CompTIA Network+ Practice Test for Subdomain 4.1 #02

Welcome to today’s CompTIA Network+ practice test!

This practice test uses our new UI!

Today’s practice test is based on Subdomain 4.1 (Explain the importance of basic network security concepts) from the CompTIA Network+ N10-009 objectives.

This beginner-level practice test is inspired by the CompTIA Network+ (N10-009) exam and is designed to help you reinforce key networking concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Network+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Network+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To choose CompTIA Network+ practice tests based on specific domains/subdomains, click that link.

CompTIA Network+ Practice Test for Subdomain 4.1 #02

10 questions • Single best answer

Question 1

A junior security analyst reviewing access logs at a retail organization notices that a cashier workstation authenticated to a shared network resource using credentials that belonged to a manager who was on vacation. The analyst suspects the credentials were stolen. The security team wants to implement an additional authentication control so that even if a password is compromised, an attacker cannot authenticate without a second factor. Which authentication enhancement addresses this requirement?

A. Role-based access control (RBAC), which limits the resources each user can access based on their assigned job role B. Multifactor authentication (MFA), which requires a user to provide two or more verification factors before access is granted C. Single sign-on (SSO), which allows a user to authenticate once and access multiple resources without re-entering credentials D. Geofencing, which restricts authentication attempts to requests originating from within a defined geographic boundary

Question 2

A network security engineer is configuring access policies for a new enterprise application. The security policy requires that each user account should only be granted the permissions necessary to perform their specific job duties, and no additional rights should be assigned. A database administrator should be able to manage the database but should not have access to the HR module. Which security principle is being applied?

A. Multifactor authentication, which verifies identity using multiple credentials before granting access to any system resource B. Geofencing, which restricts user access to systems based on the physical location from which the connection originates C. Least privilege, which limits each user account to only the permissions required for their defined job function D. Single sign-on, which authenticates a user once and provides access to all permitted systems through a single session token

Question 3

A security architect at a healthcare organization is designing the network segmentation strategy. The architect wants to isolate IoT medical devices such as infusion pumps and patient monitoring systems from workstations and servers on the corporate network. The goal is to prevent a compromised medical device from being used as a pivot point to reach the electronic health record (EHR) servers. Which concept directly describes this segmentation objective?

A. Screened subnet, which places publicly accessible servers in a perimeter zone between the external firewall and the internal network B. Network segmentation enforcement for IoT and IIoT devices, which isolates operational technology and connected devices onto separate network segments away from corporate IT systems C. Role-based access control, which assigns network access permissions to user accounts based on their job function within the organization D. PKI certificate management, which requires all IoT devices to present a valid digital certificate before establishing network connections

Question 4

A network security engineer is reviewing the firewall ruleset for a corporate network. The engineer wants to implement a defense mechanism that involves deploying a network of decoy systems designed to attract and monitor attackers. The attacker believes they are interacting with real production systems, but all activity is logged and analyzed by the security team to understand attack techniques and identify threat actors. Which deception technology describes this deployment?

A. Honeypot, which is a single decoy system designed to lure attackers and record their activity without exposing real production resources B. Honeynet, which is a network of multiple decoy systems that simulate a realistic production environment to attract and analyze attacker behavior C. VLAN segmentation, which isolates attack traffic into a dedicated VLAN where it can be monitored without affecting production systems D. Screened subnet, which places decoy servers in a DMZ zone between the internet and the internal network to capture internet-facing attack traffic

Question 5

A security team at a large enterprise is evaluating whether to deploy a PKI (Public Key Infrastructure) to issue digital certificates to internal users and devices for authentication. A team member asks about self-signed certificates versus CA-issued certificates. The team member wants to understand the key operational difference in how each type is trusted by clients. Which statement correctly describes this difference?

