Exam PT0-002
Question 256

A penetration tester calls an IT employee and pretends to be the financial director of the company. The penetration tester asks the IT employee to reset the financial director's email password. The penetration tester claims to be at an ongoing, off-site meeting with some investors and needs a presentation file quickly downloaded from the director's mailbox. Which of the following techniques is the penetration tester trying to utilize? (Choose two.)

    Correct Answer: C, E

    In this scenario, the penetration tester is using two key techniques. First, they are pretending to be the financial director, leveraging the authority of that high-ranking position to influence the IT employee's actions. This is a clear example of using the Authority technique. Second, the penetration tester creates a sense of urgency by claiming to need the password reset quickly for an ongoing, off-site meeting with investors. This urgency makes the IT employee more likely to act hastily without proper verification. Therefore, the correct techniques are Authority and Urgency.

Discussion
cy_analyst (Options: CE)

The penetration tester is trying to utilize the following two techniques:
C. Authority - The penetration tester is pretending to be the financial director of the company, and is using the authority associated with that role to convince the IT employee to reset the email password.
E. Urgency - The penetration tester is claiming to be in an ongoing, off-site meeting with investors, and needs the presentation file downloaded quickly. This creates a sense of urgency and pressure on the IT employee to act quickly, without taking the necessary precautions.

POWNED (Options: CE)

Authority and Urgency

solutionz (Options: CE)

C. Authority: By pretending to be the financial director of the company, the penetration tester is attempting to leverage the perceived authority of that position to influence the IT employee's actions.
E. Urgency: By claiming to be at an off-site meeting with investors and needing the presentation file quickly, the penetration tester is creating a sense of urgency that can cause the IT employee to act hastily without following proper verification protocols.

Etc_Shadow28000 (Options: CE)

Not B. Intimidation: Intimidation involves using threats or force to compel someone to take action. The penetration tester in this scenario does not threaten or intimidate the IT employee; instead, they rely on the guise of authority and urgency.

Etc_Shadow28000 (Options: CE)

C. Authority: The penetration tester is pretending to be the financial director, a high-ranking official within the company. By doing so, they are leveraging the perceived authority of that position to influence the IT employee's actions.
E. Urgency: The penetration tester creates a sense of urgency by claiming to need the password reset quickly for an ongoing, off-site meeting with investors. This pressure makes the IT employee more likely to comply without thoroughly verifying the request.
Why not B:
B. Intimidation: Intimidation involves using threats or force to compel someone to take action. The penetration tester in this scenario does not threaten or intimidate the IT employee; instead, they rely on the guise of authority and urgency.

AaronS1990 (Options: CE)

Another awful answer. It's definitely Urgency. Then it's a question of whether Authority or Familiarity... anyone have any thoughts?

POWNED

"pretends to be the financial director of the company" on a call. If the IT tech was familiar with the director's voice, then the social engineering attempt could fail. Due to this, the best option is Authority.