ISC Exam Questions

Which one of the following is NOT an acceptable social engineering practice?

When conducting a risk assessment, which one of the following is NOT an acceptable social
engineering practice?

A. Shoulder surfing

B. Misrepresentation

C. Subversion

D. Dumpster diving

Explanation:
Shoulder surfing: Attackers can thwart confidentiality mechanisms by network monitoring,
shoulder surfing, stealing password files, and social engineering. These topics will be addressed
in more depth in later chapters, but shoulder surfing is when a person looks over another person’s
shoulder and watches keystrokes or data as it appears on the screen. Social engineering is
tricking another person into sharing confidential information by posing as an individual
authorized to access that information. Shon Harris: CISSP Certification pg. 63. Shoulder surfing
is not social engineering.