Chapter 47 Quiz: Physical Security & Social Engineering

Test your knowledge of tailgating, badge cloning, phishing attack types, security awareness programs, legal frameworks, and ethical considerations in social engineering assessments.


Questions

1. During a physical security assessment, a red team operator follows an authorized employee through a badge-controlled door without presenting credentials. What is this technique called, and what physical control failure does it exploit?

  • A) Lock picking — it exploits weak lock mechanisms
  • B) Tailgating (piggybacking) — it exploits the lack of anti-tailgating controls such as mantraps, turnstiles, or enforced badge-in/badge-out policies
  • C) Badge cloning — it exploits RFID vulnerabilities
  • D) Dumpster diving — it exploits improper document disposal
Answer

B — Tailgating (piggybacking) — it exploits the lack of anti-tailgating controls such as mantraps, turnstiles, or enforced badge-in/badge-out policies

Tailgating exploits human courtesy and insufficient physical access controls. Employees frequently hold doors for people behind them, especially when the follower appears to be a coworker carrying equipment. Effective mitigations include mantraps (interlocking doors that enforce single-person entry), full-height turnstiles, security guard verification, and organizational culture that normalizes challenging unrecognized individuals.


2. A red team operator uses a Proxmark3 device to clone an employee's HID Prox card from several feet away. What makes legacy 125 kHz proximity cards vulnerable to this attack?

  • A) The cards use strong encryption but have a known key management weakness
  • B) Legacy 125 kHz proximity cards transmit a static, unencrypted card ID that can be read and replicated without any cryptographic authentication
  • C) The cards require physical contact to read, but the reader firmware has a bypass
  • D) The cards use rolling codes, but the algorithm has been publicly broken
Answer

B — Legacy 125 kHz proximity cards transmit a static, unencrypted card ID that can be read and replicated without any cryptographic authentication

HID ProxCard II and similar 125 kHz cards store a static facility code and card number that is transmitted in the clear when the card enters a reader's electromagnetic field. A Proxmark3 or similar device can read this data from a distance (up to several feet with a high-gain antenna) and write it to a blank card. Modern countermeasures include 13.56 MHz smart cards (iCLASS SE, DESFire) with mutual authentication and encryption.


3. What is the primary difference between phishing, spear phishing, and whaling?

  • A) They use different protocols: phishing uses email, spear phishing uses SMS, and whaling uses phone calls
  • B) Phishing targets a broad audience with generic lures; spear phishing targets specific individuals or groups with personalized content; whaling specifically targets senior executives or high-value individuals
  • C) Phishing is legal; spear phishing and whaling are always illegal
  • D) The three terms are interchangeable and describe the same technique
Answer

B — Phishing targets a broad audience with generic lures; spear phishing targets specific individuals or groups with personalized content; whaling specifically targets senior executives or high-value individuals

The three techniques exist on a targeting spectrum. Phishing casts a wide net with generic messages (fake invoices, account alerts). Spear phishing uses OSINT to craft personalized messages for specific individuals or roles (referencing real projects, colleagues, or events). Whaling targets C-suite executives with highly tailored pretexts (board communications, M&A documents, legal matters) that leverage the target's authority and access levels.


4. A red team is planning a vishing (voice phishing) campaign against a target organization's help desk. Which legal and ethical requirement must be satisfied before initiating the campaign?

  • A) No specific authorization is needed for vishing since it does not involve computer systems
  • B) The vishing campaign must be explicitly authorized in the Rules of Engagement, with defined scope, permitted pretexts, call recording consent requirements, and escalation procedures
  • C) Only verbal approval from the IT manager is required
  • D) Vishing campaigns only require authorization if they target executives
Answer

B — The vishing campaign must be explicitly authorized in the Rules of Engagement, with defined scope, permitted pretexts, call recording consent requirements, and escalation procedures

Social engineering attacks including vishing must be explicitly scoped in the RoE. The document should specify which employees or departments can be targeted, approved pretexts, whether calls can be recorded (subject to local wiretapping laws), boundaries for information that can be requested, and procedures for employees who become distressed. Many jurisdictions require all-party consent for call recording.


5. During a physical penetration test, the operator gains access to an office area and discovers unlocked workstations with active sessions, sensitive documents on desks, and passwords written on sticky notes. How should these findings be documented?

  • A) Take photographs of all findings and include them unredacted in the report
  • B) Photograph evidence with care to protect PII (redacting personal information in the report), document each finding's location and risk impact, and chain all evidence per the RoE data handling requirements
  • C) Only verbally report findings to the client without photographic evidence
  • D) Remove the sticky notes and shred the documents to demonstrate impact
Answer

B — Photograph evidence with care to protect PII (redacting personal information in the report), document each finding's location and risk impact, and chain all evidence per the RoE data handling requirements

Physical assessment evidence must be documented thoroughly for the report while respecting privacy obligations. Photographs prove findings but should have PII redacted in reports (employee names, screen content containing personal data). Evidence should be timestamped, location-tagged, and handled per the RoE data handling procedures. The tester should never remove, modify, or destroy organizational property.


