CIW Web Security Professional Exam, Exams of Technology

Advanced certification focused on web and network security concepts. Topics include security principles, firewalls, VPNs, encryption, authentication, common web threats (XSS, CSRF, SQL injection), secure coding, and incident response. Designed for IT security analysts, web administrators, and developers concerned with application and data protection.

Typology: Exams

2024/2025

Available from 07/23/2025

BookVenture
CIW Web Security Professional Exam
Question 1. Which principle of information security is primarily concerned with protecting data from
unauthorized access and disclosure?
A) Integrity
B) Confidentiality
C) Availability
D) Accountability
Answer: B) Confidentiality
Explanation: Confidentiality ensures that sensitive information is accessed only by authorized
individuals, preventing unauthorized disclosure.
Question 2. In the CIA triad, which component ensures that data remains complete, unaltered, and
trustworthy?
A) Confidentiality
B) Integrity
C) Availability
D) Accountability
Answer: B) Integrity
Explanation: Integrity guarantees that data is accurate and has not been tampered with, maintaining
trustworthiness.
Question 3. Which security concept involves verifying the identity of a user or system?
A) Authentication
B) Authorization
C) Accountability
D) Non-repudiation
Answer: A) Authentication
Explanation: Authentication is the process of confirming the identity of a user or system attempting to
access resources.
Question 4. Which term describes the process of granting access rights to users based on their identity
and roles?

A) Authentication
B) Authorization
C) Accountability
D) Non-repudiation
Answer: B) Authorization
Explanation: Authorization determines what actions or resources an authenticated user is permitted to access.
Question 5. What is the main goal of accountability in information security?
A) To prevent data breaches
B) To track user actions and ensure traceability
C) To encrypt sensitive data
D) To authenticate users
Answer: B) To track user actions and ensure traceability
Explanation: Accountability involves recording user activities to hold individuals responsible for their actions.
Question 6. Which of the following best defines a threat in cybersecurity?
A) A vulnerability that can be exploited
B) A potential cause of a security breach or incident
C) A security policy
D) An authorized user
Answer: B) A potential cause of a security breach or incident
Explanation: A threat is any circumstance or event with the potential to exploit vulnerabilities and cause harm.
Question 7. Which term refers to a weakness in a system that can be exploited by a threat?
A) Threat
B) Vulnerability
C) Risk

Explanation: DoS/DDoS attacks flood systems with traffic, impairing their ability to serve legitimate users.
Question 11. Which web-specific attack exploits vulnerabilities in website input validation to execute malicious scripts?
A) SQL injection
B) Cross-site scripting (XSS)
C) CSRF
D) Session hijacking
Answer: B) Cross-site scripting (XSS)
Explanation: XSS involves injecting malicious scripts into web pages to execute in a victim's browser.
Question 12. Which of the following is a prevention technique for SQL injection attacks?
A) Disabling JavaScript
B) Using prepared statements with parameterized queries
C) Increasing server bandwidth
D) Using cookies with HttpOnly flag
Answer: B) Using prepared statements with parameterized queries
Explanation: Prepared statements prevent SQL injection by separating code from data, ensuring user inputs are treated as data.
Question 13. What is the primary difference between symmetric and asymmetric encryption?
A) Symmetric uses one key, asymmetric uses two keys
B) Symmetric is faster, asymmetric is more secure for bulk data
C) Asymmetric is only used for digital signatures
D) Symmetric encryption requires a certificate authority
Answer: A) Symmetric uses one key, asymmetric uses two keys
Explanation: Symmetric encryption employs a single key for encryption and decryption, while asymmetric uses a public-private key pair.

Question 14. Which cryptographic hash function is considered outdated and vulnerable to collision attacks?
A) SHA-256
B) MD5
C) SHA-3
D) bcrypt
Answer: B) MD5
Explanation: MD5 is vulnerable to collision attacks, making it unsuitable for security-sensitive purposes.
Question 15. Which role does a Digital Signature serve in cybersecurity?
A) Encrypts data during transmission
B) Ensures data confidentiality
C) Verifies the authenticity and integrity of a message
D) Prevents replay attacks
Answer: C) Verifies the authenticity and integrity of a message
Explanation: Digital signatures authenticate the sender and ensure that the message has not been altered.
Question 16. Which component is NOT typically part of a Public Key Infrastructure (PKI)?
A) Certificate Authority (CA)
B) Digital Certificates
C) Symmetric keys
D) Registration Authority (RA)
Answer: C) Symmetric keys
Explanation: PKI primarily involves asymmetric keys, digital certificates, and CAs; symmetric keys are not a core component.
Question 17. Which network topology is most vulnerable to a single point of failure but offers centralized control?
A) Mesh topology

