CISA Certified Information Systems Auditor – Question1444

An information security policy stating that 'the display of passwords must be masked or suppressed' addresses which of the following attack methods?

A. Piggybacking
B. Dumpster diving
C. Shoulder surfing
D. Impersonation

Correct Answer: C

Explanation:
If a password is displayed on a monitor, any person nearby could look over the shoulder of the user to obtain the password. Piggybacking refers to unauthorized persons following, either physically or virtually, authorized persons into restricted areas; masking the display of passwords would not prevent someone from tailgating an authorized person. This policy refers only to 'the display of passwords.' If the policy referred to 'the display and printing of passwords,' then it would address both shoulder surfing and dumpster diving (looking through an organization's trash for valuable information). Impersonation refers to someone posing as an employee in an attempt to retrieve desired information.