PrepAway - Latest Free Exam Questions & Answers

Which of the following attacks does this action remediate?

Physical documents must be incinerated after a set retention period is reached. Which of the following
attacks does this action remediate?

A. Shoulder Surfing

B. Dumpster Diving

C. Phishing

D. Impersonation

Explanation:
Incinerating documents (or shredding documents) instead of throwing them into a bin will prevent people
from being able to read the documents to view sensitive information.
Dumpster diving is looking for treasure in someone else’s trash. (A dumpster is a large trash container.) In
the world of information technology, dumpster diving is a technique used to retrieve information that
could be used to carry out an attack on a computer network. Dumpster diving isn’t limited to searching
through the trash for obvious treasures like access codes or passwords written down on sticky notes.
Seemingly innocent information like a phone list, calendar, or organizational chart can be used to assist
an attacker using social engineering techniques to gain access to the network. To prevent dumpster
divers from learning anything valuable from your trash, experts recommend that your company establish
a disposal policy where all paper, including print-outs, is shredded in a cross-cut shredder before being
recycled, all storage media is erased, and all staff is educated about the danger of untracked trash.
Incorrect Answers:
A: Shoulder surfing is using direct observation techniques, such as looking over someone’s shoulder, to
get information. Shoulder surfing is an effective way to get information in crowded places because it’s
relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM
machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with
the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend
that you shield paperwork or your keypad from view by using your body or cupping your hand.
Incinerating documents will not prevent shoulder surfing.
C: Phishing is the act of sending an email to a user falsely claiming to be an established legitimate
enterprise in an attempt to scam the user into surrendering private information that will be used for
identity theft.
A phishing email will direct the user to visit a website where they are asked to update personal information,
such as a password, credit card, social security, or bank account numbers, that the legitimate organization
already has. The website, however, is bogus and set up only to steal the information the user enters on
the page.
Phishing emails are blindly sent to thousands, if not millions of recipients. By spamming large groups of
people, the “phisher” counts on the email being read by a percentage of people who actually have an
account with the legitimate company being spoofed in the email and corresponding webpage.
Phishing, also referred to as brand spoofing or carding, is a variation on “fishing,” the idea being that bait
is thrown out with the hopes that while most will ignore the bait, some will be tempted into biting.
Incinerating documents will not prevent phishing.
D: Impersonation is where a person, computer, software application or service pretends to be someone
it’s not. Impersonation is commonly used non-maliciously in client/server applications. However, it can
also be used as a security threat. While the information gained by viewing documents could be used by
an impersonator, incinerating documents alone will not prevent impersonation.

http://searchsecurity.techtarget.com/definition/dumpster-diving
http://searchsecurity.techtarget.com/definition/shoulder-surfing
http://www.webopedia.com/TERM/P/phishing.html

