CIW Web Security Associate Exam, Exams of Technology

A mid-level certification focused on foundational web and network security knowledge. Covers firewalls, authentication, encryption, VPNs, security protocols, hacker tactics, web attacks (XSS, SQL injection), and basic security policy implementation. Ideal for IT professionals, help desk technicians, and web administrators entering the cybersecurity field.

Typology: Exams
2024/2025
Available from 07/23/2025
BookVenture

CIW Web Security Associate Exam
Question 1. Which principle is primarily focused on ensuring that only authorized users can access
specific data or resources?
A) Confidentiality
B) Integrity
C) Availability
D) Authentication
Answer: A
Explanation: Confidentiality ensures that data is accessible only to authorized users, preventing
unauthorized access and disclosure.
Question 2. Which component of the CIA triad involves maintaining data accuracy and preventing
unauthorized data modification?
A) Confidentiality
B) Integrity
C) Availability
D) Authentication
Answer: B
Explanation: Integrity involves safeguarding data accuracy and consistency, ensuring that data is not
altered improperly.
Question 3. Which concept verifies the identity of a user or system before granting access?
A) Authorization
B) Authentication
C) Accounting
D) Non-repudiation
Answer: B
Explanation: Authentication is the process of confirming the identity of a user or system attempting to
access resources.
Question 4. What does non-repudiation primarily ensure in a security context?

A) That data remains confidential
B) That a user cannot deny performing an action
C) That data is available when needed
D) That data is encrypted during transmission
Answer: B
Explanation: Non-repudiation provides proof that a specific action was performed by a particular user, so the user cannot later deny involvement. It is typically achieved with digital signatures backed by tamper-resistant audit logs.
Question 5. Which of the following is a common security threat where an attacker exploits vulnerabilities to cause harm?
A) Risk
B) Exploit
C) Policy
D) Baseline
Answer: B
Explanation: An exploit is code or a technique that leverages a vulnerability to carry out malicious activity. Risk is the likelihood and impact of that happening, and a baseline is a reference configuration, so neither is itself a threat.
Question 6. Which type of security control is exemplified by the use of firewalls and encryption?
A) Physical controls
B) Administrative controls
C) Technical controls
D) Deterrent controls
Answer: C
Explanation: Technical (logical) controls are technology-based measures such as firewalls, encryption, and access control lists that protect systems.
Question 7. Which security control category includes policies, training, and background checks?
A) Technical controls
B) Administrative controls
C) Physical controls

Question 11. Which device is primarily responsible for routing traffic between different networks?
A) Switch
B) Router
C) Hub
D) Bridge
Answer: B
Explanation: Routers forward packets between different networks at the network layer (layer 3), choosing the next hop from the destination IP address. Switches, hubs, and bridges operate within a single network.
Question 12. Which type of firewall inspects traffic at the application layer?
A) Packet-filtering firewall
B) Stateful inspection firewall
C) Application-layer firewall
D) Network address translation (NAT) firewall
Answer: C
Explanation: Application-layer firewalls (including proxies and web application firewalls) parse the application protocol itself, for example individual HTTP requests, so they can apply far more granular rules than header-based packet filtering.
Question 13. What is the primary purpose of an IDS?
A) To prevent intrusions
B) To detect suspicious activities
C) To encrypt network traffic
D) To authenticate users
Answer: B
Explanation: An Intrusion Detection System (IDS) monitors network or host activity and alerts on potential threats. Unlike an IPS, an IDS does not block traffic itself.
Question 14. Which detection method uses predefined signatures to identify threats?
A) Anomaly-based detection
B) Signature-based detection
C) Heuristic detection
D) Behavioral detection
Answer: B
Explanation: Signature-based detection matches traffic against patterns of known attacks. It is precise for known threats but cannot recognise an attack for which no signature exists yet.
Question 15. Which protocol is primarily used to securely browse websites?
A) HTTP
B) HTTPS
C) FTP
D) SMTP
Answer: B
Explanation: HTTPS is HTTP carried over TLS, which encrypts the traffic between browser and server and authenticates the server through its certificate.
Question 16. Which port number is commonly associated with HTTPS?
A) 80
B) 21
C) 443
D) 25
Answer: C
Explanation: TCP port 443 is the default port for HTTPS; port 80 is plain HTTP, 21 is FTP, and 25 is SMTP.
Question 17. Which attack involves overwhelming a network or service with excessive traffic?
A) Man-in-the-Middle
B) DDoS
C) ARP poisoning
D) Port scanning
Answer: B
Explanation: Distributed Denial of Service (DDoS) attacks flood a target with traffic from many sources at once, exhausting bandwidth or server resources and disrupting service.

Question 21. Which attack tricks a user into executing unwanted actions on a web application by exploiting trust?
A) CSRF
B) SSRF
C) Directory Traversal
D) Brute-force
Answer: A
Explanation: Cross-Site Request Forgery (CSRF) abuses the fact that a browser automatically attaches the victim's session cookie to requests, so a request forged by another site is executed with the victim's authenticated session. SSRF, by contrast, tricks the server into making requests.
Question 22. Which practice enhances security by limiting user permissions to only what is necessary?
A) Full privilege assignment
B) Principle of Least Privilege
C) Role-based access control
D) Both B and C
Answer: D
Explanation: Least privilege is the principle that an account receives only the permissions its task requires; role-based access control is a common way of implementing it by granting permissions to roles rather than to individuals. The exam accepts both, though least privilege is the strict answer to the question as worded.
Question 23. Which secure coding practice involves validating user input to prevent malicious data from affecting systems?
A) Output encoding
B) Input validation and sanitization
C) Error handling
D) Session management
Answer: B
Explanation: Input validation checks that user-supplied data conforms to the expected type, length, and format and rejects anything else. On its own it does not stop injection, so it is combined with parameterized queries and context-appropriate output encoding.
Question 24. Which type of web application firewall (WAF) deployment installs the WAF directly on the web server host?
A) Cloud-based deployment
B) Network-based deployment
C) Host-based deployment
D) Hybrid deployment
Answer: C
Explanation: Host-based WAFs run as software on the web server itself, which allows tightly customized rule sets and integration with the application; network-based WAFs are appliances placed inline in front of the servers, and cloud-based WAFs proxy traffic from a provider's edge.
Question 25. Which cryptographic method uses the same key for encryption and decryption?
A) Asymmetric encryption
B) Symmetric encryption
C) Hashing
D) Digital signatures
Answer: B
Explanation: Symmetric encryption (for example AES) uses a single secret key for both encrypting and decrypting data, so the key must be shared securely between the parties.
Question 26. Which algorithm is an example of asymmetric encryption?
A) AES
B) RSA
C) DES
D) MD5
Answer: B
Explanation: RSA is an asymmetric algorithm that uses a public/private key pair. AES and DES are symmetric ciphers, and MD5 is a hash function.
Question 27. Which cryptographic hash function produces a fixed-size output of 256 bits?
A) MD5
B) SHA-1
C) SHA-256
D) SHA-3
Answer: C
Explanation: SHA-256 always produces a 256-bit (32-byte) digest. MD5 produces 128 bits and SHA-1 160 bits, and both are deprecated for security use; SHA-3 is a family with several output sizes, of which SHA3-256 is one.
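The CSRF scenario behind Question 21, as an added example that is not part of the CIW material: a vulnerable handler that trusts the session cookie alone, beside a hardened handler using the synchronizer-token pattern with an Origin check as defence in depth. The application name, the `handle_transfer` functions and the session dictionary are assumptions chosen for the illustration.

```python
"""Synchronizer-token CSRF defence (added example; bank.example, the
handler names and the session dict are assumptions, not CIW material)."""
import hmac
import secrets

SITE_ORIGIN = "https://bank.example"  # assumed origin of the protected app


def issue_csrf_token(session):
    """Generate a random per-session token and keep it server-side.
    The page embeds it in a hidden form field; a cross-site attacker
    cannot read it because of the same-origin policy."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session, submitted):
    """Constant-time comparison so the check does not leak the token."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_transfer_vulnerable(session, form, headers):
    """Vulnerable handler: it relies on the session cookie only, so any
    request the victim's browser sends with that cookie is honoured."""
    if not session.get("user"):
        return 401, "not logged in"
    return 200, f"transferred {form['amount']} to {form['to']}"


def handle_transfer(session, form, headers):
    """Hardened handler: authenticated session AND a valid token AND,
    as defence in depth, an Origin/Referer that belongs to this site."""
    if not session.get("user"):
        return 401, "not logged in"
    origin = headers.get("Origin") or headers.get("Referer") or ""
    if origin and origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403, "cross-site request blocked by origin check"
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form['amount']} to {form['to']}"


def demo():
    """Constructed scenario: the victim is logged in, and a page on
    evil.example auto-submits a transfer form from the victim's browser."""
    session = {"user": "alice"}
    good_token = issue_csrf_token(session)

    legit = {"to": "bob", "amount": "50", "csrf_token": good_token}
    legit_headers = {"Origin": SITE_ORIGIN}
    forged = {"to": "attacker", "amount": "5000"}   # no token: attacker cannot read it
    forged_headers = {"Origin": "https://evil.example"}
    forged_guess = dict(forged, csrf_token=secrets.token_urlsafe(32))  # random guess

    return {
        "vulnerable_forged": handle_transfer_vulnerable(session, forged, forged_headers)[0],
        "hardened_legit": handle_transfer(session, legit, legit_headers)[0],
        "hardened_forged": handle_transfer(session, forged, forged_headers)[0],
        "hardened_guess_no_origin": handle_transfer(session, forged_guess, {})[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:26s} -> HTTP {status}")
```

The token check is the primary control; the Origin check and a `SameSite=Lax` or `Strict` attribute on the session cookie are additional layers, since older clients may omit the Origin header and a missing header must not be treated as proof of a same-site request.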

Question 31. Which VPN mode encapsulates the entire IP packet and encrypts it?
A) Transport mode
B) Tunnel mode
C) Session mode
D) Packet mode
Answer: B
Explanation: IPsec tunnel mode wraps the whole original IP packet, header included, inside a new IP packet and encrypts it, which is why it is used for site-to-site VPNs between gateways. Transport mode protects only the payload and leaves the original header visible.
Question 32. Which operating system security measure involves disabling unnecessary services to reduce attack surface?
A) Patch management
B) OS hardening
C) User account control
D) Antivirus installation
Answer: B
Explanation: OS hardening removes or disables unused services, accounts, and features so that fewer components are exposed to attack.
Question 33. Which is a key best practice in securing web servers like Apache or Nginx?
A) Enabling directory listing
B) Disabling directory listing and limiting access
C) Allowing anonymous access by default
D) Using default configurations
Answer: B
Explanation: Disabling directory listing (`Options -Indexes` in Apache, `autoindex off` in Nginx) and restricting access to sensitive paths reduces information leakage and removes easy reconnaissance for attackers.
Question 34. Which database security measure involves using prepared statements to prevent injection attacks?
A) Data encryption
B) User authentication
C) Parameterized queries
D) Data masking
Answer: C
Explanation: Prepared statements with parameterized queries separate SQL code from data: the statement is compiled first and user-supplied values are bound as parameters, so they can never be parsed as SQL.
Question 35. Which security control type is primarily demonstrated by CCTV cameras and locks?
A) Technical controls
B) Administrative controls
C) Physical controls
D) Detective controls
Answer: C
Explanation: Physical controls are tangible barriers and monitoring such as locks, guards, and surveillance systems.
Question 36. Which security framework emphasizes the importance of protecting personal data of individuals in the EU?
A) HIPAA
B) PCI DSS
C) GDPR
D) NIST
Answer: C
Explanation: The General Data Protection Regulation (GDPR) governs the processing of personal data of individuals in the EU, regardless of where the processing organization is located.
Question 37. Which is an example of a detective security control?
A) Firewall
B) Security policy
C) Log review
D) Encryption
Answer: C
Explanation: Detective controls identify and record incidents while or after they occur; log review, intrusion detection, and audits are detective, whereas firewalls and encryption are preventive.
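Questions 23 and 34 together, as an added example that is not part of the CIW material: a lookup built by string concatenation beside the same lookup as a parameterized query, both run against a constructed in-memory SQLite table, with an input-validation check as the second layer. The `users` table, its rows, and the username policy are constructed for the demonstration.

```python
"""String-built SQL beside a parameterized query (added example; the table,
rows and username policy are constructed, not CIW material)."""
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")  # assumed username policy


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "$2b$12$hash_alice", "admin"),
         ("bob", "$2b$12$hash_bob", "user"),
         ("carol", "$2b$12$hash_carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: the input is concatenated into the SQL text, so a quote
    character in the input changes the structure of the statement."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Safe: the statement is compiled first and the value is bound as a
    parameter, so it is only ever compared as data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def username_is_valid(username):
    """Input validation as a second layer: reject anything outside the
    expected character set before it reaches the database at all."""
    return bool(USERNAME_RE.match(username))


def demo():
    conn = make_db()
    tautology = "' OR '1'='1"                                   # returns every row
    union = "' UNION SELECT password_hash, role FROM users --"  # steals the hashes
    return {
        "vuln_tautology_rows": len(find_user_vulnerable(conn, tautology)),
        "vuln_union_rows": sorted(find_user_vulnerable(conn, union)),
        "safe_tautology_rows": len(find_user_safe(conn, tautology)),
        "safe_union_rows": len(find_user_safe(conn, union)),
        "safe_normal": find_user_safe(conn, "bob"),
        "validated": [username_is_valid(u) for u in ("bob", tautology)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable function returns all three accounts for the tautology and the stored password hashes for the UNION payload; the parameterized version returns nothing for either, because it searches for a user literally named `' OR '1'='1`. Validation rejects both payloads up front, but it is the parameter binding that makes the query safe even for inputs the validator has to allow.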

Question 41. Which device functions as a network device that filters incoming and outgoing traffic based on rules?
A) Router
B) Switch
C) Firewall
D) Hub
Answer: C
Explanation: Firewalls enforce a security policy by permitting or denying traffic according to configured rules.
Question 42. What is a primary benefit of using a stateful inspection firewall?
A) Inspects only packet headers
B) Tracks the state of active connections for more precise filtering
C) Operates only at the application layer
D) Blocks all inbound traffic by default
Answer: B
Explanation: A stateful firewall keeps a table of active connections, so it can allow return traffic for sessions that were initiated from inside while dropping unsolicited packets that a stateless packet filter would have to evaluate in isolation.
Question 43. Which type of attack involves inserting malicious code into a website's input fields, often leading to data theft or corruption?
A) Injection
B) Cross-Site Scripting
C) Directory Traversal
D) Brute-force
Answer: A
Explanation: Injection attacks send crafted input that an interpreter (SQL, OS shell, LDAP) executes as code because the application failed to separate data from commands.
Question 44. Which common web vulnerability allows attackers to manipulate access controls by altering URLs or parameters?
A) Insecure Deserialization
B) Broken Access Control
C) XXE
D) XSS
Answer: B
Explanation: Broken Access Control means authorization checks are missing or can be bypassed, for example by changing an object ID in the URL to reach another user's record or by requesting an admin path directly.
Question 45. Which cryptographic process ensures data integrity and authenticity through the use of digital signatures?
A) Hashing
B) Encryption
C) Digital signatures
D) Key exchange
Answer: C
Explanation: A digital signature is produced by hashing the data and signing the digest with the signer's private key; anyone holding the public key can verify both that the data is unchanged and who signed it.
Question 46. Which PKI component publishes the list of certificates that have been revoked before their expiry date?
A) CA
B) CRL (Certificate Revocation List)
C) RA
D) Certificate store
Answer: B
Explanation: The CA revokes a compromised or superseded certificate and publishes it in a CRL (or answers OCSP queries) so that relying parties reject it before it would otherwise expire.
Question 47. Which protocol is used to establish a secure session in TLS?
A) Handshake protocol
B) Record protocol
C) Alert protocol
D) Application protocol
Answer: A
Explanation: The TLS handshake protocol negotiates the protocol version and cipher suite, authenticates the server (and optionally the client) with certificates, and derives the session keys; the record protocol then protects the application data with those keys.
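Questions 26, 27 and 45 together, as an added example that is not part of the CIW material: hash-then-sign with textbook RSA, so the public/private key relationship and the tamper check are visible, plus a helper that reports the digest sizes the hash question compares. The key generator, the seed, and the message are assumptions for the illustration; textbook RSA with no padding is shown only for clarity, and production code uses RSA-PSS or ECDSA from a vetted library with keys of 2048 bits or more.

```python
"""Hash-then-sign with textbook RSA (added example; the key generator, seed
and message are assumptions, not CIW material). No padding: for teaching
only. Real systems use RSA-PSS or ECDSA from a vetted library."""
import hashlib
import random
from math import gcd


def digest_bits(name):
    """Output size in bits of a hashlib algorithm, e.g. 'sha256' -> 256."""
    return len(hashlib.new(name, b"").digest()) * 8


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_probable_prime(cand, rng):
            return cand


def keygen(bits=512, seed=2024):
    """Return (public, private) as (e, n) and (d, n). The seed only makes the
    example reproducible; real keys come from a CSPRNG, never from a seed."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi)
    return (e, p * q), (d, p * q)


def sign(message, private_key):
    """The signer hashes the message and applies the PRIVATE exponent.
    With a 512-bit modulus the 256-bit digest is always smaller than n."""
    d, n = private_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, d, n)


def verify(message, signature, public_key):
    """Anyone holding the PUBLIC key recovers the digest and compares it
    with a fresh hash of the message; any change to the message fails."""
    e, n = public_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == h


def demo():
    public, private = keygen()
    msg = b"transfer 100 to bob"  # constructed message
    sig = sign(msg, private)
    return {
        "valid": verify(msg, sig, public),
        "tampered": verify(b"transfer 1000 to bob", sig, public),
        "sha256_bits": digest_bits("sha256"),
        "md5_bits": digest_bits("md5"),
    }


if __name__ == "__main__":
    print(demo())
```

The signature verifies with the public key alone, which is what gives non-repudiation: only the holder of the private key could have produced it. Changing a single byte of the message changes the digest, so verification fails, which is the integrity property.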

A) Brute-force attack
B) Dictionary attack
C) Phishing
D) Man-in-the-Middle
Answer: A
Explanation: Brute-force attacks systematically try every possible password combination; a dictionary attack tries only a list of likely candidates.
Question 52. Which security principle recommends minimizing the attack surface by disabling unnecessary services?
A) Defense in depth
B) Principle of least privilege
C) OS hardening
D) Segmentation
Answer: C
Explanation: OS hardening disables unused services and features so that fewer components are exposed to attack.
Question 53. Which type of network device connects multiple LAN segments at the data link layer?
A) Switch
B) Router
C) Bridge
D) Hub
Answer: C
Explanation: Bridges operate at the data link layer (layer 2) and forward frames between LAN segments by MAC address. A switch is effectively a multi-port bridge, but the exam's intended answer is bridge; a hub is a layer 1 repeater and a router works at layer 3.
Question 54. Which security control type involves the implementation of surveillance cameras and access cards?
A) Technical controls
B) Administrative controls
C) Physical controls
D) Detective controls
Answer: C
Explanation: Physical controls are tangible measures such as locks, badge readers, and surveillance cameras.
Question 55. Which regulatory framework focuses on protecting health information in the United States?
A) GDPR
B) PCI DSS
C) HIPAA
D) NIST
Answer: C
Explanation: HIPAA (Health Insurance Portability and Accountability Act) governs the privacy and security of protected health information in the United States.
Question 56. Which security control category includes employee background checks?
A) Technical controls
B) Administrative controls
C) Physical controls
D) Detective controls
Answer: B
Explanation: Background checks are an administrative (personnel security) control.
Question 57. Which intrusion detection method analyzes network traffic for deviations from normal behavior?
A) Signature-based detection
B) Anomaly-based detection
C) Heuristic detection
D) Signature matching
Answer: B
Explanation: Anomaly-based detection first learns a baseline of normal activity and then flags traffic that deviates from it. It can catch attacks with no known signature, at the cost of more false positives when the baseline is not representative.
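Questions 14 and 57 together, as an added example that is not part of the CIW material: a signature-based detector and an anomaly-based detector run over the same constructed web server access-log lines. The log format, the IP addresses, the rule set, and the scanner behaviour are all constructed for the illustration.

```python
"""Signature-based and anomaly-based detection over constructed access-log
lines (added example; the log lines, addresses and rules are made up, not
CIW material)."""
import re
import statistics
from collections import Counter
from urllib.parse import unquote

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Signature rules: known-bad patterns, matched after URL-decoding so that
# encoded payloads such as %2F or %27 cannot slip past them.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sql_injection": re.compile(r"(?i)union\s+select|'\s*or\s+'1'='1"),
    "xss": re.compile(r"(?i)<script"),
}


def parse(line):
    """Parse one Common Log Format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    return {"ip": ip, "time": ts, "method": method,
            "path": unquote(path), "status": int(status)}


def signature_hits(lines):
    """Return (ip, rule, decoded path) for every request matching a rule."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        for name, rx in SIGNATURES.items():
            if rx.search(rec["path"]):
                hits.append((rec["ip"], name, rec["path"]))
    return hits


def learn_baseline(lines):
    """Anomaly detection step 1: learn 'normal' from a known-good window as
    the mean and standard deviation of requests per client."""
    counts = Counter(rec["ip"] for rec in filter(None, map(parse, lines)))
    values = list(counts.values())
    return statistics.mean(values), statistics.stdev(values)


def anomalous_ips(lines, baseline, k=3.0):
    """Step 2: flag clients whose request volume is more than k standard
    deviations above the learned mean. This catches noisy behaviour that no
    signature describes (scanners, credential stuffing)."""
    mean, stdev = baseline
    counts = Counter(rec["ip"] for rec in filter(None, map(parse, lines)))
    return {ip: n for ip, n in counts.items() if n > mean + k * stdev}


def make_line(ip, path, status=200):
    return f'{ip} - - [10/Mar/2025:12:00:00 +0000] "GET {path} HTTP/1.1" {status} 512'


# Constructed known-good window: five clients, a handful of requests each.
NORMAL = ([make_line("10.0.0.1", "/")] * 3 + [make_line("10.0.0.2", "/login")] * 4
          + [make_line("10.0.0.3", "/products")] * 3 + [make_line("10.0.0.4", "/cart")] * 5
          + [make_line("10.0.0.5", "/about")] * 4)

# Constructed observation window: the same clients plus one scanner that
# sends two recognisable payloads and 38 otherwise unremarkable probes.
SCANNER = "203.0.113.7"
OBSERVED = NORMAL + [
    make_line(SCANNER, "/search?q=%27%20UNION%20SELECT%20password_hash%20FROM%20users--", 500),
    make_line(SCANNER, "/static/..%2F..%2F..%2Fetc/passwd", 404),
] + [make_line(SCANNER, f"/admin/page{i}", 404) for i in range(38)]


def demo():
    hits = signature_hits(OBSERVED)
    flagged = anomalous_ips(OBSERVED, learn_baseline(NORMAL))
    return {"signature_rules": sorted(rule for _, rule, _ in hits),
            "signature_ips": {ip for ip, _, _ in hits},
            "anomalous": flagged}


if __name__ == "__main__":
    print(demo())
```

The signature detector reports exactly the two requests whose decoded paths match a rule and says nothing about the other 38 probes; the anomaly detector flags the scanner purely on volume without knowing what any request contains. Each method covers the other's blind spot, which is why production IDS deployments combine them.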

C) IMAP without encryption
D) FTP
Answer: B
Explanation: POP3 over SSL/TLS (POP3S, port 995) encrypts mail retrieval so credentials and messages are not exposed on the network.
Question 62. Which operating system security feature involves scanning for malware and suspicious activity?
A) Patch management
B) Antivirus and anti-malware solutions
C) User permissions
D) Data encryption
Answer: B
Explanation: Antivirus and anti-malware solutions detect, quarantine, and remove malicious software.
Question 63. Which security control involves training employees to recognize phishing attempts?
A) Technical controls
B) Administrative controls
C) Physical controls
D) Detective controls
Answer: B
Explanation: Security awareness training is an administrative control that promotes secure behavior.
Question 64. Which type of attack involves tricking a user into revealing sensitive information via fake websites or emails?
A) Phishing
B) Man-in-the-Middle
C) Cross-Site Scripting
D) Directory Traversal
Answer: A
Explanation: Phishing uses deceptive messages and look-alike sites to lure users into disclosing credentials or other sensitive data.
Question 65. Which cryptographic process involves converting plaintext into ciphertext?
A) Encryption
B) Decryption
C) Hashing
D) Signing
Answer: A
Explanation: Encryption transforms readable plaintext into ciphertext that is unreadable without the key, protecting confidentiality.
Question 66. Which network device can segment traffic and reduce collision domains within a LAN?
A) Hub
B) Switch
C) Router
D) Bridge
Answer: B
Explanation: A switch gives each port its own collision domain and forwards frames only to the destination port, unlike a hub, which repeats every frame to all ports.
Question 67. Which type of attack involves listening secretly to network communications without altering data?
A) Sniffing
B) Spoofing
C) Injection
D) Brute-force
Answer: A
Explanation: Sniffing passively captures network traffic to harvest credentials or other sensitive information; because nothing is modified, it is hard to detect and is best countered by encrypting traffic.
Question 68. Which security principle involves implementing layered defenses to protect assets?
A) Single point of failure