CompTIA Security+ Question I-95

Using proximity card readers instead of the traditional key punch doors would help to mitigate:

A. Impersonation
B. Tailgating
C. Dumpster diving
D. Shoulder surfing

Answer: D

Explanation:
Using a traditional key punch door, a person enters a code into a keypad to unlock the door. Someone could be watching the code being entered. They would then be able to open the door by entering the code. The process of watching the key code being entered is known as shoulder surfing.

Shoulder surfing is using direct observation techniques, such as looking over someone’s shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it’s relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.

CompTIA Security+ Question I-83

Ann, an employee, is cleaning out her desk and disposes of paperwork containing confidential customer information in a recycle bin without shredding it first. This is MOST likely to increase the risk of loss from which of the following attacks?

A. Shoulder surfing
B. Dumpster diving
C. Tailgating
D. Spoofing

Answer: B

Explanation:
Dumpster diving is looking for treasure in someone else’s trash. (A dumpster is a large trash container.) In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network. Dumpster diving isn’t limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or organizational chart can be used to assist an attacker using social engineering techniques to gain access to the network. To prevent dumpster divers from learning anything valuable from your trash, experts recommend that your company establish a disposal policy where all paper, including print-outs, is shredded in a cross-cut shredder before being recycled, all storage media is erased, and all staff is educated about the danger of untracked trash.

CompTIA Security+ Question I-46

Use of a smart card to authenticate remote servers remains MOST susceptible to which of the following attacks?

A. Malicious code on the local system
B. Shoulder surfing
C. Brute force certificate cracking
D. Distributed dictionary attacks

Answer: A

Explanation:
Once a user authenticates to a remote server, malicious code on the user’s workstation could then infect the server.

CompTIA Security+ Question H-97

Ann an employee is visiting Peter, an employee in the Human Resources Department. While talking to Peter, Ann notices a spreadsheet open on Peter’s computer that lists the salaries of all employees in her department. Which of the following forms of social engineering would BEST describe this situation?

A. Impersonation
B. Dumpster diving
C. Tailgating
D. Shoulder surfing

Answer: D

Explanation:
Ann was able to see the Spreadsheet on Peter’s computer. This direct observation is known as shoulder surfing.

Shoulder surfing is using direct observation techniques, such as looking over someone’s shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it’s relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.

CompTIA Security+ Question G-89

At the outside break area, an employee, Ann, asked another employee to let her into the building because her badge is missing. Which of the following does this describe?

A. Shoulder surfing
B. Tailgating
C. Whaling
D. Impersonation

Answer: B

Explanation:
Although Ann is an employee and therefore authorized to enter the building, she does not have her badge and therefore strictly she should not be allowed to enter the building. Just as a driver can tailgate another driver’s car by following too closely, in the security sense, tailgating means to compromise physical security by following somebody through a door meant to keep out intruders. Tailgating is actually a form of social engineering, whereby someone who is not authorized to enter a particular area does so by following closely behind someone who is authorized.

CompTIA Security+ Question G-52

An investigator recently discovered that an attacker placed a remotely accessible CCTV camera in a public area overlooking several Automatic Teller Machines (ATMs). It is also believed that user accounts belonging to ATM operators may have been compromised. Which of the following attacks has MOST likely taken place?

A. Shoulder surfing
B. Dumpster diving
C. Whaling attack
D. Vishing attack

Answer: A

Explanation:
The CCTV camera has recorded people entering their PINs in the ATMs. This is known as shoulder surfing.

Shoulder surfing is using direct observation techniques, such as looking over someone’s shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it’s relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.

CompTIA Security+ Question F-98

Physical documents must be incinerated after a set retention period is reached. Which of the following attacks does this action remediate?

A. Shoulder Surfing
B. Dumpster Diving
C. Phishing
D. Impersonation

Answer: B

Explanation:
Incinerating documents (or shredding documents) instead of throwing them into a bin will prevent people being able to read the documents to view sensitive information. Dumpster diving is looking for treasure in someone else’s trash. (A dumpster is a large trash container.) In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network. Dumpster diving isn’t limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or organizational chart can be used to assist an attacker using social engineering techniques to gain access to the network. To prevent dumpster divers from learning anything valuable from your trash, experts recommend that your company establish a disposal policy where all paper, including print-outs, is shredded in a cross-cut shredder before being recycled, all storage media is erased, and all staff is educated about the danger of untracked trash.

CompTIA Security+ Question F-21

Which of the following can only be mitigated through the use of technical controls rather that user security training?

A. Shoulder surfing
B. Zero-day
C. Vishing
D. Trojans

Answer: B

Explanation:
A zero day vulnerability is an unknown vulnerability in a software application. This cannot be prevented by user security training. A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term “zero day” refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users.

CompTIA Security+ Question D-18

Emily, an attacker, is recording a person typing in their ID number into a keypad to gain access to the building. Emily then calls the helpdesk and informs them that their PIN no longer works and would like to change it. Which of the following attacks occurred LAST?

A. Phishing
B. Shoulder surfing
C. Impersonation
D. Tailgating

Answer: C

Explanation:
Two attacks took place in this question. The first attack was shoulder surfing. This was the act of Emily recording a person typing in their ID number into a keypad to gain access to the building. The second attack was impersonation. Emily called the helpdesk and used the PIN to impersonate the person she recorded.

CompTIA Security+ Question C-3

All executive officers have changed their monitor location so it cannot be easily viewed when passing by their offices. Which of the following attacks does this action remediate?

A. Dumpster Diving
B. Impersonation
C. Shoulder Surfing
D. Whaling

Answer: C

Explanation:
Viewing confidential information on someone’s monitor is known as shoulder surfing. By moving their monitors so they cannot be seen, the executives are preventing users passing by ‘shoulder surfing’.

Shoulder surfing is using direct observation techniques, such as looking over someone’s shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it’s relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.