nerdexam
(ISC)2

CISSP-ISSAP · Question #85

Shoulder surfing is a type of in-person attack in which the attacker gathers information about the premises of an organization. This attack is often performed by looking surreptitiously at the keyboar

The correct answer is D. Confidentiality. Confidentiality is violated because shoulder surfing allows an unauthorized party to observe private credentials - the password remains intact and the system keeps functioning, but secret information has been exposed to someone who shouldn't have it. Why the distractors are wrong

Identity and Access Management (IAM) Architecture

Question

Shoulder surfing is a type of in-person attack in which the attacker gathers information about the premises of an organization. This attack is often performed by looking surreptitiously at the keyboard of an employee's computer while he is typing in his password at any access point such as a terminal/Web site. Which of the following is violated in a shoulder surfing attack? (ISC)2 CISSP-ISSAP Exam

Options

  • AIntegrity
  • BAvailability
  • CAuthenticity
  • DConfidentiality

How the community answered

(29 responses)
  • A
    3% (1)
  • C
    3% (1)
  • D
    93% (27)

Explanation

Confidentiality is violated because shoulder surfing allows an unauthorized party to observe private credentials - the password remains intact and the system keeps functioning, but secret information has been exposed to someone who shouldn't have it.

Why the distractors are wrong:

  • A (Integrity) - Nothing is modified or corrupted; the data, system, or password itself is unchanged.
  • B (Availability) - The system remains fully accessible; no denial of service occurs.
  • C (Authenticity) - Authenticity concerns whether an identity or message is genuine; shoulder surfing doesn't forge or impersonate anything directly (though it enables a future authenticity breach).

Memory tip: Map shoulder surfing to the CIA triad by asking "What did the attacker get?" - they got a secret (a password), not a corrupted file or a downed system. Secret = Confidentiality. Any passive observation attack that harvests information without altering it will almost always target confidentiality first.

Topics

#shoulder surfing#social engineering#physical security#authentication

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSAP Practice