A. Self-signed certificates provide stronger encryption than CA-issued certificates because they use a longer key generated by the issuing device itself B. CA-issued certificates are trusted automatically by clients that have the issuing CA's root certificate in their trusted certificate store, while self-signed certificates must be manually distributed and trusted on each client C. Self-signed certificates are only valid for IPv6 endpoints, while CA-issued certificates support both IPv4 and IPv6 infrastructure D. CA-issued certificates expire after 90 days by default, while self-signed certificates can be configured with unlimited validity to avoid renewal overhead

Question 6

A network architect at a government agency is designing physical security controls for a new network operations center. The architect must prevent unauthorized individuals from entering the server room by requiring both a valid badge scan and a PIN entry before the door unlocks. Which security concept does this describe?

A. Geofencing, which restricts network access to connections originating from within the physical perimeter of the building B. Multifactor authentication applied to physical access control, requiring both something the person has (badge) and something they know (PIN) C. Role-based access control enforced by the building management system, which assigns door access rights based on employee job functions D. Single sign-on applied to physical access, where a single badge credential grants access to all secured areas within the facility

Question 7

A network security engineer is reviewing the data protection requirements for a company that stores customer payment card data. The engineer identifies two distinct data protection requirements: traffic between the payment terminals and the processing server must be protected while in motion, and the database storing card numbers must be encrypted at rest. Which pair of encryption concepts applies to each requirement respectively?

A. Data at rest for payment terminal traffic and data in transit for the database storage encryption B. Data in transit for payment terminal traffic encryption and data at rest for database encryption C. PKI for payment terminal traffic and community strings for database encryption D. Geofencing for payment terminal traffic protection and MFA for database encryption

Question 8

A security manager at a financial institution is implementing compliance controls required by PCI DSS for their cardholder data environment. The manager needs to ensure that card processing systems are isolated from the rest of the corporate network, that access to cardholder data systems is logged and audited, and that network access controls restrict which systems can communicate with the card processing zone. Which compliance framework and associated control principle is the manager applying?

A. GDPR, which regulates the processing and storage of personal data for residents of the European Union and requires data portability B. PCI DSS, which mandates network segmentation of the cardholder data environment, access logging, and enforced access controls for systems handling payment card data C. HIPAA, which requires administrative, physical, and technical safeguards for protected health information stored or transmitted by healthcare entities D. SOX, which requires financial reporting controls and audit trails for publicly traded companies to prevent fraudulent financial disclosures

Question 9

A network engineer is configuring RADIUS for a new wireless network deployment at a corporate headquarters. Employees must authenticate using their Active Directory credentials before gaining wireless access, and the RADIUS server must verify those credentials against the directory service. Which IEEE standard and associated protocol pair is commonly used for this type of enterprise wireless authentication?

A. WPA2-Personal with a pre-shared key, where all users authenticate using the same shared passphrase configured on the access points B. 802.1X with RADIUS, where clients authenticate using credentials verified by the RADIUS server acting as the authentication server in the EAP framework C. LDAP over port 389 with community strings, where the access point queries the directory service directly using SNMP credentials D. TACACS+ with MAC address filtering, where the RADIUS server checks the device hardware address against an approved list before granting access

Question 10

A security analyst at a technology company is reviewing the organization's security risk register in preparation for an annual compliance audit. The analyst needs to distinguish between the organization's current vulnerabilities, the active exploits observed targeting those weaknesses, and the overall threats the organization faces. Which set of definitions correctly maps these three security concepts?

A. A vulnerability is an active attack against the network; a threat is a software flaw awaiting a patch; an exploit is the organization's overall risk exposure score B. A vulnerability is a weakness in a system or configuration; an exploit is a technique that takes advantage of a vulnerability; a threat is any potential danger that could cause harm if a vulnerability is exploited C. A vulnerability is a completed security incident; a threat is a zero-day attack in progress; an exploit is the remediation action taken to close a security gap D. A vulnerability is the likelihood of an attack; a threat is the technical method used to breach a system; an exploit is the CIA triad assessment score for a given asset

CompTIA Network+ Practice Test for Subdomain 4.1 #02

Related Posts

Leave a Comment Cancel Reply