A Chief Information Officer (CIO) publicly announces the implementation of a new financial system.
As part of a security assessment that includes a social engineering task, which of the following tasks should be conducted to demonstrate the BEST means to gain information to use for a report on social vulnerability details about the financial system?
Click on the arrows to vote for the correct answer
A. B. C. D.D.
As part of a security assessment that includes a social engineering task, the goal is to determine the level of social vulnerability within an organization, and to identify potential avenues of attack. The question asks which of the following tasks should be conducted to demonstrate the BEST means to gain information to use for a report on social vulnerability details about the financial system.
Option A, which involves posing as a job seeker interested in an open position and requesting an interview with the CIO, is a common social engineering tactic known as pretexting. This tactic can be effective in gaining information from a target, but it may also be easily detected by the target or by other employees in the organization. Furthermore, it may not be the most effective means of gaining information about the financial system, as the CIO may not have access to all of the relevant information.
Option B, which involves compromising the email server to obtain a list of attendees who responded to the invitation who is on the IT staff, is a highly unethical and illegal activity, and should never be considered as an option.
Option C, which involves notifying the CIO that malicious actors can identify individuals to befriend through observation at events, is a form of social engineering known as elicitation. This tactic can be effective in gaining information from a target without raising suspicion, but it may not provide detailed information about the financial system.
Option D, which involves understanding the CIO is a social drinker, and finding the means to befriend the CIO at establishments the CIO frequents, is a form of social engineering known as pretexting. This tactic can be effective in gaining information from a target, as it allows the attacker to establish a rapport with the target and gain their trust. However, it may also be time-consuming and may not provide detailed information about the financial system.
Based on the above analysis, option C is the BEST means to gain information to use for a report on social vulnerability details about the financial system, as it is a form of social engineering that can be effective in gaining information from a target without raising suspicion. However, it should be noted that social engineering tactics should only be used in a controlled environment, and with the explicit permission of the organization being assessed.