6. What is pretexting in the context of social engineering, and why is it effective?

  • A) Pretexting is the act of researching a target before an attack
  • B) Pretexting is creating a fabricated scenario (role, identity, or situation) that establishes trust and provides a plausible reason for the target to comply with the attacker's request
  • C) Pretexting is sending text messages with malicious links
  • D) Pretexting is physically entering a building under a false identity
Answer

B — Pretexting is creating a fabricated scenario (role, identity, or situation) that establishes trust and provides a plausible reason for the target to comply with the attacker's request

Pretexting leverages psychological principles of authority, social proof, and reciprocity. An attacker posing as an IT support technician (authority), a fellow employee from another office (social proof), or a vendor who helped the employee previously (reciprocity) creates a believable context that lowers the target's defenses. Effective pretexts are supported by OSINT — using real names, projects, and organizational details to enhance credibility.


7. An organization implements a security awareness training program but sees no reduction in phishing click rates after six months. What is the most likely deficiency in the program?

  • A) The training platform vendor is not reputable
  • B) The program relies on annual compliance-style training without regular simulated phishing exercises, role-specific content, positive reinforcement, or measurable behavior change metrics
  • C) Employees have too much work to attend training
  • D) The phishing simulations are too realistic
Answer

B — The program relies on annual compliance-style training without regular simulated phishing exercises, role-specific content, positive reinforcement, or measurable behavior change metrics

Effective security awareness programs require continuous reinforcement through regular phishing simulations with increasing sophistication, immediate feedback when users click simulated phishes, role-specific training (finance teams targeted with BEC scenarios, executives with whaling simulations), positive recognition for correct behavior (reporting phishes), and metrics tracking behavioral change over time rather than just completion rates.


8. A social engineer calls the target organization's reception and claims to be from a fire safety inspection company, requesting a tour of the server room to check fire suppression systems. What social engineering principle is being exploited?

  • A) Scarcity — creating urgency around a limited-time offer
  • B) Authority — impersonating a regulatory or safety official to leverage assumed authority and compliance obligations
  • C) Reciprocity — offering a free inspection in exchange for access
  • D) Consensus — claiming that other companies in the building have already participated
Answer

B — Authority — impersonating a regulatory or safety official to leverage assumed authority and compliance obligations

The authority principle is one of Robert Cialdini's six principles of influence. People tend to comply with requests from perceived authority figures, especially those associated with regulatory compliance or safety. Impersonating inspectors, auditors, or law enforcement creates psychological pressure to comply without questioning. Countermeasures include verification procedures — calling the purported agency directly using independently sourced contact information.


9. What is a "watering hole" attack, and how does it differ from traditional phishing?

  • A) A physical attack targeting water utility infrastructure
  • B) An attack that compromises a website frequently visited by the target group, serving malware to visitors — unlike phishing, the attacker does not send messages to targets but instead waits for them to visit the compromised site
  • C) A phishing attack that targets employees during lunch breaks
  • D) A denial-of-service attack against the target's web infrastructure
Answer

B — An attack that compromises a website frequently visited by the target group, serving malware to visitors — unlike phishing, the attacker does not send messages to targets but instead waits for them to visit the compromised site

Watering hole attacks identify websites commonly visited by the target demographic (industry forums, professional associations, niche news sites), compromise those sites, and embed exploit code or malicious downloads. This approach bypasses email security controls entirely and is highly effective because victims visit the site through normal browsing behavior. The name derives from predators waiting at watering holes for prey.


10. During a physical security assessment, the red team drops USB drives labeled "Employee Bonus Structure 2025" in the target organization's parking lot. What attack technique is this, and what is it designed to test?

  • A) Network pivoting — the USB drives contain network scanning tools
  • B) USB baiting — it tests whether employees will insert unknown USB devices into corporate systems, bypassing physical and endpoint security controls
  • C) Data exfiltration — the USB drives are designed to steal files
  • D) Supply chain attack — the USB drives impersonate legitimate vendor hardware
Answer

B — USB baiting — it tests whether employees will insert unknown USB devices into corporate systems, bypassing physical and endpoint security controls

USB baiting exploits human curiosity by labeling drives with enticing content descriptions. When inserted, the drives can execute malicious payloads (HID attacks using Rubber Ducky devices, autorun malware, or simply callback beacons). This technique tests the organization's security awareness training effectiveness, endpoint USB device control policies, and incident reporting culture. Labels are designed to trigger curiosity or urgency.


11. What legal consideration must red teams be aware of when conducting social engineering assessments that involve impersonating law enforcement or government officials?

