A comprehensive set of practice flashcards covering social engineering, threat vectors, physical security controls, and data protection concepts from the module notes.
What is social engineering?
The act of tricking a user into taking an action or giving information that benefits the attacker.
What is the social engineering attack surface primarily composed of?
The human element (people) who can be manipulated through deception.
Why are many cyberattacks successful today?
Because they start with highly effective social engineering, which then enables the next steps of the attack.
Name six common social engineering attack types.
Phishing, impersonation, redirection, misinformation/disinformation, watering hole attacks, and data reconnaissance.
Phishing definition.
Sending an email or displaying a web announcement that falsely claims to be from a legitimate source to trick the user into taking an action or revealing information.
What is spear phishing?
Phishing targeted at specific individuals, tailored with their name or details.
What is whaling?
A type of spear phishing aimed at high-value targets like senior executives.
What is vishing?
Voice phishing conducted via telephone calls with a recorded message or live agent.
What is smishing?
Phishing conducted via SMS/text messages.
What is a Business Email Compromise (BEC) attack?
A fraud where attackers exploit business email practices to request funds or sensitive information, often posing as legitimate vendors or executives.
What is impersonation in social engineering?
Masquerading as a real or fictitious person to obtain information or access, often using pretexting.
What is brand impersonation?
Pretending to be a recognizable brand to build trust and induce action.
What is redirection in the context of social engineering?
Directing a user to a fake look-alike site, often through typos or domain confusion (typo squatting).
What is typo squatting?
Registering misspelled domain names to trick users who type URLs incorrectly.
What is bitsquatting?
Registering domains where a single bit differs from the legitimate domain, exploiting RAM bit flips.
What is pharming?
Infecting a user’s system or DNS to redirect legitimate site traffic to a malicious site.
What is misinformation vs disinformation?
Misinformation is false information without malicious intent; disinformation is false information spread with malicious intent.
What is a watering hole attack?
Infecting a website commonly visited by a targeted group to compromise its members.
What is data reconnaissance?
Gaining valuable information about targets through methods like dumpster diving, Google dorking, and shoulder surfing.
What is dumpster diving in cybersecurity?
Digging through trash to find information that can aid an attack.
What is Google dorking?
Using advanced Google search techniques to uncover sensitive data left exposed on the web.
What is shoulder surfing?
Observing someone entering sensitive information, such as a password, to steal data.
What are the four broad categories of security controls?
Managerial, operational, technical, and physical controls.
Why are physical security controls important?
They prevent physical access to assets and are often as important as digital protections.
Name some perimeter defense elements.
Barriers, security guards, sensors, security buffers, and locks.
What are some passive barrier deterrents used on fences?
Anticlimb paint, anticlimb collars, roller barriers, and rotating spikes.
What is the difference between barricades and bollards?
Barricades direct large crowds; bollards block vehicle access to protect an area.
What is the role of security guards in physical security?
Active defense to monitor, deter, and respond to intrusions; may use two-person integrity for higher security.
What is CCTV and how is it used?
Closed-circuit television used to monitor and record activity; can be fixed or dome cameras with pan capabilities.
What is a UAV in security contexts?
A drone used for monitoring and detecting activity in secure areas.
Name the four basic types of sensors used in physical security.
Infrared (IR), microwave, ultrasonic, and pressure sensors.
What is an active IR sensor?
An IR sensor that emits IR light and detects reflections to sense proximity.
What is a passive IR sensor?
An IR sensor that detects IR radiation emitted by objects (no emission).
What is a microwave sensor best used for?
Monitoring large areas by emitting microwave signals and detecting changes in reflections.
What is an ultrasonic sensor used for in security?
Measuring distance to a target by sending ultrasonic waves and measuring return time.
What is the distance measurement formula for ultrasonic sensing?
Distance = (Time × 343 m/s) / 2.
What is a pressure sensor used for in security?
Detecting entry into a space and distinguishing targets (e.g., people vs vehicles) with directional information.
What is a Faraday cage?
A grounded metallic enclosure that blocks electromagnetic fields to prevent eavesdropping and EMI.
What is a Protected Distribution System (PDS)?
A system of cable conduits carrying classified information between secure areas; comes in hardened carrier and alarmed variants.
What is a hardened carrier PDS?
A PDS with cables in a conduit that is welded/sealed and possibly buried; highly tamper-resistant.
What is an alarmed carrier PDS?
A PDS with sensors to detect intrusions, providing continuous monitoring.
What is computer hardware security in this context?
Protection of mobile devices (e.g., laptops) with security slots, cable locks, safes, and locking cabinets.
What is an access control vestibule (mantrap)?
A two-door automated vestibule where only one door can be open at a time to separate nonsecure and secure areas.
What is a reception area in security terms?
A medium-security buffer where credentials are checked by a receptionist before passage.
What is a waiting room in security terms?
A low-security buffer area with two doors and a check-in process before access to secure zones.
What are the main types of locks used to restrict access?
Storeroom, classroom, store entry double cylinder, communicating double cylinder; electronic and smart locks are increasingly common.
What is data classification?
Organizing data into categories (Confidential, Private, Sensitive, Restricted, Critical, Public, Regulated, IP, Trade Secret, Legal, Financial) to determine protection levels.
What is data state?
Data in use (processing), data in transit (moving across networks), and data at rest (stored).
What is geolocation?
Techniques that identify the physical location of data, often via coordinates or GeoIP lookup based on IP address.
What is data sovereignty?
Country-specific legal requirements that govern how data is collected, processed, and stored, often within national borders.
What is data minimization?
Limiting the collection of personal information to what is directly relevant and necessary.
What is data masking?
Replacing sensitive data with obfuscated values to protect privacy; reversible only in controlled contexts.
What is tokenization?
Replacing a sensitive data element with a random token stored in a token vault; original data can be retrieved if needed.
What is the restrictions approach to data access?
Permission restrictions and geographic restrictions limiting access to data to authorized users and locations.
What is data segmentation?
Tagging data with classifications and separating the most sensitive data to create an identified protect surface.
What are the consequences of a data breach?
Reputation damage, IP theft, and financial penalties (e.g., GDPR fines, HIPAA penalties).
What does HIPAA say about breach notifications?
Breaches affecting 500 or more records must be reported to the DHHS within 60 days; smaller breaches can be reported annually, within 60 days of the end of the calendar year.
What is the difference between authority and pretexting in social engineering?
Authority is impersonating a supervisor or executive; pretexting is creating a believable story or scenario to obtain information.
Which social engineering attack targets a specific individual or role (e.g., a CEO or executive)?
Spear phishing.
Which social engineering attack aims to quickly pressure a user into action by urgency or scarcity?
Urgency/Scarcity techniques (often used in phishing, vishing, or BEC scenarios).