Question 1
Which principle requires that personal data be kept no longer than necessary?
Integrity and confidentiality
Storage limitation
Data minimization
Accuracy
Question 2
Which one of the following database issues occurs when one transaction writes a value to the
database that overwrites a value that was needed by transactions with earlier precedence?
Dirty read
SQL injection
Lost update
Incorrect summary
Question 3
Which of the following is not a requirement for data breach notification under the Tanzanian Data
Protection Act?
Notification to affected data subjects
Notification to the media
Notification as soon as becoming aware of the breach
Notification to the Personal Data Protection Commission
Question 4
Which command launches a CLI version of Wireshark?
dumpcap
Wireshk
editcap
tshark
Question 5
Which wireless security protocol replaces the personal pre-shared key (PSK) authentication with
Simultaneous Authentication of Equals (SAE) and is therefore resistant to offline dictionary
attacks?
ZigBee
WPA3-Personal
Bluetooth
WPA2-Enterprise
Question 6
You want to capture Facebook website traffic in Wireshark. What display filter should you use that
shows all TCP packets that contain the word Facebook?
[Link]==facebook
[Link]
tcp contains facebook
display==facebook
Question 7
Which of the following Bluetooth hacking techniques does an attacker use to send messages to
users without the recipient's consent, similar to email spamming?
BlueSniffing
Bluejacking
Bluesmacking
Bluesnarfing
Question 8
Which of the following is a passive wireless packet analyser that works on Linux-based systems?
Tshark
Burp Suite
Kismet
OpenVAS
Question 9
Which of the following actions violates data protection principles?
Informing individuals about data processing activities
Encrypting personal data
Collecting more data than necessary
Ensuring data accuracy
Question 10
Which iOS jailbreaking technique patches the kernel during the device boot so that it becomes
jailbroken after each successive reboot?
Semi-tethered jailbreaking
Semi-untethered jailbreaking
Untethered jailbreaking
Tethered jailbreaking
Question 11
A POODLE attack targets what exactly?
VPN
AES
SSL
TLS
Question 12
Which display filter will show only packets for the source address of [Link]?
ip src [Link]
![Link] == [Link]
[Link] == [Link] src
[Link] == [Link]
Question 13
Which of the following Windows-based tools displays who is logged onto a computer, either locally
or remotely?
PsLoggedon
TCPView
Tokenmon
Process Monitor
Question 14
Which of the following is not a valid ground for cross-border data transfers under the Tanzanian
Personal Data Protection Act, 2022?
Adequacy decision by the Personal Data Protection Commission
Standard contractual clauses
Consent of the data subject
All options are correct
Question 15
Which of the following is NOT a lawful basis for processing personal data under the Personal Data
Protection Act, 2022 in Tanzania?
Consent
Contract
Legitimate interests
Marketing
Question 16
Which of the following is not a hazard associated with penetration testing?
Application crashes
Denial of service
None of the choices
Data corruption
Question 17
Which Nmap option would you use if you were not concerned about being detected and wanted to
perform a very fast scan?
-A
-0
-TO
-T5
Question 18
Which file is a rich target to discover the structure of a website during web-server footprinting?
[Link]
[Link]
Document root
[Link]
Question 19
You have been asked to investigate the possibility of computer fraud in the finance department of a
company. It is suspected that a staff member has been committing finance fraud by printing
cheques that have not been authorized. You have exhaustively searched all data files on a bitmap
image of the target computer, but have found no evidence. You suspect the files may not have
been saved. What should you examine next in this case?
The metadata
The recycle bin
The swapfile
The registry
Question 20
Mike and Renee would like to use an asymmetric cryptosystem to communicate with each other.
They are located in different parts of the country but have exchanged encryption keys by using
digital certificates signed by a mutually trusted certificate authority. When the certificate authority
(CA) created Renee's digital certificate, what key was contained within the body of the certificate?
Renee's private key
CA's private key
Renee's public key
CA's public key
Question 21
Which of the following commands is used to see the content of a tar ([Link]) file without
extracting it?
None of the choices
tar -xvf [Link]
tar -tvf [Link]
tar -svf [Link]
Question 22
Which of the following web vulnerabilities would an attacker be attempting to exploit if they
delivered the following input?
<!DOCTYPE blah [] >
IDOR
XXE
XSS
SQLI
Question 23
Yasmine has been asked to consider a breach and attack simulation system. What type of system
should she look for?
A system that runs incident response simulations for blue teams to test their skills
A security operations and response (SOAR) system
A ticket and change management system designed to help manage incidents
A system that combines red and blue team techniques with automation
Question 24
Which of the following is a utility used to reset passwords?
TRK
ERC
IRD
WinRT
Question 25
Which of the following options includes standards or protocols that exist in layer 6 of the OSI
model?
JPEG, ASCII, and MIDI
HTTP, FTP, and SMTP
NFS, SQL, and RPC
TCP, UDP, and TLS
Question 26
Gregory, a professional penetration tester working at Sys Security Ltd., is tasked with performing a
security test of web applications used in the company. For this purpose, Gregory uses a tool to test
for any security loopholes by hijacking a session between a client and server. This tool has a
feature of intercepting proxy that can be used to inspect and modify the traffic between the browser
and target application. This tool can also perform customized attacks and can be used to test the
randomness of session tokens. Which of the following tools is used by Gregory in the above
scenario?
Nmap
CXSAST
Wireshark
Burp Suite
Question 27
Which principle ensures that personal data is accurate and kept up to date?
Storage limitation
Accuracy
Data minimization
Integrity and confidentiality
Question 28
Which principle requires that personal data be processed in a manner that ensures appropriate
security?
