Social engineering attacks focus on coercing people to divulge passwords and other valuable information. Phishing attack involves tricking individuals into disclosing sensitive personal information through deceptive computer-based means. Phishing is a digital form of social engineering that uses authentic-lookingbut boguse-mails to request information from users or direct them to a fake website that requests valuable personal information. Shoulder surfing attack is similar to social engineering where the attacker uses direct observation techniques such as looking over someone’s shoulder to obtain passwords, PINs, and other valuable codes.
225. A cryptographic key may pass through several states between its generation and its distribution. A cryptographic key may
a. Pre-activation state
b. Destroyed state
c. Active state
d. Deactivated state
The other three choices are not risky. In the pre-activation state, the key has been generated but is not yet authorized for use. In this state the key may be used only to perform proof-of-possession or key confirmation. In the active state, a key may be used to cryptographically protect information or to cryptographically process previously protected information (for example, decrypt ciphertext or verify a digital signature) or both. When a key is active, it may be designated to protect only, process only, or both protect and process. In the deactivated state, a key’s crypto-period has expired, but it is still needed to perform cryptographic processing until it is destroyed.
Scenario-Based Questions, Answers, and Explanations
Use the following information to answer questions 1 through 7.
The ARK Company just discovered that its mail server was used for phishing by an outside attacker. To protect its reputation and reduce future impersonation attacks, the company wants to implement reasonable, cost-effective, public key infrastructure (PKI) tools.
1. Which of the following is required to accept digital certificates from multiple vendor certification authorities?
a. The application must be PKI-enabled.
b. The application must be PKI-aware.
c. The application must use X.509 Version 3.
d. The application must use PKI-vendor plug-ins.
1.c. Using the X.509 Version 3 standard helps application programs in accepting digital certificates from multiple vendor CAs, assuming that the certificates conform to a consistent Certificate Profiles. Application programs either have to be PKI-enabled, PKI-aware, or use PKI vendor plug-ins prior to the use of X.509 Version 3 standard. Version 3 is more interoperable so that an application program can accept digital certificates from multiple vendor certification authorities. Version 3 standard for digital certificates provides specific bits that can be set in a certificate to ensure that the certificate is used only for specific services such as digital signature, authentication, and encryption.
2. Which of the following provides a unique user ID for a digital certificate?
a. Username
b. User organization
c. User e-mail
d. User message digest
