Effective CISSP Questions

As a marketing manager, Alice called the IT help desk for the failure of logging into the mail server. Because of the heavy workload, she intends to give her username and password to the IT support staff and ask for returning a phone call if they have fixed the problem. Which of the following attacks is Alice most likely to suffer from if she does so?
A. Phishing 
B. Identity theft
C. Social engineering
D. Security awareness training

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Identity theft.

Social engineering is a means, not the ends. It is applied to deceive Alice for credentials to commit fraud, e.g., identity theft. If Alice has revealed her credentials, the odds are that they are applied in fraud. She is subject to Identity theft. That is, someone may use her credentials without her permission to commit fraud or other crimes.

Security awareness training is one of the administrative security controls; it’s not an attack or threat. If Alice actively reveals her credentials, she does need more security awareness training, but accepting more training is not suffering.

Identity Theft

  • Identity theft is the deliberate use of someone else’s identity, usually as a method to gain a financial advantage or obtain credit and other benefits in the other person’s name, and perhaps to the other person’s disadvantage or loss. The person whose identity has been assumed may suffer adverse consequences, especially if they are held responsible for the perpetrator’s actions.
  • Identity theft occurs when someone uses another’s personally identifying information, like their name, identifying number, or credit card number, without their permission, to commit fraud or other crimes.
  • The term identity theft was coined in 1964. Since that time, the definition of identity theft has been statutorily defined throughout both the U.K. and the United States as the theft of personally identifiable information, generally including a person’s name, date of birth, social security number, driver’s license number, bank account or credit card numbers, PINs, electronic signatures, fingerprints, passwords, or any other information that can be used to access a person’s financial resources.

Source: Identity theft

Social Engineering

According to NIST SP 800-63-3, social engineering is “the act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust.”

In this case, no act of deceiving Alice is happening, but she actively attempts to share her credential for the sake of convenience. Moreover, the purpose of social engineering such as phishing, pretexting, etc. is to get her credentials for further actions. 


Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing, instant messaging, and text messaging, phishing often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site.

Source: Phishing



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

作為行銷經理,愛麗絲因無法登錄郵件服務器而致電IT服務台。 由於工作量繁重,她打算將帳號和密碼提供給IT支援人員,若他們解決了問題,只要以電話回覆即可。 如果愛麗絲這樣做,最有可能遭受以下哪種攻擊?
A. 網絡釣魚
B. 身份盜用
C. 社交工程
D. 安全意識培訓


Leave a Reply