user that the original e-mail must have been correct). Lastly, the attacker provides “technical support” to the users calling in for assistance (by stealing all their account information, which is gladly being handed over the phone by panicked users).

A, B, and C are incorrect because the order presented is not correct.

18. Which type of social engineering makes use of impersonation, dumpster diving, shoulder surfing, and tailgating?

A. Physical

B. Technical

C. Human based

D. Computer based

C. Once again, we’re back to the two major forms of social engineering: human based and computer based. Human-based attacks include all the attacks mentioned here and a few more. Human-based social engineering uses interaction in conversation or other circumstances between people to gather useful information. This can be as blatant as simply asking someone for their password or pretending to be a known entity (authorized user, tech support, or company executive) in order to gain information.

A is incorrect because social engineering attacks do not fall into a physical category.

B is incorrect because social engineering attacks do not fall into a technical category.

D is incorrect because computer-based social engineering attacks are carried out with the use of a computer or other data-processing device. These attacks can include everything from specially crafted pop-up windows, tricking the user into clicking through to a fake website, to SMS texts, which provide false technical support messages and dial-in information to a user.

19. In examining the About Us link in the menu of a target organization’s website, an attacker discovers several different individual contacts within the company. She crafts an e-mail asking for information to one of the contacts that appears to come from an individual within the company who would be expected to make such a request. The e-mail provides a link to click, which then prompts for the contact’s user ID and password. Which of the following best describes this attack?

A. Trojan e-mailing

B. Spear phishing

C. Social networking

D. Operational engineering

B. Yes, sometimes you’ll get an easy one, and this question is no exception. Phishing is using e-mail to accomplish the social engineering task. Spear phishing is actually targeting those e-mails to specific individuals or groups within an organization. This usually has a much higher success rate than just a blind-fire phishing effort.

A, C, and D are incorrect because they are all added as distractors and do not match the circumstances listed. Trojan e-mailing and operational engineering aren’t valid terms in regard to social engineering attacks. A social networking attack, per EC-Council, is one that involves using Facebook, LinkedIn, Twitter, or some other social media to elicit information or credentials from a target.

20. A security admin has a control in place that embeds a unique image into e-mails on specific topics, which verifies the message as authentic and trusted. Which antiphishing method is being used?

A. Steganography

B. Sign-in seal

C. PKI

D. Captcha

B. Sign-in seal is an e-mail protection method in use at a variety of business locations. The practice is to use a secret message or image that can be referenced on any official communication with the site. If you receive an e-mail purportedly from the business but it does not include the image or message, you’re aware it’s probably a phishing attempt. This sign-in seal is kept locally on your computer, so the theory is that no one can copy or spoof it.

A is incorrect because steganography is not used for this purpose. As we know, steganography is a method of hiding information inside another file—usually an image file.

C is incorrect because PKI refers to an encryption system using public and private keys for security of information between members of an organization.

D is incorrect because a captcha is an authentication test of sorts, which I am sure you’ve seen hundreds of times already. Captcha (actually an acronym meaning Completely Automated Public Turing test to tell Computers and Humans Apart) is a challenge-response-type method where an image is shown, and the client is required to type the word from the image into a challenge box. An example is on a contest entry form—you type in your information at the top and then see an image with a word (or two) in a crazy font at the bottom. If you type the correct word in, it’s somewhat reasonable for the page to assume you’re a human (as opposed to a script), and the request is sent forward.

21. Which of the following should be in place to assist as a social engineering countermeasure? (Choose all that apply.)

A. Classification of information

B. Strong security policy

C. User education

D. Strong change management process

A, B, C, and D. All of the answers are correct, but let’s get this out of the way up front: You’ll never be able to put anything whatsoever into place that will effectively render all social engineering attacks moot. You can do some things to limit them, and those on this list can definitely help in that regard, but a security organization that responds to social engineering concerns with “We have a strong policy and great user education” is probably one that’ll see a high turnover rate.

Classification of information is seen as a strong countermeasure because the information—and access to it—is stored and processed according to strict definitions of sensitivity. In the government/DoD world, you’d see labels such as Confidential, Secret, and Top Secret. In the commercial world, you might see Public, Sensitive, and Confidential. I could write an entire chapter on the difference between DoD and commercial labels and have all sorts of fun arguing the finer points of various access control methods, but we’ll stick just to this chapter and what you need here. As a side note, classification of information won’t do you a bit of good if the enforcement of access to that information, and the protection of it in storage or transit, is lax.

Strong security policy has been covered earlier in the chapter, so I won’t waste much print space here on it. You must have a good one in place to help prevent all sorts of security failures; however, you can’t rely on it as a countermeasure on its own.

