CyberArk Sentry Exam
Core Privileged Access Security (PAS) Components correct answerEPV + PSM +PTA
Enterprise Password Vault (EPV) = correct answerDigital Vault + PVWA + CPM
EPV correct answerEnterprise Password Vault
Enterprise Password Vault correct answerA hardened and secured digital vault used to store privileged account information.
CPM correct answerCentral Policy Manager
Central Policy Manager correct answerPerforms password changes and SSH key rotations on devices based on the policies set by Vault Administrators.
PVWA correct answerPassword Vault Web Access
Password Vault Web Access correct answerThe web interface used by Administrators to perform administrative tasks and by end users to gain access to privileged account information.
PSM correct answerPrivileged Session Management
Privileged Session Management correct answerPrevent cyber attacks by isolating desktops from sensitive target machines. Creates accountability and control over privileged session access with policies, workflows, and privileged single sign on. Delivers continuous monitoring and compliance with session recordings with zero footprint on target machines.
CPM and PVWA Information Exchange correct answerDo not exchange policy information directly. Policy
changes are saved to the Vault. Each component refreshes its local cache of policies via the VPN. PVWA/CPM Port correct answerTCP/443
Possible Reasons for Multiple CPMs correct answerIsolated network segments
WAN link latency
Scalability
Eight Security Controls of CyberArk correct answer1. Isolate and harden the digital vault server
2. Use 2-factor authentication 3. Restrict access to component servers
4. Limit privileges and points of administration
5. Protect sensitive accounts and encryption keys
6. Use secure protocols
7. Monitor logs for irregularities
8. Create and periodically test a DR plan
What types of attacks does isolating the digital vault server protect against? correct answerPass-the-
hash and golden ticket (leverage Kerberos protocol)
Principles of Isolating and Hardening the Digital Vault Server correct answer1. Not be and never have been a member of a Windows domain
2. No third-party software
3. Network traffic is restricted to CyberArk protocols
4. Physical servers
What types of attacks does two-factor authentication protect against? correct answerKey loggers or more advanced tools that are capable of harvesting plaintext passwords
Principles of Restricting Access to Component Servers correct answer1. Consider installing each one on a
dedicated physical server 2. Consider installing on workgroup rather than domain joined servers
3. Do not install non-CyberArk applications on the component servers
4. Limit the accounts that can access component servers and ensure that any domain accounts used to access CyberArk servers are unable to access domain controllers 5. Use network-based firewalls and IPsec to restrict, encrypt, and authenticate inbound administrative traffic
6. Use the PSM and the local admin account to access component servers
7. Deploy application whitelisting and limit execution to authorized applications
Why do you limit the number of privileged accounts and the extent of their privileges? correct answerReduces the overall privileged account attack surface.
Principles of Limiting Privileges and Points of Administration correct answer1. Reduce privileges of CyberArk admin accounts
2. Eliminate unnecessary CyberArk admin accounts
3. CyberArk admins should not have access to all credentials
4. Require privilege elevation (Dual Control/Ticketing Integration)
5. Use the PSM to isolate and monitor CyberArk administration
6. Require 2-factor authentication for all avenues of admin access
CyberArk Internal Admin Accounts correct answerAdministrator account
Master user account
Vault Encryption Keys correct answerOperator Key
Master Key
Operator Key correct answerVault encryption key used for runtime encryption tasks
Master Key correct answerVault encryption key used for recovery operations Principles of Protecting Sensitive Accounts and Encryption Keys correct answer1. Use the Microsoft Windows Password Reset Disk utility prior to installing the vault, and store the Local Admin account password in a physical safe on a USB drive
2. Store the Master Password separately from the Master Key and each should be assigned to different entities within an organization
3. Store the Master Key and Password in a physical safe
4. Do not store the Operator Key on the same media as the data (use an HSM)
Principles of Using Secure Protocols correct answer1. HTTPs for the PVWA
2. LDAPs for Vault-LDAP integration and CPM Windows scans
3. RDP/TLS for connections to the PSM and from PSM to target machines
4. SSH (instead of telnet) for password management
Principles for Monitoring Logs for Irregularities correct answer1. Aggregate CyberArk logs within your SIEM
2. Monitor and alert upon excessive authentication failures, logins to the Vault server OS, and logins as Admin or Master
3. Consider implementing PTA
Is it ok to join the Digital Vault to an Active Directory Domain? correct answerNo. It can lead to the following: pass-the-hash attack, golden ticket attack, malicious or accidental changes in domain GPO, attacks through open firewall ports, increased operational risk due to enablement of unnecessary services.
Why does CyberArk prohibit the installation of anti-virus and other agents on the Digital Vault? correct answerVulnerability due to opened firewall ports.
Why should you store the Operator Key on the HSM? correct answerIf the Server Key is stored on the local file system of the Digital Vault, it puts the system at risk. If an attacker were to gain access to the operating system, Server Key, and encrypted data, it would be possible for the attacker to reverse engineer the encryption process and gain access to Digital Vault data.
CyberArk Proprietary Protocol or VPN Port correct answerTCP1858
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller YANCHY. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $20.69. You're not tied to anything after your purchase.