Purpose limitation
Accuracy
Data minimization
Integrity and confidentiality
Question 29
Chris uses a packet sniffer to capture traffic from a TACACS+ server. What protocol should he
monitor, and what data should he expect to be readable?
TCP; all but the username and password, which are encrypted.
UDP; none: TACACS+ encrypts the full session.
UDP; all but the username and password, which are encrypted.
TCP; none: TACACS+ encrypts the full session.
Question 30
How can an organization use the MITRE ATT&CK framework to improve its cybersecurity posture?
By designing cyber threat maps
By integrating it within an application firewall framework
By mapping attackers' behaviour
By mapping attacker tactics and techniques to identify gaps in defenses
Question 31
How would you describe an attack where an attacker attempts to deliver the payload over multiple
packets over long periods of time with the purpose of defeating simple pattern matching in IDS
systems without session reconstruction? A characteristic of this attack would be a continuous
stream of small packets.
Session Hijacking
Session Fragmentation
Session Stealing
Session Splicing
Question 32
Which of the following is an XML-based, open-standard data format for exchanging authentication
and authorization data between an identity provider and a service provider?
LDAP
OAuth
KryptoKnight
SAML
Question 33
Which of the following uses a database of known attacks?
Signature file
Behavior
Anomaly
Shellcode
Question 34
Which of the following actions compromises cyber security?
Threat
Attack
Exploit
Vulnerability
Question 35
Which of the following setups should a tester choose to analyze malware behaviour?
A normal system without internet connection
A normal system with internet connection
A virtual system with network simulation for internet connection
A virtual system with internet connection
Question 36
Which one of the following testing methodologies typically works without access to source code?
White-box testing
Static testing
Dynamic testing
Code review
Question 37
Which type of virus attaches itself to EXE files, so that the resulting infected EXE file attacks other
EXE files and infects them?
Stealth virus
Memory resident virus
Parasitic virus
Boot sector virus
Question 38
Mike, a security engineer, was recently hired by BigFox Ltd. The company recently experienced
disastrous DoS attacks. The management had instructed Mike to build defensive strategies for the
company's IT infrastructure to thwart DoS/DDoS attacks. Mike deployed some countermeasures to
handle jamming and scrambling attacks. What is the countermeasure Mike applied to defend
against jamming and scrambling attacks?
Allow the transmission of all types of addressed packets at the ISP level
Implement cognitive radios in the physical layer
Allow the usage of functions such as gets and strcpy
Disable TCP SYN cookie protection
Question 39
Which Metasploit Framework tool can help a penetration tester evade anti-virus systems?
msfpayload
msfd
msfencode
msfcli
Question 40
Which one of the following is not an effective control against SQL injection attacks?
Parameterization
Escaping
Limiting database permissions
Client-side input validation
Question 41
Which of the following tools is used to detect wireless LANs using the 802.11a/b/g/n WLAN
standards on a Linux platform?
Kismet
Netstumbler
Nessus
Abel
Question 42
Kayla recently completed a thorough risk analysis and mitigation review of the software developed
by her team and identified three persistent issues:
i. Cross-site scripting
ii. SQL injection
iii. Buffer overflows
What is the most significant deficiency in her team's work identified by these issues?
Source code design issues
Lack of API security
Improper error handling
Improper or missing input validation
Question 43
Which of the following best describes "data anonymization"?
Encrypting personal data
Storing data on a secure server
Deleting all personal data
Removing personally identifiable information to prevent identification of data subjects
Question 44
Which of the following is a key aspect of data integrity?
Limiting data access to authorized users
Data encryption
Regular data backups
Ensuring data is accurate and complete
Question 45
You are a Network Security Officer. You have two machines. The first machine ([Link]) has
Snort installed, and the second machine ([Link]) has Kiwi Syslog installed.
You perform a SYN scan in your network, and you notice that Kiwi Syslog is not receiving the alert
messages from Snort. You decide to run Wireshark on the Snort machine to check whether the messages
are going to the Kiwi Syslog machine. What Wireshark filter will show the connections from the
Snort machine to the Kiwi Syslog machine?
[Link] == 514 && [Link] == [Link]
[Link] == 514 && [Link] == 192.168.150
[Link] == 514 && [Link] == [Link]
[Link] == 514 && [Link] == [Link]
Question 46
Which of the following is a scripting language?
CGI
[Link]
Java
ActiveX
Question 47
Consider the following code:
URL: [Link] [Link]/[Link]?
text=
If an attacker can trick a victim user into clicking a link like this, and the Web application does not
validate input, then the victim's browser will pop up an alert showing the user's current set of
cookies. An attacker can do much more damage, including stealing passwords, resetting your home
page, or redirecting the user to another Web site. What is the countermeasure against XSS scripting?
Connect to the server using HTTPS protocol instead of HTTP
Create an IP access list and restrict connections based on port number
Disable Javascript in IE and Firefox browsers
Replace "<" and ">" characters with "&lt;" and "&gt;" using server scripts
Question 48
Which of the following tactics uses malicious code to redirect users' web traffic?
Phishing
Spimming
Pharming
Spear-phishing
Question 49
You work as an IT security auditor hired by a law firm in Boston to test whether you can gain
access to sensitive information about the company's clients. You have rummaged through their trash
and found very little information. You do not want to set off any alarms on their network, so you
plan on performing passive footprinting against their Web servers. What tool should you use?
Ping sweep
Dig
Netcraft
Nmap
Question 50
Which of the following is NOT a purpose of a Data Protection Impact Assessment (DPIA)?
Identifying data protection risks
Identifying measures to mitigate data protection risks
Preventing any form of data processing
Assessing the necessity and proportionality of data processing