C) PPTP
D) L2TP
Answer: B) IPsec
Explanation: IPsec provides secure, encrypted communications at the IP layer, suitable for site-to-site VPNs.
Question 21. Which type of intrusion detection system (IDS) uses known attack signatures to identify malicious activity?
A) Anomaly-based IDS
B) Signature-based IDS
C) Heuristic-based IDS
D) Behavior-based IDS
Answer: B) Signature-based IDS
Explanation: Signature-based IDS detects threats by comparing network activity to a database of known attack signatures.
Question 22. Which port scanning tool is most commonly used for network reconnaissance?
A) Nessus
B) Nmap
C) Wireshark
D) Metasploit
Answer: B) Nmap
Explanation: Nmap is a popular open-source tool used for port scanning and network discovery.
Question 23. Which wireless security protocol is considered the most secure for Wi-Fi networks?
A) WEP
B) WPA
C) WPA2
D) WPA3
Answer: D) WPA3

Explanation: WPA3 provides the latest and strongest security features, including improved encryption and protection against dictionary attacks.
Question 24. Which authentication method relies on a physical device, such as a smart card or token?
A) Biometric authentication
B) Token-based authentication
C) Password-based authentication
D) Certificate-based authentication
Answer: B) Token-based authentication
Explanation: Token-based authentication involves physical devices like smart cards or hardware tokens to verify identity.
Question 25. Which access control model assigns permissions based on a user's role within an organization?
A) Discretionary Access Control (DAC)
B) Role-Based Access Control (RBAC)
C) Mandatory Access Control (MAC)
D) Attribute-Based Access Control (ABAC)
Answer: B) Role-Based Access Control (RBAC)
Explanation: RBAC assigns permissions according to user roles, simplifying management and enforcing policies.
Question 26. Which protocol is commonly used for implementing Single Sign-On (SSO) between different systems?
A) LDAP
B) SAML
C) FTP
D) SNMP
Answer: B) SAML
Explanation: SAML enables secure exchange of authentication and authorization data for SSO across multiple domains.

Question 30. Which social engineering tactic involves an attacker posing as a trusted individual to manipulate victims?
A) Phishing
B) Pretexting
C) Baiting
D) Tailgating
Answer: B) Pretexting
Explanation: Pretexting involves creating a fabricated scenario to manipulate someone into revealing confidential information.
Question 31. Which law regulates the collection and processing of personal data within the European Union?
A) HIPAA
B) GDPR
C) CCPA
D) Sarbanes-Oxley Act
Answer: B) GDPR
Explanation: GDPR sets strict rules for data protection and privacy for individuals within the EU.
Question 32. Which type of attack involves redirecting users to malicious websites by exploiting unvalidated redirects?
A) Cross-site scripting
B) Man-in-the-middle
C) Open redirect attack
D) Session fixation
Answer: C) Open redirect attack
Explanation: Open redirects occur when a web application redirects users without validating URLs, potentially leading to phishing sites.
Question 33. What is a primary purpose of a Web Application Firewall (WAF)?

A) To filter network traffic based on IP addresses
B) To protect web applications by filtering and monitoring HTTP traffic
C) To encrypt web traffic end-to-end
D) To block all inbound traffic to web servers
Answer: B) To protect web applications by filtering and monitoring HTTP traffic
Explanation: WAFs analyze HTTP requests to block malicious traffic targeting web apps.
Question 34. Which security practice involves validating user input to prevent injection attacks?
A) Output encoding
B) Input validation
C) Data encryption
D) Session management
Answer: B) Input validation
Explanation: Validating user input ensures only acceptable data is processed, preventing injection vulnerabilities.
Question 35. Which security measure helps prevent session fixation attacks?
A) Using HTTPS for all sessions
B) Generating new session IDs upon user login
C) Storing session data on the client side
D) Using weak session tokens for ease of use
Answer: B) Generating new session IDs upon user login
Explanation: Regenerating session IDs after login prevents attackers from fixing sessions before authentication.
Question 36. Which type of vulnerability allows an attacker to manipulate server-side requests to internal resources?
A) Cross-site scripting
B) Server-Side Request Forgery (SSRF)
C) SQL injection

Explanation: An evil twin is a malicious access point designed to trick users into connecting, enabling eavesdropping.
Question 40. Which of the following is a common biometric authentication method?
A) Password
B) Fingerprint scan
C) Token code
D) Digital certificate
Answer: B) Fingerprint scan
Explanation: Biometric authentication uses unique physical traits, such as fingerprints, for identity verification.
Question 41. Which access control model is characterized by strict enforcement of security policies that cannot be bypassed?
A) Discretionary Access Control (DAC)
B) Role-Based Access Control (RBAC)
C) Mandatory Access Control (MAC)
D) Attribute-Based Access Control (ABAC)
Answer: C) Mandatory Access Control (MAC)
Explanation: MAC enforces policy-defined permissions that users cannot alter, often used in high-security environments.
Question 42. Which directory service protocol is commonly used to access and manage user information in a network?
A) LDAP
B) SNMP
C) RDP
D) FTP
Answer: A) LDAP
Explanation: LDAP is used for accessing and managing directory information services.

Question 43. Which technology allows users to authenticate once and access multiple systems without re-authenticating?
A) Multi-factor authentication
B) Single Sign-On (SSO)
C) Role-Based Access Control
D) Network segmentation
Answer: B) Single Sign-On (SSO)
Explanation: SSO enables a user to authenticate once and gain access to multiple integrated systems seamlessly.
Question 44. Which of the following best describes a SIEM system's primary function?
A) Encrypting data
B) Correlating and analyzing logs for security events
C) Blocking malicious traffic
D) Managing user credentials
Answer: B) Correlating and analyzing logs for security events
Explanation: SIEM systems aggregate logs from various sources, then analyze and correlate events to detect security incidents.
Question 45. Which incident response phase involves analyzing the attack to understand its nature and impact?
A) Identification
B) Containment
C) Analysis
D) Eradication
Answer: C) Analysis
Explanation: During analysis, security teams examine evidence to understand attack vectors, scope, and impact.

A) Replay attack
B) Man-in-the-middle attack
C) Phishing attack
D) SQL injection
Answer: B) Man-in-the-middle attack
Explanation: MITM attacks intercept and can modify communication, often to steal data or inject malicious content.
Question 50. Which security measure involves encrypting data in transit using protocols such as TLS?
A) Data at rest encryption
B) Network encryption
C) Endpoint security
D) Data masking
Answer: B) Network encryption
Explanation: Encrypting data in transit ensures confidentiality and integrity over networks using protocols like TLS.
Question 51. Which type of vulnerability allows users to access objects or resources beyond their authorized permissions?
A) Cross-site scripting
B) Insecure direct object references (IDOR)
C) Buffer overflow
D) SQL injection
Answer: B) Insecure direct object references (IDOR)
Explanation: IDOR occurs when applications expose internal object references without proper access controls.
Question 52. Which of the following best describes the concept of least privilege?
A) Users have access only to the resources necessary for their role
B) Users can access all resources in the network

C) Users are granted all permissions by default
D) Users can modify system configurations
Answer: A) Users have access only to the resources necessary for their role
Explanation: Least privilege limits user permissions to minimize security risks.
Question 53. What is a key benefit of implementing multi-factor authentication (MFA)?
A) Simplifies login process
B) Reduces the risk of unauthorized access even if one factor is compromised
C) Eliminates the need for passwords
D) Is only effective for physical security
Answer: B) Reduces the risk of unauthorized access even if one factor is compromised
Explanation: MFA combines multiple authentication factors, increasing security beyond single-factor methods.
Question 54. Which network device is primarily responsible for segregating network segments and implementing VLANs?
A) Router
B) Switch
C) Firewall
D) Access point
Answer: B) Switch
Explanation: Managed switches can create VLANs to segment network traffic for security and performance.
Question 55. Which security feature is used to prevent unauthorized access via remote connections?
A) VPN
B) IDS
C) Firewall
D) WAF
Answer: A) VPN

Question 59. Which biometric factor is most commonly used in authentication systems?
A) Passwords
B) Fingerprints
C) Smart cards
D) PINs
Answer: B) Fingerprints
Explanation: Fingerprints are a widely used biometric trait for user authentication due to uniqueness and ease of use.
Question 60. Which access control model is based on security labels assigned to both subjects and objects?
A) DAC
B) MAC
C) RBAC
D) ABAC
Answer: B) MAC
Explanation: Mandatory Access Control assigns labels and enforces policies that restrict access based on security classifications.
Question 61. Which protocol is commonly used in LDAP for secure communication?
A) LDAP over SSL (LDAPS)
B) RDP
C) FTP
D) SNMP
Answer: A) LDAP over SSL (LDAPS)
Explanation: LDAPS encrypts LDAP traffic to protect sensitive directory data during transmission.
Question 62. Which protocol is used in OAuth to grant third-party applications limited access to resources?

A) SAML
B) OAuth
C) OpenID Connect
D) LDAP
Answer: B) OAuth
Explanation: OAuth allows users to grant limited access to their resources without sharing credentials.
Question 63. Which component of a SIEM system is responsible for analyzing logs for security events?
A) Log collector
B) Event correlation engine
C) Data storage
D) User interface
Answer: B) Event correlation engine
Explanation: The correlation engine analyzes logs and events to identify potential security incidents.
Question 64. Which phase of incident response involves restoring systems and services to normal operation after containment and eradication?
A) Identification
B) Containment
C) Recovery
D) Post-incident review
Answer: C) Recovery
Explanation: Recovery focuses on restoring systems, data, and services to resume normal operations.
Question 65. Which backup method involves copying all data, regardless of changes?
A) Full backup
B) Differential backup
C) Incremental backup
D) Snapshot backup