nerdexam
EC-Council

312-50V11 · Question #40

An IT employee got a call from one of our best customers. The caller wanted to know about the company's network infrastructure, systems, and team. New opportunities of integration are in sight for bot

The correct answer is D. The employee should not provide any information without previous management authorization.. Employees must never share network infrastructure, system, or personnel details with any caller without explicit management authorization, because unsolicited requests for sensitive information are a classic social engineering pretext.

Social Engineering

Question

An IT employee got a call from one of our best customers. The caller wanted to know about the company's network infrastructure, systems, and team. New opportunities of integration are in sight for both company and customer. What should this employee do?

Options

  • AThe employees cannot provide any information; but, anyway, he/she will provide the name of the
  • BSince the company's policy is all about Customer Service, he/she will provide information.
  • CDisregarding the call, the employee should hang up.
  • DThe employee should not provide any information without previous management authorization.

How the community answered

(22 responses)
  • C
    5% (1)
  • D
    95% (21)

Why each option

Employees must never share network infrastructure, system, or personnel details with any caller without explicit management authorization, because unsolicited requests for sensitive information are a classic social engineering pretext.

AThe employees cannot provide any information; but, anyway, he/she will provide the name of the

Providing even a partial detail such as a team member's name without authorization still constitutes an unauthorized disclosure that can enable further targeted attacks.

BSince the company's policy is all about Customer Service, he/she will provide information.

A customer service culture or policy does not supersede the organization's information security policy, and customer relationships do not justify sharing sensitive infrastructure details without authorization.

CDisregarding the call, the employee should hang up.

Hanging up without explanation ignores proper security procedure, which requires politely declining the request and directing the caller through verified, authorized channels rather than simply disconnecting.

DThe employee should not provide any information without previous management authorization.Correct

Providing sensitive organizational or technical information without management authorization violates the principle of least disclosure, regardless of how legitimate or familiar the caller appears. This scenario is a textbook social engineering scenario where an attacker poses as a trusted customer to gather reconnaissance data. Proper protocol requires verifying the request through official channels and obtaining explicit management sign-off before any sensitive details are shared.

Concept tested: Social engineering awareness and information disclosure policy

Source: https://csrc.nist.gov/publications/detail/sp/800-50/final

Topics

#social engineering#vishing#information disclosure#pretexting

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice