If you’re planning to take the SY0-501 version of the Security+ exam, you should understand social engineering. This includes several techniques attackers use to trick users.
For example, can you answer this question?
Q. While cleaning out his desk, Bart threw several papers containing PII into the recycle bin. Which type of attack can exploit this action?
A. Vishing
B. Dumpster diving
C. Shoulder surfing
D. Tailgating
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Social engineering uses social tactics to trick users into giving up information or performing actions they wouldn’t normally take. Social engineering attacks can occur in person, over the phone, while surfing the Internet, and via email.
Impersonation
Some social engineers often attempt to impersonate others. The goal is to convince an authorized user to provide some information, or help the attacker defeat a security control.
As an example, an attacker can impersonate a repair technician to gain access to a server room or telecommunications closet. After gaining access, the attacker can install hardware such as a rogue access point to capture data and send it wirelessly to an outside collection point. Similarly, attackers impersonate legitimate organizations over the phone and try to gain information. Identity verification methods are useful to prevent the success of impersonation attacks.
Shoulder Surfing
Shoulder surfing is simply looking over the shoulder of someone to gain information. The goal is to gain unauthorized information by casual observation, and it’s likely to occur within an office environment. This can be to learn credentials, such as a username and password, or a PIN used for a smart card or debit card. Recently, attackers have been using cameras to monitor locations where users enter PINs, such as at automatic teller machines (ATMs).
A simple way to prevent shoulder surfing is to position monitors and other types of screens so that unauthorized personnel cannot see them. This includes ensuring people can’t view them by looking through a window or from reception areas.
Another method used to reduce shoulder surfing is to use a screen filter placed over the monitor. This restricts the visibility of the screen for anyone who isn’t looking directly at the monitor.
CompTIA Security+ Study Guide
The
CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide
is an update to the top-selling SY0-201, SY0-301, and SY0-401 study guides, which have helped thousands of readers pass the exam the first time they took it. It includes the same elements readers raved about in the previous three versions.
Each of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action.
You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important.

Over 300 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes:
- A 75 question pre-test
- A 75 question post-test
- Practice test questions at the end of every chapter.
Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it.
If you plan to pursue any of the advanced security certifications, this guide will also help you lay a solid foundation of security knowledge. Learn this material, and you’ll be a step ahead for other exams. This SY0-501 study guide is for any IT or security professional interested in advancing in their field, and a must-read for anyone striving to master the basics of IT security.
Kindle edition also available.
Tricking Users with Hoaxes
A hoax is a message, often circulated through email, that tells of impending doom from a virus or other security threat that simply doesn’t exist. Users may be encouraged to delete files or change their system configuration.
An older example is the teddy bear virus (jdbgmgr.exe), which was not a virus at all. Victims received an email saying this virus lies in a sleeping state for 14 days and then it will destroy the user’s system. It then told users that they can protect their system by deleting the file (which has an icon of a little bear), and provided instructions on how to do so. Users who deleted the file lost some system capability.
More serious virus hoaxes have the potential to be as damaging as a real virus. If users are convinced to delete important files, they may make their systems unusable. Additionally, they waste help-desk personnel’s time due to needless calls about the hoax or support calls if users damaged their systems in response to the hoax.

