CISSP-ISSAP · Question #85
Shoulder surfing is a type of in-person attack in which the attacker gathers information about the premises of an organization. This attack is often performed by looking surreptitiously at the keyboar
The correct answer is D. Confidentiality. Confidentiality is violated because shoulder surfing allows an unauthorized party to observe private credentials - the password remains intact and the system keeps functioning, but secret information has been exposed to someone who shouldn't have it. Why the distractors are wrong
Question
Shoulder surfing is a type of in-person attack in which the attacker gathers information about the premises of an organization. This attack is often performed by looking surreptitiously at the keyboard of an employee's computer while he is typing in his password at any access point such as a terminal/Web site. Which of the following is violated in a shoulder surfing attack? (ISC)2 CISSP-ISSAP Exam
Options
- AIntegrity
- BAvailability
- CAuthenticity
- DConfidentiality
How the community answered
(29 responses)- A3% (1)
- C3% (1)
- D93% (27)
Explanation
Confidentiality is violated because shoulder surfing allows an unauthorized party to observe private credentials - the password remains intact and the system keeps functioning, but secret information has been exposed to someone who shouldn't have it.
Why the distractors are wrong:
- A (Integrity) - Nothing is modified or corrupted; the data, system, or password itself is unchanged.
- B (Availability) - The system remains fully accessible; no denial of service occurs.
- C (Authenticity) - Authenticity concerns whether an identity or message is genuine; shoulder surfing doesn't forge or impersonate anything directly (though it enables a future authenticity breach).
Memory tip: Map shoulder surfing to the CIA triad by asking "What did the attacker get?" - they got a secret (a password), not a corrupted file or a downed system. Secret = Confidentiality. Any passive observation attack that harvests information without altering it will almost always target confidentiality first.
Topics
Community Discussion
No community discussion yet for this question.