nerdexam
EC-Council

312-50V10 · Question #40

An IT employee got a call from one of our best customers. The caller wanted to know about the company's network infrastructure, systems, and team. New opportunities of integration are in sight for bot

The correct answer is D. The employee should not provide any information without previous management authorization.. Sensitive company information about infrastructure, systems, and personnel must never be disclosed without explicit management authorization, as unsolicited callers may be conducting social engineering attacks.

Social Engineering

Question

An IT employee got a call from one of our best customers. The caller wanted to know about the company's network infrastructure, systems, and team. New opportunities of integration are in sight for both company and customer. What should this employee do?

Options

  • AThe employees cannot provide any information; but, anyway, he/she will provide the name of the
  • BSince the company's policy is all about Customer Service, he/she will provide information.
  • CDisregarding the call, the employee should hang up.
  • DThe employee should not provide any information without previous management authorization.

How the community answered

(32 responses)
  • A
    6% (2)
  • C
    3% (1)
  • D
    91% (29)

Why each option

Sensitive company information about infrastructure, systems, and personnel must never be disclosed without explicit management authorization, as unsolicited callers may be conducting social engineering attacks.

AThe employees cannot provide any information; but, anyway, he/she will provide the name of the

Providing even one employee name without authorization can aid an attacker in targeting personnel through spear phishing or pretexting, making this response still a security risk.

BSince the company's policy is all about Customer Service, he/she will provide information.

A customer service policy cannot override information security policy; disclosing sensitive infrastructure and team details to any caller without verification and authorization creates serious risk.

CDisregarding the call, the employee should hang up.

Hanging up without explanation is unprofessional and unnecessary; the correct approach is to politely decline and seek management guidance rather than abruptly ending the call.

DThe employee should not provide any information without previous management authorization.Correct

Even a trusted customer relationship does not grant automatic access to internal network infrastructure details or staff information. Providing such data without management authorization violates security policy and could facilitate a social engineering attack or unauthorized access, so the employee must escalate for approval first.

Concept tested: Social engineering defense and information disclosure policy

Source: https://csrc.nist.gov/publications/detail/sp/800-50/final

Topics

#social engineering#information disclosure#vishing#security policy

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice