This chapter includes questions from the following topics:
• Define social engineering
• Describe different types of social engineering techniques and attacks
• Describe identity theft
• List social engineering countermeasures
• Describe physical security measures
I know a lot of people will pick up books like this in an effort to train themselves to be a “hacker,” but I’ve got some news for you: you were already partway there. You’re a born social engineer, and you’ve most likely been doing some of this stuff since you could walk. In fact, I’ll bet serious cash you’ll probably employ at least some manipulation of your fellow human beings today, maybe without even thinking about it.
Don’t believe me? I guarantee if you search your memory banks there was at least once in your childhood where you talked your way into another piece of candy or few minutes playing with a toy, just because you were cute. If you had siblings, I bet all of you conspired—at least once—to cover up something bad or to convince Mom you really need more ice cream. And the technique of employing “Well, Dad said it was okay,” pitting Mom versus Dad? Oldest trick in the book.
We all work the system every day because it’s how we are wired, and there’s not a person reading this book who doesn’t try to influence and manipulate the people around them to gain an advantage or accomplish a goal. You’ve been doing it since you were born, and you will continue to do so until you shuffle off this mortal coil. All we’re doing with pen testing and ethical hacking is bringing those same thoughts and actions to influence our virtual workplace and adding one slight twist: while most of your manipulation of others isn’t consciously purposeful, it has to be in the virtual world. There’s a lot of acting, a lot of intuition, and a lot of lying involved, and to be successful in this area you have to be convincing to pull it off.
The entire subject is fascinating, and there are endless articles, studies, and books devoted to it. A Kaspersky blog dubbed it “Hacking the Human OS,” which is about as apt a description as I could ever come up with myself. Social engineering and physical security measures are those obvious and simple solutions you may accidentally overlook. Why spend all the effort to hack into a system and crack passwords offline when you can just call someone up and ask for them? Why bother with trying to steal sensitive business information from encrypted shares when you can walk into the building and sit in on a sales presentation? Sure, you occasionally almost get arrested shuffling around in a dumpster for good information, and you might even get the pleasure of seeing how powerful a dog handler is, as he keeps the vicious, barking animal held tight on the leash while you cower in the corner (our esteemed technical editor can attest to both of these), but a lot of social engineering is just worth it. It’s easy, simple, and effective, and not an area of your pen testing you can afford to ignore.
STUDY TIPS EC-Council lumps social engineering and physical security into the “Security” segment of the exam. Because the exam is 150 questions and the Security segment comprises 25 percent of the overall questions, that means 37.5 questions will be directly related to the Security segment. And how many of those 37 or so questions will be related to social engineering and physical security? I can’t say for sure, but given the breakdown of the rest of the Security segment (including firewalls, cryptography, wireless, and so on), you can probably count on ten or so.
There hasn’t been a lot of change from previous versions of the exam to the current one: most questions you’ll see about social engineering and physical security are of the straightforward, definition-based variety, and they cover the same areas and topics you’d think would be part of this discussion. Areas of focus will still include various social engineering attacks (shoulder surfing, dumpster diving, impersonation, and so on), security controls (physical, operational, and technical), and biometrics. Anything new in this section will probably be in the mobile realm (using SMS texting and cell phones for social engineering, for example).
One note of caution, though: be careful with the wording in some of these questions. For example, tailgating and piggybacking mean the same thing to us in the real world, but there’s a significant difference when it comes to your exam. It’s true that most of these are fairly easy to decipher, but EC-Council sometimes likes to focus on minutiae.
1. While observing a target organization’s building, you note the lone entrance to the building has a guard posted just inside the door. After entering the external door, you note the lobby of the building is separated from the external door by a small glass-paneled room, with a closed door facing the exterior and a closed door to the interior. There appears to be an RFID scanning device and a small keyboard with video display in the room. Which of the following best defines this physical security control?
A. Guard shack
B. Turnstile
C. Man shack
D. Man trap
2. In your social engineering efforts, you call the company help desk and pose as a user who has forgotten a password. You ask the technician to reset your password, and the technician happily complies. Which social engineering attack is in use here?
A. Piggybacking
B. Reverse social engineering
C. Technical support
D. Halo effect
3. Which of the following is a true statement regarding biometric systems?
A. The lower the CER, the better the biometric system.
B. The higher the CER, the better the biometric system.
C. The higher the FRR, the better the biometric system.
D. The higher the FAR, the better the biometric system.
4. A pen tester sends an unsolicited e-mail to several users at the target organization. The e-mail is well crafted and appears to be from the company’s help desk, advising users of potential network problems. The e-mail provides a contact number to call in the event a user is adversely affected. The pen tester then performs a denial of service on several systems and receives phone calls from users asking for assistance. Which social engineering practice is in play here?
A. Technical support
B. Impersonation
C. Phishing
D. Reverse social engineering
5. A pen test member has gained access to a building and is observing activity as he wanders around. In one room of the building, he stands just outside a cubicle wall opening and watches the onscreen activity of a user. Which social engineering attack is in use here?
A. Eavesdropping
B. Tailgating
C. Shoulder surfing
D. Piggybacking
6. A recent incident investigated by the local IR team involved a user receiving an e-mail that appeared to be from the U.S. Postal Service, notifying her of a package headed her way and providing a link for tracking the package. The link provided took the user to what appeared to be the USPS site, where she input her user information to learn about the latest shipment headed her way. Which attack did the user fall victim to?
A. Phishing
B. Internet level
C. Reverse social engineering
D. Impersonation
7. Which type of social engineering attack uses phishing, pop-ups, and IRC channels?
A. Technical
B. Computer based
C. Human based
D. Physical
8. An attacker identifies a potential target and spends some time profiling her. After gaining some information, the attacker sends a text to the target’s cell phone. The text appears to be from her bank and advises her to call a provided phone number immediately regarding her account information. She dials the number and provides sensitive information to the attacker, who is posing as a bank employee. Which of the following best defines this attack?
A. Vishing
B. Smishing
C. Phishing
D. Tishing
9. Which of the following constitutes the highest risk to the organization?
A. Black-hat hacker
B. White-hat hacker
C. Gray-hat hacker
D. Disgruntled employee
10. After observing a target organization for several days, you discover that finance and HR records are bagged up and placed in an outside storage bin for later shredding/recycling. One day you simply walk to the bin and place one of the bags in your vehicle, with plans to rifle through it later. Which social engineering attack was used here?
A. Offline
B. Physical
C. Piggybacking
D. Dumpster diving
11. An attacker waits outside the entry to a secured facility. After a few minutes an authorized user appears with an entry badge displayed. He swipes a key card and unlocks the door. The attacker, with no display badge, follows him inside. Which social engineering attack just occurred?
A. Tailgating
B. Piggybacking
C. Identity theft
D. Impersonation
12. Tim is part of a pen test team and is attempting to gain access to a secured area of the campus. He stands outside a badged entry gate and pretends to be engaged in a contentious cell phone conversation. An organization employee walks past and badges the gate open. Tim asks the employee to hold the gate while flashing a fake ID badge and continuing his phone conversation. He then follows the employee through the gate. Which of the following best defines this effort?
A. Shoulder surfing
B. Piggybacking
C. Tailgating
D. Drafting
13. Which of the following may be effective countermeasures against social engineering? (Choose all that apply.)
A. Security policies
B. Operational guidelines
C. Appropriately configured IDS
D. User education and training
E. Strong firewall configuration
14. Which of the following are indicators of a phishing e-mail? (Choose all that apply.)
A. It does not reference you by name.
B. It contains misspelled words or grammatical errors.
C. It contains spoofed links.
D. It comes from an unverified source.
15. You are discussing physical security measures and are covering background checks on employees and policies regarding key management and storage. Which type of physical security measures are being discussed?
A. Physical
B. Technical
C. Operational
D. Practical
16. Which of the following resources can assist in combating phishing in your organization? (Choose all that apply.)
A. Phishkill
B. Netcraft
C. Phishtank
D. IDA Pro
17. An attacker targets a specific group inside the organization. After some time profiling the group, she notes several websites the individual members of the group all visit on a regular basis. She spends time inserting various malware and malicious code into some of the more susceptible websites. Within a matter of days, one of the group members’ systems installs the malware from an infected site, and the attacker uses the infected machine as a pivot point inside the network. Which of the following best defines this attack?
A. Spear phishing
B. Whaling
C. Web-ishing
D. Watering hole attack
18. Which type of social engineering makes use of impersonation, dumpster diving, shoulder surfing, and tailgating?
A. Physical
B. Technical
C. Human based
D. Computer based
19. In examining the About Us link in the menu of a target organization’s website, an attacker discovers several different individual contacts within the company. To one of these contacts, she crafts an e-mail asking for information that appears to come from an individual within the company who would be expected to make such a request. The e-mail provides a link to click, which then prompts for the contact’s user ID and password. Which of the following best describes this attack?
A. Trojan e-mailing
B. Spear phishing
C. Social networking
D. Operational engineering
20. A security admin has a control in place that embeds a unique image into e-mails on specific topics, which verifies the message as authentic and trusted. Which anti-phishing method is being used?
A. Steganography
B. Sign-in seal
C. PKI
D. CAPTCHA
21. Which of the following should be in place to assist as a social engineering countermeasure? (Choose all that apply.)
A. Classification of information
B. Strong security policy
C. User education
D. Strong change management process
22. Joe uses a user ID and password to log into the system every day. Jill uses a PIV card and a PIN. Which of the following statements is true?
A. Joe and Jill are using single-factor authentication.
B. Joe and Jill are using two-factor authentication.
C. Joe is using two-factor authentication.
D. Jill is using two-factor authentication.
23. A system owner has implemented a retinal scanner at the entryway to the data floor. Which type of physical security measure is this?
A. Technical
B. Single factor
C. Computer based
D. Operational
24. Which of the following is the best representation of a technical control?
A. Air conditioning
B. Security tokens
C. Automated humidity control
D. Fire alarms
E. Security policy
1. D
2. C
3. A
4. D
5. C
6. A
7. B
8. B
9. D
10. D
11. B
12. C
13. A, B, D
14. A, B, C, D
15. C
16. B, C
17. D
18. C
19. B
20. B
21. A, B, C, D
22. D
23. A
24. B
1. While observing a target organization’s building, you note the lone entrance to the building has a guard posted just inside the door. After entering the external door, you note the lobby of the building is separated from the external door by a small glass-paneled room, with a closed door facing the exterior and a closed door to the interior. There appears to be an RFID scanning device and a small keyboard with video display in the room. Which of the following best defines this physical security control?
A. Guard shack
B. Turnstile
C. Man shack
D. Man trap
D. If you took a test on college football history, you know it would contain a question about Alabama. If you took one on trumpet players, there’d be one about Dizzy Gillespie. And if you take a test on physical security measures for Certified Ethical Hacker, you’re going to be asked about the man trap. They love it that much.
A man trap is nothing more than a locked space you can hold someone in while verifying their right to proceed into the secured area. It’s usually a glass (or clear plastic) walled room that locks the exterior door as soon as you enter. Then there is some sort of authentication mechanism, such as a smartcard with a PIN or a biometric system. Assuming the authentication is successful, the second door leading to the interior of the building will unlock, and the person is allowed to proceed. If it’s not successful, the doors will remain locked until the guard can check things out. As an aside, in addition to authentication, some man traps add all sorts of extra fun, such as checking your weight to see if you’ve mysteriously gained or lost 20 pounds since Friday.
A few other notes here may be of use to you: First, I’ve seen a man trap defined as either manual or automatic, where manual has a guard locking and unlocking the doors, and automatic has the locks tied to the authentication system, as described previously. Second, a man trap is also referred to in some definitions as an air lock. Should you see that term on the exam, know that it is referring to the man trap. Lastly, man traps in the real world can sometimes come in the form of a rotating door or turnstile, locking partway around if you don’t authenticate properly. And, on some of the really fancy ones, sensors will lock it if you’re trying to smuggle two people through.
A is incorrect because this question is not describing a small location at a gate where guards are stationed. Traditionally, these are positioned at gates to the exterior wall or the gate of the facility, where guards can verify identity and so on before allowing people through to the parking lot.
B is incorrect because a turnstile is not being described here and, frankly, a turnstile by itself does very little for physical security. Anyone who has spent any time in subway systems knows this is true: watching people jump the turnstiles is a great spectator sport.
C is incorrect because, so far as I know, man shack is not a physical security term within CEH. It’s maybe the title of a 1970s disco hit, but not a physical security term you’ll need to know for the exam.
2. In your social engineering efforts, you call the company help desk and pose as a user who has forgotten a password. You ask the technician to reset your password, and the technician happily complies. Which social engineering attack is in use here?
A. Piggybacking
B. Reverse social engineering
C. Technical support
D. Halo effect
C. Although it may seem silly to label social engineering attacks (because many of them contain the same steps and bleed over into one another), you’ll need to memorize them for your exam. A technical support attack is one in which the attacker calls the support desk in an effort to gain a password reset or other useful information. This is a valuable method because if you get the right help desk person (that is, someone susceptible to a smooth-talking social engineer), you can get the keys to the kingdom.
A is incorrect because piggybacking refers to a method to gain entrance to a facility—not to gain passwords or other information. Piggybacking is a tactic whereby the attacker follows authorized users through an open door without any visible authorization badge at all.
B is incorrect because reverse social engineering refers to a method where an attacker convinces a target to call him with information. The method involves marketing services (providing the target with your phone number or e-mail address in the event of a problem), sabotaging the device, and then waiting for a phone call from the user.
D is incorrect because halo effect refers to a psychological principle that states a person’s overall impression (appearance or pleasantness) can impact another person’s judgment of them. For example, a good-looking, pleasant person will be judged as more competent and knowledgeable simply because of their appearance. The lesson here is to look good and act nice while you’re trying to steal all the target’s information.
3. Which of the following is a true statement regarding biometric systems?
A. The lower the CER, the better the biometric system.
B. The higher the CER, the better the biometric system.
C. The higher the FRR, the better the biometric system.
D. The higher the FAR, the better the biometric system.
A. The crossover error rate (CER), also called the equal error rate, is the point on the chart where the false acceptance rate (FAR) and false rejection rate (FRR) curves meet, and the lower that number, the better the system. Because every biometric system trades FAR against FRR as you move its matching threshold, the CER gives a single figure for comparing systems regardless of how each one happens to be tuned. All that said, keep in mind that in certain circumstances a client may be more interested in a lower FAR than FRR, or vice versa, and therefore the CER isn’t as much a concern. For example, a bank may be far more interested in preventing false acceptance than in preventing false rejection. In other words, so what if a user is upset they can’t log on, so long as their money is safe from a false acceptance?
B is incorrect because this is exactly the opposite of what you want. A high CER indicates a system that more commonly allows unauthorized users through and rejects truly authorized people from access.
C is incorrect because the false rejection rate needs to be as low as possible. The FRR is the rate at which a true, legitimate user is denied access by the biometric system (the percentage of genuine attempts that get rejected).
D is incorrect because the false acceptance rate needs to be as low as possible. The FAR is the rate at which an unauthorized user is allowed access to the system (the percentage of impostor attempts that get accepted).
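The threshold trade-off described above, worked through as an added example (this is not code from the book or from any biometric vendor). The matcher scores are constructed: each is the similarity a hypothetical scanner reported for one attempt, split into attempts by the enrolled user (genuine) and attempts by someone else (impostor). The system accepts any score at or above a threshold; the code sweeps that threshold to find the CER, then re-tunes for the bank’s preference of a near-zero FAR.

```python
"""Calibrating a biometric threshold: FAR, FRR and the crossover error rate (CER).

Added example for this chapter, not code from the book or a biometric vendor.
GENUINE and IMPOSTOR are constructed similarity scores (0-100) from a
hypothetical matcher, one per authentication attempt.
"""

GENUINE = (92, 88, 95, 85, 79, 90, 97, 83, 76, 89)   # constructed: enrolled user's attempts
IMPOSTOR = (35, 48, 60, 52, 41, 73, 57, 66, 45, 80)  # constructed: other people's attempts


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when the system accepts any score >= threshold.

    FAR = share of impostor attempts wrongly accepted.
    FRR = share of genuine attempts wrongly rejected.
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover(genuine, impostor, thresholds=range(0, 101)):
    """Locate the threshold where FAR and FRR are closest; return (threshold, CER).

    CER is reported as the mean of FAR and FRR at that point. On a tie the
    lowest threshold wins, so the result is deterministic.
    """
    best_t = best_gap = best_cer = None
    for t in thresholds:
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_t, best_gap, best_cer = t, gap, (far + frr) / 2
    return best_t, best_cer


def threshold_for_max_far(genuine, impostor, max_far, thresholds=range(0, 101)):
    """Lowest threshold whose FAR does not exceed max_far; return (threshold, FAR, FRR).

    This is the 'bank' tuning from the text: accept a worse FRR in exchange
    for driving false acceptance down to what the business can tolerate.
    """
    for t in thresholds:
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    t, cer = crossover(GENUINE, IMPOSTOR)
    print(f"CER {cer:.2f} at threshold {t}")
    bank_t, far, frr = threshold_for_max_far(GENUINE, IMPOSTOR, 0.0)
    print(f"bank tuning: threshold {bank_t}, FAR {far:.2f}, FRR {frr:.2f}")
```

With these constructed scores the curves cross at a threshold of 77, where FAR and FRR are both 10 percent, so the CER is 0.10. Forcing FAR to zero pushes the threshold to 81 and doubles the FRR to 20 percent: the bank keeps impostors out but turns away one genuine user in five, which is exactly the trade the text describes.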
4. A pen tester sends an unsolicited e-mail to several users at the target organization. The e-mail is well crafted and appears to be from the company’s help desk, advising users of potential network problems. The e-mail provides a contact number to call in the event a user is adversely affected. The pen tester then performs a denial of service on several systems and receives phone calls from users asking for assistance. Which social engineering practice is in play here?
A. Technical support
B. Impersonation
C. Phishing
D. Reverse social engineering
D. This may turn out to be a somewhat confusing question for some folks, but it’s actually pretty easy. Reverse social engineering involves three steps. First, in the marketing phase, an attacker advertises himself as a technical point of contact for problems that may be occurring soon. Second, in the sabotage phase, the attacker performs a denial of service or other attack on the user. Third, in the tech support phase, the user calls the attacker and freely hands over information, thinking they are being assisted by the company’s technical support team.
As an aside, there are two things to remember about employing this in the real world. First, be sure to market to the appropriate audience: attempting this against IT staff probably won’t work as well as the “average” user and may get you caught. Second, and perhaps more important, you’ll need to remember that the more lies you tell, the more things you have to make true. Complexity is risky, and reverse social engineering involves a lot of complexity. It’s best used in special cases, and then only if you can’t find something else to do.
A is incorrect because a technical support attack involves the attacker calling a technical support help desk, not having the user call back with information.
B is incorrect because this is not just impersonation—the attack described in the question revolves around the user contacting the attacker, not the other way around. Impersonation can cover anybody, from a “normal” user to a company executive. And impersonating a technical support person can result in excellent results; just remember if you’re going through steps to have the user call you back, you’ve moved into reverse social engineering.
C is incorrect because a phishing attack is an e-mail crafted to appear legitimate but that actually contains links to fake websites or to malicious downloads. In this example, there is no link to click, just a phone number to call in case of trouble. Oddly enough, in my experience, people will question a link in an e-mail far more than just a phone number.
5. A pen test member has gained access to a building and is observing activity as he wanders around. In one room of the building, he stands just outside a cubicle wall opening and watches the onscreen activity of a user. Which social engineering attack is in use here?
A. Eavesdropping
B. Tailgating
C. Shoulder surfing
D. Piggybacking
C. This one is so easy I hope you maintain your composure and stifle the urge to whoop and yell in the test room. Shoulder surfing doesn’t necessarily require you to actually be on the victim’s shoulder—you just have to be able to watch their onscreen activity. I once shoulder surfed in front of someone (a mirror behind her showed her screen clear as day). You don’t even really need to be close to the victim—there are plenty of optics that can zoom in a field of vision from a very long distance away. As an aside, in the real world, if you are close enough to see someone’s screen, you’re probably close enough to listen to them as well. EC-Council puts the emphasis of shoulder surfing on the visual aspect—eavesdropping would be auditory.
A is incorrect because eavesdropping is a social engineering method where the attacker simply remains close enough to targets to overhear conversations. Although it’s doubtful users will stand around shouting passwords at each other, you’d be surprised how much useful information can be gleaned by just listening in on conversations.
B is incorrect because tailgating is a method for gaining entrance to a facility by flashing a fake badge and following an authorized user through an open door.
D is incorrect because piggybacking is another method to gain entrance to a facility. In this effort, though, you don’t have a badge at all; you just follow people through the door.
6. A recent incident investigated by the local IR team involved a user receiving an e-mail that appeared to be from the U.S. Postal Service, notifying her of a package headed her way and providing a link for tracking the package. The link provided took the user to what appeared to be the USPS site, where she input her user information to learn about the latest shipment headed her way. Which attack did the user fall victim to?
A. Phishing
B. Internet level
C. Reverse social engineering
D. Impersonation
A. Phishing is one of the most pervasive and effective social engineering attacks on the planet. It’s successful because crafting a legitimate-looking e-mail that links a user to an illegitimate site or malware package is easy to do, is easy to spread, and preys on our human nature to trust. If the source of the e-mail looks legitimate or the layout looks legitimate, most people will click away without even thinking about it. Phishing e-mails can often include pictures lifted directly off the legitimate website and use creative means of spelling that aren’t easy to spot: www.regions.com is a legitimate bank website that could be spelled in a phishing e-mail as www.regi0ns.com.
When it comes to real-world use of phishing by ethical hackers and pen testers, there are a couple of notes our beloved tech editor begged me to include. First is that phishing has an extreme liability aspect to it when spoofing a legitimate business. If you’re pen testing an organization and phish using a variant of a real business name, you could be opening yourself up to some serious costs: the first time someone calls the real Regions bank to complain is the moment that the attacker just became liable for the costs associated with the attack. Second is the risk involved with people simply forwarding your phishing attempt to recipients you never intended, allowing it to take on a life of its own. In short, the pen tester will certainly limit the bait (malware or website link embedded in the phishing attempt), but they will have no control over what a user decides to do with the e-mail. Suppose the pen tester doesn’t know the exact IP range, or makes a simple mistake in configuration of the malware, and a user sends it home. Or to a banking friend. Or to the FBI. Or to a friend who works on a DoD system. Now you’ve not only hooked the wrong fish, but maybe infected something in the government. That’s nothing to joke about, and may be a lot worse than a simple mistake. The bottom line is, in the real world, phishing is dangerous if not planned and implemented almost perfectly, and pen test teams need to use extreme caution in implementing it.
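Two of the tells described above, the creative spelling (regi0ns.com for regions.com) and a link whose visible text names one site while the href goes somewhere else, as an added example for this chapter; it is not code from the book, EC-Council, or any anti-phishing product. The brand allow-list, the confusable-character table and the sample e-mail links are all constructed. The registrable-domain logic is a deliberate simplification (last two labels) that a real deployment would replace with the Public Suffix List, and the edit-distance rule will flag short real brands that happen to sit one character apart.

```python
"""Lookalike-domain and spoofed-link checks for phishing triage.

Added example for this chapter, not code from the book or any product.
Assumptions: LEGIT_DOMAINS and SAMPLE_LINKS are constructed; 'registrable
domain' is approximated as the last two labels (wrong for suffixes such as
.co.uk; use the Public Suffix List in real code).
"""
import re
from urllib.parse import urlparse

# Constructed allow-list of brands the organisation actually deals with.
LEGIT_DOMAINS = ("regions.com", "usps.com")

# Visually confusable sequences mapped to the ASCII letters they imitate.
# Multi-character entries come first so 'rn' -> 'm' is applied before single letters.
CONFUSABLES = (
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c"),  # Cyrillic а е о р с
)

# Constructed e-mail links as (visible anchor text, real href).
SAMPLE_LINKS = (
    ("Track your package", "https://tools.usps.com/go/TrackConfirmAction"),
    ("https://tools.usps.com/go/TrackConfirmAction", "http://usps-tracking-update.net/track"),
    ("Sign in to Online Banking", "https://www.regi0ns.com/login"),
    ("Sign in", "https://www.regi\u043ens.com/login"),  # Cyrillic 'о' in place of 'o'
)


def normalize(host: str) -> str:
    """Lower-case a hostname and fold confusable characters to their ASCII look-alikes.
    The folding is aggressive and intended only for comparison, never for display."""
    host = host.lower().rstrip(".")
    for bad, good in CONFUSABLES:
        host = host.replace(bad, good)
    return host


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels (simplification, see module doc)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, legit=LEGIT_DOMAINS):
    """Return (verdict, matched brand domain or None) for one hostname.

    'legitimate'    exact registrable match against the allow-list
    'lookalike'     equal to a brand after confusable folding, or within edit distance 1
    'brand-in-label' a brand name used as a token of an unrelated domain
    'unknown'       none of the above
    """
    reg = registrable(host)
    if reg in legit:
        return ("legitimate", reg)
    folded = normalize(reg)
    for good in legit:
        brand = good.split(".")[0]
        if folded == good or levenshtein(folded.split(".")[0], brand) <= 1:
            return ("lookalike", good)
    tokens = re.split(r"[.-]", host.lower())  # e.g. usps-tracking-update.net -> 'usps' token
    for good in legit:
        if good.split(".")[0] in tokens:
            return ("brand-in-label", good)
    return ("unknown", None)


def spoofed_link(anchor_text: str, href: str) -> bool:
    """True when the visible link text names a different site than the href really points at.
    Plain wording such as 'Track your package' carries no domain and is never a mismatch."""
    real_host = urlparse(href).hostname or ""
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", anchor_text.lower())
    if not shown:
        return False
    return normalize(registrable(shown.group(1))) != normalize(registrable(real_host))


def triage(links=SAMPLE_LINKS):
    """Run both checks over (text, href) pairs; return (href, verdict, brand, spoofed_text)."""
    results = []
    for text, href in links:
        host = urlparse(href).hostname or ""
        verdict, brand = classify_host(host)
        results.append((href, verdict, brand, spoofed_link(text, href)))
    return results


if __name__ == "__main__":
    for row in triage():
        print(row)
```

Run against the constructed links, the genuine USPS tracking link passes, the usps-tracking-update.net link is flagged twice (brand name buried in an unrelated domain, and anchor text that names usps.com), and both regi0ns.com and the Cyrillic regiоns.com fold to regions.com without being it. The confusable table and the edit-distance threshold are where false positives come from, so tune both against the organisation’s own legitimate mail before trusting the verdicts.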
B is incorrect because Internet level is not a recognized form of social engineering attack by this exam. It’s included here as a distractor.
C is incorrect because reverse social engineering is an attack where the attacker cons the target into calling back with useful information.
D is incorrect because this particular description does not cover impersonation. Impersonation is an attack where a social engineer pretends to be an employee, a valid user, or even an executive (or other VIP). Generally speaking, when it comes to the exam, any impersonation question will revolve around an in-person visit or a telephone call.
7. Which type of social engineering attack uses phishing, pop-ups, and IRC channels?
A. Technical
B. Computer based
C. Human based
D. Physical
B. All social engineering attacks fall into one of two categories: human based or computer based. Computer-based attacks are those carried out with the use of a computer or other data-processing device. Examples include, but are not limited to, fake pop-up windows, SMS texts, e-mails, and chat rooms or services. Social media sites (such as Facebook and LinkedIn) are common examples as well, and spoofing entire websites isn’t out of the realm here either.
A is incorrect because technical is not a social engineering attack type and is included here as a distractor.
C is incorrect because human-based social engineering relies on direct interaction between people, in conversation, in person, or over the phone, to gather useful information, rather than on a computer or other device.
D is incorrect because physical is not a social engineering attack type and is included here as a distractor.
8. An attacker identifies a potential target and spends some time profiling her. After gaining some information, the attacker sends a text to the target’s cell phone. The text appears to be from her bank and advises her to call a provided phone number immediately regarding her account information. She dials the number and provides sensitive information to the attacker, who is posing as a bank employee. Which of the following best defines this attack?
A. Vishing
B. Smishing
C. Phishing
D. Tishing
B. Aren’t you excited to have another memorization term added to your CEH vocabulary? In smishing (for SMS text-based phishing), the attacker sends SMS text messages crafted to appear as legitimate security notifications, with a phone number provided. The user unwittingly calls the number and provides sensitive data in response.
A is incorrect because vishing is an attack using a phone call or voice message. In vishing, the attacker calls the target or leaves them a voicemail with instructions to follow.
C is incorrect because phishing makes use of specially crafted e-mails to elicit responses and actions.
D is incorrect because this term does not exist.
9. Which of the following constitutes the highest risk to the organization?
A. Black-hat hacker
B. White-hat hacker
C. Gray-hat hacker
D. Disgruntled employee
D. When considering security measures, most of the attention is usually aimed outside, because that’s where all the bad guys are, right? Unfortunately this line of thinking leads to all sorts of exposure, for a whole lot of reasons, and is more common than you might think. A disgruntled employee is still an employee, after all, which leads to the main reason they’re so dangerous: location. They are already inside the network. Inside attacks are generally easier to launch, are more successful, and are harder to prevent. When you add the human element of having an axe to grind, this can boil over quickly—whether the employee has the technical knowledge to pull it off or not. The idea that someone wanting to do harm to our organization’s network not only already has the access to do so but has it because we gave it to them and we’re not watching them should be frightening to us all.
A is incorrect because black-hat hackers aren’t necessarily already inside the network. They have a lot of work to do in getting access and a lot of security levels to wade through to do it.
B is incorrect because a white-hat hacker is one of the good guys—an ethical hacker, hired for a specific purpose.
C is incorrect because a gray-hat (or grey-hat) hacker falls somewhere between white and black. They may be hacking without express consent, but doing so with good intentions (not that good intentions will keep one out of jail). Supposedly they’re not hacking for personal gain; they just don’t bother to get permission and occasionally dance on the dark side of legality.
10. After observing a target organization for several days, you discover that finance and HR records are bagged up and placed in an outside storage bin for later shredding/recycling. One day you simply walk to the bin and place one of the bags in your vehicle, with plans to rifle through it later. Which social engineering attack was used here?
A. Offline
B. Physical
C. Piggybacking
D. Dumpster diving
D. Dumpster diving doesn’t necessarily mean you’re actually taking a header into a dumpster outside. It could be any waste canister, in any location, and you only need to reach in far enough to pull out the old paperwork. And you’d be amazed what people just throw away without thinking about it: password lists, network diagrams, employee name and number listings, and financial documents are all examples. Lastly, don’t forget that EC-Council defines this as a passive activity. Sure, in the real world you run a real risk of discovery and questioning by any number of the organization’s staff, but on your exam it’s considered passive.
A is incorrect because offline is not a social engineering attack and is used here as a distractor.
B is incorrect because physical is not a social engineering attack type.
C is incorrect because piggybacking is a social engineering attack that allows entry into a facility and has nothing to do with digging through trash for information.
11. An attacker waits outside the entry to a secured facility. After a few minutes an authorized user appears with an entry badge displayed. He swipes a key card and unlocks the door. The attacker, with no display badge, follows him inside. Which social engineering attack just occurred?
A. Tailgating
B. Piggybacking
C. Identity theft
D. Impersonation
B. This is one of those questions that just drives everyone batty—especially people who actually perform pen tests for a living. Does knowing that gaining entry without flashing a fake ID badge of any kind is called piggybacking make it any easier or harder to pull off? I submit having two terms for what is essentially the same attack, separated by one small detail, is a bit unfair, but there’s not a whole lot we can do about it. If it makes it easier to memorize, just keep in mind that pigs wouldn’t wear a badge—they don’t have any clothes to attach it to.
A is incorrect because a tailgating attack requires the attacker to be holding a fake badge of some sort. I know it’s silly, but that’s the only differentiation between these two items: tailgaters have badges, piggybackers do not. If it makes it any easier, just keep in mind a lot of tailgaters at football games should have a badge on them—to prove they are of legal drinking age.
C is incorrect because this attack has nothing to do with identity theft. Identity theft occurs when an attacker uses personal information gained on an individual to assume that person’s identity. Although this is normally thought of in the context of the criminal world (stealing credit cards, money, and so on), it has its uses elsewhere.
D is incorrect because impersonation is not in play here. The attacker isn’t pretending to be anyone else at all—he’s just following someone through an open door.
12. Tim is part of a pen test team and is attempting to gain access to a secured area of the campus. He stands outside a badged entry gate and pretends to be engaged in a contentious cell phone conversation. An organization employee walks past and badges the gate open. Tim asks the employee to hold the gate while flashing a fake ID badge and continuing his phone conversation. He then follows the employee through the gate. Which of the following best defines this effort?
A. Shoulder surfing
B. Piggybacking
C. Tailgating
D. Drafting
C. This type of question is so annoying I added it twice, back to back, in this chapter: almost as if I was nearly certain you’ll see it on your exam. Tailgating involves following someone through an open door or gate just like piggybacking does; however, in tailgating, a fake identification badge of some sort is used. As an aside, if your exam question does not include both terms—tailgating and piggybacking—but the effort is the same (an attacker following a badged employee through a gate or door), you won’t have to choose between them. Usually, in this case, tailgating will be used more frequently than piggybacking.
A is incorrect because shoulder surfing isn’t about following someone anywhere; instead, it’s about positioning yourself in such a way as to be able to observe the keystrokes and activities of someone at their system.
B is incorrect because piggybacking does not involve the use of a badge or identification of any sort.
D is incorrect because drafting is a cool term used in NASCAR, but has nothing to do with physical pen testing.
13. Which of the following may be effective countermeasures against social engineering? (Choose all that apply.)
A. Security policies
B. Operational guidelines
C. Appropriately configured IDS
D. User education and training
E. Strong firewall configuration
A, B, D. The problem with countermeasures against social engineering is they’re almost totally out of your control. Sure, you can draft strong policy requiring users to comply with security measures, implement guidelines on everything imaginable to reduce risks and streamline efficiency, and hold educational briefings and training sessions for each and every user in your organization, but when it comes down to it, it’s the user who has to do the right thing. All countermeasures for social engineering have something to do with the users themselves because they are the weak link here.
C and E are both incorrect for the same reason: a social engineering attack doesn’t target the network or its defenses; it targets the users. Many a strongly defended network has been compromised because a user inside was charmed by a successful social engineer.
14. Which of the following are indicators of a phishing e-mail? (Choose all that apply.)
A. It does not reference you by name.
B. It contains misspelled words or grammatical errors.
C. It contains spoofed links.
D. It comes from an unverified source.
A, B, C, D. One of the objectives of CEH version 7 is, and I quote, to “understand phishing attacks.” Part of the official curriculum to study for the exam covers detecting phishing e-mail in depth, and all of these answers are indicators an e-mail might not be legitimate. First, most companies now sending e-mail to customers will reference you by name and sometimes by account number. An e-mail starting with “Dear Customer” or something to that effect may be an indicator something is amiss. Misspellings and grammatical errors from a business are usually dead giveaways because companies do their best to proofread things before they are released. There are, occasionally, some slip-ups (Internet search some of these; they’re truly funny), but those are definitely the exception and not the rule. Spoofed links can be found by hovering a mouse over them (or by looking at their properties). The link text may read www.yourbank.com, but the hyperlink properties will be sending you to some IP address you don’t want to go to.
As an aside, while these are all great answers to a question on an exam, don’t let them dictate your day-to-day Internet life outside of your exam. A perfectly written, grammatically correct e-mail containing real links and originating from someone you trust could still be part of a phishing campaign. Never click a link in an e-mail without knowing exactly what it is and where it’s taking you—no matter who you think the message is from or how well written it is. Finally, if you get a phishing e-mail that is accurate, references you by name, has real links, and truly appears to be accurate, you probably have a real problem on your hands. Everyone gets the annoying “spam” e-mails with “Click here for free stuff.” However, if you get one that is delivered to you, with your name and identifying details in it, you have someone who spent the time to target you specifically, not randomly.
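As an added example (not from the book or from EC-Council’s courseware), here is a small Python checker that applies three of the indicators above, A, C and D, to a constructed sample message; the spoofed-link check does in code what hovering over a link does by hand, comparing the domain the anchor text shows against the host the href actually points to. Misspelling detection (indicator B) needs a dictionary and is left out; every name, address and domain below is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Greetings that suggest the sender does not actually know who you are (indicator A).
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "valued customer")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased hostname of a URL or bare domain ('HTTPS://www.Bank.example/x' -> 'www.bank.example')."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def same_org(a, b):
    """Crude organisation match: the last two DNS labels agree (www.bank.example vs bank.example)."""
    return bool(a) and bool(b) and a.split(".")[-2:] == b.split(".")[-2:]


def find_spoofed_links(html):
    """(visible text, href) for links whose text names one domain while the href goes elsewhere (indicator C)."""
    parser = _LinkCollector()
    parser.feed(html)
    spoofed = []
    for href, text in parser.links:
        # Only link text that itself looks like a URL or domain can lie about where it goes.
        if re.search(r"[\w-]+\.[a-z]{2,}", text, re.I):
            if not same_org(host_of(text), host_of(href)):
                spoofed.append((text, href))
    return spoofed


def phishing_indicators(sender, recipient_name, known_senders, html):
    """Return the indicators (A, C, D from the question) that this message triggers."""
    hits = []
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    if recipient_name.lower() not in plain or any(g in plain for g in GENERIC_GREETINGS):
        hits.append("not addressed by name")
    if find_spoofed_links(html):
        hits.append("spoofed link")
    sender_domain = host_of(sender.split("@")[-1])
    if not any(same_org(sender_domain, host_of(k)) for k in known_senders):
        hits.append("unverified sender")
    return hits


# Constructed sample, modelled on the "Dear Customer" mail the answer describes.
SAMPLE_HTML = (
    "<p>Dear Customer,</p><p>Please verify your account at "
    '<a href="http://203.0.113.9/login">www.yourbank.example</a> within 24 hours.</p>'
)

if __name__ == "__main__":
    print(phishing_indicators("alerts@yourbank-secure.example", "Alice",
                              ["yourbank.example"], SAMPLE_HTML))
```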
15. You are discussing physical security measures and are covering background checks on employees and policies regarding key management and storage. Which type of physical security measure is being discussed?
A. Physical
B. Technical
C. Operational
D. Practical
C. Physical security has three major facets: physical measures, technical measures, and operational measures. Operational measures (sometimes referred to as procedural controls) are the policies and procedures you put into place to assist with security. Background checks on employees and any kind of written policy for operational behaviors are prime examples.
A is incorrect because physical measures can be seen or touched. Examples include guards (although you probably would want to be careful touching one of them), fences, and locked doors.
B is incorrect because technical measures include things such as authentication systems (biometrics anyone?) and specific permissions you assign to resources.
D is incorrect because, although these may seem like practical measures to put into place, there is simply no category named as such. It’s included here as a distractor, nothing more.
16. Which of the following resources can assist in combating phishing in your organization? (Choose all that apply.)
A. Phishkill
B. Netcraft
C. Phishtank
D. IDA Pro
B, C. For obvious reasons, there are not a lot of questions from these objectives concerning tools—mainly because social engineering is all about the human side of things, not necessarily using technology or tools. However, you can put into place more than a few protective applications to help stem the tide. There are innumerable e-mail filtering applications and appliances you can put on an e-mail network boundary to cut down on the vast amount of traffic (spam or otherwise) headed to your network. Additionally, Netcraft’s phishing toolbar and Phishtank are two client-side, host-based options you can use (there are others, but these are pointed out specifically in EC-Council’s official courseware).
Netcraft’s (http://toolbar.netcraft.com/) and Phishtank’s (http://www.phishtank.com/) toolbars are like neighborhood watches on virtual steroids, where eagle-eyed neighbors can see naughty traffic and alert everyone else. From the Netcraft site: “Once the first recipients of a phishing mail have reported the target URL, it is blocked for community members as they subsequently access the URL.”
These tools, although useful, are not designed to completely protect against phishing. Much like antivirus software, they will act on attempts that match a signature file. This sometimes makes it even easier on the attacker, who can learn right off the bat which phishing attempts will not work.
A is incorrect because phishkill is not an anti-phishing application.
D is incorrect because IDA Pro is a debugger tool you can use to analyze malware (viruses).
17. An attacker targets a specific group inside the organization. After some time profiling the group, she notes several websites the individual members of the group all visit on a regular basis. She spends time inserting various malware and malicious codes into some of the more susceptible websites. Within a matter of days, one of the group members’ systems installs the malware from an infected site, and the attacker uses the infected machine as a pivot point inside the network. Which of the following best defines this attack?
A. Spear phishing
B. Whaling
C. Web-ishing
D. Watering hole attack
D. Have you ever watched nature documentaries on the Discovery Channel? It seems predators frequently hang out in places the prey tends to show up at. For example, a pride of lions might just hang out near a watering hole—knowing full well their prey will eventually just come to them. This attack uses the same principle, except we’re talking about the virtual world. And none of us are lions (at least not outside our imaginations, anyway).
In a watering hole attack, the bad guy spends a lot of time profiling the group that is being targeted (note the key wording here: a group is targeted, not an individual). The attacker can observe or even guess websites that the group would visit, and then infect those sites with some sort of malware or malicious code. Eventually someone from the group will visit the virtual watering hole and—voilà—success.
A is incorrect because spear phishing involves phishing (sending specially crafted e-mails that include links to malicious code) being targeted at a specific group of people. In this question, there was no phishing involved.
B is incorrect because whaling is a special type of spear phishing targeting high-level employees.
C is incorrect because this term doesn’t exist.
18. Which type of social engineering makes use of impersonation, dumpster diving, shoulder surfing, and tailgating?
A. Physical
B. Technical
C. Human based
D. Computer based
C. Once again, we’re back to the two major forms of social engineering: human based and computer based. Human-based attacks include all the attacks mentioned here and a few more. Human-based social engineering uses interaction in conversation or other circumstances between people to gather useful information. This can be as blatant as simply asking someone for their password or pretending to be a known entity (authorized user, tech support, or company executive) in order to gain information.
A is incorrect because social engineering attacks do not fall into a physical category.
B is incorrect because social engineering attacks do not fall into a technical category.
D is incorrect because computer-based social engineering attacks are carried out with the use of a computer or other data-processing device. These attacks can include everything from specially crafted pop-up windows for tricking the user into clicking through to a fake website, to SMS texts that provide false technical support messages and dial-in information to a user.
19. In examining the About Us link in the menu of a target organization’s website, an attacker discovers several different individual contacts within the company. To one of these contacts, she crafts an e-mail asking for information that appears to come from an individual within the company who would be expected to make such a request. The e-mail provides a link to click, which then prompts for the contact’s user ID and password. Which of the following best describes this attack?
A. Trojan e-mailing
B. Spear phishing
C. Social networking
D. Operational engineering
B. Yes, sometimes you’ll get an easy one. Phishing is using e-mail to accomplish the social engineering task. Spear phishing is actually targeting those e-mails to specific individuals or groups within an organization. This usually has a much higher success rate than just a blind-fire phishing effort.
A, C, and D are incorrect because they are all added as distractors and do not match the circumstances listed. Trojan e-mailing and operational engineering aren’t valid terms in regard to social engineering attacks. A social networking attack, per EC-Council, is one that involves using Facebook, LinkedIn, Twitter, or some other social media to elicit information or credentials from a target.
20. A security admin has a control in place that embeds a unique image into e-mails on specific topics, which verifies the message as authentic and trusted. Which anti-phishing method is being used?
A. Steganography
B. Sign-in seal
C. PKI
D. CAPTCHA
B. Sign-in seal is an e-mail protection method in use at a variety of business locations. The practice is to use a secret message or image that can be referenced on any official communication with the site. If you receive an e-mail purportedly from the business but it does not include the image or message, you’re aware it’s probably a phishing attempt. This sign-in seal is kept locally on your computer, so the theory is that no one can copy or spoof it.
A is incorrect because steganography is not used for this purpose. As you know, steganography is a method of hiding information inside another file—usually an image file.
C is incorrect because PKI refers to an encryption system using public and private keys for security of information between members of an organization.
D is incorrect because a CAPTCHA is an authentication test of sorts, which I am sure you’ve seen hundreds of times already. CAPTCHA (actually an acronym meaning Completely Automated Public Turing test to tell Computers and Humans Apart) is a challenge-response-type method where an image is shown, and the client is required to type the word from the image into a challenge box. An example is on a contest entry form—you type in your information at the top and then see an image with a word (or two) in a crazy font at the bottom. If you type the correct word in, it’s somewhat reasonable for the page to assume you’re a human (as opposed to a script), and the request is sent forward.
21. Which of the following should be in place to assist as a social engineering countermeasure? (Choose all that apply.)
A. Classification of information
B. Strong security policy
C. User education
D. Strong change management process
A, B, C, D. All of the answers are correct, but let’s get this out of the way up front: you’ll never be able to put anything whatsoever into place that will effectively render all social engineering attacks moot. You can do some things to limit them, and those on this list can definitely help in that regard, but a security organization that responds to social engineering concerns with “We have a strong policy and great user education” is probably one that’ll see a high turnover rate.
Classification of information is seen as a strong countermeasure because the information—and access to it—is stored and processed according to strict definitions of sensitivity. In the government/DoD world, you’d see labels such as Confidential, Secret, and Top Secret. In the commercial world, you might see Public, Sensitive, and Confidential. I could write an entire chapter on the difference between DoD and commercial labels and have all sorts of fun arguing the finer points of various access control methods, but we’ll stick just to this chapter and what you need here. As a side note, classification of information won’t do you a bit of good if the enforcement of access to that information, and the protection of it in storage or transit, is lax.
Strong security policy has been covered earlier in the chapter, so I won’t waste much print space here on it. You must have a good one in place to help prevent all sorts of security failures; however, you can’t rely on it as a countermeasure on its own.
According to EC-Council, user education is not only a viable social engineering countermeasure but it’s the best measure you can take. Anyone reading this book who has spent any time at all trying to educate users on a production, enterprise-level network is probably yelling right now because results can sometimes be…spotty at best. However, the weak point in the chain is the user, so we must do our best to educate users on what to look for and what to do as they see it. There simply is no better defense than a well-educated user (and by “well-educated” I mean a user who absolutely refuses to participate in a social engineering attempt). There just aren’t that many of them out there.
A change management process helps to organize change to a system or organization by providing a standardized, reviewable process to any major change. In other words, if you allow changes to your financial system, IT services, HR processes, or fill-in-the-blank without any review or control process, you’re basically opening Pandora’s box. Change can be made on a whim (sometimes at the behest of a social engineer, maybe?), and there’s no control or tracking of it.
22. Joe uses a user ID and password to log into the system every day. Jill uses a PIV card and a PIN. Which of the following are true?
A. Joe and Jill are using single-factor authentication.
B. Joe and Jill are using two-factor authentication.
C. Joe is using two-factor authentication.
D. Jill is using two-factor authentication.
D. When it comes to authentication systems, you can use three factors to prove your identity to a system: something you know, something you have, and something you are. An item you know is, basically, a password or PIN. Something you have is a physical token of some sort—usually a smartcard—that is presented as part of the authentication process. Something you are relates to biometrics—a fingerprint or retinal scan, for instance. Generally speaking, the more factors you have in place, the better (more secure) the authentication system. In this example, Joe is using only something he knows, whereas Jill is using something she has (PIV card) and something she knows (PIN).
A is incorrect because Jill is using two-factor authentication.
B is incorrect because Joe is using single-factor authentication.
C is incorrect because Joe is using single-factor authentication.
23. A system owner has implemented a retinal scanner at the entryway to the data floor. Which type of physical security measure is this?
A. Technical
B. Single factor
C. Computer based
D. Operational
A. Physical security measures are characterized as physical (door locks, guards), operational (policies, procedures), and technical (authentication systems, permissions). This example falls into the technical security measure category. Sure, the door itself is physical, but the question centers on the biometric system, which is clearly technical in origin.
B is incorrect because single factor refers to the method the authentication system uses, not the physical security measure itself. In this case, the authentication is using something you are—a biometric retina scan.
C is incorrect because computer based refers to a social engineering attack type, not a physical security measure.
D is incorrect because an operational physical security measure deals with policy and procedure.
24. Which of the following is the best representation of a technical control?
A. Air conditioning
B. Security tokens
C. Automated humidity control
D. Fire alarms
E. Security policy
B. All security controls are put into place to minimize, or to avoid altogether, the probability of a successful exploitation of a risk or vulnerability. Logical controls (logical is the other term used for technical) do this through technical, system-driven means. Examples include security tokens, authentication mechanisms, and antivirus software.
A, C, D, and E are incorrect because they are not logical (technical) controls. Air conditioning, fire alarms, and a humidity control fall under physical controls. A policy would fall under procedural controls.