User education is not only a viable social engineering countermeasure, but according to EC-Council it’s the best measure you can take. Anyone reading this book who has spent any time at all trying to educate users on a production, enterprise-level network is probably yelling right now because results can sometimes be spotty. However, the weak point in the chain is the user, so we must do our best to educate users on what to look for and what to do when they see it. There simply is no better defense than a well-educated user (and by well-educated I mean a user who absolutely refuses to participate in a social engineering attempt). There just aren’t that many of them out there.

A change management process helps to organize change to a system or organization by providing a standardized, reviewable process to any major change. In other words, if you allow changes to your financial system, IT services, HR processes, or fill-in-the-blank without any review or control process, you’re basically opening Pandora’s box. Change can be made on a whim (sometimes at the behest of a social engineer, maybe?), and there’s no control or tracking of it.

22. Joe uses a user ID and password to log into the system every day. Jill uses a PIV card and a PIN. Which of the following are true?

A. Joe and Jill are using single-factor authentication.

B. Joe and Jill are using two-factor authentication.

C. Joe is using two-factor authentication.

D. Jill is using two-factor authentication.

D. When it comes to authentication systems, you can use three factors to prove your identity to a system: something you know, something you have, and something you are. Items you know are, basically, a password or PIN. Something you have is a physical token of some sort—usually a smartcard—that is presented as part of the authentication process. Something you are relates to biometrics—a fingerprint or retinal scan, for instance. Generally speaking, the more factors you have in place, the better (more secure) the authentication system. In this example, Joe is using only something he knows, whereas Jill is using something she has (PIV card) and something she knows (PIN).

A is incorrect because Jill is using two-factor authentication.

B is incorrect because Joe is using single-factor authentication.

C is incorrect because Joe is using single-factor authentication.

23. A system owner has implemented a retinal scanner at the entryway to the data floor. Which type of physical security measure is this?

A. Technical

B. Single factor

C. Computer based

D. Operational

A. Physical security measures are characterized as physical (door locks, guards), operational (policies, procedures), and technical (authentication systems, permissions). This example falls into the technical security measure category. Sure, the door itself is physical, but the question centers on the biometric system itself—clearly technical in origin.

B is incorrect because single factor refers to the method the authentication system uses, not the physical security measure itself. In this case, the authentication is using something you are—a biometric retina scan.

C is incorrect because computer based refers to a social engineering attack type, not a physical security measure.

D is incorrect because an operational physical security measure deals with policy and procedure.

24. Which of the following is the best representation of a technical control?

A. Air conditioning

B. Security tokens

C. Automated humidity control

D. Fire alarms

E. Security policy

B. All security controls are put into place to minimize, or to avoid altogether, the probability of a successful exploitation of a risk or vulnerability.

Logical (logical is the other name used for technical) controls do this through technical, system-driven means. Examples include security tokens, authentication mechanisms, and antivirus software.

A, C, D, and E are incorrect because they are not logical (technical) controls. Air conditioning and humidity control fall under physical controls. A policy would fall under procedural controls.

25. A security admin at an organization boasts that her security measures are top notch and cannot be breached. In discussing their biometric authentication mechanisms, which of the following presents a reason biometric systems may still fall under successful attack?

A. The digital representation of the biometric entry may not be unique, even if the physical characteristic is.

B. Biometric compares a copy to a copy instead of the original to a copy.

C. The stored hash in biometric systems is no longer “something you are” and instead becomes “something you have.”

D. A stored biometric can be stolen and used by an attacker to impersonate the individual.

D. I think I’m safe in thinking most of you will agree with this statement: Passwords stink. We all hate them, and they’re notoriously easy to crack or attain. But when you consider that passwords at least change over time, they may not seem so horrible after all. See, the hash that matches your fingerprint will never change, which puts the odds considerably in the bad guy’s corner. Tell a hacker your passwords are at least 16 characters long and change every 30 days and she’s liable to get too frustrated to even start. Hand her a hash and tell her she has eternity to crack it? No worries.

On a side note here, Windows authentication doesn’t really care if you’re using biometrics, passwords, or smartcards—you’re a hash to the system in all of them. Whether your hash was the result of a password, a thumbprint, a smartcard, or a token, when it comes to how Windows passes you around, you’re a hash. Some things change your hash more often—a 30-day password change is different from, say, a thumbprint that never changes.

A is incorrect because the digital representation is built off the physical, which ensures it’s unique. If it weren’t, what’s the point?

B is incorrect because the original is your biometric. When you use a fingerprint, or iris scanner, or fill-in-the-biometric-blank-here, you are providing an original to compare against the stored hash.

C is incorrect because “something you have” generally refers to a physical item you carry with you, like a token or a card. The hash is stored somewhere in the system as a means of comparison with your biometric authentication, and is therefore not “something you have.”