Ann an employee is visiting Joe, an employee in the Human Resources Department. While talking to Joe, Ann notices a spreadsheet open on Joe’s computer that
lists the salaries of all employees in her department. Which of the following forms of social engineering would BEST describe this situation?
A.
Impersonation
B.
Dumpster diving
C.
Tailgating
D.
Shoulder surfing
Explanation:
Ann was able to see the Spreadsheet on Joe’s computer. This direct observation is known as shoulder surfing.
Shoulder surfing is using direct observation techniques, such as looking over someone’s shoulder, to get information. Shoulder surfing is an effective way to get
information in crowded places because it’s relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or
use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To preventshoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.
Incorrect Answers:
A: Impersonation is where a person, computer, software application or service pretends to be someone it’s not. Impersonation is commonly non-maliciously used in
client/server applications. However, it can also be used as a security threat. This is not what is described in this question.
Therefore, this answer is incorrect.
B: Dumpster diving is looking for treasure in someone else’s trash. (A dumpster is a large trash container.) In the world of information technology, dumpster diving
is a technique used to retrieve information that could be used to carry out an attack on a computer network. Dumpster diving isn’t limited to searching through the
trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or
organizational chart can be used to assist an attacker using social engineering techniques to gain access to the network. This is not what is described in this
question.
Therefore, this answer is incorrect.
C: Tailgating in IT security would be an unauthorized person following and authorized person into a building or room such as a datacenter. If a building has a card
reader where an authorized person can hold up a card to the reader to unlock the door, someone tailgating could follow the authorized person into the building by
walking through the door before it closes and locks. This is not what is described in this question. Therefore, this answer is incorrect.http://searchsecurity.techtarget.com/definition/shoulder-surfing http://searchsecurity.techtarget.com/definition/dumpster-diving