Certified Network Security Professional Practice Exam, Exams of Technology

This certification exam is for professionals who focus on securing computer networks. It includes topics such as firewalls, encryption, VPNs, intrusion detection systems, network protocols, and threat prevention strategies. Candidates will also learn how to implement and maintain network security measures.

Typology: Exams

2025/2026

Available from 12/24/2025

shilpi-jain-1
Certified Network Security Professional
Practice Exam
**Question 1.** Which of the following best represents the confidentiality component of the
CIA triad?
A) Ensuring data is available when needed
B) Preventing unauthorized modification of data
C) Protecting data from unauthorized disclosure
D) Verifying the identity of users
Answer: C
Explanation: Confidentiality focuses on preventing unauthorized parties from accessing or
viewing sensitive information.
**Question 2.** In the Bell-LaPadula model, which rule enforces that a subject cannot read
data at a higher security level?
A) Simple security property
B) Star (*) property
C) Strong star property
D) Invocation property
Answer: A
Explanation: The Simple Security Property (no read up) prevents a subject from reading
information at a higher classification.
**Question 3.** Which risk-management step involves selecting countermeasures to reduce
identified threats?
A) Identification
B) Analysis
C) Mitigation
D) Monitoring
Answer: C
Explanation: Mitigation (or treatment) is the process of choosing and implementing controls to lower risk.
**Question 4.** In a defense-in-depth strategy, which layer typically provides protection against ARP spoofing?
A) Physical layer
B) Data link layer
C) Network layer
D) Application layer
Answer: B
Explanation: ARP operates at the Data Link layer; defenses like dynamic ARP inspection are applied there.
**Question 5.** Which OSI layer is most directly affected by a TCP SYN flood attack?
A) Physical
B) Data link
C) Network
D) Transport
Answer: D

B) Encrypts victim data and demands payment
C) Alters DNS records to redirect traffic
D) Exploits buffer overflow in web servers
Answer: B
Explanation: Ransomware encrypts files and demands a ransom for the decryption key.
**Question 9.** In the context of social engineering, “pretexting” refers to:
A) Using malware to gain access
B) Creating a false scenario to obtain information
C) Sending phishing emails with malicious links
D) Exploiting trust relationships in a network
Answer: B
Explanation: Pretexting involves fabricating a believable story to trick a target into revealing data.
**Question 10.** Which Nmap scan type sends TCP SYN packets and never completes the three-way handshake?
A) ACK scan
B) FIN scan
C) SYN (half-open) scan
D) UDP scan
Answer: C
Explanation: A SYN scan, also called a half-open scan, sends SYN packets and analyzes responses without completing the handshake.
**Question 11.** An Advanced Persistent Threat (APT) is best described as:
A) A single, short-lived attack that exploits a vulnerability
B) A long-term, targeted intrusion that remains undetected
C) A distributed denial-of-service attack using botnets
D) A malware that propagates automatically across networks
Answer: B
Explanation: APTs are sophisticated, persistent, and often stealthy attacks aimed at specific organizations.
**Question 12.** Which firewall technology examines packet payloads to enforce policies based on application commands?
A) Packet-filtering firewall
B) Stateful inspection firewall
C) Proxy (application-layer) firewall
D) Circuit-level gateway
Answer: C
Explanation: Proxy firewalls operate at the application layer and can inspect payload content for specific commands.
**Question 13.** In a routed firewall deployment, the firewall typically operates at which OSI layer?

Answer: B
Explanation: An IPS can automatically drop or reject malicious packets, whereas an IDS merely generates alerts.
**Question 16.** Which detection method is most effective against zero-day exploits?
A) Signature-based detection
B) Anomaly-based detection
C) Heuristic detection
D) Stateful inspection
Answer: B
Explanation: Anomaly-based systems detect deviations from normal behavior, making them useful for unknown (zero-day) attacks.
**Question 17.** Where is the optimal placement for a network-based IDS to monitor inbound and outbound traffic for a data center?
A) Inside each server’s NIC
B) At the edge of the ISP connection
C) Between the core switch and the firewall
D) On the management VLAN
Answer: C
Explanation: Placing the IDS between the core switch and the firewall allows visibility of both inbound and outbound traffic after routing decisions.
**Question 18.** A high false-positive rate in an IDS can lead to:
A) Increased network throughput
B) Reduced security posture due to alert fatigue
C) Lowered risk of data loss
D) Faster incident response
Answer: B
Explanation: Excessive false positives cause analysts to ignore alerts, potentially missing real threats.
**Question 19.** Which 802.1X component authenticates a supplicant (client) before network access is granted?
A) Supplicant
B) Authenticator
C) Authentication Server (RADIUS)
D) VLAN tag
Answer: C
Explanation: The RADIUS server (authentication server) validates credentials and informs the authenticator whether to allow access.
**Question 20.** In a pre-admission NAC scenario, which of the following checks is typically performed before granting network access?
A) Real-time malware scanning of the endpoint
B) Logging user activity after login
C) Encrypting all traffic with IPsec

