You are the instructor conducting your company's security awareness training and are giving examples of social engineering attacks. Which of the following is the best example of user behavior that might lead to a threat scenario in which the threat source incurs the lowest cost to collect information about system configurations?
A. Post job positions on online job portals
B. Share photos on social media
C. Explore an unknown USB dongle on computers
D. Share emails with colleagues
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Post job positions on online job portals.
Baiting and Phishing
Both creating phishing emails and leaving an infected USB dongle as bait take considerable effort and cost. For phishing, attackers typically have to create the phishing emails and set up bogus servers; for baiting, they have to buy and prepare a USB dongle with malicious software and set up command and control servers.
Job Positions
Sharing Photos
Sharing photos, e.g., family, office, or school photos, compromises your privacy and discloses your biological characteristics, kids, office settings, surroundings, posters, and so forth. However, it may not disclose system configurations directly.
It may undermine physical security because of the disclosure of the office layout and surroundings. Your photo can be used to train AI models for facial recognition. In an Agile workspace, as the following photo shows, the situation gets worse if photos are shared publicly.

Source: AgileForAll