Tailgating and Mantraps
Tailgating is the practice of one person following closely behind another without showing credentials. For example, if Homer uses a badge to gain access to a secure building and Francesca follows closely behind Homer without using a badge, Francesca is tailgating.
Employees often do this as a matter of convenience and courtesy. Instead of shutting the door on the person following closely behind, they often hold the door open for the person. However, this bypasses the access control, and if employees tailgate, it’s very easy for a nonemployee to slip in behind someone else. Often, all it takes is a friendly smile from someone like Francesca to encourage Homer to keep the door open for her.
A simple mantrap can be a turnstile like those used in subways or bus stations. Imagine two men trying to go through a turnstile like this together. It’s just not likely. Security guards can check the credentials of each person, and they won’t be fooled by a smile as easily as Homer.
Security+ Practice Test Questions
SY0-501 Practice Test Questions
Over 300 realistic Security+ practice test questions
All questions include explanations so you’ll know why the correct answers are correct,
and why the incorrect answers are incorrect.
Pass the Security+ Exam
the First Time You Take It
Multiple quiz formats to let you use these questions based on the way you learn.
- Learn mode – randomized. View each of the questions in random order. Learn mode allows you to keep selecting answers until you select the correct answer. Once you select the correct answer, you’ll see the explanation. Click here to see how learn mode works.
- Learn mode – not randomized. View each of the questions in the same order. Use this if you want to make sure that you see all of the questions. Learn mode allows you to keep selecting answers until you select the correct answer. Once you select the correct answer, you’ll see the explanation. Click here to see how learn mode works.
- Test mode – randomized. View each of the questions in random order. In test mode, you can only see the correct answers and explanations after you complete the test. Click here to see how test mode works.
- Test mode – not randomized. View each of the questions in the same order. In test mode, you can only see the correct answers and explanations after you complete the test. Click here to see how test mode works.
- Test mode – 75 random questions. View 75 random questions from the full test bank similar to how the Security+ exam has a potential maximum of 75 multiple choice questions. In test mode, you can only see the correct answers and explanations after you complete the test. Click here to see how test mode works.
Get the full bank of SY0-501 Practice Test Questions Here
SY0-501 Practice Test Questions
INCLUDES QUESTIONS TO HELP YOU PREPARE
FOR THE NEW PERFORMANCE BASED QUESTIONS
Bonus – Performance Based Questions
Three sets of performance-based questions including over 30 questions. These questions show you what you can expect in the live exam. They include drag and drop, matching, sorting, and fill in the blank questions. See a
demo here.Bonus – Extra Practice Test Questions
New multiple-choice questions in the extra test bank. Questions are added occasionally. You can see what has been added recently
here.
Get the full bank of Security+ (SYO-501) Practice Test Questions Here
Get the full bank of Security+ Practice Test Questions
Click here if you’re looking for SY0-501 Full Study Package
Dumpster Diving
Dumpster diving is the practice of searching through trash or recycling containers to gain information from discarded documents. Many organizations either shred or burn paper instead of throwing it away.
For example, old copies of company directories can be valuable to attackers. They may identify the names, phone numbers, and titles of key people within the organization. Attackers may be able to use this information in a whaling attack against executives or social engineering attacks against anyone in the organization. An attacker can exploit any document that contains detailed employee or customer information, and can often find value in seemingly useless printouts and notes.
On a personal basis, preapproved credit applications or blank checks issued by credit card companies can be quite valuable to someone attempting to gain money or steal identities. Documentation with any type of Personally Identifiable Information (PII) or Protected Health Information (PHI) should be shredded or burned.
Watering Hole Attacks
A watering hole attack attempts to discover which web sites a group of people are likely to visit and then infects those web sites with malware that can infect the visitors. The attacker’s goal is to infect a web site that users trust already, making them more likely to download infected files.
As an example, an attack discovered in late 2016 initially targeted Polish banks. The attack was discovered by a single Polish bank that discovered previously unknown malware on internal computers. Symantec reported the source of the attack was servers at the Polish Financial Supervision Authority. This is a well-trusted institution by Polish bank employees, and they are likely to visit the organization’s web sites often.
This isn’t an isolated incident though. Symantec reported over 100 similar attacks located in over 30 countries.
Full Security+ Course
SY0-501 Full Security+ Course
Helping you Pass the First Time
Online access includes all of the content from the
CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide
- Introduction
- About the exam (including information on the number of questions, test duration, passing score, types of questions and more. Also includes a listing of the exam objectives)
- 75 question pre-assessment exam
- Mastering Security Basics (full content from Chapter 1 of the study guide including the exam topic review and 15 practice test questions)
- Understanding Identity and Access Management (full content from Chapter 2 of the study guide including the exam topic review and 15 practice test questions)
- Exploring Network Technologies and Tools (full content from Chapter 3 of the study guide including the exam topic review and 15 practice test questions)
- Securing Your Network (full content from Chapter 4 of the study guide including the exam topic review and 15 practice test questions)
- Securing Hosts and Data (full content from Chapter 5 of the study guide including the exam topic review and 15 practice test questions)
- Comparing Threats, Vulnerabilities, and Common Attacks (full content from Chapter 6 of the study guide including the exam topic review and 15 practice test questions)
- Protecting Against Advanced Attacks (full content from Chapter 7 of the study guide including the exam topic review and 15 practice test questions)
- Using Risk Management Tools (full content from Chapter 8 of the study guide including the exam topic review and 15 practice test questions)
- Implementing Controls to Protect Assets (full content from Chapter 9 of the study guide including the exam topic review and 15 practice test questions)
- Understanding Cryptography and PKI (full content from Chapter 10 of the study guide including the exam topic review and 15 practice test questions)
- Implementing Policies to Mitigate Risks (full content from Chapter 11 of the study guide including the exam topic review and 15 practice test questions)
- 75 question post-assessment exam
- Glossary
Get the SY0-501 Full Security+ Course Here
Test your readiness with these quality materials
Random 75-question tests
Random practice tests from the all of the practice test questions in the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. All questions include explanations so you’ll know why the correct answers are correct, and why the incorrect answers are incorrect.
3 sets Performance-based Questions
Three new sets of performance-based questions with a total of 30 questions. These new questions use a new testing engine that includes realistic drag and drop, matching, sorting, and fill in the blank questions.
Flashcard Set
- 494 Online Security+ Glossary Flashcards
- 222 Online Security+ Acronyms Flashcards
- 223 Online Security+ Remember This Slide from the popular CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide
Audio – SY0-501 Security+ Remember This Audio Files
Learn by Listening. Over one hour and 20 minutes of audio (MP3 downloads.)
Audio – SY0-501 Security+ Question and Answer Audio Files
Learn by Listening. Over two hours hour and 53 minutes of audio (MP3 downloads.)Bonus #1
Audio from the end of chapter reviews from each of the chapters in the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide

. Over one hour and 40 minutes of additional audio.
Bonus #2
Access to all of the online content that is available for free to anyone that purchases the
CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide
. This includes labs, extra practice test questions, and supplementary materials
Bonus #3
Access the study materials for a total of 60 days because sometimes life happens.Get the SY0-501 Full Security+ Course Here
Q. While cleaning out his desk, Bart threw several papers containing PII into the recycle bin. Which type of attack can exploit this action?
A. Vishing
B. Dumpster diving
C. Shoulder surfing
D. Tailgating
Answer is B. Dumpster divers look through trash or recycling containers for valuable paperwork, such as documents that include Personally Identifiable Information (PII). Instead, paperwork should be shredded or incinerated.
Vishing is a form of phishing that uses the phone.
Shoulder surfers attempt to view monitors or screens, not papers thrown into the trash or recycling containers.
Tailgating is the practice of following closely behind someone else, without using proper credentials.
See Chapter 6 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on social engineering.