**Question 23.** Which router hardening practice reduces the risk of unauthorized configuration changes?
A) Enabling Telnet for remote management
B) Using default “admin” credentials
C) Implementing role-based access control (RBAC)
D) Allowing unrestricted SNMP v1 access
Answer: C
Explanation: RBAC limits what each administrative account can do, preventing unauthorized changes.
**Question 24.** Which protocol provides secure, encrypted remote management of network devices?
A) Telnet
B) FTP
C) SSH
D) HTTP
Answer: C
Explanation: SSH encrypts command-line sessions, protecting credentials and configuration data.
**Question 25.** Management Plane Protection (MPP) on a switch primarily defends against:
A) Data plane flooding attacks
B) Unauthorized access to the control plane (CLI, APIs)
C) MAC address table overflow
D) Physical port tampering
Answer: B
Explanation: MPP restricts which sources can access the management interfaces of a device.
**Question 26.** Which Linux command is commonly used to audit file permissions for the principle of least privilege?
A) chmod
B) ls -l
C) ps aux
D) iptables -L
Answer: B
Explanation: ls -l lists file permissions, allowing administrators to verify that only necessary users have access.
**Question 27.** In a virtualized environment, which security concern is unique compared to physical servers?
A) Patch management
B) Hypervisor escape attacks
C) Strong passwords
D) Physical theft
Answer: B

B) Detecting anomalous traffic patterns
C) Performing deep packet inspection
D) Managing VLAN assignments
Answer: B
Explanation: NetFlow provides flow-level metadata that can be analyzed for abnormal traffic behavior.
**Question 31.** Which DLP technique blocks sensitive data from leaving the network via email?
A) Content discovery scanning
B) Data classification tagging
C) Policy-based content inspection and quarantine
D) Endpoint encryption
Answer: C
Explanation: Policy-based DLP inspects outbound email content and blocks or quarantines messages that violate rules.
**Question 32.** A password policy that requires passwords to be changed every 90 days primarily addresses which security goal?
A) Confidentiality
B) Integrity
C) Availability
D) Non-repudiation
Answer: A
Explanation: Regular password changes reduce the window of opportunity for credential compromise, protecting confidentiality.
**Question 33.** Which regulation specifically mandates protection of electronic protected health information (ePHI)?
A) GDPR
B) PCI DSS
C) HIPAA
D) SOX
Answer: C
Explanation: HIPAA (Health Insurance Portability and Accountability Act) governs the security and privacy of ePHI.
**Question 34.** In vulnerability management, the CVSS base score primarily measures:
A) Exploit availability
B) Impact on confidentiality, integrity, and availability
C) Remediation cost
D) Likelihood of detection
Answer: B
Explanation: CVSS (Common Vulnerability Scoring System) evaluates severity based on how a vulnerability affects CIA.

Answer: B
Explanation: Containment aims to prevent further spread by isolating compromised assets.
**Question 38.** Chain of custody documentation is essential for:
A) Ensuring backups are encrypted
B) Maintaining the integrity of digital evidence for legal proceedings
C) Automating incident response workflows
D) Configuring firewall rule bases
Answer: B
Explanation: Proper chain of custody proves that evidence has not been altered, supporting admissibility in court.
**Question 39.** Which cloud service model places the greatest security responsibility on the customer?
A) SaaS
B) PaaS
C) IaaS
D) FaaS
Answer: C
Explanation: In IaaS, the provider manages the underlying infrastructure, while the customer is responsible for OS, applications, and data security.
**Question 40.** A Virtual Private Cloud (VPC) in AWS primarily provides:
A) Physical isolation of hardware
B) Logical network segmentation within the cloud
C) Encrypted storage for all objects
D) Automatic compliance reporting
Answer: B
Explanation: A VPC creates an isolated virtual network, allowing users to define subnets, routing, and security controls.
**Question 41.** Which CASB function monitors data movement between on-premises applications and cloud services?
A) Identity federation
B) Data loss prevention (DLP) enforcement
C) Network intrusion detection
D. [Note: Option D omitted intentionally]
Answer: B
Explanation: CASBs often provide DLP capabilities to inspect and control data transferred to cloud platforms.
**Question 42.** In Software-Defined Networking (SDN), the control plane is separated from the data plane. Which security risk does this architecture introduce?
A) Increased latency for packet forwarding
B) Centralized controller becoming a single point of failure/target
C. [Option intentionally left blank]

**Question 46.** Which OWASP Top 10 category is directly mitigated by input validation and parameterized queries?
A. [Option omitted]
Answer: SQL Injection.
Explanation: Proper input handling prevents attackers from injecting malicious SQL commands.
**Question 47.** In a cloud environment, which security control ensures that only authorized services can communicate within a VPC?
A. [Option omitted]
Answer: Security groups (stateful virtual firewalls).
Explanation: Security groups define inbound and outbound traffic rules for instances, limiting communication to authorized sources.
**Question 48.** Which of the following best describes “Zero Trust Architecture”?
A. [Option omitted]
Answer: Never trust, always verify—every access request is authenticated, authorized, and encrypted, regardless of location.
Explanation: Zero Trust assumes breach and enforces strict identity and device verification for all traffic.
**Question 49.** Which cryptographic algorithm provides the fastest symmetric encryption for high-throughput VPN tunnels?
A. [Option omitted]
Answer: AES-256 (in GCM mode).
Explanation: AES-256 GCM offers strong security with hardware acceleration, making it ideal for fast VPN encryption.
**Question 50.** A digital certificate that has been revoked is identified using which protocol?
A. [Option omitted]
Answer: Online Certificate Status Protocol (OCSP).
Explanation: OCSP provides real-time validation of certificate revocation status.
**Question 51.** Which TLS version is considered insecure and should be disabled on web servers?
A. [Option omitted]
Answer: TLS 1.0 (and TLS 1.1).
Explanation: Older TLS versions lack modern cryptographic algorithms and are vulnerable to attacks like POODLE.
**Question 52.** Which authentication method for Wi-Fi uses certificates instead of shared passwords?
A. [Option omitted]
Answer: WPA2-Enterprise with EAP-TLS.
Explanation: EAP-TLS relies on client and server certificates, providing strong mutual authentication.