  • A) It is always legal if authorized in the RoE
  • B) Impersonating law enforcement or government officials is a criminal offense in most jurisdictions regardless of RoE authorization; these pretexts must be explicitly avoided unless specific legal counsel has confirmed permissibility
  • C) It is legal as long as the impersonation occurs over the phone and not in person
  • D) It is legal if the red team informs the target they are being tested within 24 hours
Answer

B — Impersonating law enforcement or government officials is a criminal offense in most jurisdictions regardless of RoE authorization; these pretexts must be explicitly avoided unless specific legal counsel has confirmed permissibility

Social engineering RoE must respect legal boundaries that cannot be waived by the client. Impersonating police officers, federal agents, health inspectors, or other government officials is a criminal offense (e.g., 18 U.S.C. Section 912 in the US). Professional red teams maintain a list of prohibited pretexts and consult legal counsel when engagements require boundary-testing social engineering scenarios.


12. What is the difference between a "drop box" and a "rogue access point" in physical red team operations?

  • A) They are the same device with different names
  • B) A drop box is a small covert network implant (e.g., Raspberry Pi with remote access) physically installed on the target network; a rogue access point is a wireless AP deployed to capture credentials or provide remote wireless access to the network
  • C) A drop box collects physical documents; a rogue access point jams wireless signals
  • D) A drop box is installed in the server room; a rogue access point is installed in the parking lot
Answer

B — A drop box is a small covert network implant (e.g., Raspberry Pi with remote access) physically installed on the target network; a rogue access point is a wireless AP deployed to capture credentials or provide remote wireless access to the network

Drop boxes are small computing devices (Raspberry Pi, LAN Turtle, Shark Jack) that a physical penetration tester installs on the internal network to provide persistent remote access. Rogue access points (Evil Twin APs) impersonate legitimate wireless networks to capture WPA handshakes or create captive portals harvesting credentials. Both require physical access to deploy and must be removed during the engagement cleanup phase.


13. A security awareness program includes a phishing simulation where an employee reports the simulated phish to the security team. What is the most effective response to reinforce positive security behavior?

  • A) No response is necessary — the simulation was just a test
  • B) Immediately acknowledge and thank the employee for reporting, provide positive feedback, and use the report as a teaching moment to reinforce the organization's phishing reporting culture
  • C) Inform the employee they failed the test because they opened the email
  • D) Share the employee's name with their manager for recognition during performance review
Answer

B — Immediately acknowledge and thank the employee for reporting, provide positive feedback, and use the report as a teaching moment to reinforce the organization's phishing reporting culture

Positive reinforcement for correct reporting behavior is the most effective way to build a strong security culture. Employees who report phishing attempts should receive immediate acknowledgment, thanks, and possibly recognition through gamification programs. Punitive responses (shaming, negative consequences for clicking) discourage reporting and create a culture of fear rather than security engagement.


14. What is "smishing," and what makes it potentially more effective than email-based phishing?

  • A) Phishing via social media direct messages
  • B) SMS-based phishing that exploits the higher trust users place in text messages, the limited URL preview capability of SMS clients, and the tendency to read and respond to texts more quickly than emails
  • C) Phishing that uses encrypted messaging apps
  • D) Voice phishing conducted via smartphone
Answer

B — SMS-based phishing that exploits the higher trust users place in text messages, the limited URL preview capability of SMS clients, and the tendency to read and respond to texts more quickly than emails

Smishing (SMS phishing) leverages several advantages over email phishing: users generally trust SMS more than email, SMS clients provide minimal URL previews and metadata, phone screens show limited content encouraging hasty clicks, SMS bypasses email security controls entirely, and people tend to respond to texts more quickly and with less scrutiny. Smishing is increasingly used in MFA bypass attacks and credential harvesting.


15. An organization wants to measure the effectiveness of its physical security controls after a red team assessment. Which metric would best indicate improvement?

  • A) The total number of security cameras installed
  • B) The rate at which employees challenge unrecognized individuals, report tailgating attempts, and refuse to hold doors for unbadged visitors — measured through repeat physical testing
  • C) The annual budget allocated to physical security
  • D) The number of badge readers installed per floor
Answer

B — The rate at which employees challenge unrecognized individuals, report tailgating attempts, and refuse to hold doors for unbadged visitors — measured through repeat physical testing

Technology alone (cameras, badge readers) does not measure security effectiveness. The true measure is human behavior — do employees actively challenge strangers, enforce badge policies, report suspicious activity, and follow physical security procedures? Repeat testing with metrics comparison (challenge rate, report rate, successful entry rate) across assessments provides empirical evidence of security culture improvement.


Scoring

Score    Performance
14–15    Expert — Physical security and social engineering concepts fully internalized
11–13    Proficient — Ready to conduct physical and social engineering assessments
8–10     Developing — Review Chapter 47 pretexting, legal framework, and awareness sections
<8       Foundational — Re-read Chapter 47 before proceeding