Core Privileged Access Security (PAS) Components - answer-EPV + PSM + PTA
Enterprise Password Vault (EPV) = - answer-Digital Vault + PVWA + CPM
EPV - answer-Enterprise Password Vault
Enterprise Password Vault - answer-A hardened and secured digital vault used to store
privileged account information.
CPM - answer-Central Policy Manager
Central Policy Manager - answer-Performs password changes and SSH key rotations on
devices based on the policies set by Vault Administrators.
PVWA - answer-Password Vault Web Access
Password Vault Web Access - answer-The web interface used by Administrators to perform
administrative tasks and by end users to gain access to privileged account information.
PSM - answer-Privileged Session Management
Privileged Session Management - answer-Prevents cyber attacks by isolating desktops from
sensitive target machines. Creates accountability and control over privileged session access
with policies, workflows, and privileged single sign-on. Delivers continuous monitoring and
compliance with session recordings, with zero footprint on target machines.
CPM and PVWA Information Exchange - answer-Do not exchange policy information directly.
Policy changes are saved to the Vault. Each component refreshes its local cache of policies
via the VPN.
PVWA/CPM Port - answer-TCP/443
Possible Reasons for Multiple CPMs - answer-Isolated network segments
WAN link latency
Scalability
Eight Security Controls of CyberArk - answer-1. Isolate and harden the digital vault server
2. Use 2-factor authentication
3. Restrict access to component servers
4. Limit privileges and points of administration
5. Protect sensitive accounts and encryption keys
6. Use secure protocols
7. Monitor logs for irregularities
8. Create and periodically test a DR plan
What types of attacks does isolating the digital vault server protect against? - answer-Pass-the-hash and golden ticket (leverage Kerberos protocol)
Principles of Isolating and Hardening the Digital Vault Server - answer-1. Not be and never
have been a member of a Windows domain
2. No third-party software
3. Network traffic is restricted to CyberArk protocols
4. Physical servers
What types of attacks does two-factor authentication protect against? - answer-Key loggers
or more advanced tools that are capable of harvesting plaintext passwords
Principles of Restricting Access to Component Servers - answer-1. Consider installing each
one on a dedicated physical server
2. Consider installing on workgroup rather than domain joined servers
3. Do not install non-CyberArk applications on the component servers
4. Limit the accounts that can access component servers and ensure that any domain
accounts used to access CyberArk servers are unable to access domain controllers
5. Use network-based firewalls and IPsec to restrict, encrypt, and authenticate inbound
administrative traffic
6. Use the PSM and the local admin account to access component servers
7. Deploy application whitelisting and limit execution to authorized applications
Why do you limit the number of privileged accounts and the extent of their privileges? -
answer-Reduces the overall privileged account attack surface.
Principles of Limiting Privileges and Points of Administration - answer-1. Reduce privileges of
CyberArk admin accounts
2. Eliminate unnecessary CyberArk admin accounts
3. CyberArk admins should not have access to all credentials
4. Require privilege elevation (Dual Control/Ticketing Integration)
5. Use the PSM to isolate and monitor CyberArk administration
6. Require 2-factor authentication for all avenues of admin access
CyberArk Internal Admin Accounts - answer-Administrator account
Master user account
Vault Encryption Keys - answer-Operator Key
Master Key
Operator Key - answer-Vault encryption key used for runtime encryption tasks
Master Key - answer-Vault encryption key used for recovery operations
Principles of Protecting Sensitive Accounts and Encryption Keys - answer-1. Use the
Microsoft Windows Password Reset Disk utility prior to installing the vault, and store the
Local Admin account password in a physical safe on a USB drive
2. Store the Master Password separately from the Master Key and each should be assigned
to different entities within an organization
3. Store the Master Key and Password in a physical safe
4. Do not store the Operator Key on the same media as the data (use an HSM)
Principles of Using Secure Protocols - answer-1. HTTPS for the PVWA
2. LDAPS for Vault-LDAP integration and CPM Windows scans
3. RDP/TLS for connections to the PSM and from PSM to target machines
4. SSH (instead of telnet) for password management
Principles for Monitoring Logs for Irregularities - answer-1. Aggregate CyberArk logs within
your SIEM
2. Monitor and alert upon excessive authentication failures, logins to the Vault server OS,
and logins as Admin or Master
3. Consider implementing PTA
Is it ok to join the Digital Vault to an Active Directory Domain? - answer-No. It can lead to the
following: pass-the-hash attack, golden ticket attack, malicious or accidental changes in
domain GPO, attacks through open firewall ports, increased operational risk due to
enablement of unnecessary services.
Why does CyberArk prohibit the installation of anti-virus and other agents on the Digital
Vault? - answer-Vulnerability due to opened firewall ports.
Why should you store the Operator Key on the HSM? - answer-If the Server Key is stored on
the local file system of the Digital Vault, it puts the system at risk. If an attacker were to
gain access to the operating system, Server Key, and encrypted data, it would be possible
for the attacker to reverse engineer the encryption process and gain access to Digital Vault
data.
CyberArk Proprietary Protocol or VPN Port - answer-TCP/1858
What percentage of encryption processes occur on the client side? - answer-95%
Supported Authentication Methods - answer-CyberArk (Vault auth)
LDAP
RADIUS
Windows
PKI Auth
RSA SecurID
Amazon Cognito
SAML
Google Auth
Oracle SSO
Supported Encryption Methods - answer-AES-256/AES-128
RSA-2048/RSA-1024
3DES
SHA-256
Installation Package Consists of: - answer-Two copies of the Operator CD
Two copies of the Master CD
License Agreement
Operator CD contains: - answer-Server Key
Recovery Public Key
Master CD contains: - answer-Recovery Private Key
Which CD is needed for Vault installation? - answer-Operator CD
When is the Master CD used? - answer-Emergency situations
These items need to be copied to the Vault Server before hardening: - answer-CyberArk
Server and Client Installation software
Operator CD
CyberArk License File
Digital Certificates installed for LDAP integration
Vault Installation Pre-Requisites - answer-Remove unnecessary network components