Social Engineering Methods for Physical Assessments | CompTIA CASP+ Exam

Plausible Method of Social Engineering for Physical Assessments

Question

A penetration tester has been contracted to conduct a physical assessment of a site.

Which of the following is the MOST plausible method of social engineering to be conducted during this engagement?

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

A.

The term "social engineering" refers to the act of manipulating people into revealing confidential or sensitive information that can be used to gain unauthorized access to systems or facilities. In a physical assessment of a site, a penetration tester may attempt to exploit human vulnerabilities to gain access to secure areas or data.

Option A, randomly calling customer employees and posing as a help desk technician requiring user password to resolve issues, is an example of a phishing attack. This type of attack relies on the victim divulging their login credentials, which can be used to gain unauthorized access to systems. However, it is not a plausible method of social engineering during a physical assessment of a site as it does not involve any physical interaction with the target.

Option B, posing as a copier service technician and indicating the equipment had phoned home to alert the technician for a service call, is a plausible method of social engineering during a physical assessment of a site. This technique involves gaining physical access to the site by posing as a trusted third-party service technician. Once inside the site, the attacker can gain access to sensitive areas and data.

Option C, simulating an illness while at a client location for a sales call and then recovering once listening devices are installed, is a highly unethical and illegal method of social engineering. This technique involves gaining the trust of the target and then installing listening devices to eavesdrop on private conversations. This method is not a plausible method of social engineering during a physical assessment of a site as it is highly illegal and unethical.

Option D, obtaining fake government credentials and impersonating law enforcement to gain access to a company facility, is a highly illegal and unethical method of social engineering. This technique involves gaining access to the site by posing as a trusted government official. This method is not a plausible method of social engineering during a physical assessment of a site as it is highly illegal and unethical.

In conclusion, the most plausible method of social engineering to be conducted during a physical assessment of a site is option B, posing as a copier service technician and indicating the equipment had phoned home to alert the technician for a service call. However, it is important to note that any form of social engineering is illegal and unethical without the proper consent and authorization of the target organization.