CISSP PRACTICE QUESTIONS – 20201028

Effective CISSP Questions

As a marketing manager, Alice called the IT help desk for the failure of logging into the mail server. Because of the heavy workload, she intends to give her username and password to the IT support staff and ask for returning a phone call if they have fixed the problem. Which of the following attacks is Alice most likely to suffer from if she does so?
A. Phishing 
B. Identity theft
C. Social engineering
D. Security awareness training


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Identity theft.

Social engineering is a means, not the ends. It is applied to deceive Alice for credentials to commit fraud, e.g., identity theft. If Alice has revealed her credentials, the odds are that they are applied in fraud. She is subject to Identity theft. That is, someone may use her credentials without her permission to commit fraud or other crimes.

Security awareness training is one of the administrative security controls; it’s not an attack or threat. If Alice actively reveals her credentials, she does need more security awareness training, but accepting more training is not suffering.

Identity Theft

  • Identity theft is the deliberate use of someone else’s identity, usually as a method to gain a financial advantage or obtain credit and other benefits in the other person’s name, and perhaps to the other person’s disadvantage or loss. The person whose identity has been assumed may suffer adverse consequences, especially if they are held responsible for the perpetrator’s actions.
  • Identity theft occurs when someone uses another’s personally identifying information, like their name, identifying number, or credit card number, without their permission, to commit fraud or other crimes.
  • The term identity theft was coined in 1964. Since that time, the definition of identity theft has been statutorily defined throughout both the U.K. and the United States as the theft of personally identifiable information, generally including a person’s name, date of birth, social security number, driver’s license number, bank account or credit card numbers, PINs, electronic signatures, fingerprints, passwords, or any other information that can be used to access a person’s financial resources.

Source: Identity theft

Social Engineering

According to NIST SP 800-63-3, social engineering is “the act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust.”

In this case, no act of deceiving Alice is happening, but she actively attempts to share her credential for the sake of convenience. Moreover, the purpose of social engineering such as phishing, pretexting, etc. is to get her credentials for further actions. 

Phishing

Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing, instant messaging, and text messaging, phishing often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site.

Source: Phishing

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

作為行銷經理,愛麗絲因無法登錄郵件服務器而致電IT服務台。 由於工作量繁重,她打算將帳號和密碼提供給IT支援人員,若他們解決了問題,只要以電話回覆即可。 如果愛麗絲這樣做,最有可能遭受以下哪種攻擊?
A. 網絡釣魚
B. 身份盜用
C. 社交工程
D. 安全意識培訓

 

3 thoughts on “CISSP PRACTICE QUESTIONS – 20201028

  1. Hi Wentz,

    First of, thanks for keeping this website and the information for people to learn 🙂 👍

    I was using one practice exam and I was wondering if the content would reflect the CISSP type of questions…
    The question was stating that bribery is a type of social engineering. While it makes sense to believe that that’s true, I have never seen any mention of such point in the official study guide, neither in any of the books or videos I have read before.
    I am really confused about some of those questions that for me are quite confusing…
    Do you believe that some sources of information could be not fully aligned with the CISSP logic?

    Thanks on advance.
    Mark

    • Broadly speaking, the issue of bribery is covered by the CISSP exam outline. It can be related to the code of ethics, laws and regulations, and compliance. However, the quality of CISSP pratice exams and the knowledge you learned from those practice exams are the most critical factors. If the practice exams provide correct concept and have good quality, and you can learn from them, just use them to prepare for the CISSP exam. BTW, I suggest you get a copy of the ISC2 official practice tests (OPT) as well.

      • Thanks for your reply. Yes, I agree. Just the practice guide won’t get one too far, much reading is necessary.
        I already have read the 9th OSG, which I read already months ago and always use the book for reference. The OPT came with the book as a bundle. I really like the questions style in the OPT.
        I now got the 10th edition of the OSG.

        I decided to ditch all “non-official” practice questions apps and websites.

Leave a Reply