PrepAway - Latest Free Exam Questions & Answers

which of the following attacks?

Ann, an employee, is cleaning out her desk and disposes of paperwork containing confidential customer
information in a recycle bin without shredding it first. This is MOST likely to increase the risk of loss from
which of the following attacks?


A. Shoulder surfing

B. Dumpster diving

C. Tailgating

D. Spoofing

Explanation:
Dumpster diving is looking for treasure in someone else’s trash. (A dumpster is a large trash container.) In
the world of information technology, dumpster diving is a technique used to retrieve information that
could be used to carry out an attack on a computer network. Dumpster diving isn’t limited to searching
through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or organizational chart can be used to assist
an attacker using social engineering techniques to gain access to the network. To prevent dumpster
divers from learning anything valuable from your trash, experts recommend that your company establish
a disposal policy where all paper, including print-outs, is shredded in a cross-cut shredder before being
recycled, all storage media is erased, and all staff is educated about the danger of untracked trash.
Incorrect Answers:
A: Shoulder surfing is using direct observation techniques, such as looking over someone’s shoulder, to
get information. Shoulder surfing is an effective way to get information in crowded places because it’s
relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM
machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with
the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend
that you shield paperwork or your keypad from view by using your body or cupping your hand. This is not
what is described in this question.
C: Tailgating in IT security would be an unauthorized person following an authorized person into a
building or room such as a datacenter. If a building has a card reader where an authorized person can
hold up a card to the reader to unlock the door, someone tailgating could follow the authorized person
into the building by walking through the door before it closes and locks. This is not what is described in
this question.
D: There are several kinds of spoofing including email, caller ID, MAC address, and uniform resource
locator (URL) spoof attacks. All types of spoofing are designed to imitate something or someone.
Email spoofing (or phishing), used by dishonest advertisers and outright thieves, occurs when email is
sent with a falsified “From:” entry to try to trick victims into believing that the message is from a friend, their bank, or
some other legitimate source. Any email that claims it requires your password or any personal
information could be a trick.
In a caller ID attack, the spoofer will falsify the phone number he/she is calling from. This is not what is
described in this question.

http://searchsecurity.techtarget.com/definition/dumpster-diving
http://searchsecurity.techtarget.com/definition/shoulder-surfing

