Exam (elaborations)
CYBERARK SENTRY EXAM 2024/2025 WITH 100% ACCURATE SOLUTIONS
- Course
- Institution
CYBERARK SENTRY EXAM 2024/2025 WITH 100% ACCURATE SOLUTIONS
[Show more]
Content preview
CYBERARK SENTRY EXAM 2024/2025WITH 100% ACCURATE SOLUTIONS
Core Privileged Access Security (PAS) Components - Precise Answer ✔✔EPV + PSM +PTA
Enterprise Password Vault (EPV) = - Precise Answer ✔✔Digital Vault + PVWA + CPM
EPV - Precise Answer ✔✔Enterprise Password Vault
Enterprise Password Vault - Precise Answer ✔✔A hardened and secured digital vault used to store
privileged account information.
CPM - Precise Answer ✔✔Central Policy Manager
Central Policy Manager - Precise Answer ✔✔Performs password changes and SSH key rotations on
devices based on the policies set by Vault Administrators.
PVWA - Precise Answer ✔✔Password Vault Web Access
Password Vault Web Access - Precise Answer ✔✔The web interface used by Administrators to perform
administrative tasks and by end users to gain access to privileged account information.
PSM - Precise Answer ✔✔Privileged Session Management
Privileged Session Management - Precise Answer ✔✔Prevent cyber attacks by isolating desktops from
sensitive target machines. Creates accountability and control over privileged session access with
policies, workflows, and privileged single sign on. Delivers continuous monitoring and compliance with
session recordings with zero footprint on target machines.
,CPM and PVWA Information Exchange - Precise Answer ✔✔Do not exchange policy information directly.
Policy changes are saved to the Vault. Each component refreshes its local cache of policies via the VPN.
PVWA/CPM Port - Precise Answer ✔✔TCP/443
Possible Reasons for Multiple CPMs - Precise Answer ✔✔Isolated network segments
WAN link latency
Scalability
Eight Security Controls of CyberArk - Precise Answer ✔✔1. Isolate and harden the digital vault server
2. Use 2-factor authentication
3. Restrict access to component servers
4. Limit privileges and points of administration
5. Protect sensitive accounts and encryption keys
6. Use secure protocols
7. Monitor logs for irregularities
8. Create and periodically test a DR plan
What types of attacks does isolating the digital vault server protect against? - Precise Answer ✔✔Pass-
the-hash and golden ticket (leverage Kerberos protocol)
Principles of Isolating and Hardening the Digital Vault Server - Precise Answer ✔✔1. Not be and never
have been a member of a Windows domain
2. No third-party software
3. Network traffic is restricted to CyberArk protocols
4. Physical servers
What types of attacks does two-factor authentication protect against? - Precise Answer ✔✔Key loggers
or more advanced tools that are capable of harvesting plaintext passwords
,Principles of Restricting Access to Component Servers - Precise Answer ✔✔1. Consider installing each
one on a dedicated physical server
2. Consider installing on workgroup rather than domain joined servers
3. Do not install non-CyberArk applications on the component servers
4. Limit the accounts that can access component servers and ensure that any domain accounts used to
access CyberArk servers are unable to access domain controllers
5. Use network-based firewalls and IPsec to restrict, encrypt, and authenticate inbound administrative
traffic
6. Use the PSM and the local admin account to access component servers
7. Deploy application whitelisting and limit execution to authorized applications
Why do you limit the number of privileged accounts and the extent of their privileges? - Precise Answer
✔✔Reduces the overall privileged account attack surface.
Principles of Limiting Privileges and Points of Administration - Precise Answer ✔✔1. Reduce privileges of
CyberArk admin accounts
2. Eliminate unnecessary CyberArk admin accounts
3. CyberArk admins should not have access to all credentials
4. Require privilege elevation (Dual Control/Ticketing Integration)
5. Use the PSM to isolate and monitor CyberArk administration
6. Require 2-factor authentication for all avenues of admin access
CyberArk Internal Admin Accounts - Precise Answer ✔✔Administrator account
Master user account
Vault Encryption Keys - Precise Answer ✔✔Operator Key
Master Key
Operator Key - Precise Answer ✔✔Vault encryption key used for runtime encryption tasks
, Master Key - Precise Answer ✔✔Vault encryption key used for recovery operations
Principles of Protecting Sensitive Accounts and Encryption Keys - Precise Answer ✔✔1. Use the
Microsoft Windows Password Reset Disk utility prior to installing the vault, and store the Local Admin
account password in a physical safe on a USB drive
2. Store the Master Password separately from the Master Key and each should be assigned to different
entities within an organization
3. Store the Master Key and Password in a physical safe
4. Do not store the Operator Key on the same media as the data (use an HSM)
Principles of Using Secure Protocols - Precise Answer ✔✔1. HTTPs for the PVWA
2. LDAPs for Vault-LDAP integration and CPM Windows scans
3. RDP/TLS for connections to the PSM and from PSM to target machines
4. SSH (instead of telnet) for password management
Principles for Monitoring Logs for Irregularities - Precise Answer ✔✔1. Aggregate CyberArk logs within
your SIEM
2. Monitor and alert upon excessive authentication failures, logins to the Vault server OS, and logins as
Admin or Master
3. Consider implementing PTA
Is it ok to join the Digital Vault to an Active Directory Domain? - Precise Answer ✔✔No. It can lead to the
following: pass-the-hash attack, golden ticket attack, malicious or accidental changes in domain GPO,
attacks through open firewall ports, increased operational risk due to enablement of unnecessary
services.
Why does CyberArk prohibit the installation of anti-virus and other agents on the Digital Vault? - Precise
Answer ✔✔Vulnerability due to opened firewall ports.
Why should you store the Operator Key on the HSM? - Precise Answer ✔✔If the Server Key is stored on
the local file system of the Digital Vault, it puts the system at risk. If an attacker were to gain access to
the operating system, Server Key, and encrypted data, it would be possible for the attacker to reverse
engineer the encryption process and gain access to Digital Vault data.
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller YANCHY. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $16.49. You're not tied to anything after your purchase.
Can Stuvia be trusted?
4.6 stars on Google & Trustpilot (+1000 reviews)
81531 documents were sold in the last 30 days
Founded in 2010, the go-to place to buy study notes for 14 years now